From YouTube: Bill of Materials brainstorming
Description
Secure group brainstorming about the Bill of Materials upcoming feature.
https://gitlab.com/groups/gitlab-org/-/epics/858
A
So the starting point is that I've got a feeling that I've repeated the same things a few times. Which is totally fine, I mean, it happens, but at that point I thought that maybe it would be better to have a conversation. Maybe starting with you, Andy: I don't know if you had the time to read my comments. Okay, do we have any questions at this point?

A
Well, I should've... yeah. It's been... we say "package", well, either in the generic sense, or in Ruby we say gems, because why not, I mean, they're all equivalent, yeah, okay. And so we say... there's some kind of ambiguity. We say that Rails is a package and it has versions, but you can't consider only that when you look at the technical details of the technical implementation.

A
A version of Rails is fetched as a package. It's a .gem file.

A
Yes, some kind of archive containing all the files, the source code, because it's not a compiled language. That in itself is a package, because it's self-contained and it contains the library, ready to be used, with its manifest files. Depending on the perspective, depending on the perspective, Rails is a package which has versions. Or Rails 5.1 is another version. So is it a package in itself, too, loaded by a package manager? It depends on the perspective. Okay, but in the case of Ruby, the package manager is Bundler.

A
The packages are the gems. Now they are loaded mostly from rubygems.org, because this is the main, the big registry for open source packages. But it's possible for a single project to combine multiple sources: the public rubygems.org registry and then some private registries. Yeah.

B
So the core disconnect in this issue is: what do we have as columns in the list? Because we're just going to have a flat list or CSV, and you can download it, that's great, but the core is what do we label each column in the list and what is the list going to be composed of, right? Exactly, yeah. Now, that's... that's.

A
The file and the package type, but in some cases it doesn't make sense to use a package type, language makes more sense. So we would avoid this discussion on the proper name of a column, like package type or language or package manager. It's just the name of the file, because that's something we know for sure: it comes from the file.

A
That's one thing, but also because the list is likely to be pretty long, and if we expose the file... Well, with most package managers we've got sets of two files: the main file, where developers explicitly list the dependencies of the project, the one maintained by the developers, and another one usually called a lock file, containing all the dependencies. That one is generated by the package manager when resolving the dependency graph, when traversing and resolving the graph, trying to find the answer.

A
The developers just have a look at the main dependency file, the Gemfile in the case of Bundler, and if you filter on the other one you'd have all the other dependencies, maybe not at the top level, maybe really nested in the graph, you know, far from the top-level dependencies. So we would have this feature.

A
This capacity, this ability for users to filter on the main dependencies, on the top-level dependencies, is just because they can hide the lock file and focus on the main dependency file. Right now that's all we've got, because right now, in the Gemnasium parser that we use, we don't know the relationships between any given dependency and the top-level dependencies.

A
It's not unusual, I mean, maybe it's not the most common case, but it happens. And I think things are complex enough, given that we've got all the packages not explicitly required by the users mixed with those explicitly requested by the developers. We shouldn't make things even more confusing by, in a way, merging all the files in a single list.

A
Well, if you've got multiple files, if you've got two projects in the same repo, that's the only way to know which is which. That's the answer, that's all we're doing.

A
Now there are no restrictions, meaning that's done with Gemnasium, because we're going to use the parser, Gemnasium's parser. If there are multiple files, we have the multiple files in the output, okay. And just to gain some perspective, it makes things more complicated because we've got to deal with, you know, this multi-project repo, but choosing which project, among two or three, is the right one is even harder, I think.

A
So I can illustrate this, but in the context of dependency scanning, you know, but it's not what we are aiming at. We want a dependencies list. Sorry, but that's something we can... I mean, we can find a project and I can generate the output for you, if that helps. Yeah, yeah.

A
Also, what you may have, what would be comparable to false positives. Let's imagine, and there's nothing crazy there, let's imagine that you've got one main project in your repo and something else in another directory, which in fact is a test project. Like, your main project in the repo is a server and somewhere you've got a test client.

A
Then you've got two projects, and you're not interested in the second one, because the second one is not going into production, it's not deployed. I mean, you don't care much, and in that way, if you expose the files, it's easy to just ignore what corresponds to the client.

D
A person may be thinking: if we have a project that has multiple technologies, like, you know, backend and frontend, and you have Ruby and Node, for example, or Ruby and JavaScript, and you want to consider all the dependencies, all the packages, for one single application instead of one single file. So what is the reason for having the file explicitly exposed as part of the list? That's what I'm not getting, yeah.

A
That's because to me it's great as a first step. Sorry, because we cover so many cases in the CI. I'm not even thinking about the multi-project case; the very long file, the very long list because of lock files with many, many, many nested dependencies, is solved, because we can ignore that file.

D
As one single entity, and then maybe you can work on directories instead of files. This will allow us to have, you know, a simple way to recognize multiple applications, because I expect multi-app projects to have one directory for each of the projects, for each of the apps they are containing. Does that make sense? Yeah.

A
Yeah, it does, it totally does, and eventually we're going to be going there, because it's needed in the context of auto remediation. Indeed, actually, you've got to consider the set of files to fix the vulnerable dependency, all the fancy stuff, but anyway. Yes, we can, yeah, we can do that. But it's not at this point. It's not something...

D
Because I can see people that say, oh, this is a dependency, I want to know where this dependency is defined because I want to remove it, for example, so they can see the file, they can click on the file and jump to the Web IDE or something like that, so they can remove the dependency, they can update information about the version or whatever it is. But still, it's hard for me to understand if customers will go to the list and will say, okay, I want to see what is in the Gemfile.

D
Then I want to see what is in the Yarn configuration. It's more like: I want to know what is part of my application. The main goal of the BOM is having a list, a full list, of your application components. So that's why I see application is probably more fitting the idea I'm organizing this around, and this will make a flat list in most of the cases, where just one application is defined in the project, in the repository, and we can, as said, we can support that. That's... maybe not.

D
The file name is maybe not needed, just the file, which is then the folder where it appears. And this may be my lack of knowledge of how these technologies work, but I expect that if you have multiple Ruby apps in one single repo, you will have multiple Gemfiles, one for each subdirectory where the apps are storing their code. Is that correct? Yeah.

D
My possible approach is: let's collect the information about the file while doing the scanning process, so on the backend part, the Gemnasium analyzer, and let's link this information to each of the dependencies, like an attribute, like they have the version number. And then, when we present it in the UI, it will be a secondary attribute, let's say, not a grouping parameter, but we can use the path of the file to recognize subdirectories and so on, so group by them, if you want to do that.

A
Knowing that in the same Yarn file you can have multiple occurrences of the same package, so it's like... it would be, yeah, it would go crazy, like in a project like this one. But yeah, I was thinking about something else. I mean, the path in the end, the path doesn't matter if you've got just... Sorry, if you've got just one set of files. All right, I'm getting tired, I guess. Yes, I mean, if you've got only one set of files, either in the root directory.

D
Actually, we can expose that, you know, as a secondary one, so if people want to see exactly the line where the file... And so, instead of just saving the file, we can also save the line number where the dependency is defined inside the file. So we have the link like we have for vulnerabilities, that you can click and jump exactly to the exact line where the vulnerability is; we can do the same.

D
You can jump to exactly the file, that Gemfile or the Yarn file, where the dependency is defined, and this could be, you know, something more that you can show. What I see as valuable is that if we have multiple apps, we can organize two different BOMs with the two different apps, and you can consider them independently. So even if you export them, you still have the information that allows you to recognize which is one and which is the other. If...

D
Not... we can just show one single default app, or we can just show nothing and just a flat list, and that's the default if you don't have multiple applications. Andy and Kyle can think about that, but let's keep the information flat, the information in the file, without organizing it in any way; we'll just organize what we want to show in the UI only, so we can change it later.

D
We don't need to change the format of the file, because it will contain file name and line number anyway, and on the UI we can iterate. So, just to be clear, I like the conversation, obviously, I just want to be sure that this is not a blocker for the first iteration, because probably the need for multiple apps support and these kinds of things is not a very minimal requirement for the Bill of Materials. The very minimal requirement is that the list is available with version numbers and you can export them somehow.

D
Yeah, probably in some cases, so we can show exactly, you know, the name and the details about the app, and you can provide this information as, you know, part of the report itself, and so you can see in the Bill of Materials the app with these URLs. Maybe you can expand the section, you can see the details about that specific application and then the components, so the Bill of Materials will be very focused on, you know, the app, with all the information you can see there. And if you have multiple apps and we are able to recognize them, you can find them as, you know, this is the list of apps, and then you can expand and see exactly the BOM for each of them, because I'm thinking in the future we may want to support group-level Bill of Materials. So in that case we have for sure to address multiple applications, because there will be one application for each repository, for each project in the group.

A
Yeah, that would be great, I mean, having a UI that's already compatible with that, but that already works for the use case of the first iteration. That's amazing. Yeah, I mean, I'd like to go back to your suggestion: if you've got a flat list, no information, no visible information on the file, but you have the ability to jump to the file in case there's some ambiguity, why not? I'm totally aware that we... yeah, but multi-project...