github.com/devseccon/trivy@v0.47.1-0.20231123133102-bd902a0bd996/docs/community/maintainer/triage.md

# Triage

Triage is an important part of maintaining the health of the trivy repo.
A well-organized repo allows maintainers to prioritize feature requests, fix bugs, and respond to users facing difficulty with the tool as quickly as possible.

Triage includes:

- Labeling issues
- Responding to issues
- Closing issues

# Daily Triage
Daily triage has two goals:

1. Responsiveness for new issues
1. Responsiveness when explicitly requested information has been provided

It covers:

1. Issues without a `kind/` or `triage/` label
1. Issues without a `priority/` label
1. `triage/needs-information` issues that the user has followed up on and that now require a response

## Categorization

The most important step in categorizing an issue is defining what type it is.
We typically want at least one of the following labels on every issue, and some issues may fall into multiple categories:

- `triage/support` - The default for most incoming issues
- `kind/bug` - When it’s a bug or we aren’t delivering the best user experience

Other possibilities:

- `kind/feature` - Identify new feature requests
- `kind/testing` - Update or fix unit/integration tests
- `kind/cleanup` - Cleaning up/refactoring the codebase
- `kind/documentation` - Updates or additions to trivy documentation

If the issue is specific to a driver for OS packages or libraries:

**co/[driver for OS packages]**

  - `co/alpine`
  - `co/amazon`
  - `co/debian`
  - `co/oracle`
  - `co/photon`
  - `co/redhat`
  - `co/suse`
  - `co/ubuntu`

**co/[driver for libraries of programming languages]**

  - `co/bundler`
  - `co/cargo`
  - `co/composer`
  - `co/npm`
  - `co/yarn`
  - `co/pipenv`
  - `co/poetry`

**Help wanted?**

`Good First Issue` - the bug has a proposed solution and can be implemented without further discussion.

`Help wanted` - the bug could use help from a contributor.

## Prioritization
If the issue is not `triage/support`, it needs a priority label.

`priority/critical-urgent`: someone's top priority ASAP, such as a security issue, user-visible bug, or build breakage. Rarely used.

`priority/important-soon`: in time for the next two releases. It should be attached to a milestone.

`priority/important-longterm`: 2-4 releases from now.

`priority/backlog`: agreed that this would be good to have, but no one is available at the moment. Consider tagging as `help wanted`.

`priority/awaiting-more-evidence`: may be useful, but there is not yet enough support.

# Weekly Triage

Weekly triage has three goals:

1. Catching up on unresponded issues
1. Reviewing and closing PRs
1. Closing stale issues

## Post-Release Triage

Post-release triage occurs after a major release (around every 4-6 weeks).
It focuses on:

1. Closing bugs that have been resolved by the release
1. Reprioritizing bugs that have not been resolved by the release
1. Letting users know if we believe that there is still an issue

This includes reviewing:

1. Every issue that hasn’t been touched in the last 2 days
1. Re-evaluation of long-term issues
1. Re-evaluation of short-term issues

## Responding to Issues

### Needs More Information
A sample response to ask for more info:

> I don’t yet have a clear way to replicate this issue. Do you mind adding some additional details? Here is additional information that would be helpful:
>
> \*  The exact `trivy` command line used
>
> \*  The exact image you want to scan
>
> \*  The full output of the `trivy` command, preferably with `--debug` for extra logging.
>
>
> Thank you for sharing your experience!

Then: Label with `triage/needs-information`.

### Issue might be resolved
If you think a release may have resolved an issue, ask the author to check whether their issue has been resolved:

> Could you please check to see if trivy <x> addresses this issue? We've made some changes with how this is handled, and improved the trivy logs output to help us debug tricky cases like this.

Then: Label with `triage/needs-information`.

## Closing with Care

Issues typically need to be closed for the following reasons:

- The issue has been addressed
- The issue is a duplicate of an existing issue
- There has been a lack of information over a long period of time

In any of these situations, we aim to be kind when closing the issue, and offer the author action items should they need to reopen their issue or still require a solution.

Sample responses for these situations include:

### Issue has been addressed

>@author: I believe this issue is now addressed by trivy v1.0.0, as it <reason>. If you still see this issue with trivy v1.0 or higher, please reopen this issue.
>
>Thank you for reporting this issue!

Then: Close the issue.

### Duplicate Issue

>This issue appears to be a duplicate of #X, do you mind if we move the conversation there?
>
>This way we can centralize the content relating to the issue. If you feel that this issue is not in fact a duplicate, please re-open it. If you have additional information to share, please add it to the new issue.
>
>Thank you for reporting this!

Then: Label with `triage/duplicate` and close the issue.

### Lack of Information
If an issue hasn't been active for more than four weeks, and the author has been pinged at least once, then the issue can be closed.

>Hey @author -- hopefully it's OK if I close this - there wasn't enough information to make it actionable, and some time has already passed. If you are able to provide additional details, you may reopen it at any point.
>
>Here is additional information that may be helpful to us:
>
>\* Whether the issue occurs with the latest trivy release
>
>\* The exact `trivy` command line used
>
>\* The exact image you want to scan
>
>\* The full output of the `trivy` command, preferably with `--debug` for extra logging.
>
>
>Thank you for sharing your experience!

Then: Close the issue.

## Help Wanted issues

We use two labels, [help wanted](https://github.com/devseccon/trivy/issues?q=is%3Aopen+is%3Aissue+label%3A%22help+wanted%22)
and [good first issue](https://github.com/devseccon/trivy/issues?q=is%3Aopen+is%3Aissue+label%3A%22good+first+issue%22),
to identify issues that have been specially groomed for new contributors.

We have specific [guidelines](/docs/community/maintainer/help-wanted.md)
for how to use these labels. If you see an issue that satisfies these
guidelines, you can add the `help wanted` label and the `good first issue` label.
Please note that when you add the `good first issue` label, you must also
add the `help wanted` label.

If an issue has these labels but does not satisfy the guidelines, please
ask for more details to be added to the issue or remove the labels.