GrimoireLab is a CHAOSS toolset for software development analytics. It includes a coordinated set of tools to retrieve data from systems used to support software development (repositories), store it in databases, enrich it by computing relevant metrics, and make it easy to run analytics and visualizations on it.
You can learn more about GrimoireLab in the GrimoireLab tutorial, or visit the GrimoireLab website.
Metrics available in GrimoireLab are, in part, developed in the CHAOSS project. For more information regarding CHAOSS metrics, see the latest release at: https://chaoss.community/metrics/
To ease the newcomer experience we are providing a default setup to analyze git activity for this repository. For this setup, there are several options to run GrimoireLab:
docker-compose
Requirements:
root@test-68b8628f:~# git --version
git version 2.17.1
root@test-68b8628f:~# docker --version
Docker version 19.03.1, build 74b1e89
root@test-68b8628f:~# docker-compose --version
docker-compose version 1.22.0, build f46880fe
Steps:
git clone https://github.com/chaoss/grimoirelab
Go to the docker-compose folder and run the following command:
cd grimoirelab/docker-compose
docker-compose up -d
Your dashboard will be ready after a while at http://localhost:8000. The waiting time depends on the amount of data to fetch from a repo; for small repositories you can expect your data to be visible in the dashboard after 10-15 minutes.
More details or troubleshooting in the docker-compose folder.
docker run
Requirements:
root@test-68b8628f:~# git --version
git version 2.17.1
root@test-68b8628f:~# docker --version
Docker version 19.03.1, build 74b1e89
Steps:
git clone https://github.com/chaoss/grimoirelab
cd grimoirelab
docker run --net=host \
-v $(pwd)/default-grimoirelab-settings/projects.json:/home/grimoire/conf/projects.json \
-v $(pwd)/default-grimoirelab-settings/setup-docker.cfg:/home/grimoire/conf/setup.cfg \
-t grimoirelab/grimoirelab
Your dashboard will be ready after a while at http://localhost:8000. The waiting time depends on the amount of data to fetch from a repo; for small repositories you can expect your data to be visible in the dashboard after 10-15 minutes.
More details in the docker folder.
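The docker run procedure above, as an added example that is not part of the GrimoireLab README: it checks that the two bind-mounted settings files exist before starting the container and then polls the dashboard URL until it answers, instead of guessing when the 10-15 minute wait is over. It assumes the container may be started detached (-d) so the script can keep running and poll.

```shell
#!/bin/sh
# Added example, not part of the GrimoireLab README: the "docker run" setup with
# a check on the bind-mounted settings files and a poll of the dashboard URL,
# instead of guessing when the 10-15 minute wait is over.
# Assumption: the container is started with -d (detached) so the script can poll.
set -u

# check_settings DIR: the two files bind-mounted into the container must exist
# on the host; if a source path is absent, Docker creates an empty directory
# there and the container starts with no configuration.
check_settings() {
  for f in projects.json setup-docker.cfg; do
    if [ ! -f "$1/default-grimoirelab-settings/$f" ]; then
      echo "missing settings file: $f" >&2
      return 1
    fi
  done
  return 0
}

# wait_for_dashboard URL ATTEMPTS INTERVAL: poll until the dashboard answers an
# HTTP request; returns 1 when ATTEMPTS*INTERVAL seconds pass without an answer.
wait_for_dashboard() {
  i=0
  while [ "$i" -lt "$2" ]; do
    if curl -fsS --max-time 5 -o /dev/null "$1"; then
      echo "dashboard is up at $1"
      return 0
    fi
    i=$((i + 1))
    sleep "$3"
  done
  echo "dashboard not reachable after $(($2 * $3))s" >&2
  return 1
}

main() {
  command -v git >/dev/null 2>&1 && command -v docker >/dev/null 2>&1 || exit 1
  [ -d grimoirelab ] || git clone https://github.com/chaoss/grimoirelab
  check_settings grimoirelab || exit 1
  cd grimoirelab || exit 1
  docker run -d --net=host \
    -v "$(pwd)/default-grimoirelab-settings/projects.json:/home/grimoire/conf/projects.json" \
    -v "$(pwd)/default-grimoirelab-settings/setup-docker.cfg:/home/grimoire/conf/setup.cfg" \
    -t grimoirelab/grimoirelab
  wait_for_dashboard "${DASHBOARD_URL:-http://localhost:8000}" 90 10   # up to 15 minutes
}

# Run the whole procedure only via "sh setup.sh run", so the functions can be sourced and tested.
if [ "${1:-}" = "run" ]; then main; fi
```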
SortingHat permission groups
Starting from GrimoireLab 1.3.0, creating new users in SortingHat requires assigning them to a permission group. By default, they will have read-only permissions. Please refer to the following documentation for instructions on how to update permissions: assign users to permission groups
Currently, the GrimoireLab toolkit is organized in the following repositories:
There are also some components built by the GrimoireLab community, which can be useful for you. Other related repositories are:
This repository is for content relevant to GrimoireLab as a whole. For example:
Issues for new features or bug reports that affect more than one GrimoireLab module. In this case, let's open an issue here, and when implementing the fix or the feature, let's comment about the specific tickets in the specific modules that are used. For example, when supporting a new datasource, we will need patches (at least) in Perceval, GrimoireELK and panels. In this case, we would open a feature request (or the user story) for the whole case, an issue (and later a pull request) in Perceval for the data retriever, same for GrimoireELK for the enriching code, and same for panels for the Kibiter panels.
Release notes for most GrimoireLab components (directory releases).
Docker container for showcasing GrimoireLab (directory docker). Includes a Dockerfile and configuration files for the GrimoireLab containers that can be used to demo the technology, and can be the basis for real deployments. See more information in the docker README.md file.
If you feel more comfortable with docker-compose, the docker-compose folder includes instructions and configuration files to deploy GrimoireLab using the docker-compose command.
Source code of the GrimoireLab components is available in src. Each directory is a Git submodule, so its contents will not be available after cloning the repository. To fetch all the data, and get the latest version, you can run the following command:
git submodule update --init --remote
If you use GrimoireLab in your research papers, please refer to GrimoireLab: A toolset for software development analytics:
APA style:
Dueñas S, Cosentino V, Gonzalez-Barahona JM, del Castillo San Felix A, Izquierdo-Cortazar D, Cañas-Díaz L, Pérez García-Plaza A. 2021. GrimoireLab: A toolset for software development analytics. PeerJ Computer Science 7:e601 https://doi.org/10.7717/peerj-cs.601
BibTeX / BibLaTeX:
@Article{duenas2021:grimoirelab,
  author       = {Dueñas, Santiago and Cosentino, Valerio and Gonzalez-Barahona, Jesus M. and del Castillo San Felix, Alvaro and Izquierdo-Cortazar, Daniel and Cañas-Díaz, Luis and Pérez García-Plaza, Alberto},
  title        = {GrimoireLab: A toolset for software development analytics},
  journaltitle = {PeerJ Computer Science},
  date         = {2021-07-09},
  volume       = 7,
  number       = {e601},
  doi          = {10.7717/peerj-cs.601},
  url          = {https://doi.org/10.7717/peerj-cs.601}
}
Contributions are welcome, please check the Contributing Guidelines.