From YouTube: Secure::Static Analysis weekly meeting for 2021.01.04
A: Happy new year, so hope everybody had a great week, a great holiday period and got some time off as well, and rested, and we're gonna get into it now with the 2021, not that we weren't before, so. I've got the bulk of the agenda so I'll get into it: announcements, friends, family and friends day.

A: Next one is Friday the 15th, sounds ominous, but that's an off-by-two error, and it's, and so just as a pro tip, especially here in the US, Martin Luther King Jr. Day is the following Monday. Sounds like a nice four-day weekend for everyone, hint. So retrospectives, we're changing these because we've been getting less and less participation sub-department-wide. The leading theory between managers and everyone else is that it's just too big. It's too big of a retrospective group.

C: Yeah, where do we put our retro items?

A: 13.8, sorry, I've, I've, I've blanked out the calendar, so I've lost my cheat sheet. So for 13.8 and beyond we're going to go into group-specific retro projects, so we'll have a retro issue for ourselves.

A: And as a heads up for everybody, next week, so a week from today and beyond, one-on-ones, so I'm going to be changing them all to be an hour apiece. It's because of content, the amount of content we're going to cover. So annual reviews, we're clear to start sharing all of the documentation that's been, that's been corralled for it. It's not, everything is done, but every, all of the data is, a lot of the, share the results of the calibration sessions and so forth.

A: So that data is coming to you in our one-on-ones next week, and so, man, because of the amount of information that was corralled, and I want to make sure you have an opportunity to ask questions about it, I would figure we'd just go ahead and make the one-on-ones an hour apiece, and so those are all the announcements.

A: Okay, we'll go with my, so we'll start, and we'll start February, so we'll do it the first, we'll do it the first Wednesday of the month, if that works for everybody, and I'll put it on the Secure stage calendar as an item to do, and we'll do it monthly and we could rotate who the host is, if people want to do that, or we will figure it out, but not to be highly prescribed, just. I just thought it was fun.

A: Okay, all right! So we'll do it that way, and I've got the last item here. So part of the work I've been doing, I think you all saw this, is mirroring our open source dependencies, our primary ones, so like we've got Gitleaks is mirrored, SpotBugs is mirrored, KubeSec is mirrored, et cetera, et cetera, et cetera. The idea being is to subject those dependencies against our very own tooling and see, and see what happens.

A: It was part of my OKRs. The next, the next key result for this is to start submitting some security patches back upstream to those open source projects. I'm planning to start this later this week. Is anyone interested in partnering with me on this?

A: Okay, calendar invite coming. I'm thinking Thursday, so just because we've got stuff on the calendar for Thursday anyway, might as well go ahead and get adjacent to it, and we'll go from there. Okay.

A: If we need to collaborate, backup options can include: we open up a bridge on Zoom and just email it out. Email, old-fashioned email can also be the way, I mean, if we need it. We also have GitLab issues and the ability to contribute through, communicate through comments and mentioning folks. So there are some backup methods.

A: I'm presuming that, I am projecting that everyone is like me and is bombarded with a number of emails and to-dos and issues and everything else to go through. So that's predominantly what I'm going to be working on, so that seems appropriate, is to use GitLab itself as a communication tool if you're doing like I am.

D: There's also Zoom and there's email to all and whatnot about that in the handbook page. So one other thing I would, I'll mention, I'll put a link in the agenda.

D: I dug deep into the Flawfinder issue with codec stuff and have determined that the way they're handling it is actually probably the correct way, but I have some ideas and solutions in the most recent comment in that issue, and I'll post a link to the agenda, but if you're interested in that or have thoughts or other perspectives and whatnot, I'd like to have some, some unity on our approach. So.

C: And for that, there's also the encoding issue for SpotBugs as well, and I don't know if that's completely unrelated or similar, but it'll be good to have some kind of unified approach to how we think about encoding across the different products. I was gonna mention.

B: That, because, yeah, I similarly, I dug deep on that and it's, it seems that it's a, the solution that I presented was just like, well, update your, your Gradle file, and you know, because it's like, I'm not really sure if it's a, you know, we want to handle it in the analyzer when it can be configured out, so yeah. I can, I can link to that as well in that discussion.

D: Yeah, my, my thought so far is better documentation about how to fix it and possible solutions, as well as, like, possibly sensing when you run into that issue and providing better logs in the output when it blows up, saying, hey, go read over here how to fix this, or something along those lines, being more helpful, rather than, I think it's pretty hard to understand what happened at first, especially if it, with one of the cases where it was a sub-module that had a bad encoding. It just kind of died without any, any response.

A: I'll word spit this in a bit. I'm showing my ignorance here and I'm also showing my Python roots. I, I work under the assumption that UTF-8 is what we support, but I don't remember us actually articulating that here. Does anyone know if we have, and if we have it, what we should be supporting across the board?

D: I think most languages and stacks have moved that direction, but if you're working on a language in a stack that has a different standard, you know, I don't think we should prescribe that. I think we should let the tooling and the analyzer do that. But that's my perspective.

A: Uniformity of what we do, support, what we do and don't support, and making that a sparse matrix is, has its own risks as well, and so that's why I'm asking the question, and this is a business requirements question, and I don't know if we've ever thought about it. It seems kind of pedantic. I'll appreciate that as well.

E: Yeah, so yeah, let me variabilize, so there is a race condition for token revocation. Whenever we get, is, whenever we found this secret, AWS secret, so we took help from infrastructure team to track why this is happening.

E: This is still happening. So we may need to create another MR to resolve this issue, so.

F: Yeah, I just encourage us to, let's keep the coordination issue updated with any developments. I think AWS for the most part is fine with this. The call we had with them, I think, on the 19th or the 20th went fine. We discussed this, it's something they want to see fixed, but it's by no means sort of a critical fire or anything like that, but let's definitely keep them updated in that coordination issue.