halnasri-Resolve_TT_CONFIDENCE_Feedback

.dotstop.dot

@@ -67,6 +67,13 @@ digraph G {
 "JLS-33" [sha="16ebc7717e389ac1ca349ead591b4dc5b65997e8c5f78d58d6293cd75bbe0d28"];
 "JLS-34" [sha="3484d9766deace45ecbc0d6892c7114ce7d97a51836399887500a318b3a88dc6"];
 "JLS-35" [sha="b11006d1d5708c3aba84d4f06834ad965d6aebde8619306389a4f8fa655b2dcf"];
+"JLS-36" [sha="1a9abf2ab101af32cc6490d9ed5218df96a06b31cc2aeaff07f769ebf4ba98bb"];
+"JLS-37" [sha="fb19166fd1d71acbe8a852fd1bfced3874efdc687cbf95b03f3201a722fdef8f"];
+"JLS-40" [sha="8a6c2a7c6888f0c13fc4045535125d90a4866858e40ac11910f05eace9ff179a"];
+"JLS-41" [sha="f7cc07fd06ed4605d4207a5f59d60f8b7da48152c76b94132e4ad80a4512975a"];
+"JLS-42" [sha="d90e0a0d85a952868a794945a7ecfb0217202752ccb97bc0a6e4724700fd20b8"];
+"JLS-43" [sha="ab3f0247c96f064628d255d44c63be9a50cbee11ca64432b5f0181e55347e5a2"];
+"JLS-44" [sha="3cc7206ec555271d1f369cb1c7ebf3753d32e9fc9be2d0aead5bb5e0e5472375"];
 "NJF-01" [sha="548dc86014e093974f68660942daa231271496a471885bbed092a375b3079bd8"];
 "NJF-02" [sha="6ea015646d696e3f014390ff41612eab66ac940f20cf27ce933cbadf8482d526"];
 "NJF-03" [sha="4bd1f8210b7bba9a248055a437f377d9da0b7576c5e3ed053606cf8b5b2febe3"];
@@ -378,6 +385,7 @@ digraph G {
 "TA-CONFIDENCE" -> "JLS-08" [sha="506164051180023c8533ea1f6dedf1bad894c3ee6020ff16b002e33b109c2791"];
 "TA-CONFIDENCE" -> "JLS-09" [sha="80bbde95fc14f89acf3dad10b3831bc751943fe4a1d79d5cbf4702416c27530f"];
 "TA-CONFIDENCE" -> "JLS-20" [sha="1bfd214ab8186a3c095262ae503451b8d71ada8db5b13ecc7b906739a05bc102"];
+"TA-CONFIDENCE" -> "JLS-37" [sha="b8294c05b686be5c608685b6077af39aabebda04acc465720695595582dcc041"];
 "TA-CONSTRAINTS" -> "AOU-04" [sha="9466008edc5257d5d6ad6cae05eadbd7e6c63ed10f45f9bbe9166dc5af5db294"];
 "TA-CONSTRAINTS" -> "AOU-05" [sha="ead38077bd84ce52bc7ce9ab1be36ef6d1b62aa7bd30b2a5d5eea3aedfe9da3c"];
 "TA-CONSTRAINTS" -> "AOU-06" [sha=bb3ac58ca7f67d9676503a6c71660abd650268e02d6773cb57dfa07d0743fb40];
@@ -417,6 +425,12 @@ digraph G {
 "TA-ITERATIONS" -> "JLS-10" [sha="6e77b132d4159d65e261e90466537dbf44edc643b44c0671b8c40b994ef08590"];
 "TA-ITERATIONS" -> "JLS-19" [sha="9bc13b823f8b49d742b92a8aaf18b8aeb2bb9b0749f4b6dead241af85aea876c"];
 "TA-METHODOLOGIES" -> "JLS-13" [sha="4e2fb7871a608c98d11b10f4ca4391d69b360419c6a9e1baf7cb40b980fc9e94"];
+"TA-METHODOLOGIES" -> "JLS-36" [sha="bb56d3a2aa32b55d9158cd606172b8c4a5b7605acc703f5aca1ecdd37fc6a65a"];
+"TA-METHODOLOGIES" -> "JLS-40" [sha="af896a265a2ef24e341ff11d722aaf863ccc7c789bf90ebeb9a4e33ddabfd727"];
+"TA-METHODOLOGIES" -> "JLS-41" [sha="812e1a905c911c110c49edb7ede42dcfaf0bf2d790b67e13337f4a054d897bf7"];
+"TA-METHODOLOGIES" -> "JLS-42" [sha="69fa2c45ac391620896dd387d7b422252f11000b386c4e8915147d286543da3e"];
+"TA-METHODOLOGIES" -> "JLS-43" [sha="4aa2cb58cb0c308eeed861ef358138de644cae5d56760d6ebcd10d78caa59e5e"];
+"TA-METHODOLOGIES" -> "JLS-44" [sha="694a7ca81623ff8393b0bc601f9b71d425a6436ce250ce61e37ea3d1bceb4a5e"];
 "TA-MISBEHAVIOURS" -> "JLS-02" [sha="532ddabfefb6664d9731084a44df220d1ebdb9f840760d7c471cf04dfc8e96ef"];
 "TA-MISBEHAVIOURS" -> "JLS-24" [sha=e8de01ff7c316debcd96afa4b3b6b62be73522e4531214c18b3ad7eec826275e];
 "TA-MISBEHAVIOURS" -> "JLS-25" [sha="56ba396580f90e5a10fd5adfe33864921537d47e21b215a8faf531855af40ecd"];

TSF/trustable/assertions/TA-CONFIDENCE_CONTEXT.md

@@ -26,7 +26,7 @@ The process itself should be analysed to determine score maturity, with meta-ana
 **Evidence**
 
 - Confidence scores from other TA items
-  - **Answer**: 
+  - **Answer**: Provided in JLS-08, JLS-09 and JLS-37
 
 **Confidence scoring**
 
@@ -36,10 +36,10 @@ scores given to Statements
 **Checklist**
 
 - What is the algorithm for combining/comparing the scores?
-  - **Answer**: 
+  - **Answer**: The algorithm behind the scoring in given in JLS-09
 - How confident are we that this algorithm is fit for purpose?
-  - **Answer**: 
+  - **Answer**: We are confident that the scoring algorithm is fit for purpose and is aligned with the TSF methodology described (see also JLS-09). However, at the moment, the statements require a larger number of SME reviewers to profit from the law-of-large-numbers and arrive at statistically significant scores.
 - What are the trends for each score?
-  - **Answer**: 
+  - **Answer**: At the moment, there are no trends as all statements have the review-status 'unreviewed'. However, the infrastructure for saving history of scores is already in place (see JLS-20).
 - How well do our scores correlate with external feedback signals?
-  - **Answer**: 
+  - **Answer**: Such correlation can not be measured yet due to missing data.

TSF/trustable/assertions/TA-METHODOLOGIES_CONTEXT.md

@@ -31,15 +31,15 @@ Any resulting changes from reviews must follow change control, regardless of who
 **Evidence**
 
 - Manual process documentation
-  - **Answer**: 
+  - **Answer**: Manual processes relevant for nlohmann/json have been identified and documented (see JLS-36, 40, 41, 42, 43 and 44).
 - References to methodologies applied as part of these processes
-  - **Answer**: 
+  - **Answer**: The corresponding references are given for each statement (see JLS-36, 40, 41, 42, 43 and 44).
 - Results of applying the processes
-  - **Answer**: 
+  - **Answer**: Results include reviewed and merged pull requests, maintained high test coverage, published security advisories and resolved issues, updated documentation on json.nlohmann.me (see JLS-36, 40, 41, 42, 43 and 44).
 - Criteria used to confirm that the processes were applied correctly
-  - **Answer**: 
+  - **Answer**: The criteria are given in the documentation (see JLS-36, 40, 41, 42, 43 and 44).
 - Review records for results
-  - **Answer**: 
+  - **Answer**: Review records are provided by GitHub pull-request reviews and comments, issue and advisory discussions, as well as release notes describing behavioural and documentation changes (see JLS-36, 40, 41, 42, 43 and 44).
 
 **Confidence scoring**
 
@@ -51,22 +51,22 @@ in comparison to the analysed results
 **Checklist**
 
 - Are the identified gaps documented clearly to justify using a manual process?
-  - **Answer**: 
+  - **Answer**: Manual processes are introduced where automation is not feasible and are clearly documented. While no explicit justification for each manual step is provided, the rationale is generally clear from the surrounding context.
 - Are the goals for each process clearly defined?
-  - **Answer**: 
+  - **Answer**: Yes. For the manual processes that were found the goals are clearly defined in the corresponding documentation. The goals include ensuring that user-facing documentation accurately reflect behavioural and API changes, correctly handling bug and vulnerability reports, and keeping the test suite at (or close to) 100% coverage for non-trivial changes.
 - Is the sequence of procedures documented in an unambiguous manner?
-  - **Answer**: 
+  - **Answer**: Largely yes. Where necessary, examples and templates make the expected sequence explicit.
 - Can improvements to the processes be suggested and implemented?
-  - **Answer**: 
+  - **Answer**: Improvements are proposed via GitHub issues or pull request.
 - How frequently are processes changed?
-  - **Answer**: 
+  - **Answer**: Process changes are infrequent and usually happen with a new nlohmann/json release, when a need for improvement is identified. 
 - How are changes to manual processes communicated?
-  - **Answer**: 
+  - **Answer**: Mostly, changes are communicated through updated documentation in the repository and release notes.
 - Are there any exceptions to the processes?
-  - **Answer**: 
+  - **Answer**: Known exceptions include automatic dependency updates from Dependabot as well as smaller trivial changes (such as fixing typos in documentation). These are exempted from having to manually create issues and explain the rationale behind the change. 
 - How is evidence of process adherence recorded?
-  - **Answer**: 
+  - **Answer**: Evidence in GitHub; PR histories with reviews and passing checks, issue and advisory discussions, audit trails for documentation and test updates
 - How is the effectiveness of the process evaluated?
-  - **Answer**: 
+  - **Answer**: Effectiveness is evaluated indirectly via stable releases, test coverage, and documentation quality.
 - Is ongoing training required to follow these processes?
-  - **Answer**: 
+  - **Answer**: No formal training is required, but contributors are expected to be familiar with the contribution guidelines and security policy.

TSF/trustable/statements/JLS-08.md

@@ -1,6 +1,21 @@
 ---
 level: 1.1
 normative: true
+references:
+    - type: web_content
+      url: "https://eclipse-score.github.io/inc_nlohmann_json/main/generated/dashboard.html#summary"
+      description: "Dashboard showing distributions of evidence scores and SME (subject-matter expert) scores."
+    - type: project_website
+      url: "https://eclipse-score.github.io/inc_nlohmann_json/main/generated/trustable_report_for_Software.html"
+      description: "Trustable Compliance Report showing scores for statements."
+    - type: web_content
+      url: "https://codethinklabs.gitlab.io/trustable/trustable/methodology.html#documenting-assumptions"
+      description: "Definition of Assumptions as part of the methodology"
+evidence:
+    type: https_response_time
+    configuration:
+        target: 2.0
+        urls: "https://eclipse-score.github.io/inc_nlohmann_json/main/generated/trustable_report_for_Software.html"
 ---
 
-Each statement within the TSF documentation is scored based on SME reviews or automatic validation functions. (TODO)
+Each leaf node in the Trustable Graph that is not an Assumption-of-Use (AoU) is scored either based on SME review(s) alone or on a combination of SME review(s) and an automatic validator.

TSF/trustable/statements/JLS-09.md

@@ -1,6 +1,10 @@
 ---
 level: 1.1
 normative: true
+references:
+    - type: web_content
+      url: "https://eclipse-score.github.io/inc_nlohmann_json/main/concept.html"
+      description: "Description of the algorithm on how scores are accumulated."
 ---
 
-Scores within the TSF documentation are reasonably, systematically and repeatably accumulated. (TODO)
+Scores within the TSF documentation are reasonably, systematically and repeatably accumulated.

TSF/trustable/statements/JLS-13.md

@@ -2,12 +2,22 @@
 level: 1.1
 normative: true
 references:
-        - type: website
-          url: "https://eclipse-score.github.io/process_description/main/general_concepts/score_review_concept.html"
-          description: "Documentation of S-CORE methodologies"
-score:
-    Jonas-Kirchhoff: 1.0
-    Erikhu1: 1.0
+  - type: project_website
+    url: "https://json.nlohmann.me/community/contribution_guidelines/#update-the-documentation"
+    description: "Contribution guidelines describing how to update and locally build the mkdocs-based documentation"
+  - type: project_website
+    url: "https://github.com/nlohmann/json/releases"
+    description: "Release notes summarising behavioural changes and documentation updates for each version"
+  - type: web_content
+    url: "https://json.nlohmann.me"
+    description: "Published documentation site for the nlohmann/json library"
+evidence:
+  type: https_response_time
+  configuration:
+    target_seconds: 2
+    urls:
+      - "https://json.nlohmann.me/community/contribution_guidelines/#update-the-documentation"
+      - "https://github.com/nlohmann/json/releases"
 ---
 
-The S-Core methodologies are followed in eclipse-score/inc_nlohmann_json.
+For changes that affect the behaviour or public API of the nlohmann/json library, contributors manually update the library documentation and locally rebuild it for verification.

TSF/trustable/statements/JLS-36.md

@@ -0,0 +1,10 @@
+---
+level: 1.1
+normative: true
+references:
+    - type: verbose_file
+      path: "./TSF/README.md"
+      description: "release management and update process description"    
+---
+
+Updates of the eclipse-score/inc_nlohmann_json repository are carried out in accordance with the defined and documented update process in TSF/README.md.

TSF/trustable/statements/JLS-37.md

@@ -0,0 +1,20 @@
+---
+level: 1.1
+normative: true
+references:
+        - type: project_website
+          url: "https://eclipse-score.github.io/inc_nlohmann_json/main/generated/trustable_report_for_Software.html#compliance-for-ta"
+          description: "Trustable Compliance Report showing scores for different TA items."
+        - type: project_website
+          url: "https://eclipse-score.github.io/inc_nlohmann_json/main/generated/trustable_graph.html"
+          description: "presentation of the full trustable graph in which high-level statements are broken down"
+evidence:
+  type: https_response_time
+  configuration:
+    target_seconds: 2
+    urls:
+      - "https://eclipse-score.github.io/inc_nlohmann_json/main/generated/trustable_report_for_Software.html#compliance-for-ta"
+      - "https://eclipse-score.github.io/inc_nlohmann_json/main/generated/trustable_graph.html"
+---
+
+High-level statements are decomposed into smaller, recursive statements.

TSF/trustable/statements/JLS-40.md

@@ -0,0 +1,20 @@
+---
+level: 1.1
+normative: true
+references:
+  - type: project_website
+    url: "https://github.com/nlohmann/json/security/policy"
+    description: "Security policy describing how to report vulnerabilities for the nlohmann/json library"
+  - type: project_website
+    url: "https://github.com/nlohmann/json/security/advisories/new"
+    description: "Well-defined process for issuing a vulnerability or bug report for the nlohmann/json library"
+evidence:
+  type: https_response_time
+  configuration:
+    target_seconds: 2
+    urls:
+      - "https://github.com/nlohmann/json/security/advisories/new"
+      - "https://github.com/nlohmann/json/security/policy"
+---
+
+The manual process for reporting vulnerabilities in the nlohmann/json library is well defined and documented in the project's security policy and vulnerability reporting template.

TSF/trustable/statements/JLS-41.md

@@ -0,0 +1,10 @@
+---
+level: 1.1
+normative: true
+references:
+  - type: project_website
+    url: "https://json.nlohmann.me/community/contribution_guidelines/#write-tests"
+    description: "Contribution guidelines describing the test policy and requirement to maintain 100% coverage"
+---
+
+The manual process for extending the nlohmann/json library's test suite is well-defined and documented, such that code coverage remains at (or close to) 100% when fixes or other non-trivial changes are proposed.

TSF/trustable/statements/JLS-42.md

@@ -0,0 +1,23 @@
+---
+level: 1.1
+normative: true
+references:
+  - type: project_website
+    url: "https://github.com/nlohmann/json/blob/develop/.github/CONTRIBUTING.md#describe-your-changes"
+    description: "Contribution guidelines requiring manual pull requests to describe the rationale behind non-trivial changes"
+  - type: project_website
+    url: "https://github.com/nlohmann/json/blob/develop/.github/CONTRIBUTING.md#reference-an-existing-issue"
+    description: "Contribution guidelines requiring manual pull requests to link to an existing issue"
+  - type: project_website
+    url: "https://github.com/nlohmann/json/pulls"
+    description: "GitHub pull requests showing review discussions, approvals, and merge/close status"
+evidence:
+  type: https_response_time
+  configuration:
+    target_seconds: 2
+    urls:
+      - "https://github.com/nlohmann/json/blob/develop/.github/CONTRIBUTING.md"
+      - "https://github.com/nlohmann/json/pulls"
+---
+
+All manual pull requests to the nlohmann/json repository that introduce non-trivial changes are expected to explain the rationale for the proposed change and to link to an existing issue, in accordance with the project's contribution guidelines.

TSF/trustable/statements/JLS-43.md

@@ -0,0 +1,20 @@
+---
+level: 1.1
+normative: true
+references:
+  - type: project_website
+    url: "https://github.com/nlohmann/json/discussions/categories/ideas"
+    description: "Feature request discussions showing that feature requests are actively investigated and answered"
+  - type: project_website
+    url: "https://github.com/nlohmann/json/blob/develop/.github/CODEOWNERS"
+    description: "Definition of responsible owners and reviewers for the nlohmann/json repository"
+evidence:
+  type: https_response_time
+  configuration:
+    target_seconds: 2
+    urls:
+      - "https://github.com/nlohmann/json/discussions/categories/ideas"
+      - "https://github.com/nlohmann/json/blob/develop/.github/CODEOWNERS"
+---
+
+Feature requests for the nlohmann/json repository are raised in the project's GitHub discussions and are actively reviewed and answered by the maintainer.

TSF/trustable/statements/JLS-44.md

@@ -0,0 +1,20 @@
+---
+level: 1.1
+normative: true
+references: 
+  - type: project_website
+    url: "https://github.com/nlohmann/json/blob/develop/.github/ISSUE_TEMPLATE/bug.yaml"
+    description: "Bug report issue template for the nlohmann/json library"
+  - type: project_website
+    url: "https://github.com/nlohmann/json/blob/develop/.github/CONTRIBUTING.md#reporting-issues"
+    description: "Contribution guidelines describing how to report bugs and issues for the nlohmann/json library"
+evidence:
+  type: https_response_time
+  configuration:
+    target_seconds: 2
+    urls:
+      - "https://github.com/nlohmann/json/blob/develop/.github/ISSUE_TEMPLATE/bug.yaml"
+      - "https://github.com/nlohmann/json/blob/develop/.github/CONTRIBUTING.md#reporting-issues"
+---
+
+The manual process for reporting bugs in the nlohmann/json library is well defined and documented in the project's contribution guidelines and bug report template.