A: Cool, well, thanks for everyone joining on short notice here. I just wanted to chat about the recent issue that Michael brought up about allowing the, hello, Michael, about allowing the container scanning analyzer to detect application-level vulnerabilities, and some of the pros and cons on that. So I think the biggest point of confusion here on the engineering side is about where we want that to show up, and I believe we actually want that to show up on the vulnerability report and in the merge requests.
A: That's really what we're talking about here, and I think, I mean, maybe I'm reading the issue wrong, but I think this issue that we've had open for about four months now is really about that. It's about having these show up, you know, on that Security and Compliance vulnerability report tab. Of course, the challenge in doing that is, you know, the whole reason we are blocking
A: those in the first place is because there's potential duplication with any findings from our dependency scanning job, and so, you know, there's some things that dependency scanning finds that we don't find, there's some things that are duplicative, and so it just gets a little bit, you know. The reason we haven't done this before is just for the user experience; that is the biggest reason. I know, coming back in the history here, I know, Nicole, you basically said, you know, for the MVC...
B: Added, yeah, that's still the case. I added a note, and I can add it into this discussion as well. My preference would be we absolutely enable customers, either through a feature flag or a variable, to turn this on. I don't want it to be on by default. We can put out a blog post saying if you're looking for Log4j, you can turn this on, but as a result of this being minimal right now, the following things happen: you may end up with duplicate vulnerabilities listed, and you're going to have to deal with that.
B: So, if that is worth it to you, please turn on this variable or this feature flag or whatever it is. So that's kind of my thing: I'm 100% okay with customers opting in to be extra noisy. A thing that I am looking at doing soon, and maybe I'll have to do it sooner than later if this goes out, is I don't want to necessarily hardcore dedupe results like we're doing now between our analyzers.
B: I want to do more, like, aggregation, so, DAST right now does where, like, if a vulnerability shows up they list all the URLs type thing. If you all have seen that, I want to kind of come up with some kind of similar thing, either, you know, look at how Derek visually displayed that and, like, have that for customers, like, hey.
B: We found this in these three or four spots, or maybe just have all three of them but have them linked in some way that you could close them all. But I need a way for customers to easily address the quote-unquote noise, which they call false positive; I call noise. Otherwise they're going to be cranky pants, but if we warn them about that and then they turn it on, that's on them.
B: I have some charts that I could make one or two tweaks to. Like, I have a chart right now that says which people run what scanners, or by people I mean namespaces. I could reduce that down to just the two and see how much you can overlap. There is, there's, actually it seems to be on two ends of the spectrum of namespaces, just with the spread of all of them. They either run one or they run, like, a ton; like, there is not a middle ground in the bell curve.
D: So, can I clarify a few things real quick, because I think there's some confusion about what's the intended behavior for some of these features. So for container scanning, the terms are kind of confusing now, because container scanning has dependencies getting in and out, so I'll just call that dependency scan and retribute, but container scanning itself is not supposed to detect language vulnerabilities; dependency
D: scanning, trivia, is, is that right? But the thing is, right now, you know, we just, we just about this, like, last week or something, and I think right now it only outputs the dependency list, the inventory, right, not the actual vulnerabilities; it doesn't create vulnerabilities of it.
C: It does with the flag that machia created; it might actually create the vulnerabilities there. Yes.
C: Okay, so at the technical level, just to clarify that, if Michael has been looking at the running manually, exactly, so vuln type os looks at the OS package metadata. So you look at a yum database or apt or whatever it is that your distribution uses; the other one lists all packages.
C: We look at all the known package metadata, so for Python you're looking in valid site python site something, same thing for Ruby, so you can detect some of these libraries, and then it'll just do it, but we don't know what installed it there. We just know that it's there now.
C: Exactly, and then, if you don't know, maybe you should run dependency scanning as part of the build. The problem here is that if I'm using an image that has dependencies pre-installed, I can't run the dependency scanner without building that image myself. So say I do FROM python3; that'll pull that image from Docker Hub, and whatever vulnerabilities are in there, they're installed as Python packages.
A: The challenge for us in doing that with container scanning is that now we have two different states for the location, so it's not enough to just categorize those as the same scanner. It gets a bit tricky because we've got, you know, potentially multiple locations and multiple scanners that have found the same vulnerability.
A: So that gives us the unfortunate choice, and again, you know, Michael, this is why we haven't done this before, is because now, you know, suppose someone goes through and says, you know, this particular vulnerability is not applicable, we don't use that area of code. Now they have to go in; they're going to have that vulnerability listed twice in their vulnerability report, and they have to go manage that twice.
B: Yeah, and at least, like, either have an option like close both, for example, if we didn't want to hard combine them but we wanted to do some kind of linking or aggregation. We could say, like, close both of them, like, take this action against both.
B: This is duplicating, and, like, there's a million different ways to slice it, so, and that's because we haven't settled that conversation is why we haven't really dug into this one. So I think, like I said, if we're introducing this or pushing this out now, as long as people have to turn on some kind of variable or something, and we say, here's exactly what's going to happen to you and you may have to close things twice; if you're okay with that, go on with your bad self, but, that, you know.
C: Sam, what you are talking about, the location, is spot on. Just in case, Michael, you probably know that, but there are four criteria to the duplicate. So it's the project ID, the report type, the location, there's a fourth one, the primary identifier, right? So out of the four we have three that will probably match, depending on the advisory database. So the project will match; the report type won't match.
C: Sorry, I like this too: the project, the report type will match, because one might be dependency scan, the other might be container scanning; that's kind of easy to fix, maybe, but it's within our power to fix. We could put these in the container scanning report. Then there's the location; that's the complicated one. Threat Insights will not be in a good position to support that sort of tracking.
C: I want to say, after February, March, probably in February, SAST is collaborating with Threat Insights to do some work around that area, but it's very early days. I don't know what's going to happen there, but it's the sort of thing that would enable us to go, hey.
A: Yeah, and at that point, you know, once we have that kind of grouping or whatever we decide to do with it, once we have a better solution there, that might be a good point to turn that feature flag on by default. But so, yeah, for now I think the main issue at hand, as I understand it, is really just giving customers the option to remove this flag right here.
B: You know, pile of things to triage, because we have not gotten to some kind of cleaner way of grouping these or bulk actioning these for you, and by choosing to turn this on you acknowledge, like, you're about to get more. So, but I think that first one is pretty clutch where, like, you have to, depending how you're using your container, you have to build your container if you want to detect everything.
D: So there are two different things: number one, container scanning is restricted to vuln type os; adding a variable to configure that would be an enhancement. Number two is the dependency scanning does not output the language packages right now; that is a bug, and that is because of how we are, the report format.
D: Yeah, yeah, my comment is about the dependencies. We do need to double check and make sure that
D: the report format for the language-specific packages is in the format that we expect, because I did notice that some of the fields are different for Java packages, which is kind of odd, but yeah. We need to make sure that we always have data with all the different languages, because it looks like it doesn't always output the same fields.
C: So Brian, thank you for that comment explaining the changes that we need to make on the dependency list converter. Are we looking to pull that into the current milestone, Sam?
B: All the account managers are going to be asked about it, so if I can also bump something to help out, I'm willing to bump, like, a couple of my bugs that will... I already had to bump so much stuff, so everyone's already angry at me.
C: This is a matrix thing. I don't think it's been broken for a while. I don't know if it's huge to fix the...
D: Yeah, you know what, I'll create a new issue for it, because I think it ought to be documented in an issue. So I'll do that, but it's not, it's a problem on the container scanning side. So there's nothing wrong with railroads dependency reports.
B: I think I'm at 50 for next time. I will try and slim down my stuff. Feel free to ask people for help with, like, testing things or poking things or reviews, if that would be helpful to y'all. I will warn them, just because I know Log4j is going to be, everyone's going to be asking about it. And if we have time at the end of this, I actually have a question about workspaces, if you all have started that work or not yet, because it's sort of related.
D: I know, I know they answer this one, so for the workspace stuff, we're blocked right now, because the workspaces team is still trying to complete what they call namespaces, so they're creating, like, a container that can have a workspace or a group or a project, and that's not done yet. Okay, so that's, like, the scaffolding that, yeah, the workspace features will go into, and it's not complete yet, so wait for them to finish that.
A: Okay, cool, thanks. Thanks for logging that issue, Brian; go ahead and put that in 14.6 as well, once you log that other display issue. I think in Tiago's list of issues we'll put that as number three in the list, and we'll see if we can get it done in this milestone, and if not, we'll ship early next milestone.
E: Thanks, and if I can help with testing, I would also love to help out if needed. For the blog post, this will be, like, pushed out today, but we can always update it later on, like, keeping it as the single source of truth.