From YouTube: 2020.08.31 - Secure::Static Analysis team meeting
All right, let's go ahead. We've got a relatively short agenda, as I mentioned for those that were able to attend office hours this past Thursday. I want to take five to ten minutes and go project by project, whatever has the highest criticality of vulnerabilities, and let's figure out what to do with them. This is the tie-in to the dogfooding aspect of this, so I was going through looking at only Brakeman and secrets.
Can I ask real quick about, oh wait, nope, never mind. For a moment there I thought, yes, ESLint was the Node.js scanner, where we're going to revamp how it's done. Never mind. Yeah, no, continue.
I'm not sure, go ahead. Could you please create an issue with, like, a "good initial upstream contributions" label of some sort? You know what I'm saying, like, you know, we have one that's open for, you know, first-time contributors. I know we want to potentially find ways to be contributing to the open source projects, and maybe this is a good lightweight way to look into, okay, well, you're not digging too deep into ESLint, you're just trying to update some dependencies to fix security patches, and maybe it's easy, maybe it's not, but.
Okay, I'll tell you how you figure it out. So we're looking at the dependencies, and then they, you know, list out their dependencies. You need to search for kind-of; kind-of is in here, so keep searching for kind-of, keep going until you find its entry, and it'll tell you what version it's locked to.
This may be a bug in which version of this dependency we're using, so yeah, I'll write something up. I'm going to dismiss this as a false positive, with the link straight back to the yarn.lock file that's in question, that we're already on version 6.0.3, which was the suggested remediation for this particular item.
Okay, all right! That's what I wanted to do. I wanted to go through some of their high quality stuff, and so thank you all for entertaining this premise. We will become more efficient at this, and I'm going to do better at calling out what project I want to investigate. I'm going to try to get this on the agenda end of day Thursday.
Yep, so this morning, actually around 8 am, I got an issue on gitleaks where there was someone from a company called Giant Swarm, and they were like, hey, your gitleaks action on GitHub is scanning our entire repo, when really it should be scanning just commits in a certain PR, which is a big no-no, because, you know, it was timing out on GitHub Actions. I think you get 15 minutes of scan time, so they had a huge...
Scanning for 15 minutes, which sometimes happens if you have a large repo, that's not the intended behavior of gitleaks in the context of running against a PR or MR. And the way that gitleaks, the scanner, was doing that was: you provide a from commit and a to commit, and go-git, the git engine, and gitleaks would figure out what commits to scan, and so it essentially just does a git log.
But there is a reachability issue where, if you have a from commit that is, like, cherry-picked or part of a merge commit, there's some reachability issues where it will never reach the to commit until it's gone through, like, the entire repo, or a chunk of the repo, or sorry, a chunk of the commits. Just the way that, I mean, git is kind of a, it's a graph. It's not, you know, just one; you don't go from just one commit down, it branches, so there's some issues there.
You just provide a list of commits, so instead of providing two, you provide all the commits that you want to scan, so that this is, like, you don't have the potential to scan an entire repo's worth of commits; you just have: this is what I want to scan, and that's it.
So I created an issue, because this relates to the secret detection template, which is live right now, and I haven't heard any issues come up from it, but the GitLab org project, which is huge, that is still using secrets SAST. So that is not using the commit ranges. So.
You know, hold up MRs on this big project, so I created an issue there and proposed a solution. We could either update gitleaks with the most recent version and update the template, or we can do a quick fix right now, which is just remove the range, like commits, the, it's like the secret detection job, and just use the secret detection default branch, but change it back to the old secrets SAST.
So it essentially mirrors that behavior, which is the quick solution that gives us some time so that we can update and fix this and scope this for another release. But I just wanted to bring that up, because it is kind of a big issue that hasn't exposed itself on GitLab yet, so.
No, it's traversing extraneous commits, so it's because you're supplying just two commits right now, that's how it is right now, but there is no guarantee that there's a linear path between these two commits; you know, you could just put in whatever two commits.
Well, there is, like, you can change the order that you want to traverse, but again, there's no guarantee that the from commit is going to end up in the to commit without going from, like, a merge branch or something, you know, so it could take a detour. It's just that there is no... There is no guarantee, essentially.
I mean, this is kind of getting into the internals of git log, which I am not an expert in, and again, the git engine that gitleaks is using is not the full git, so it doesn't have all the options for git log. I'm sure there's a way in the pure git log to check and make sure. But again, the engine that I'm using is limited, and I'm using it because of performance benefits and stuff, rather than shelling out git commands, so yeah, okay.
And that's partially due to how we were starting to think about how to do fuller scans, rather than just the commits in an MR, and, or I guess latest commit, maybe, is how it worked.
Yeah, at the latest, right, we were extending that, but we did that in a way that does open up the possibility of accidentally, then, well, to get from A to B we need to traverse the whole history, and now that's untenable to do in CI. And so we've got a quick fix, which is a little dirty, but not awful. It gives us time, and we have a more thorough fix proposed as well.
Of that, it is probably, is that Taylor's choice, Thomas, how we... I mean, I think it sounds like both are technically viable options. So it's really about prioritizing some of that secret feature work and completeness, so to speak, because the quick fix is taking a step back, right. It's just saying: okay, we'll just always do the one commit, rather than the range of commits. Is that correct?
All right, someday you'll have to do a brown bag digging deep into your design decisions on gitleaks; that'd be a fun brown bag, for what it's worth, and it probably would be really informative to those who want to dig deeper into Go as well. So just throwing that out there.
Cool, it looks like you already answered me, so I'll just verbalize for the video, though: what is the status of the issue that has to do with our tests? Wow, there's a weird backtick in that link. And then, Zach, you said all MRs related to this have been merged, waiting for milestone release, so yeah, so I'm just wondering, as we say now, when does it reach true prod, or true pride, true... I'm trying to remember the term.
Gprd, thank you, yeah. I'm just wondering if anyone has seen if it's been deployed or not. This is probably a good opportunity for me to go dig into the internals to see how I can know what version of GitLab is deployed, just really.
So the environment name is gprd for GitLab prod. I guess it's not completely obvious if you're in a hurry, and there's also a ChatOps way that you can check a specific commit to see if it's on gitlab.com. I usually rely on what was almost referred to as looking in the MR, but it's another way you can do it.
Okay, cool, yeah. I do know that I had it fail eight hours ago, so I don't know when it went to production, but I'll go test it; we'll see. It really isn't the end of the world if it's still blocking. I've got a lot of work to do, so, but just trying to understand, because, well, Thomas, I know you've got some things in flight too, and we've got some coordination things we're open to getting to today.
Desktop, so it's, I'm just showing you, well, yeah, I guess that is demo. So this is the custom ruleset passthrough, and so there's an issue that I'm working on, and we're doing a very simple first iteration, where we want to add a gosec rule. And so I went with the original design, which is: let's provide a TOML file that has a passthrough. So essentially, this is right here. This is the SAST rules TOML file. So this is going to contain all the custom rulesets.
So if we wanted to add a, you know, ESLint custom rule, you'd have a top-level eslint table, and then you'd have descriptions and the passthrough table as well, and you'd specify, okay, is it a file or is it, I think, raw, where you would actually put in the config that you want to pass through right there. But for each analyzer, the implementation of how it parses those rules is going to be a little bit different. So here's the structure, right, you know.
So this is the Go test file, or the Go test project, oops, and if you want to take a look, it's on the, no, dnd, or yeah, the dnd-freeze custom-ruleset branch. So then we have, I guess, the pipeline. This is just showing, okay, loading config from custom rules passthrough. So this is just the info, or a log rather, that I have in the actual analyzer, and, like, in the code, what this looks like.
So this is the gosec analyzer, and so here's where we're loading in the rules. So we have rules.load rule: we give it a path and then an analyzer, and this gives you a rule, which can then be, down here, where I'll clean this up, but essentially we're overriding the config path to use the rule that we specified. The, I guess, more interesting part, where some of the bulk of the work is, is like here, is the actual...
This is in common right now, and so we have a struct representing a rule and a load rule function, which is used by, or will be used by...
...all the analyzers, so you give it a path, again, an analyzer string, and then you get returned a rule. So essentially the analyzers kind of just figure out, okay, like down here, again I'll clean some of this up, but it's like: okay, if there's a rule passthrough, then we want to override the config path with this rule and use that for the config for the gosec scan.
So that's a little demo of it working right now. I haven't opened any MRs, but this is kind of just a very basic first iteration for gosec. So yeah, I don't know, anyone got any questions?
Correct, yeah, so basically, yeah, and what it does is that load rules function detects, okay, is there a .gitlab file, or sorry, directory, and is there present, like, rules, and if there is, use that, so yeah? That's where it's at.
I'll be opening some MRs for this, but probably after the secrets stuff.
Yeah, and so there's a discussion in, I think in the epic, remora's issues, where I brought up, okay, what about merging configs, yeah.
Yeah, it's basically, effectively, an escape hatch for, you're saying: oh, I can see what they're doing, they're going deep into the internals of the wrapped scanner at that point. So "here be dragons" kind of an idea, allows them an escape hatch, I'd say so, and then we'll continue to layer on, and ideally fewer and fewer folks should ever need to use that escape hatch, I think, is the hope, right, yeah. So keep it simpler for now; merging would be pretty complex.
Yeah, that always comes out best, tongue firmly planted in cheek, with that. All right, we're well over; thanks everybody, very much appreciate you. I hope you have a good rest of your week. I've got a question that I added super late; I'm going to move that over to our channel, because a week from today is a holiday.
So what do we want to do? Yeah, yeah, three-day weekend? So that's great! So what do we do with this meeting? Do we cancel, or do we move this to Tuesday? So we'll do a poll over in the static analysis channel and we'll go with whatever wins. So thank you. We'll talk soon, see you soon.