►
From YouTube: Threat Insights Weekly Group Discussion
Description
Weekly meeting for the Secure:Threat Insights group.
Includes milestone kick-off for 13.12.
A
A
So
in
the
last
couple
of
milestones
we
have
experimented
with,
but
I
wouldn't
say
successfully
timed
a
retrospective
discussion
during
these
group
meetings,
so
we're
going
to
go
through
the
front
end
and
back
end
issues
that
are
currently
slated
for
1312
and
I
am
going
to
ask
individuals
from
those
teams
to
go
down
the
list
for
us.
There
is
a
link
in
the
agenda
to
take
you
to
a
board.
That's
pretty
easy
to
view
we're
going
to
look
at
the
ready
for
development
and
blocked
issues
and
summarize
to
to
your
best
degree.
A
A
You
like
to
share,
or
should
we
just
do
this.
B
No,
that's,
okay.
I
think
I'm
sharing
the
right
screen
yeah
this
one
right.
Can
you
see,
can
you
see
my
screen.
B
Okay,
so
I
think
I'm
going
through
this,
the
ready
for
development.
A
B
Okay,
so
it
seems
like
we
are
working
on,
add
ability
to
search
instance,
security,
dashboard
projects,
graphql
query,
so
we
are
at
a
blocker
for
a.
A
B
Should
I
go
for
the
next
one?
Ignore
the
unnecessary
columns
from
the
security
findings
table
seems
like
an
easy
one
like
and
perform
audit
identity
and
address
underperforming.
Sql
queries,
some
sql
queries,
that's
needs
some
attention,
I
don't
know,
is
the
it's
refined
right.
So
maybe
we
had
all
the
sql
queries.
We
just
need
to
audit
them.
B
D
Just
just
the
question
here
the
vulnerabilities
are
so
there
is
a
one
one
to
one
relationship
with
the
with
the
findings
right.
So
how
come
that
we
generate
vulnerabilities?
If
there
are
no
findings,
do
we
know
this?
D
C
We
shouldn't
that.
That's
that's
why
we
have
to
clean
them
up,
because
we
should
not
be
creating
vulnerabilities
with
the
missing
finding.
D
But
yeah
that's
the
question.
So
if
maybe
does
this
issue
also
tackle
with
with
the
root
cause
of
this,
because
we
shouldn't
have
vulnerabilities
if
we
don't
have
findings
so
clearly
somewhere
in
the
code,
we
have
something
that
generates
vulnerabilities
that
have
no
findings
right.
C
Back,
where
yeah,
where
it
was.
B
And
fix
the
bug,
I
think
it's
it
was
for
csv,
not
loading
because
of
the
missing
vulnerability
as
missing
findings
or
something
you
fixed
that
jonathan.
C
Well,
it
was,
it
was
looking
for.
It
was
trying
to
pull
data
for
findings
that
weren't
there
and
it
was
throwing
an
error.
I
think
what
was
creating
the
vulnerabilities
without
the
findings
has
also
been
fixed.
E
A
Just
curious,
yeah
add
a
comment
to
the
issue.
If
you
want
to
confirm
savash,
sorry
lindsey,
you
should
feel
free
to
add
a
comment
to
the
issue
asking
that
question.
If
you'd
like
to
confirm
yeah.
C
C
F
C
Okay,
and
and
along
those
same
lines,
I
think
I
mentioned
before,
is
like
we're:
gonna
have
to
figure
out
like
because
a
finding
has
to
have
a
pipeline,
and
so
we're
gonna
have
to
figure
out
how
to
the
vulnerability
has
to
have
a
finding
a
binding
has
to
have
a
pipeline.
But
if
it's
manually
created,
it's
not
gonna
have
a
pipeline,
so
we're
gonna
have
to
deal
with
that.
A
little
idiosyncrasy.
C
C
Right
today,
yeah
today,
it's
it's
not
possible,
so
we
have
to
work
that
out.
C
B
Okay,
the
next
one
is
restrict
vulnerability
pages
for
reporter
and
below.
I
think
there
is
some
leaking
going
on.
The
vulnerability
pages
are
shown
to
not
expected
users
or
something
so
we
need
to
restrict
then
and.
A
B
B
Discover
project
security
link
is
not
visible
in
sidebar
discover
project
security.
I
have
I
don't
it's
not.
I
think
it's.
D
Yeah,
the
sidebar-
I
think
it
needs
to
contain
a
discover
project
security
link,
which
is
not
visible
right
now.
I
had
hard
time
to
to
show
it.
I
remember
that
I
used
to
work
on
something
related.
B
B
B
A
B
C
These,
no
that
one
is
actually
that
one
it
was
block.
I
had
that
one
in
my
backlog
or
in
my
in
my
list
of
issues
for
a
while,
while
we
were
trying
to
get
some
other
issues
that
was
blocking
that
that
one
finally
came
unblocked,
but
I
was
also
in
the
middle
of
doing
some
other
things.
So
that's
why
it's
back
in
the
list.
B
Thanks
thanks
introduce
present
on
default
branch
boolean
to
vulnerability
model.
I
think
it
came
from
the
discussions.
That's
to
get
rid
of
the
feedback
model
or
something.
B
Remove
always
now
kills
from
vulnerabilities
okay.
B
C
B
D
Sorry,
regarding
the
one
above
are
we
going
to
remove
those
fields
from
the
from
the
database?
Yes,
yes,
okay,
so
this
may
also
have
front-end
changes
if
we're
pulling
those
fields
in
graphql.
B
So,
are
we
talking
about
adding
a
robocop
room
for
migration
or
something.
B
Another
migration
creator-
okay,
we
can
check
later
include
additional
information
in
binary
report.
Export
date
detected
and
location.
Two
more
fields
seems
like
straightforward
and
enable
jira
for
vulnerabilities
feature
flag
activity
activity,
filter
on
vulnerability
report,
close
error
in
group
level,
dashboard.
C
So
that
one,
that
one
is
specifically
to
figure
out
where
our
major
slowdowns
are
coming
from
the
vulnerability
finder.
Well,
it's
in
the
vulnerability
thing
then
I
listed
all
the
ones
to
check
the
the
queries.
The
scopes.
C
A
A
One
right
there
that
that
you
just
had
the
go
up
a
little
bit.
Sorry,
the
jira
one
is
actually
a
mislabeled
front,
end
issue,
so
someone
on
node-
oh
you
already.
A
It
was
the
use,
vulnerability,
external
issue,
link
creation
mutation
for
creating
issue
on
vulnerability,
details
page
the
really
catchy
titled
one
was
is
a
front-end
issue
that
was
created.
The
the
graphql
endpoint
already
exists
and
we're
just
not
using
it
yet
on
the
details
page,
and
so
it
looks
like
yannick
from
neil's
team
has
already
picked
it
up.
It
was
a
list
identified
of
work
that
if
they
had
bandwidth,
they
could
grab
and
work
on
in
the
next
couple
milestones.
So
I'm
correcting
that
right
now.
B
Okay,
thanks
thanks
are
we
also
discussing
blocked
issues
as
well.
B
Okay
findings
evidence
details.
C
A
A
D
Is
it
this
one?
It's
yes,
exactly!
Okay,
so
here
are
the
front-end
issues.
Basically
they
we
just
been.
We
just
went
through
these
with
linsei,
so
I
know
that
they're
grouped
the
first
ones,
for
instance,
are
grouped
by
the
pipeline,
so
this
is
regarding
migrating.
The
pipeline
security
to
graphql,
so
this
use
graphql
enables
this
for
pipeline
security
tab
and
then
use
vulnerable
details
component
for
pipeline
security,
tab
vulnerabilities
model.
D
So
basically
this
one
is
just
using
the
vulnerability
details
page
inside
the
the
model
that
appears
in
the
pipeline,
and
there
is
yeah.
We
need
to
enable
the
feature
flag
here
on
top
and
then
we
have
use
onvolume
with
the
details.
Page
change
fetching
a
vulnerability
to
graphql
fetching
your
phone,
oh
yeah,
right
now.
This
is
this-
is
injected
to
dom.
We
need
to
change
that
to
graphql
and
then,
as
part
of
the
cleanup,
since
we
will
be
removing
the
so
we
will
be
migrating
to
graphql.
D
We
can
remove
the
view
x
version
of
the
vulnerability
list.
As
a
cleanup,
then
we
have
the
feature
flag,
removing
the
we're
just
enabling
the
feature
flag
for
every
user.
I
guess.
A
F
D
So
it's
regarding
that
one
and
then
we,
the
couple
of
we
have
a
few
issues
regarding
the
gener
generic
report
schema.
All
of
these
are
basically
creating
new
components.
So,
for
instance,
this
one
is
creating
a
table
component
for
the
generic
report
schema.
This
one
is
creating
the
value
type
so
which
which
will
display
a
string
in
integer
or
boolean,
and
then
we
have
the
markdown.
A
Of
those
components
we
broke
them
down,
one
issue
for
each
data
type,
the
rest
are
in
refinement
and
they're
all
very
small.
So
the
hope
is
that
they'll
all
still
fit
in
1312
once
the
refinement
is
done.
D
And
then
we
have
a
couple
of
bugs,
so
this
one
is
basically
error
when
loading
results
showing
in
the
my
files
scanning
is
in
progress,
but
displays
correctly
when
pipeline
completes.
The
title
is,
I
think,
it's
pretty
explanatory,
and
then
we
have.
This
can't
dismiss
vulnerability
from
mr
widget.
A
D
And
then
we
have
what
three
of
them
of
these
issues
are
blocked,
but
they're
all
blocked,
because
the
the
the
back
end
counterparts
are.
They
still
need
to
be
implemented.
So
as
soon
as
the
back-end
is
implemented,
we
should
be
able
to
work
on
these
features.
A
I
don't
think
we're
very
consistent
about
our
blocked,
workflow
state
versus
blocked.
You
know
if
something's
blocked
by
an
issue
there,
you
know
just
call
that
out,
but
thank
you
savage.
I
don't.
I
hope
that
that
was
helpful
for
everyone
to
understand
what
we're
working
on
coming
into
1312.
A
C
A
A
A
If
you
put
a
blocker
on
the
issue
like
say,
this
is
blocked
by
issue
one
two,
three
at
least
the
person
will
see
that,
but
they
have
to
click
into
it
and
probably
grab
it
before
they
see
that
they
might
miss
it.
So
I
I
kind
of
want
to
say
both.
It
feels
a
little
redundant
and
like
extra
work.
But
what
do
you
guys
think.
C
A
That
issue
is
closed.
It
still
shows
that
little
circle,
so
you
say
I'm
blocked
on
issue
one
two:
three:
it's
gonna
immediately
show
that
you
know
indicator
on
the
issue
board,
but
then,
when
issue
one
two
three
gets
closed.
That
indicator
still
shows
there.
There's
no
visual
indicator
that
that
blocking
issue
is
now
resolved
either.
So
it
would
be
a
nice
product
enhancement.
A
C
A
That
it
wouldn't
be
clear
to
the
person
that
was
looking
at
it.
So
that's
a
good
question
and
I
don't
know
if
we
should
make
that
part
of
our
process
or
just
assume
that,
once
if
we
did
both
once
it's
blocked
right,
if
we
both
put
the
workflow
state
on
and
the
blocker,
we
would
eventually
just
start
to
ignore
that
visual
indicator
of
something
being
blocked
once
it's
in
the
ready
for
dev
column,
because
you
wouldn't
move
it
back
to
ready
for
dev
until
the
blocked
issue
was
resolved.
The
manual.
B
C
A
C
I've
tried
to
move
them
from
block
to
link
just
so
it
gets
rid
of
that
blocked
like
so
that
there's
it
doesn't
show
it's
blocked
by
something,
because
it's
no
longer
blocked.
You
know
and
it'd
be
nice
if
it
automatically
went
and
the
workflow
as
well
as
soon
as
that
issue's
closed,
then
it
you
know,
moves
out
of
the
block
by
column
or
the
little
icon
removes.
A
Yeah
one
of
the
two
I
mean
it
almost
feels
like
either
would
work
I'm
going
to
take
a
minute
this
morning
and
see
if
I
can
find
an
issue
that
exists
around
that
jonathan,
because
I
feel
like
this
is
something
we've
talked
about
quite
a
bit.
A
D
Yeah
so
since
we
still
have
a
couple
of
minutes,
I
think
I
can
share
my
screen
and
then
describe
the
problem
that
I
was
going
through
today.
So
basically,
I'm
working
on
this,
not
this
one,
but
this
one,
this
one.
So
I'm
implementing.
Okay,
I'm
just
gonna-
hold
on
move
this
zoom
bar
somewhere
else.
So
I
can
see
so
I'm
just
adding
the
the
dismissal
reason
to
the
vulnerability
details
page
I
did
that
it
works
and,
as
you
can
see
here,
the
vulnerability
object
receives
the
dismissal
feedback.
D
It
took
me
a
while
to
figure
out
the
backend
data
structure,
but
I
thanks
to
john,
I
was
able
to
figure
out
that
the
dismissive
reason
is
inside
the
dismissal
feedback
object
and
it
just
shows
pops
here,
but
the
problem
is
with
with
graphql.
So
when,
when
I
change
this
the
status
and
then
I
change
it
back
to
dismissive
reason,
we're
here
we're
using
graphql
to
fetch
the
new
version,
and
I
was
not
able
to
populate
that
field
using
graphql.
D
So
this
is
one
part
where
I
need
help
with
the
backend
and
the
second
one
is
when
I
dismiss
it.
The
dismissal
reason
doesn't
seem
to
populate
it's
always
nil.
I
had
to
go
to
the
database
and
then
manually
change
the
field
in
order
to
get
this
false
positive
here.
So
this
is,
I
think
this
could
be
a
bug,
or
maybe
I
don't
know
how
to
populate
that
using
the
ui.
G
G
If
you
dismiss,
then
you
should
get
an
ui
option,
at
least
that's
what
we
wanted
to
implement
at
some
point,
when
you
dismiss,
you
should
be
able
to
set
a
reason
for
this
missile
and
we
have
pre-made
dismissal
reasons
and
you
should
be
able
to
set
them,
but
I
am
not
aware
myself
like
where
should
they
show
up
in
the
user
interface,
because
I
I'm
currently
working
with
translations
for
dismissal
reasons
and
when
you're
actually
dismissing
a
vulnerability,
you're
creating
a
feedback
using
graphql?
G
D
Okay,
so
that's
why
I
was
not
able-
because
I
thought
so
somewhere
here
in
the
graphql-
I
see
that
we
send
the
comment.
Okay,
this
is
this
one
is
yeah,
so
we
we
send
the
comment,
but
I
assume
this
comment
is
not
the
value
that
the
beckham
expects
or.
D
B
For
dismissal
reason,
it's
like
pre-populated
five
dismissal
descriptions
that
we
are
sending.
I
think
we
are
exposing
in
the
this
page,
which
is
not
confined
with
I.
I
don't
think
it's
within
the
dismissal
feedback.
It's
outside
of
yeah,
these
five
reasons,
yeah
exactly.
D
So
I
I
would
need
to
send
this
these
values
when
we
dismiss
actually
right.
I
remember
that
we
have
an
issue
for
the
for
this
and
then
in
the
front
end
to
have
a
sub
drop
down
here,
which
you
can
choose
the
the
okay.
So
that's
why
it's
not
appearing
right
now:
okay,.
G
The
common
field
itself,
I
think
it's
getting
populated,
but
we
don't
like
expose
it.
So
what
you're.
G
Yeah,
that's
a
different
thing.
The
dismissal
reason
itself
should
be
populated
once
you
send
something
in
the
dismissal
reason
argument
to
the
graphql
mutation.
B
I
think
we
are
also
exposing
comment.
I
think
it's
a
it's
a
part
of
common
details
or
something
the
details
I
can
see.
We
are
exposing
a
comment.
B
D
It's
this
one,
okay,
because
I
remember
that
we
had
the
comment
payload
beforehand,
but
then
we
added
this
piece
of
reason
and
I
just
remember
some
conversation
around
having
both
of
them,
which
basically
is
doing
the
same
thing
so
kind
of
a
backward
comp
compatibility.
D
I
think,
but
maybe
I
was
wrong,
okay,
so
now
it's
it's
all
clear,
but
I
still
need
help
from
a
backender
to
generate
this
field
in
graphql.
G
G
G
D
We're
using
the
get
query,
but
maybe
we
can
continue
this
yeah.