A: This is high technology for your hair. So a while ago, I can't even remember when, beginning of the year or last year, I was asked to kind of put together a definition of what moving to Complete means for dependency scanning, and I basically went and looked at a bunch of commercial dependency scanning software. I looked at the software types that our customers were using, that GitHub customers were using, that are popular just on the internet.

A: In general, I looked at the company initiatives, I looked at UX benchmarks, I looked at a whole bunch of things, and the end result is this, which I'm planning to put in the epic, but I had wanted to review it with David first to see if I had even gotten close to what the objective was. This is not written in stone. These are things that I think, based on all of those inputs. Feedback is definitely welcome, but basically what I thought was: first is something that the competitors always say, that it's really easy to integrate us, and one of the GitLab selling points is that we have tight integration into the SDLC. So I figured that we currently have it, we continue to maintain it, and that is like a checkbox; we need to continue to maintain that. I want us to cover the top languages, and when I say top languages, again, that was input from what the top languages at GitLab are today, for which the data team put together a report.

A: For me, what are the top languages at GitHub and in internet reports in general? These are not necessarily in order here, but I did put the ones that are dogfoodable up at the top, but these are kind of the ones that are the most popular. We have JavaScript, we have PHP, we have Python, we have Java, so those we already have. I already have Ruby gems, and then the ones with the red stop signs we don't yet have, and then the yellow exclamation points are like, we have some bugs reported there, slash there are some technical shenanigans.

A: I know in Go there's like a way that people do the libraries that makes it hard to necessarily track things, so that one I think needs a whole separate conversation, but I think having some kind of Go support, we need to... we're just gonna, I think, run into a bunch of technical shenanigans. The next point is...

B: One thing that we have that's listed there, and this has already been requested, it's not exactly the same topic, but it's system dependencies. For example, it could be interpreters: we don't tell if Ruby itself, the version of Ruby you're using in your project, is [inaudible] or not. We could do that. This is a kind of information that is also publicly released, and she is so.

A: So when I was looking at it, I specifically called out JavaScript npm, because when I looked for what the top provider of JavaScript dependencies is, I googled around and most places were saying npm is the most popular. So I know that there are multiple providers for these, but the reason why I called out some specific providers is not that I don't want to support other providers, but I feel that we need these.

A: These are the top providers, at least as of today, according to internet searches, and so I want to make sure those are solid. But so, yeah, expanding the language coverage. And then the next point is trying to get some more dogfooding going, trying to improve our regression testing for our top supported languages, and then trying to figure out how do we benchmark performance. I know that we have an issue for this already; I just want to call that out.

A: I know that's marked as like a backstage issue right now, but even though it's not a quote-unquote customer feature, I think that work to benchmark and monitor and look at our limits is important, and then some other things like how fast our analyzers are on a particular test project and does that change over time. So I'm not looking at a speed, I'm looking at: does our speed change drastically when we do an update, like from twelve ten to thirteen?

A: Oh, do we go from X number of minutes on this one particular test project that hasn't changed to twice as many minutes type situation, and can we do concurrency, and just things like that. Are there other areas, kind of in the reliability / not making it a miserable experience, that you think are worth calling out that we haven't started looking at, or that we are looking at and I should call out specifically?

A: So then, the next one is easy to use, and that's the UX scorecard. So I should probably find a link to the scorecards; Kyla and I are going through and possibly making some additional UX scorecards. Well, we have some pretty not great scores right now, and I think we are fully aware of that. Like right now the process of setting up is rough and it requires being technical, copy-pasting, but once everything is configured and set up you have a result.

A: The next one is being able to do the suggested solutions for at least three of our top languages, so these being our top languages, do it for at least three of them. I don't have a particular preference about which three; I think whichever ones engineering wants to do a proof-of-concept on and decide, like, this is the most valuable or this is the easiest, as long as it's in one of our top languages. Does three sound crazy for the next, like, six to nine months?

B: The problem with those is, again, dealing with different package managers. We can have a lot of... I mean, once we have one down, we have a lot of logic that we can reuse. Then it's just a matter of figuring out how to stick to this particular package manager. So I'd say it depends on the rest of the roadmap, but yeah, three sounds reasonable, and depending on how easy it is we can even go further than that, I mean.

A: ...of concept or whatever. I think I actually do have an issue in 13.1 for us figuring out what language we want to do next, and however we're going to do that, if everyone does little test projects and goofs around for a month and then says, hey, this is what's necessary for this, and we thought it was going to be easy but it's not, so let's look at something else instead, that's fine.

A: So, custom restrictions. Sure, you've heard this from customers and account managers and Slack: people want to be able to place restrictions on their dependencies, and right now we have the merge request approvals only for critical and high. So I want to work with Kyle on: could we let somebody say, for this project I'm only going to want a merge request approval on a critical, and on this other project I want it on a critical and high, and on this other project I want a critical, high and medium, so they can kind of pick per project where they want that. I know that's going to require a bunch of changes to happen, but I'd like us to look at that, because I think people are gonna want that more as the compliance team starts upselling the compliance integration story. This is kind of a partner to that: once you start talking compliance, people are like, oh, I need to be able to restrict certain things from certain projects.

A: So I'd like to start on the prerequisite work to identify if we're out of date by a minor or a major, and maybe even if we're EOL, and once we can start identifying that, maybe start allowing restriction of it. But I think at least being able to identify that, hopefully, over the next nine months. And again, this could target... we could start with one top language if that's easiest, because I know this is probably going to be based on the way that they're pulling stuff in the framework.

B: There are also a lot of ongoing discussions about the internet aspect of this, because it requires being aware of new versions available, so it might come with a lot of prerequisites. Indeed, a good thing is, well, the Tunisian team did it, so you already have knowledge about that domain. It's just a matter of figuring out what is the best approach to put that into GitHub.

B: There are also plenty of tools available today that will just create tons of merge requests for you as soon as they know there is a newer version available for one of your dependencies. So if this is something you wanna do, we can just integrate those ones and voilà, you get something. But is this something...?

A: Do they want it to just update? Based on some of the discussions we've had for the suggested solution and remediation stuff, I'm not sure people really want it to just update, or at least not all people want it to just update; some people just want to be aware and then come up with their own plan. And so, I mean, now if you tell me it's a lot easier to start with just random updates, maybe that's the MVC, and you know, obviously people would opt in. I want all of our features to be opt-in.

B: We're about to find a good term for this, yeah, and there's plenty of areas to dig into, like, hey, maybe this is not the most used dependency right now, there are new ones available that can replace that one. You know, there are very thorough improvements to be made there. There is a big overlap on this side with the remediations, because remediations are often about upgrading the dependency. So once you have the remediation in place, which sounds to be operating against one, you will already have the logic to update the dependency.

B: You would just need to know, hey, do you have a newer version, a more recent version, and whether you want to upgrade to it. So it's basically setting policies like, I want to always update to the next version, or just a minor, or a major, and then we use the same existing logic about updating the dependency, so yeah.

A: And I did not want to get into that workflow engine yet. I wanted to just start with letting people know about the freshness or age of their stuff and then find out what the next most important thing was, and if the next most important thing is "I want you to auto-remediate", cool. If the next most important thing is "I want you to, you know, send alerts out to people" or whatever, like, you know, I don't know how proactive or reactive they want it.

A: The next one is managing things at an instance and group level, because self-hosted versus SaaS, obviously, but right now all settings are per project, and there have been people saying, like, I want to be able to, at my instance or at my group, make sure license scanning is on, dependency scanning is on, find out, you know, make sure merge request approval groups are set up and everything. So we're gonna start talking to customers about that, and again this kind of pairs with a lot of the compliance stuff.

A: The motivation for this is partially compliance based, but it is about kind of knowing what security scanners are happening and that there are restrictions or merge request approval restrictions in there. So that's kind of a big one that we've got plans to start talking to customers about. Maintaining offline: we've got it where you just have a couple of languages left with license compliance, but I think we've identified some pain points that, kind of slowly over the next however many releases, we'll start trying to make the process a bit less technical. But I believe that any customer running an offline environment is going to have to have a technical team, like in order to have that situation they do have to have a technical team, so this does not need to be a push-button WYSIWYG wizard. It just needs to, hopefully, not bounce you to ten different parts of the documentation.

A: The first is some people, for industry reasons, for compliance reasons, for audit or other reasons, have to run a certain brand of scanner for a certain type of scan, and they will not want to choose GitLab if we don't have a way for other scanners to integrate. You know, whatever the reason is: they signed a 10-year contract, they're obligated by their industry. Like maybe one of their scanners has to be X, but their other scanners can be ours, and so I want us to continue to slowly move forward our support of having third-party scanners be able to integrate. Again, I don't want us to do integration work like that; that is up to the vendor, that is up to the customer, but I'd like us to make sure our documentation is good, identify anything that we feel needs to be available, like a linter or a checker so you can check your artifact, things like that. And then stuff that I specifically am not including in Complete, because I expect it to fall after, like, the end of this year:

A: Education: like right now we just link to third-party sites, like "this is what a cross-site script is", so it would be nice if we found, you know, Wayne did that little blog post on what the top faults are, so for dependency scanning could we find what the top industry practices are? I'm just gonna make one up: the top industry practices, don't have an end-of-life dependency; like that probably is a thing, and be able to explain to you, like, hey, we identified in the next 90 days, if you want a test MR with an upgrade to, you know, the next version up or whatever. Because right now we're just very factual: this has this, where this has that. And so I'd like to, where possible and reasonable for top issues, be able to provide a little more context to a developer along with pointing them at the next step. Industry standard mappings: I want us to work with the compliance team about, can we map MITRE, OWASP, PCI, HIPAA, any of those things, like certain CVEs or CWEs?

A: There's been the malware topic kicking around. I'm not sure with dependencies; I think where malware might come in is like, has someone hijacked a dependency, which happens fairly regularly? So if there were a way for us to notice that a particular dependency was hijacked, we could say, hey, warning, you use this dependency and it was identified as hijacked, which isn't necessarily... we don't know that your code is vulnerable. Maybe we could, I don't know, but we can say there's a risk here because the ownership of this was hijacked, or man-in-the-middle. Source reuse: like, hey, by the way, it looks like you are using, you know, this stuff from SourceForge. That might fit better into SAST, it might fit better into us, I don't know, but basically you are reusing code. You know it is a dependency, it's not your custom code, but you've done it in an insecure way. And then notifications and rescans: like, by the way, we recommend you scan once a month whether or not you do a branch, just so you can get an update on any dependencies that are stale or whatever. But those I kind of put here because I thought these were more important. All right, so what did I miss, or what's crazy?

B: One interesting thing we would put under reduction of false positives, as has been recently mentioned by Fabian and credit industry, but this is trying to find an overlap between SAST and dependency scanning, and I think this is something also mentioned in the analysis report: yes, you are able to tell that the project is using this library, but if you were able to tell that this specific project is using the specific method of that library that contained the vulnerability itself... You could have this: you could use that vulnerable version but not actually the code that contained the vulnerability itself. It's... I think, yes, it's laudable, because it includes a lot of digging into the library itself, how you can use it, and then be able to determine what is used or not used in the project itself, which is why I talk about overlapping with SAST. But yeah, I think you agree that this is under false positive reduction.

B: We have the license list, at least the dependencies that are using those licenses, so focusing on, hey, here is the list of components. I think we also have a certain description about the bill of materials and things like that, and this is clearly an intersection between the two. I would like to see us moving more into that direction somehow too, because this is what the customer will be more interested in and what would be more actionable, like: this given component is something I can easily [inaudible], and where it comes with a licensing issue or a vulnerability, so.

A: Unfortunately, because of where the company wants us to hit with dependency scanning, that is not gonna happen this year, but I agree with you. SBOM is becoming a big thing, and a big part of it is: I need to know vulnerabilities, I need to know if there's license issues, I need to see that all in one view. So I popped that down into Lovable. Maybe that will change based on the importance that SBOM is picking up, but if not, we definitely do need to do that.

A: So if you think that maybe the order here is a little bit off or wrong, or if it would be easier if one came before another, you can always let me know, and if there are no major problems with this I will go put it into the epic today with a little more explanation and wording and everything else, and then we can kind of move all comments and tweaks there going forward.

B: I don't see any objection about looking at the things in this order, like just start by looking at all these languages before starting remediation, doing remediation on the known languages and the supported languages we have today. I just want this to not be a blocker, like, while requirements... a strong requirement we have to support dependency scanning for a given language is to have a publicly known source of vulnerabilities, kind of dynam... I'm saying something stupid.

A: If we find that there's a big gotcha, if we can start working on the gotcha, we should do that, but if it's waiting on some other team or some other thing to exist that just doesn't exist, we can just stick a blocker on it and be like, we can revisit this. You know, we'll look at it again in three months to see if anything's changed, but as of right now it's on hold.

A: I read, you know, our competitors, I read all sorts of stuff, and those were the recurring themes of what mattered to companies that they were selling on, what mattered to users that they were buying on, and so that's kind of where, in my mind, we need to go to be Complete, because the definition of Complete is we can compete with a standalone product. And so this is what they're selling on and we can compete on; these then I consider as competitive.