Being the Change: My Free Software Contributions in 2022

Be the change you wish to see in the world.

Mahatma Gandhi

Even the smallest contribution can made a big difference: a one line change to improve documentation can prevent countless users from wasting hours in frustration. Imagine how much better the world could be if every user contributed just one small change. With this in mind, I report a lot of bug reports and feature requests, and when I can, I submit merge/pull requests. As 2022 comes to a close, I’m taking a look back at the widely varied contributions I’ve made, many to projects I bet you already know, love, use, and rely upon.

This year, as usual, my contributions are widely varied. I made contributions in a number of programming languages from Ruby to Java to C#. I contributed to many types of projects from entertainment to cybersecurity to network libraries and build tools. And I of course kept up with my responsibilities as a Gentoo Linux Developer. The motivation behind these contributions is also widely varied; some are due to issues I encountered at work, others are just for fun.

All of the following have been merged unless otherwise noted:

• Gentoo: Linux distribution built using the Portage package management system. Unlike a binary software distribution, the source code is compiled locally according to the user’s preferences and is often optimized for the specific type of computer. Precompiled binaries are available for some larger packages or those with no available source code.
  • Maintainer for more than 130 packages
  • Made more than 150 commits
• Trivy: comprehensive security scanner
  • feat(report): add location.message to SARIF output
  • feat(report): Use understandable value for shortDescription in SARIF reports
• GitLab Advisory Database: The GitLab Advisory Database, used in Dependency Scanning.
  • Update CVE-2022-31197 (PostgreSQL JDBC Driver java.sql.ResultRow.refreshRow sql injection) to fix false positive
  • Update CVE-2022-36944 (Scala JAR File deserialization) to fix false positive
  • Delete CVE-2021-44832.yml for log4j-api to fix false positive
  • Invalid CVE-2022-41881 in inappropriate io.netty:* packages
• GitLab: open source end-to-end software development platform with built-in version control, issue tracking, code review, CI/CD, and more. Self-host GitLab on your own servers, in a container, or on a cloud provider.
  • Use PURL type “maven” for Gradle specified dependencies
  • Use docker image to merge CycloneDX SBOMs
  • Update cyclonedx/cyclonedx-cli reference to 0.24.0
  • Use printf instead of echo because echo flags are undefined
  • Use `openssl base64 -A` to encode instead of `base64`
• Renovate: Automated dependency updates. Multi-platform and multi-language.
  • chore: Don’t re-specify image name for GitLab CI variables
  • fix(maven): Use correct snapshot URL in getDependencyInfo
  • refactor(maven): move createUrlForDependencyPom from index.ts to util.ts
• mdx-mermaid: Plug and play Mermaid in MDX
  • Upgrade unist-util-visit to 4.1.0
• LittleProxy: high performance HTTP proxy written in Java atop Netty
  • Bump log4j-core from 2.16.0 to 2.17.1
  • Bump netty from 4.1.71 to 4.1.72
  • Bump slf4j from 1.7.30 to 1.7.32
• Sonar: continuous inspection of code quality to perform automatic reviews with static analysis of code to detect bugs, code smells on 29 programming languages.
  • Remove obsolete java bin dir from $PATH
• Transmission: fast, easy, and free BitTorrent client.
  • daemon: deny memory wx in transmission-daemon.service
• Gradle: build tool with a focus on build automation and support for multi-language development.
  • Suppress ignorable shellcheck warnings
• Spring Boot: helps you to create Spring-powered, production-grade applications and services with absolute minimum fuss. It takes an opinionated view of the Spring platform so that new and existing users can quickly get to the bits they need.
  • Update instead of replace environment in bootBuildImage documentation
  • MustacheAutoConfiguration in a Servlet web application fails with a ClassNotFoundException when Spring MVC is not on the classpath
• Spring Session: Spring Session provides an API and implementations for managing a user’s session information, while also making it trivial to support clustered sessions without being tied to an application container specific solution.
  • Update reference site link
• valfirst/browserup-proxy: The BrowserUp Proxy allows you to manipulate HTTP requests and responses, capture HTTP content, and export performance data as a HAR file. BrowserUp Proxy works well as a standalone proxy server, but it is especially useful when embedded in Selenium tests.
  • Use the CONNECT method URI as host fallback
  • README.md: Update groupId to point this project
  • Upgrade Gradle Wrapper to 7.4.2
  • Add missing import for ProxyManagerTest to ProxyPortAssignmentTest
  • Remove IDE files that shouldn’t be in source control
• Dependency-Check: Software Composition Analysis (SCA) tool that attempts to detect publicly disclosed vulnerabilities contained within a project’s dependencies. It does this by determining if there is a Common Platform Enumeration (CPE) identifier for a given dependency. If found, it will generate a report linking to the associated CVE entries.
  • Use exit codes between 0 and 255 (inclusive)
• Jellyfin: Free Software Media System that puts you in control of managing and streaming your media.
  • Add Gentoo installation instructions
  • Move transcodes to be under CachePath
• Netdata: high-fidelity infrastructure monitoring and troubleshooting. Open-source, free, preconfigured, opinionated, and always real-time.
  • netdata.service: Update PIDFile to avoid systemd legacy path warning
• Fortify SSC: enables management, development, and security teams to work together to triage, track, validate, automate, and manage software security activities.
  • fix: set Java target version to 1.8
  • feat: use security-severity property to determine priority
  • feat: use location.message if available as the file name; use shortDescription if available as the category
  • feat: display help if available
• cyclonedx-cli: supports BOM analysis, modification, diffing, merging, format conversion, signing and verification.
  • Dockerfile: add path containing cyclonedx to PATH
  • Set serialNumber when merging
• appthreat/cdxgen: creates a valid and compliant CycloneDX Software Bill-of-Materials (SBOM) containing an aggregate of all project dependencies for c/c++, node.js, php, python, ruby, rust, java, .Net, dart, haskell, elixir, and Go projects in XML and JSON format.
  • Check for non-zero status instead of status = 1
  • Introduce fail-on-error argument to fail on errors
  • maven: Do not fall back to methods that can produce incomplete results when failOnError is set
  • Improve Gradle dependency parsing to catch transitive dependencies
• CycloneDX/cyclonedx-javascript-library: Core functionality of CycloneDX for JavaScript (Node.js or WebBrowsers), written in TypeScript and compiled for the target.
  • tsconfig: default esModuleInterop & allowSyntheticDefaultImports
• Snyk CLI: scans and monitors your projects for security vulnerabilities.
  • feat: add “sbom” command that produces a CycloneDX 1.4 JSON SBOM (not yet merged)
    Check out Creating SBOMs with the Snyk CLI for the interesting tale on this contribution
  • chore: upgrade to typescript 4.8 (not yet merged)
• Pre-Liquibase: Companion to Spring Boot Liquibase module which allows to execute some SQL script file prior to executing Liquibase ChangeSets.
  • Autoconfiguration file for Spring Boot 2.7+ / Required by Spring Boot 3
• helm-sign: Python Command Line Tool for creating Valid Helm Chart Signatures
  • Don’t require helm charts to use semver versioning

I’m looking forward to seeing how I can do my part to improve the world via free software contributions in 2023.

Being the Change: My Free Software Contributions in 2022 by Craig Andrews is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.