From YouTube: Secure::Static Analysis weekly meeting for 2021.01.25
Description
No description was provided for this meeting.
A: Happy Monday. Hope everybody's had a good weekend and your week's starting well. So there are a few announcements, and I kept adding to this as I was getting the agenda prepared. This grew on me a good bit, and I'll pause if there are questions at the end of it. Sakat's out too, so we know who's out today. Who's...

B: This week, so it's only Sakat out this week, and he's out today; should be back tomorrow.

A: 13.9 is officially underway, since January 22nd is in our rearview window. That means what we have prioritized to that planning issue is what we're working towards. I'm pretty sure everybody was aware of it, but it's just worth calling out. The UX department - and I pulled a few things from the engineering week in review - SAST findings came up as something that was discovered, and so it's just worth noting that. I thought you all might be interested in seeing the work that is done to review what happens within an MR, and so I thought that was worth calling out, and I think I'll link to the UX retro.

A: staging.gitlab.com Geo is going to do an experiment a week from today on maintenance mode, which makes it read-only for a period of time. A link to the epic and the work involved with that is available there, and so I'm assuming that this is going to be a new feature that will eventually come to production as well.

A: So this is a state to be aware of, and how it might impact us is worth following. And last, but certainly not least: a few weeks ago, when we all came back from the end-of-year festive break, we noted that we wanted to continue happy hours, and we were interested in having them monthly.

A: It is now on the Secure stage calendar, with the first one starting next week, February 3rd, I believe; that is a Wednesday. It's Wednesday evenings, continuing on with that. So those are the announcement items. Any questions on those before continuing on?

C: You know, just, I think with that in particular, communicating with the family, I think, helps. Yeah, just saying, like, if I'm going to say a half hour, I'll probably be like...

C: Have... making sure I understand the expectations on that. I'm happy one way or the other.

A: I'll schedule it for an hour. Wednesdays are my work night. Everybody can come as you are, come when you can, come off as you can; we'll be here. We'll do some games, we'll do some talking, we can rotate who's hosting if y'all want to do this. I was entertaining the idea in an earlier conversation today; I mean, we could rotate into actually some conversations on some serious non-work-related things.

A: If you all are interested, because, I mean, let's face it, it has not been a quiet time in U.S. current events, and so, if we wanted to get into some of that, we could, and try to solve world peace over beer, which is always entertaining. I'm happy to. I mean, open forum, and we'll figure out more of what we're doing when we get closer to time.

A: All right, let's get into the retro. This is something I neglected to do last time, but since we're continuing to do these at the group level, as opposed to the sub-department or stage level, with me it's always important. It's always fun and important to kind of set the tone and what we're trying to do with retros, and that involves talking about the retro prime directive, which states: regardless of what we discover,

A: we understand and truly believe that everyone did the best job they could, given what they knew at the time, their skills and abilities, the resources available, and the situation at hand. At the end of a project or a release, everyone knows so much more. Naturally, we will discover decisions and actions we wish we could do over. This is wisdom to be celebrated, not judgment used to embarrass. And that is from Norm Kerth, on project retrospectives.

A: And we have a few... we don't have so much commentary, so I think we can talk about everything that's here. I was going to go in chronological order unless someone would like to object. Okay, Daniel, gear up.

C: You know the Secure stage, but I don't know that we actually fully decided where we were going or how we were going to use or not use the feature, and so it's kind of been all over the place, and I think some of my requests for reviews kind of slip through the cracks until I'm like, oh, I'd better use the older process.

D: I think there was a global issue about this, and it would make sense to sort of try and align with the company-wide strategy here. I'll try and dig out the issue that I'm thinking of, but I think the summary was: let's continue using the assignees feature as we always have, and kind of just ignore the reviewers feature, or use it if you want, but it's just an addition rather than a replacement of the assignees feature.

C: You just added the link. Thank you. It's kind of interesting that we added a feature that we're not wanting to dogfood. Seems a little surprising. I'll read into that, though. Oh.

D: There's, in that issue somewhere, a description of how people see the design of the reviewers feature going forward, and there's a bit of overlap between the approvals MR widget and the reviewers widget, and the idea is to merge them at some point, so you can see who's reviewed, who hasn't approved and who has, and to use it more as an audit trail. Which I think is pretty neat, but yeah.

A: ...of discussion in this, and I'm going to take the time to read this asynchronously, hopefully later today, as a brainstorm, and I'd be willing to put this in an MR.

A: Would it be worth approaching approvers versus reviewers, where, if you put someone in the approvers field, you're requesting them to review and merge, whereas a reviewer is an FYI? Like, if you have somebody that would be impacted by your work, but they're working in a related but not the same area, you want to let them know the change is coming through. It's an FYI.

C: It could be. We'd want to document that on our team page, right? I think the only issue I see with that is that we already see how many different ways team members like to receive notifications, right? Either they're following their emails, or they say "only mention me", or all replies to everything, or, you know, there are all these different ways to communicate and notify people, and it's kind of a similar thing, in that, you know, it's multiple ways to notify.

D: I'm not sure I've parsed your question quite right, but my feeling is that we should aim to do exactly what the consensus is with the rest of the company, because as soon as you send a review to another team, you're going to have friction if you don't have the same expectations.

E: I was more advocating for that. My question was more to Thomas; since Thomas suggested a way we could use it, I'm more wondering if we have a compelling reason to use it in a different way than the rest of the company.

A: I was brainstorming to use it. I wasn't brainstorming as a suggestion to supersede how the rest of the company was using it. I'm writing this up as a comment in the retro issue now, and I want to find in the handbook how we say we're using it as a company, and I think it's worth calling out explicitly within the Static Analysis section of the handbook, saying, for reviews: here's how we do it, and it's just pointing to global GitLab.

A: So, if we're looking for guidance, I see us as an override, but it should not be the default. We should not be defaulted different from the rest of the company at all. We should be... and I think we have some differences that do work for us, but this is not... I don't see anything compelling yet.

B: Yeah, Sakat, Mark and Yannick and I did some mob programming the past couple of weeks, a couple of different times, and I certainly enjoyed it. It's nice to not just work alone sometimes, and it was, you know, learn new stuff. Definitely not advocating doing it all the time, but when opportunities are appropriate, it was good.

E: Yeah, so changing default branches had some surprises. That was just setting the default branch to main instead of master for the modules that we broke out for our analyzers. Just a couple of surprises, like our Dangerfile looked for branch master instead of using the CI default branch environment variable. So abstraction is useful, and a good reminder to do that when we can. Yeah, and it's just nice to get those unexpected changes, because it helps us realize that things are different.

E: So this is more of a plus, a thumbs up, slash ways we can improve, but yeah, positive. Any comments on that one, or jumping to the next?

E: No, this is purely because these are like brand new projects, so it's a really easy change to make. Okay, that makes sense, yeah. This is pretty off the books. It was just mostly a quick test to see what would break with minimal consequences, since no projects are actually using these modules yet either. All of our analyzers need to be updated to use the individual modules.

A: Do we need to document some, for lack of a better term, best practices, like not hard-coding branch names? "Don't assume that the default branch is master" would certainly be a best practice.

E: It gets to the point where I wonder how much of our docs have things like "use descriptive variables" and other kinds of general programming best practices. We could do that in a style guide, but I'm not really sure where the boundaries are of documenting everything. I'm sure if other people disagree with that; I'm happy to hear opinions.

C: That's got over a decade of, you know, solidity to it, where it's changed this last year, so probably unforeseen in some regards, felt safe, and possibly, you know, done before the CI var was created. So I don't know if this is necessarily... Lucas, would you agree with the statement that this wasn't necessarily bad practice when it might have been created, but could be going forward, like, hey, you have a variable now, let's use the variable?

E: Yeah, I mean, I think the variable is older than our Dangerbot integration is, but yeah, I don't think it's necessarily bad practice. It's something that hasn't changed.

A: Well, yeah, and I would agree with the sentiment that the first time something happens, taking outcomes of that to a style guide is certainly an overreaction, and I would argue that it's still an overreaction the second and third times that it occurs. But if it recurs beyond that, then it becomes a signal that we should document it in some source-of-truthiness location. Colbert reference intentional.

E: Yeah, I think it's a good question. Just for now, no action is needed. Okay, cool. So the next one: CI templates test coverage, or lack thereof. We have linting to make sure that our YAML files are YAML, but that's more or less it. So editing our CI templates is pretty high risk. It's annoying.

E: A lot of that requires our analyzers to depend on the default branch configuration. So that means that we have to merge things, run downstreams and see if they blow up, and that is far from ideal.

A: I'm not trying to pass the buck, but I'm honestly struggling with how to respond as far as what's the improvement. So, knowing that we have software engineers in test and the quality department, what we've done was seeking their input, and this is something that doesn't just impact us; we're not just impacted by us, we're impacted by anyone who uses and modifies these templates.

A: That world doesn't revolve around us, we'll just put it that way. However, that's what most of this team is most aware of. All right. Is there anything else, from any other retro commentary, you'd like to bring up live while we're on the call?

A: Okay, close it out. All right. Thank you all for doing that. Thank you for being a part of it. This is something that we will do as documented in our handbook. We're going to do this as our weekly for the very first Tuesday after the 22nd, so that way you can just count on it. It'll be at this time, and I'll keep...

A: I think the 13.9 retro issue is open, and I'll make sure that it's linked in multiple places. So thank you all for doing this. Thank you for being a part of it, and we'll figure out how we respond to this, make sure that we're doing the best we can, and making sure that we're...

A: All right, well, thanks everybody for your time and attention. I appreciate it. I'm going to stop the recording. Taylor, if I could borrow you for about five minutes for a conversation, I'd appreciate it, and if anybody else wants to stick around here, you're welcome to do so. So thank you; we'll see you soon.