Description
Quick overview of the features under the Secure SCA group:
- Intro: 0:08
- Dependency Scanning: 0:49
- Container Scanning: 6:36
- License Management (being renamed License Compliance): 13:06
- Vulnerability database: 20:39
- Misc: 25:37
B: It should be recording right now. Yeah, it is. All right, everyone. This is the Secure SCA features overview, so the plan is to go through all the group features that you can see on the product page for our group, which are dependency scanning, container scanning, license management (or maybe soon license compliance), and the vulnerability database, and we also have some other functionality.
B: The first one is security reports, but we also might have the dependency list coming soon. So, starting with dependency scanning, here is the documentation for it, explaining how to set it up, what the supported languages and package managers are, because when you talk about dependencies for a given language, we can have several package managers. For example, for JavaScript we have npm and yarn, both relying on the same type of packages.
B: We also have some ways to customize it by overriding some of the variables, at the global level or just for the job itself, like here. I'll skip the whole definition. You get the output, the JSON format of the report that is generated there, some explanations, the fact that it is displayed on the security dashboard, the way to interact with the vulnerabilities, like dismissing, opening an issue for your vulnerability, or opening a merge request if there is a patch available.
B: You also have, yeah, some definitions, some documentation about the dependency list and how to contribute to the vulnerability database. We'll go back to those items later. So, talking about dependency scanning, the project is here. Dependency scanning is one of our features relying on a specific architecture which involves an orchestration layer, so the dependency scanning job itself is an orchestrator that will look at your project and, based on some rules,
B: we try to detect which packages and package manager your project is using and, based on this, it will spin up new Docker containers with the dedicated analyzers. So we also have a bunch of analyzers, which are shared, I mean we can find here analyzers for SAST but also for dependency scanning. So, for example, we have Retire.js, bundler-audit and Gemnasium. So the dependency scanning job itself doesn't do much. It detects the technology and spins up some new containers with the analyzers for each technology.
B: You have some ways to configure it, obviously, and there is one specific thing about dependency scanning, in case you want to disable the remote checks. This is for the usage of Gemnasium, because Gemnasium is a client-server application: it scans the dependencies of your project, but the vulnerability database is remote. So it will extract the list of packages, not the exact version, but the list of package names that you are using, and ask the Gemnasium server database:
B: Do we have some advisories for those packages? Then it will get back the advisories and compare whether one of the versions of this package you're using is impacted by the advisories or not. If you don't want this to happen, you can disable it. So, talking about dependency scanning analyzers.
B: All right, moving to container scanning now. So container scanning is a different setup, a different architecture. We don't have an orchestrator here. We are relying on one unique tool, which is clair-scanner, which is an open source tool that embeds a daily updated database of Clair, so that you don't have to spin up a Clair database and update it every time you are executing the container scanning job, so it's always checking that.
B: The user workflow is that, in the previous step of the pipeline, we'll be building your application and generating a Docker image, and this is what will be passed as input to this scanner. So here you can see that we are passing your application repository and application tag, which by default are filled by the default values from the Auto DevOps pipeline, or if you use the basic definition we provide for building your application, this is what will be built each time.
C: If you think of it for the future, like if there's a particular image that IT were giving everybody's laptop, we would be checking that before they installed it on their laptop, and then the defense team would be looking for changes to that. So we're kind of, before you go and place this as your, you know, production thing, are there CVEs that we know about now? Then, if they don't change configuration, that's... and we'll have to look.
B: You don't get it? Sorry. Okay, let's move on then. The next one is license management, going to be renamed license compliance. So this feature is also based on one unique tool, which is LicenseFinder, and it has some pretty wide support. We have one wrapper project around license management that we are maintaining, which is here.
B: For example, we want to do some preliminary setup before running the tool to adapt to the project, and we want to manipulate the output reports to adapt them to our common reports, because we want to have a common report structure for every type of analysis that we are doing. So what we want is that the output of the job itself is directly a common report, a compatible common report. That's why we are wrapping this into a separate project. This is not the case, as I said before, this is not the case yet for container scanning.
B: So this is why all the logic is in the script of the job. This is a bit complicated to debug and to work with, whereas having a dedicated project, we have more flexibility, it is easier maintenance, and we can have a dedicated release cycle, et cetera, et cetera. So a lot of benefits of doing this. So for license management we do have... it's basically a shell script that will do a lot of different things and finally execute the LicenseFinder application on it. So license management is producing...
B: You can also configure it in various ways, and there are some definitions about the way to define policies at the project level for your licenses, so you can whitelist or blacklist some well-known licenses and, based on this, in the merge request, when you are introducing new dependencies and we've scanned the licenses, you will be flagged on whether those are compatible with your policies or not.
B: I don't have a lot of knowledge about the underlying tool, to be honest, so I won't be able to provide you an accurate answer. My guess is that they either have to look at the dependency repository itself, if it's bundled, or look at the remote URL, or eventually, possibly, it can also look in the package registry, because sometimes its metadata is available there. So there are a lot of different ways to achieve this, and I'm pretty sure it can also depend on what technology is being scanned.
B: This is an example of the report for the pipeline view. So, as I said before, the job is running for each pipeline, so you get a report on the pipeline view itself, but if your pipeline is attached to a branch that you're going to merge and there is an open merge request, the report will also show up in the merge request, and if you're running that on your default branch, it will also show up in the project dashboard and the group dashboard.
B: I'm just, I just mixed some things up. This is not a security report, so it won't show up in the security dashboard. Thank you for catching this, yeah, totally right. This is not a security report, so it doesn't populate it. It won't show up in the group dashboard or the project dashboard. Sorry about that.
B: One last thing that I wanted to point out here is that this job doesn't require Docker-in-Docker. We are not spinning up a Docker-in-Docker container. Instead, we are leveraging the image property of the job to directly provide the license management Docker image. So what happens is that the job itself will run in a container of that image, so the script will execute within the context of the image.
B: Okay, the next one is the vulnerability database. So we recently did some work on this. All right, so it's just a small section here in the dependency scanning documentation about it. This is about the in-house Gemnasium scanner that is relying on an internal vulnerability database, like I was explaining before. So this database was previously private, and what we've done is to open it, so that also, you know, you have public access to the database.
B: This is not the real database used by the tool. We are maintaining this repository as the single source of truth. So the process is: we are checking external sources, adding advisories to this repository, and once it gets merged into master, it gets published on the Gemnasium PostgreSQL database, and this is the PostgreSQL database that is being queried by the Gemnasium client in the Gemnasium analyzers in the dependency scanning job. Makes sense?
B: The reason why we've done that is that all the architecture of Gemnasium and the database has been made private, closed source, so it was easier to just open the database itself before we make sure we want to open the tool's code itself. So another approach would have been to provide a new endpoint in the API to just provide search features and things like that, but we also wanted to allow people to contribute to the database. So...
B: What can we say about the vulnerability database? Oh yeah, there are currently discussions. There's a plan to take this vulnerability database out of our own responsibility; instead, we will hand this over to a security researcher team from the security department that will be responsible for maintaining this database up to date, but also contribute to other scanners, other open-source tools, to improve the capabilities of all those tools that we are providing, so that our own security team can leverage those tools.
B: And then I had to mention analyzers, but I actually already talked about the analyzers when talking about the orchestration layer of dependency scanning. One important point, it's a bit more technical, but it also helps to understand a bit how things are going with our different features, is that we have two different kinds of data sources. So this is another diagram that I made when implementing the first feature leveraging the database. Depending on what part of the UI you are viewing, the data might come from different sources.
B: So, if you're looking at the group dashboard, that would come from the database, and it will show you the current state of your application, which is the vulnerabilities that we found on the default branch of your projects. With 12.0, we are switching the project dashboard to the same source of data, but currently, before 12.0, the project dashboard was relying on the artifacts, like the merge request widget and the pipeline view, which is... the UI is fetching the raw reports produced by the job in the pipeline.
B: The goal here is to make all the sources of data go through different processes so that, at the end, it gets out with clean APIs, with the same JSON format. So whatever place you're looking at, you will have the same structure of data. I should have the API also here, because we now have a public API to download the vulnerabilities from your project, so... so.
B: What you can see in a branch, so in a merge request, is what will eventually be added to your project, to your application, but until you click on the merge button, it's not a real threat, it's not a real vulnerability. So there is no point in adding this data to the database and showing it in the group dashboard. I mean, we could still add it to... that is a more technical matter, but there's no point in showing it in the group dashboard. So what we have today is, until it gets merged,
B: this is something just potential, so you can still deal... the set of features we have today can still rely purely on the artifacts, and that's fine from a performance point of view. But if you want to achieve more high-level features, aggregate the data, do some statistics, we need to leverage the database, and that's why we're doing it for everything happening on the default branch.
C: Right, okay, because, yeah, I'm sort of thinking, eventually people might wonder how many, for example, vulnerabilities were prevented by people seeing stuff, and eventually they might want to be able to query that. So, even if we're not sending maybe full information, we may want to think about that in the future. Yeah.
B: If you think about it, we already have something related, and feedback, because on the merge request, where people can dismiss a false positive, in reality, or create an issue from there, which means it's a true positive, so we have small feedback there. We don't have the raw statistics, but we already have some feedback. All right, anything else we can say about this?