From YouTube: Secure::Static Analysis weekly meeting for 2020.11.09
Description: No description was provided for this meeting.
B: Monday, so we've got a decent agenda here, so we'll go ahead and get started. A few announcements. It is a federal holiday on Wednesday in the United States; it's Veterans Day. So there's a number of folks that are going to be out. If you haven't booked time off, please consider it. It is a holiday that weekly syncs.
B: So if you're interested in attending that, you can find those on the Secure stage calendar. And the last announcement is office hours: backlog refinement office hours, I'm canceling those this week, and I'm beginning the process to transition those, to open it up to be more of a field enablement type of exercise, so that there's a place for folks to get live support. That doesn't preclude us from having conversations about refining issues there; just know that we're broadening the scope of it intentionally.
B: So those are the announcements. And Ross, you've got first, though this looks to be largely handled.
A: Yeah, I was just gonna say I added the item, but Zach took care of it, if he has anything he wants to add, but it's not much.
C: Yeah, don't need to add anything, other than it's released, a nice community contribution. So this actually did, and I need to create this issue. But when I was looking at the modbus up code, and I know Sakai you're working on the integration test, but we don't have unit tests either. So that's something that needs to be added, which I'm not sure if that's captured anywhere in an issue. But that's on my agenda, so I'm just gonna create that after this meeting.
D: And there's an issue, I think Zach already mentioned in that MR, for tracking the integration test.
A: Yeah, I don't know if there is an issue for unit tests, but it is something we're, you know, very aware of, and one of those accepted risks of releasing it under the beta. So, but yes, definitely needs to be.
B: This is my best impersonation of Taylor, so just giving everybody a heads up on 13.7 priorities. Two things; they shouldn't, I don't think they're surprises. Number one, better licensing for SAST and Secret Detection. This is a decomposition story, because right now licensing is for the category. It's not for the individual features that make up the category.
B: So that should enable a lot of things if we were to start decomposing that and make things more granular. The second one, monorepo support. And we talked in office hours last week about how there's two classes of monorepos; it's the one where there's multiple discrete projects in a repository of the same framework or language that we need to improve, because there's a lot of deals that are either suddenly in the pipeline or have always been in the pipeline that are being escalated.
B: Okay, all right, last one for me. So I have OKRs. I have not written them yet because there's been a lot going on, both from, well, country-wide context as well as within GitLab itself. So, but in any case, thematically there's two of them that I'm looking at. Number one, dogfooding.
B: And secondarily, if we do find security issues within them, we should contribute back to patch those, based off of what we find. So we'll see exactly what that looks like; that's the direction of it.
B: The other one is field enablement, that is directly related to the office hours change, with the objective of trying to make the rate of ad hoc requests from sales and solution architects and professional services slow down or stop, and redirect them into an area where they can get support. And that would also provide us with an opportunity to, and I'm willing to do this, demo new features, provide live demos, so they can see it and start asking questions and begin to understand it and have seen it work, which is a good thing as well. So anyway, just want to give, you know, insight into what I'm planning to write, but I'm probably not gonna be able to write them until Wednesday.
E: So, on the note of planning issues, we've been doing this now for quite a few releases. I personally like them. I find them very useful. We're to a point where I am now far enough ahead that I actually have plans for more than one release out. So I'm to the point where I'm ready to put that somewhere, and I want to see, would y'all prefer individual pre-opened planning issues?
E: Or would we like to see that in a single issue that we split out? So, like, one thought would be to have sort of an upcoming releases issue that we just keep going, that has the next n number of releases, so that you can kind of see it all on the same page, and then, when we finalize what we're planning for a release, pull it out into its own planning issue.
E: Part of what I'm trying to reconcile here is to figure out how to edit less things, and that would kind of be my answer for linking this off the direction page; it would just be, here's our upcoming releases issue, rather than this sort of continuous 13.x issue that has to be updated monthly.
F: Yes, I don't 100% know what that would look like, but that's probably because we're trying to figure that out.
E: There is one other thing that I'm working on, which is me writing Ruby code, so be scared. I'm trying to get the direction pages to do the issue filtering the way it does on our release pages. The Ruby code that we have that generates that is just the biggest mess you've ever seen, so I'm just trying to get it to where each individual category direction page would show upcoming issues, rather than us having to maintain a manual list, which is what we do today.
E: So y'all already started engaging in the removals issue that I opened and chatted about earlier. That's, I think, got good discussion on it. I think we'll finalize which of those things we actually want to deprecate in 14.0, and then we'll back into it. Thomas and I have already started looking at some of that info. In terms of this planning issue, like, it would work just like any other that we've used; it'll be a proposal, sort of a work in progress, continuously updated.
B: I like the planning issues. I like them, but I will say that I like the planning issues, like the structure. I like that it's not planning out individual issues so much as identifying what our epic priorities are, and that we should be able to respond according to that.
F: Yeah, I guess the only issue, I completely agree with that. The only issue that I'm not sure about, that maybe Thomas's covers, is I like seeing per release but understanding what long-term themes are, and having some visibility into, like, what?
E: Okay, this is helpful. I will put something together, and if y'all hate it, let me know.
C: Cool, I will share my screen then, or I guess I'll first kind of get the motivation for this. So I think it was Thursday I was working with Daniel, and there was a discussion on, well, how do we test, like, a local version of changes you'd put into common? And I think this was specifically for the disablement of rulesets.
C: So this is something that I've had to Google three times, and, you know, by the rule of three, this should probably be documented or automated somewhere. So I put an MR into common just for the README, so folks don't have to Google and figure out how to do it themselves. But anyway, I will share my screen and do the demo.
C: So, let's see, I have the node.js scan analyzer right here, and right now it's using locally version 2.19 of common. But, you know, what happens when we want to, like, point to our local version of common? How do you do that? Well, luckily, go.mod supplies a replace keyword that you can use, so you can say, okay, I want this dependency to be loaded from this path, and so this is where I have common loaded from. So if we just save this and then.
C: Let's see, I think, go install, so it does need to. Actually, I don't know if you even need to go install or, like, build. I think it should automatically point to the correct thing, but.
C: So, right, I'll show you the local change that I have in my version of common. So in this second shell right here.
C: report.go, so I just added, real simple, a new field to the Report struct, and we want to see that reflected in the code that we are using for node.js scan. So, easy way to do this: just look at the convert file, here's the definition of NewReport, follow it through to Report, and boom, we see NewField, which is what we added. And we can also verify this by looking at the path. So we can see it's loaded from our local path to common.
C: Let's see if we don't even need to go install, so go back to convert, Report. Okay, so yeah, you see right here, it's loaded from where Go modules import their dependencies. So this is what we would expect. So this does not, if we go to the Report definition, Report, this does not have the new field, so verifying that works.
C: Let's see, so that's using the replace keyword. There's also something else that you can do, which is useful. So say you're reviewing an MR to a dependency like common that you want to test, like, locally, right? Instead of, like, having to, you know, pull down that commit, what you can do is, again in the go.mod file, update on this line where it says require, so you can actually specify a commit.
C: So, for example, let's see, I think I was looking at this one. So Lucas opened an MR, and if we want to test out this commit, we can copy the SHA and just paste it right there. So you'll notice this is invalid, right? We're getting a warning here.
C: It's saying this is the wrong syntax, but if we, let's see, put out and do go mod tidy and then look at it again, we'll see that this formats it to a friendly, I guess, version that go.mod can read. So what this does is.
C: It formats, I guess, what this does, go mod, it figures out what the latest tag version from that commit that we pasted in is, and then it will.
C: Format it with a timestamp. So you'll notice that this part right here, that is a timestamp, that's 20201106, that's the time of the commit, and then this is the 12-character commit SHA. So it's not the full commit SHA. So there's a specific syntax, which I tried doing on my own, and that did not, you know, that's time consuming. So you can just copy the commit SHA and then go mod tidy, and boom.
C: You have the changes remotely, or the changes from remote loaded locally, where, you know, go mod handles all that, basically. So all that to say, you know, when you're developing, we pretty much, you know, we would be able to see this long-time debug change using this. So anyway, that's the demo. I know this is something that I've had to do, and I figured probably others will have to do this, and I didn't see it documented anywhere. So that's why I created the MR and.
F: Yeah, I had one question on this. So this is super useful, and I can never ever remember how replace works. So thank you so much for doing that and writing that down. How does this affect our workflow with, like, multi-stage Docker builds? I was just talking with Daniel the other day about it; it gets kind of awkward having to do, like, a volume mount to use a replace directive. Yeah.
C: So my strategy is, for local development, I don't use Docker.
G: Yeah, my approach has been, I do have a couple of scripts, one to build and one to, like, run against a test project. When building, if you have that directive in there, unless you add your local common in at the correct path, it's going to fail to build, so you would have to build before adding the replace.
G: Once you have, like, a good build of, like, the image that you're using, then you can, you know, create an interactive shell into, you know, say, bandit for example, or node.js scan like Zach had, and then, as long as you also mount a volume, then you can, you know, run with capital GOOS=linux.
G: So that worked pretty well. Also, one other way that I found to point at a specific commit.
G: I think the difference between, for me at least, and Zach, you can speak to this from your perspective. For me, pointing at a commit is like validating stuff that's already pushed up, like, does this work with this, or I'm trying to, like, now work with this newer version, etc., or testing, you know, reviewing an MR at a deeper level, versus when I was having to do the replace I was actually.
B: I'm going to use this as an opportunity to plug that we have a group for tools, and since this demo sparked conversation about other tools that folks have here to help with their local development, can we get them created as a project and uploaded there for others to use and standardize some of this stuff?
G: Do you mean, like, the scripts that I'm using? Yeah, oh yeah, okay, I can share my scripts. Where is that, like gitlab-org/tools, or is it something more Secure-focused?
B: There's a link within our agenda doc for this meeting. Oh.
B: And if folks have other scripts and tools that you use, please, let's make sure that we're helping each other here. This is great, so excellent.