►
From YouTube: Dependency Scanning Offline Environment Live Demo
Description
No description was provided for this meeting.
If this is YOUR meeting, an easy way to fix this is to add a description to your video, wherever mtngs.io found it (probably YouTube).
A
B
Thanks,
so
you
shall
see
my
screen
now:
I'm
sharing
the
scorecard
will
start
with
dependency
scanning
where
we
left
things
the
last
week,
so
we
have
already
proved
the
offline
setup
and
environment
I
will
just
go
back
to
explain
why
little
div
that
we
introduced
and
then
we
have
to
make
sure
that
the
documentation
is
fully
available
for
all
the
previously
validated
languages
which
for
and
we
have
to
go
through
Java
cradle.
It's
got
a
SBT
and
Python
set
of
tools
because
they
were
not
tested
previously
and
so
going
back
to
the
new.
B
The
latest
changes
that
we
made
to
the
environment.
You
have
an
environment,
we
upgraded
to
12.9
because
it
was
using
208.
So
this
has
been
done.
Thank
you
more
for
this,
and
we
also
had
several
issues
with
a
storage,
limited
storage
and
some
performance,
so
we
actually
changed
slightly
the
architecture.
So
we
know
how
to
dedicated
asked
for
the
runners
and
I've
slightly
dated
this
dock,
to
show
it
to
you.
Not
the
right.
One
sorry
will
fit
that
right
away.
B
B
All
right,
so
this
one
is
the
new
one,
so,
as
you
can
see,
we're
still
arranging
the
fashion
house
login
into
the
SSH
and
pull
the
creme
images
from
the
github.com
registry,
they're
saving
them
locally
into
some
tar
file
and
moving
them
into
the
offline
github
instance
or
SSH,
and
loading
them
into
the
offline
registry
from
there.
The
only
difference
is
that,
right
now
the
runners
are
running
on
a
separate
asked,
instead
of
being
at
the
same
asked.
B
So
we
need
to
open
connection
from
the
offline
runners
to
the
offline
with
them
instance,
so
that
it
can
fetch
the
images,
the
docker
images
that
are
stored
on
this
registry
when
it's
running
a
job.
Of
course,
the
offline
runners
doesn't
have
access
to
the
Internet
and
particularly
to
the
egg-cam
registry.
So.
D
B
So
this
is
a
render
I'll
store
it.
It's
disallowing
any
outgoing
call
and
any
input
on
any
IP
address
and
port
except
over
HTTP
sorry
over
SSH
HTTPS,
and
this
one
is
RDP
and
ingress:
it's
disabled
and
all,
except
on
this
internal
network.
So
in
that
communicate
you
can
communicate
with
the
air-gap
instance.
D
B
And
this
is
the
rules
for
the
I
get
up
off
like
us.
The
interest
traffic
is
disabled
on
all
products
and
IP
is
accept
again
as
a
stage
RDP
on
HTTP
and
GMP
it
and
from
the
internal
network.
It's
also
allowing
only
those
ports
and
this
additional
one,
which
is
for
the
continue
register,
II
and
egress
didn't
change.
Everything
is
disallowed
for
the
outside
world
and
the
internal
network
is
allowed
so
that,
for
example,
it
can
reach
out
to
the
by
P
and
NP
n
custom
registry
that
we've
set
up
and
separate
us
to
again.
B
Going
back
to
the
demo
about
the
set
up,
this
was
mostly
lacking
documentation,
so
the
good
thing
is
most
of
the
documentation
has
now
been
merged
and
available
and
github.com.
We
still
have
some
one
game.
Work
just
ensure
that
we
are
lining
all
the
documentation
between
the
different
security
features
that
most
of
the
deeds
to
sri
data
is
written
there.
B
So
it's
explaining
what
are
the
images
that
you
need
to
copy
over
your
install
your
offline
installation
of
get
clubbed
and
what
configuration
you
need
to
change
in
your
CI
ml
file
so
that
it
works
accordingly
and,
as
you
can
see,
we
have
a
lot
of
Perl
language.
Perfecting
manager.
Settings
obviously
will
try
to
improve
this
as
much
as
we
can
to
makes
it
more
a
turnkey
solution.
C
Think
the
one
thing
I'm
gonna
wanna
do
and
I
don't
know
whether
you
want
to
like
just
have
me:
do
it
or
you
want
to
like,
do
it
on
screen
slowly
and
make
everyone
suffer
as
I
just
want
to
make
sure
there
is
a
line
for
each
one
of
the
languages.
If
that
makes
sense,
if
I
could
read
as
fast
as
you
were,
scrolling.
B
C
B
B
Just
to
make
sure
so
we
had
yeah,
we
had
the
full
extent
just
for
each
ideas,
but
this
has
been
solved
in
the
crispin
except
the
way
the
the
week
after
then,
we
add
here
an
issue
with
replace,
but
this
is
not
specific
to
that
area.
Instance,
a
Flintstone.
Sorry
still,
there
attaches
theater
performance
concern
again.
This
is
not
related
to
our
offline.
B
C
Did
the
I
did
add
the
Mr
about
remediation
I
need
to
double
check
if
it
an
ick
got
it
pushed
in,
but
basically
we
explicitly
explained
in
the
documentation
that
remediation
will
only
work
under
these
specific
circumstances.
If
your
environment,
this
can
figure
that
way
and
Kevin
I
reviewed
them
are
cool.
So.
B
This
last
one
is
actually
addressed.
We
finally
have
completed
the
later
step
to
provide
all
the
breach
information
for
the
genome,
analyzer.
So
now
a
lot
of
inner
abilities
coming
from
the
dependency
scanning,
without
really
showing
up
in
to
all
the
UI
and
all
the
features
we
have,
so
that
that's
a
great
improvement
and
it's
shipping
in
2010
it's
already
available.
So
we
will
see
that
today,
so
we
can
basically
yeah
mostly
file
there
if
we
are
validating
the
dock
and
it's
working
for
all
of
the
languages,
so
I
would
go
directly
to
Java
kreidel.
B
We
are
using
system
play
project
here,
so
Java
credulous
gradualism
is
a
builder
for
the
java
language.
So
it's
leveraging
the
same
registry.
It's
currently
using
the
stem
maven
repository
that
is
built
in
within
github.
He
go
already
worked
on
setting
up
naughty
factor
instance.
He
has
some
project
working
I
haven't
had
time
to
integrate
it
into
the
demo,
but
if
this
is
something
that
is
blocking,
we
might
change
the
script
to
use
those
ones
and
make
sure
that
it's
testing
it's
just
it
accordingly
and
and
it's
already
working.
So
that's
a
great
news.
B
Okay,
we
know
that
jarrah
rattle
project,
so
it's
been
configured
to
leverage
this
crystal
maven
registry,
which
is
pointing
to
one
location
in
this
instance.
I
can
show
you
this
dependency
here.
So
this
is
one
peghead
maven
picket
we
aren't
using
inside
project.
So
it's
called
Indian
spike
and
you
can
see
it's
declared
here.
So
this
instruction
tells
that
the
gradall
builder
to
get
such
dependency
from
there
I,
will
open
the
web
IDE
and
set
up
a
new
kit,
Ramsey
IML
file
by
following
the
documentation
so
going
back
to
here.
B
So
the
official
documentation
says
to
just
take
that
template
after
there
so
with
including
the
typical
Pando
template
and
overriding
some
variables
again.
We
need
to
disable
talking
docker
to
have
this
support
for
affine
environment,
and
now
we
need
to
point
the
annoys
or
images
to
the
right
location,
which
is
inside
our
instance.
So
I
can
use
this
random
variable,
which
is
basically
be
replaced
by
this
URL
here
and
I
will
also
need
to
go
with
language,
specific
information,
so
for
all
languages.
B
B
Okay,
so
you
need
to
pass
enough.
Like--But
copy
of
the
kitchen
is
on
TV
at
the
holidays.
Again,
there
are
certainly
some
improvement
to
clarify
the
documentation.
There
are
very.
There
are
multiple
steps
to
make
it
run
into
another
fine
amendment,
and
we
are
kind
of
mixing
some
stuff
that
I'll
dedicated
to
offline
and
some
that
are
dedicated
to
supporting
custom
registries.
So
we
definitely
might
be
able
to
improve
that
and
then
cross
thing
to
tell
the
user.
B
What
are
the
different
steps
to
make
this
working
so
back
to
my
changes
here,
no
need
to
add
some
system
and
gradall
settings
so
here
for
Gretel,
we
need
to
liberate
the
custom
certificate
because
there
is
no
clean
way
to
disable
the
SSL
check.
So
what
we're
doing
here
is
we
are
your
version
of
default
script,
so
we
are
overriding.
B
The
jainism
maven
defenses
canning
job,
which
is
the
child
that
we
run
from
that
kind
of
project,
and
we
are
adding
a
B
for
script
here,
so
that
we
are
creating
a
specific
kind
of
certificate
which
is
compatible
with
Java
growl,
which
is
using
the
key
tool
command
here.
And
this
also
requires
us
to
setup
that
as
an
environment
variable.
B
So
this
is
a
generic
variable
that
allows
us
to
pass
just
some
certificates.
It
can
be
used
from
different
purposes.
We
can,
for
example,
use
it
to
add
such
decades
for
custom
registries
or
for
all
the
location
where
you
interface
the
databases,
but
the
problem
is:
it
needs
to
be
adapted
depending
on
the
underlying
toast,
so
for
some
tools,
just
putting
that
variables
would
make
it
working
out
of
the
box,
but
in
the
Java
world
we
cannot
use
it
exists.
B
C
B
B
B
Sitting
here,
because
this
is
kind
of
a
fake
dependency
that
we
are
using
here
and
to
make
sure
that
we
are
able
to
show
that
there
is
a
variability,
we
have
a
fake
mobility
that
have
been
added
to
this
database.
So
the
change
agent
database
is
a
repository
holding
all
the
the
definitions
of
the
non
room
abilities
and
we
just
added
a
new
branch
where
we
pushed
a
new.
B
B
If
you're
using
that
package
in
your
project,
if
I
love
that
we
should
be
good,
we
can
use,
get
a
cellar
verify
to
skip
the
because
some
said
you
take
a
check,
but
this
is
not
tested
here,
because
we
need
to
set
up
the
set
anyway
to
have
the
project
working
so
I'm
skipping
this
one,
because
we
have
a
set
already
set
up.
So
we
should
be
good.
Let's
kind
of
this,
as
you
can
see,
this
is
a
more
complicated
setup
than
for
other
simple
languages,
but
at
least
it
should
be
working.
B
B
So
as
a
reminder,
this
is
a
small
check
job
that
will
issue
W
get
come
into
the
registry
that
we
try
to
count
to
make
sure
that
this
is
not
reachable
and
thanks
to
whoever
sent
me
is
that
information
in
slack
I
just
got
the
notification.
I,
don't
know
who
sent
it
updates
I
configure
for
the
new
pipeline.
Oh
yeah,
another
issue
here,
I'm,
sorry,
so
this
is
something
that
needs
to
be
adapted
to.
So
here
we
need
to
make
sure
to
use
the
correct
address
here.
C
B
C
B
B
B
B
C
B
C
B
Think
we
need
to
discuss
that
further
with
the
QA
team,
but
we
already
have
a
lot
of
test
project.
I
mean
this
demo
project
derived
from
our
existing
test
project
that
we
are
running
on
there,
we're
gonna
about
this
one
pushing
changes
to
the
analyzers,
so
what
we
are
doing
often
is
adding
a
specific
branch
to
this
test
project
to
test
a
specific
configuration
of
arraignments.
So
we
could
have
a
new
brain.
Therefore,
alpha
environment,
that
has
a
specific
added
configuration
and
those
are
a
stat
on
github.com.
B
C
If
we
could
just
make
like
one
or
two
because
I
believe
that,
once
we
do
the
blog
post
announcing
this
feature,
people
are
gonna
want
to
see
how
it
works.
And
so,
if
we
had
like
one
project
in
our
most
popular
language
like
hey,
you
can
clone
this
to
a
local
self-hosted
and
follow
these
directions
and
experience
it
yourself.
That
might
because
I
don't
think
they
necessarily
want
to
muck
around
with
their
own
personal
self,
hosted
copy
at
first
just
a
thought
we
can
get
back
to.
F
B
B
Here
we
have
a
specific
configuration,
so
I
will
just
grab
what
I
already
set
up
for
a
double,
because
this
is
the
same
thing,
so
the
different
template,
disable
or
gradient
darker
use
custom
address
for
the
annoy
users
setting
up
the
change
and
database
and
the
system
we
have
to
use
now
from
there.
This
cat
is
busy.
Documentation
is
again
having
the
same
type
pools,
but
it's
required.
B
It
requires
to
override
the
job
again
this
before
script,
for
the
same
reason
using
the
custom
certificates
and
this
time
we
have
this
in
the
in
the
official
documentation
step
of
the
dot-com
example.
This
is
go
again.
It
is
going
to
be
fixed
with
the
merge
request.
I
will
try
to
find
and
show
so
yeah.
What
I
was
saying
is
indicate
of.
Skele
looks
like
we
still
need
to
bundle
the
some
scalar
content,
so
those
are
required
and
we
don't
have
a
clear
work
on
right
now.
B
B
We
also
have
this
really
specific
work
right
now,
which
is
extracting
some
of
the
component
that
are
currently
bundled
within
the
project,
because
the
way
it's
working,
usually,
these
components
are
fetched
at
runtime
when
building
the
project,
and
this
is
something
that
we
will
need
to
expose
within
our
own
custom
registry,
but
it
was
too
complicated
or
even
not
achievable.
Correct
me
if
I'm
wrong,
eager
to
put
that
into
the
built-in
maven
registry
of
gitlab
and
Igor
started
to
work
the
artifactory
external
registry,
because
it
was
a
bit
simpler
to
do
that.
E
E
Yeah
I
can
elaborate,
so
so
a
lot
of
it
has
a
limitation
with
our
offline
instance.
It's
quite
small.
The
Scala
is
very
dynamic,
so
it
bundles
in
this
called
language,
the
SBT
sort
of
dependencies.
So,
for
example,
I
think
we
would
have
to
push
into
our
offline
instance
like
200
megabytes
worth
of
dependencies.
So
that's
why
we
kind
of
chose
to
do
this,
because
it's
a
small
instance,
but
we
are
working
on
a
standalone
order,
factory
instance
of
a
much
larger
one.
B
One
less
override,
which
is
not
in
the
documentation,
because
this
is
an
ongoing
fix
shipping
into
2010.
Is
we
had
a
detection
issue
in
front
of
template
for
scale-up
projects,
so
the
job
wasn't
just
not
triggered
so
we
just
added
Scala
as
the
condition
for
the
detected
repository
language
is
and
I'm
just
writing
it
here,
because
we
are
using
12.9
and
at
12
to
10.
E
But
just
one
thing:
elevator:
if
we
could
mention
what
we
do
do
in
this
request,
as
we
do
pull
from,
we
do
have
one
package
that
we
pull
from
our
internal
maven
repo
to
demonstrate
that
that
it
is
working,
and
it's
just
that
that
one
package
that
you
saw
from
maven
and
if
you
click
on
the
repositories
file
you'll
see
that
we're
actually
pulling
in
from
that
same
maven
repo.
So
the
other
dependencies
that
basically
have
to
come
with
Scala
their
customer
would
have
are
bundled.
E
E
C
B
E
B
B
B
B
B
B
F
D
B
C
B
C
B
B
B
B
It
requires
some
very
odd
credit
stuff
into
the
setup
I
file
within
your
project,
to
specify
that
you
are
enriching
a
custom
registry
and
provide
a
Christian
certificate
into
a
dedicated
file
here.
So
these
are
some
steps
into
the
condition
that
explain
how
to
setup
your
project,
but
it's
more
about
setting
up
your
project
with
this
custom
registry
and
trusting
a
custom
certificate.
B
So
this
is
done
by
adding
those
statement
into
the
celebrat
pi
and
exploding
the
certificate
of
your
instance
into
this
in
solid
cat5e
r
that
you
are
specifying
to
be
picked
up
here
by
the
setup
tools,
and
this
also
requires
you
to
specify
the
full
URL
of
where
your
system
dependencies
will
be
served.
So
I
can
show.
B
So,
as
we
can
see
here,
we
have
declared
two
dependencies
by
parsing
and
requests
and
we
have
to
specify
that
they
are
served
over
those
URLs
here
which
are
pointing
to
our
custom
pipe
eregistry,
which
is
this
asked,
and
we
have
the
internal
that
CRT
file
being
specified
here.
As
you
can
see,
it's
that
part
of
the
repository
I
can
show
way
to
do
that.
B
B
B
E
B
D
C
B
Okay,
so
I'm
now
you're
doing
sis
christen
certificate
and
dropping
that
into
the
internals
here
T,
so
I
actually
don't
need
this
one
I,
don't
know
why
I
did
that,
but
I
don't
need
it,
because
this
is
here
that
we
are
using
the
crystal
certificate
from
the
registry
and
unless
I
need
to
underwrite
the
job.
Sorry,
because
this
is
before
script,
that
is
not
supposed
to
apply
to
all
that
to
all
the
jobs,
but
only
the
one
that
we
want
to
run
from
the
specific
case,
which
is
Jimmy's
in
Python.
B
So,
let's
go
back
to
which
one
with
it
skyla
yeah,
Scarah,
so
color
job
finished.
It's
guys.
Btw
is
now
down.
Looking
at
the
pipeline
security
tab
is
showing
our
custom
package.
Chris
tell
me
or
I
can
go
back
to
you.
The
merge
request.
This
is
this
visible
here.
This
is
the
same
way.
I
can
show
security,
dependents
latest
configuration
page
all
and
T
for
now,
because
nothing
is
running
on
different
branch,
so
I'm
merging
it
I.
B
C
B
B
B
D
So
it's
possibly
it
was
a
timing
issue
and
so
I
couldn't
Athena
Kate
against
the
registry,
so
the
job
ran,
get
lab,
run
or
had
the
token
the
get
lab
runner
then
called
the
registry
and
said:
can
I
download
this
Reggie
said
I,
don't
know
of
this
token?
So
this
is
speculation
but
haven't
been
able
to
trace
it.
So.
F
D
Token
didn't
change
so,
if
it's
a
stateless
token,
usually
there's
like
a
timestamp
that
says:
I
can't
not
before
this
and
not
after
this.
So
if
it
is
a
stateless
token,
it's
possible
that
our
NTP
servers
aren't
synchronized
between
our
hosts
and
within
this
network,
because
we
haven't
configured
NTP.
So
there
could
have
been
a
difference
in
time
or
if
it
is
a
stateful
toking,
meaning
like
the
register,
you
have
to
go
hit
a
token
introspection
endpoint
to
verify.
D
F
E
B
B
C
C
C
F
B
C
C
C
F
Need
a
closer
eye
on
that
one
next
time
around
and
but
for
the
rest,
we
need
Kevin
to
sign
up
and
make
sure
all
the
documentation
is
merged.
C
B
C
Clarity,
SBT
is
not
one
of
the
top
languages
that
the
first
user
of
the
product
has
expressed
interest
in
nor
the
potential
second
and
third
customers
who
are
going
to
be
using
it
of
them.
I
know
we're
putting
Scylla
in
their
top
languages,
I
mean
we
still
need
to
do
it
and
it
still
needs
to
work,
but
just
for
everybody's
context,.
B
B
B
Let's
sink
her
I
think
after
the
meeting
I'd
say
just
double
check,
Rihanna
my
skill
believe
it's
doable,
but
yeah
we'll
try
to
do
my
best
to
have
this
available
as
soon
as
possible,
or
maybe
someone
else
or
do
a
team
or
otherwise
license
compliance.
It
was
just
seeking
again
the
documentation
which
is
the
emerge
and
they
are
doing
the
demo
for
patent
peep
from
scratch.
It
needs
at
least
three
minutes,
I.
Think,
okay,.