►
From YouTube: Secure Brainstorming - Splitting Analyzers Common
Description
Brainstorming session on benefits and limitations to splitting the analyzers/common library into separate modules and reducing interdependencies between GL groups
- Agenda https://docs.google.com/document/d/179JL5RzbgSIz2XZewbYn79cuX7_vUtte_TcoLwUUC5o/edit#
- Issue https://gitlab.com/gitlab-org/gitlab/-/issues/211819
A
Cool
welcome
everyone
to
today
december
3rd
2020,
where
yeah
no
one
on
epic,
no
one
on
apac.
So
that
is
true.
So
far
today
we
are
talking
about
what
to
do
with
our
shared
common
library.
A
The
loose
name
for
this
is
splitting
common,
because
that's
the
primary
issue
we
will
be
discussing,
but
there
are
a
few
other
alternatives
and
because
it's
a
brainstorming,
maybe
other
things
will
come
up
so
issue
is
in
the
agenda
and
unless
anyone
has
anything
to
start
with,
we
can
just
start
running
down
the
agenda
cool.
A
So
fabian,
do
you
want
to
start,
or
should
I
paint
some
backgrounds
or
is
everyone
familiar
with
what
we're
talking
about
so
far.
A
A
C
A
Just
give
like
a
two
minute
one,
because
someone
might
watch
this
recording
later,
so
we
have
a
library
called
common
that
we
use
among
all
of
the
sassed
analyzers.
The
dependency
scanning
analyzer
is
currently
clear
for
container
scanning,
and
that's
and
fuzzing
also
uses
this,
so
we
currently
have
quite
a
few
different
groups
using
a
common
library
that
is
not
really
a
library,
so
much
as
a
collection
of
separate
go
modules
that
are
used
together.
A
C
Yeah
one
repo
and
one
change
log,
one
set
of
versions
and
into
me
that's
the
main
pinpoint
so
there
are.
There
are
many
packages
in
this
repo.
For
instance,
we've
got
one.
We
used
to
generate
our
reports,
security
reports
and
another
one
for
handing
cli,
analyzers
and
analyzers
sorry.
C
So
that's
one
aspect:
imagining
just
one
set
of
versions
and
also
it
makes
very
difficult
to
introduce
breaking
changes
like
we
want.
We've
got
ideas,
I'm
changing
the
issue
package,
renaming
the
issues
track
to
volumetry,
which
is
not
a
big
deal,
but
it's
a
pretty
major
breaking
change.
C
C
A
So
assuming
olivier's
responses,
oh.
A
Is
to
mine,
we
don't
technically
have
to
do.
Excuse
me
what
we're
doing
we
could
properly
use
tags
which
we
don't
currently
that
would
basically
involve
making
a
git
tag
that
matches
the
path
of
the
sub
module
in
that
repository,
but
there's
still
a
lot
of
reasons
why
it
would
be
more
flexible
to
treat
them
separately.
C
Yeah,
that's
something
we've
explored
in
the
issue
and
it
looks
like
no
one.
No
one
is
used
to
that.
It's
very
uncommon.
It
works
it's
been
tested
in
the
past
in
the
I
don't
know
in
which
project,
but
it
works,
but
it's
uncommon.
A
So
one
reason
that
we
didn't
immediately
start
doing
that
when
we
experimented
with
it
was
because
we,
while
we
would
need
to
consider
versioning
separately,
have
separate
change
logs
for
each
sub
module,
there's
a
bit
and-
and
that
gets
just
a
bit
complex.
I
think
the
primary
reason
that
was
just
it
doesn't
seem
very
common
and
we're
not
super
familiar
with
that.
A
E
C
B
On
my
side,
I
haven't
heard
that
we
complain
that
dealing
with
multiple
repositories
is
is
painful.
We
have
to
create
too
many
measure
quests
at
the
same
time,
and
and
I'm
wondering
how
much
of
the
split
will
increase
that
that
pain
or
if
we
consider
that
all
those
different
models
would
be
dependent
enough
to
avoid
that,
and
I
think
it
would
be
then
a
good
situation
to
split
into
separate
separate
repositories.
B
Another
concept,
obviously,
is
that
we
are
kind
of
putting
ourselves
in
the
in
the
situation
of
a
mono
repo
that
I
know
was,
for
a
long
time
a
painful
situation
to
handle
with
gitlab,
even
if
it's
getting
better,
as
mentioned
by
fabian,
the
git
libraries
is
one
more
feature
that
doesn't
work
well
with
mono
repo
approach.
So.
A
Yeah,
I
think
I
think
that
there
are
like
a
lot
of
like
assumptions
that
we
have
with
the
way
that
projects
work
at
get
lab
or
like
on
the
product
too.
So,
if
we're
talking
about
ownership,
we
have
the
rule
set
module
that
we
just
added,
which
is
only
used
by
sas.
Currently,
it
could
be
used
for
other
analyzers,
but
assuming
that
it
stays
with
fast,
then
having
a
separate
project
does
things
like
gives
the
sas
team
a
dedicated
security
dashboard
for
any
vulnerabilities
that
come
up
in
modules
we
own?
C
Yeah,
I
think
that's
a
great
example.
If
he
had
a
assass
library,
a
sas
common
library,
this
rule
set
package
would
stop.
There
would
stop
its
slide
there
and
then
possibly
can
extract
it
if
it's
relevant,
if
we
identify
that
it's
needed
by
other
teams,
but
it
would
start
in
the
sas
common
library.
C
Removing
the
need
for
reviews
by
everyone
I
mean
all
back
in
teams,
which
is
a
pain
which
slows
you
down
by
the
way.
That's
another
concern,
another
pain
point.
C
Yeah,
okay,
I
wanted
to
to
comment
on
what
you
said
about
all
the
risks
of
having
too
many
repos
and
possibly
the
the
need
to
coordinate
magic
quests
when
it's
related.
Hopefully
we
don't
have
to
to
to
create
like
what
six
six
reports
right
from
the
beginning.
We
can
extract
what's
more
real
event,
I
would
start
with
the
issue,
which
is
a
bad
name
for
what
it
is.
It's
well
the
package
we
used
to
to
create
reports.
C
I
would
start
there
a
bit
like
an
experiment,
because
we
can
learn
from
that,
but
also
because
we
are,
we
are
sure
that
it's
not
connected
to
the
others.
We
are
sure
we
need
specific
versions
in
order
to
introduce
breaking
changes
in
this
particular
package,
and
then
we
might
identify
other
repos.
We
would
extract
later.
B
It
might
be
possible
to
quickly
plot
the
dependencies
I
mean
these
dependencies
are
declared
in
each
package
with
the
import
statements,
so
there
might
be
a
quick
way
to
quickly
picture
out
which
packages
depend
on
each
other
to
highlight
what
is
really
independent
and
can
easily
be
extracted.
C
Yeah
one
note
on
on
this
path:
filter,
library
and
a
library
package-
that's
something
we
should
remove
in
the
future.
It's
not!
We
should
use
the
star
instead,
because
it's
what
we
use
for
the
rules
exists,
syntax,
so
that
there
are.
There
are
packages
we
should
remove
in
the
future.
But
there's
then
there's
no
need
to
extract
them
from
this
existing
common
repo.
They
can.
They
can
end
their
lives
there
and
no
need
yeah.
A
Yeah,
I
think
that
a
good
example
of
that
is
so
you
mentioned,
so
you
mentioned
path,
filter
and
search
and
walk.
So
it's
so.
C
A
C
Yeah,
because
we
won't
need
that
in
internet
scanning
in
the
future,
yeah.
A
Yeah,
so
so
I
think
that
I
listed
out
all
the
modules
I
think
all
of
them
on
0.5
just
to
have
an
overview
in
front
of
us,
and
I
would
kind
of
thought,
maybe
be
worth
color
coding
this,
but
maybe
I'll
restructure
this
in
terms
of
priority
or
shared
ones,
which
is.
A
C
With
one
exception,
though
it
doesn't,
it
doesn't
tell
it
doesn't
say
anything
about
the
other,
the
issues
that
are
blocked,
because
we
don't
want
to
introduce
breaking
changes.
C
That's
the
case
for
the
issue,
packager,
not
library
package.
There
are
things
we
we
want
to
do,
but
we
can't
do
them
just
because
it's
it's
shared
and
we
can't
introduce
major
versions,
but
yes,
otherwise.
Yes,
I
totally.
A
C
Yeah,
of
course,
this
this
one
could
be
specific
to
sas
and
then
scanning
until
we
we
no
longer
need
that
in
the
context
of
dividend
scanning,
because
and
by
the
way.
What
recently
you
we
introduce
rule
set
it's
needed
by
sas,
as
you
said,
before,
it's
not
needed
by
event
scanning,
but
we
had
to
review
the
code
nevertheless,
because
it's
in
the
command
command
package,
so
one
thing
and
also
introduced
our
small
regression
independent
scanning
by
the
way,
it's
not
not
a
big
deal,
but
all
that
could
have
been
avoided.
C
If
it
had
been
a
different.
I
mean
sas
only
south
specific.
A
B
Merging
this
might
be
in
the
report
yeah
when
we
were
merging
multiple
output
within
the
same
job
when
using
docker
in
docker.
A
A
Okay,
oh
yeah,
because
we
have
a
report
package
too.
Okay,
all
right,
so
so
this
is
used
by
is
this
used
by
car
as
well
so
sas?
I
think
so.
I.
C
A
C
A
A
C
So
clark
uses
command
and
issue
say
assert,
cert,
sorry
speaking,
french.
That
said,
I
think.
A
I
was
trying
to
see
if
common
was
I'm
sorry,
I
command,
but
I
only
see
issue
and
log
util.
B
A
C
C
A
Okay,
so
I
don't
know
if
it's
useful
going
through
these,
I
just
thought
it'd
be
useful,
going
through
them
very
quickly
to
see
what
kind
of
overlap
we
have,
but
we
can
go
back
up
to
our
other
points.
C
Location
for
these
repos,
these
new
repos
one
suggestion
was
to
use
sorry.
One
suggestion
was
to
use
to
put
them
under
analyzers,
but
I
much
prefer
having
a
specific
project
group
because
it
could
be
confusing
something.
Like
I
don't
know,
the
niger
slash
command
could
be
understood
as
an
analyzer
itself
named
command.
C
E
I
was
gonna
say
I.
I
don't
really
stand
by
that.
My
comment
that
I
simply
putting
all
these
new
split
repos
under
analyzer,
because
because
of
that,
so
just
I
wanted
to
vocalize
that.
C
A
I
I
personally
am
going
to
vocalize
indifference.
I
I
honestly
don't
care
what
it's
called.
So
if
anyone
has
a
strong
opinion,
I'm
fine
with
going
with.
B
B
I
don't
know
how
much
this
is
an
issue
I
mean.
Obviously,
this
might
change
the
import
path
when
importing
the
package
in
in
another
analyzer.
So
this
might
still
have
implications
and
we
should
carefully
think
about
it.
I
agree
that
it
might
be
confusing
into
the
analyzers
sub
sub
group,
particularly
if
you
want
to
to
create
some
automations.
C
So
I
have
to
go,
but
one
last
command
the
more.
The
more
important
thing
is
to
find
the
location
two
to
agree
on
the
location
and
then
whatever
it's
gonna,
be
I
don't
mind
as
soon
as
we
have
this
location,
we'll
be
able
to
create
a
library.
C
I
mean
a
new
repo
like
one
for
issue.
That's
gonna
be
great
sorry,
so
I'm
gonna
go
often.
D
Okay,
let
me
just
state
this,
because
I
missed
it
and
I'll
admit
to
multitasking
at
this
point
if
finding
the
location
for
all
of
this
is
the
most
important
concern,
then
that
tells
me
that
splitting
common
has
been
the
decided
path
forward.
Is
that
correct.
D
A
D
Yeah
I
get
it,
we
split
off
yeah
I
mean
whatever
I
mean
we
yes
iteratively
working
through
this.
It
doesn't
have
to
be
a
big
bang
change.
I
agree,
it'll
create
a
mess,
but.
D
B
One
of
the
benefit
of
splitting
was
to
highlight,
what's
what's
really
common
and
shared
between
our
group
and
need
multiple
approval
when
putting
changes
on
design
new
changes
on
them
versus
isolated
module
that
could
be
given
to
a
specific
group
for
ownership
and
maintain
on
their
own.
B
If
we
take
out
issue,
we
know
that
the
issue
is
a
shared
one,
so
this
new
repository
will
require
approval
from
all
the
groups.
Basically,
what's
left
in
command,
would
that
be
more
independent
or
would
there
still
be
their
shared
pc?
That
would
still
require
to
have
all
approvals
in
in
those
merchant
quests.
A
I
I
think,
that's
a
really
good
point
if
we
want
to
just
if,
if
the
goal
is
to
immediately
decouple,
then
we
should
probably
choose
something.
That's
strongly
single
group
like
ruleset,
but
it's
not
going
to
move
us
forward
in
terms
of
figuring
how
to
split
out
more.
D
B
A
B
So
this
is
exactly
the
next
step
on
that
discussion
and
I'm
fine
with
that,
and
but
it
has
implication
because
it
means
we
are
acting.
The
fact
that,
even
if
we
are
all
producing
analyzer,
we
might
add
different
implementation
for
the
exact
same
purpose,
which
is
building
the
reports.
That
is
report
from
a
go
library.
B
B
So
it's
a
tough
decision,
it's
it's
a
strong
choice
too,
and-
and
maybe
it's
highlighting
that
we
are
doing
something
wrong,
because
I
I
like
to
try
to
compare
how
we
work
with
insecure
versus
how
the
company
the
rest
of
the
company
work
within
the
elaborate
application.
B
So
we
have
a
given
set
of
maintainers
in
the
race
application
that
can
take
decision
about
any
place,
any
product
area
in
the
code
base,
and
if
something
is
done
wrong,
it
should
be
cut
by
tests.
So
I'd
argue
that
yes,
static.
Analysis
is
responsible
for
the
new
report
package
report
module
and
they
are
responsible
for
maintaining
it,
which
means
anytime.
We
are
doing
a
chain
there
that
we
break
something
for
any
other
category.
B
It
should
break
a
test,
but
it
should
work.
Even
if
you
are
the
only
team
responsible
in
maintaining
officially
that
package
and
may
be
responsible
for
moving
forward
on
its
on
this
roadmap,
why
it
doesn't
work
for
us
I
mean
it's
it's
kind
of
working
outside
for
all
the
rest
of
the
company
on
the
git
library's
application.
In
theory.
In
practice,
we
can
see
some
hiccups,
but
why
why
you
wouldn't
work
here.
A
Yeah,
I
think
that's
that's
really.
I
don't
know,
and
so
so
point
I
I
had
point
10
on
here
too,
which
was
I
just.
Should
we
consider
a
lack
of
schema
enforcement
to
be
a
concern
here
if
we
have,
if
we
just
added
a
job
that
checked
if
the
output
of
scanners
conformed
to
schemas
does
that
cover
us
or.
B
E
Oh,
I
was
just
going
to
say
I
mean
that
enforcing
that
scheme
I
mean
that's
something
that
should
be
fairly
easily
like
unit
testable
within
each
analyzer.
Right
I
mean
what
is
the
artifact
from
convert?
Does
that
match?
The
schema
right
I
mean
is
that
that's
all
we're
pretty
much
saying
that
we
need.
B
Yeah
sorry
you're
right.
I
took
that
from
a
bigger
scope
perspective,
but
when
it
comes
to
this
specific
model,
you're
right
that
the
schema
might
be
enough.
Sorry,
I
went
too
far.
A
So
the
the
other
thing
that
I
I
don't
want
to
talk
about,
because
I
don't
think
there
are
enough
hours
this
week
to
discuss,
but
we
should
also
think
about
where
generic
security
reports
fits
into
this,
which
is
something
that
I
understand
from
what
I
understand.
We
do
not
have
to
conform
to
with
our
current
scanners
for
the
immediate
future,
but
I
I
fully
expect
that
to
have
a
greater
discussion,
but
that
does
mean
producing
a
similar
security
schema
format,
which
is
basically
what
issue
is
doing
somewhere
else.
B
E
If,
if
I
could
before
we
talk
about
this,
could
we
there's
a
point
that
I
that
I
wanted
to
bring
up
about
the
splitting
of
the
of
the.
E
Jumping
around
too
much
yeah
no
worries,
so
I
yeah
I
I
put
it
in
one
g.
So,
for
example
like,
like
the
the
rule
set
package
right
that
that
introduce
a
an
issue
because
we
had
like
we
added
this
ruleset
package,
which
we
also
had
to
update
the
command
package.
Because
of
that-
and
it
seems
to
me
that,
like
all
issue,
log
util
path,
filter,
crca,
cert
rule
set
search,
slash,
walk
table,
these
are
all
packages
that
do
not
kick
off
a
like.
E
These
are
all
packages
that
that
are
like
purely
just
a
library
right,
so
they
they
or
they
they
could
be.
I
guess
refactored
to
be
like
purely
just
a
library
and
not
necessarily
like
mutate
anything.
So
you
know
you
give
it
a
bunch
of
vulnerabilities.
It
dedupes
and
you
are
returned.
A
bunch
of
vulnerabilities
right
command
is,
is
the
thing
that
actually,
you
know,
runs
it's
more
of
a
framework
and
the
problem
was
command.
E
You
know
we
sas
introduced
rule
sets
which
is
specific
to
just
sassed
and
the
other
teams
don't
use
it
yet.
But
if,
like
fabian
said,
you
know,
he
had
a
comment
if,
if
sas
had
their
own
command,
that
we
that
we
owned
and
then
used
this
other
repo,
which
is
you
know,
we
might
call
it
library
or
whatever
that
has
issue
log
until
pretty
much
everything
besides
command
in
it,
then
the
other
teams
wouldn't
have
that
issue
and
to
me
this
seems
like
the
most.
E
I
don't
know
natural
break
point
where
we
are
it's
it's
kind
of
a
separation
of
concerns
where
one
is
a
purely
just
a
library.
The
other
is
kind
of
a
framework
that
teams
could
use,
and
you
know
I
mean
it's-
it's
a
lot
of
boilerplate
it.
I
also
you
know
it
could
be
that
maybe
we
don't
even
need
the
command
package
where
each
analyzer,
you
know,
defines
the
implementation
on
how
to
produce
a
report
right,
which
is
basically
what
we
do
with
some.
E
Yes,
yeah
correct
yeah,
so
I
mean
I'm
not
suggesting
that
you
know
that
that's
the
the
best
one,
but
I
mean
I
think,
splitting
out,
commands
and
then
or
I
guess,
consolidating
everything
besides
command
into
a
specific
or
into
its
own
repo,
as
the
library
to
me
that
that
makes
the
most
sense
rather
than
splitting
it
all
up
into
a
bunch
of
in
you
know,
because
it's
just
like
who's
going
to
be
using
this
this
these
these
packages,
besides
folks
within
secure.
A
Yeah
so
so
I
think
that's
true
for
so,
and
I
was
trying
to
figure
out
who
exactly
is
using
these
different
ones.
So
I
think
that
that
that's
a
very
good
point,
because
it
is
absolutely
different
and
we
should
treat
command
differently
and
that's
probably
the
biggest
one
for
splitting,
but
I
think
that
the
I
think
that
issue
is
used
more
by
like,
like
fuzzing
uses,
issue
and
clar
uses
issue,
but
neither
of
those
use
the
run
command.
A
So
I
think
that,
like
those
two
it
help,
it
would
really
help
us
split
out
the
implementation.
If
you
have
each
group
provides
a
command
or
deals
with
their
own
method
of
execution,
but
there's
like
we
still
have
a
shared
issue
with
with
primarily
issue,
I
think
which
we
need
to
rename
drastically,
but
I
think
that
yeah,
I
completely
agree
that
command
would
probably
be
the
best
one
to
split
out
there.
B
To
keep
it
as
a
shared
model
as
a
model
that
every
team
will
leverage,
because
this
is
what
I've
seen
emerging
from
some
discussion-
is
that
some
team
might
want
to
execute
their
analyzer
in
a
slightly
different
way
and
maybe
at
some
point
they
will
need
to,
because
the
more
deeper
the
deeper
we
go
into
the
functionality
of
each
category.
B
The
bigger
we
diverge
from
others,
because,
fundamentally
doing
a
dynamic
analysis
is
not
the
same
as
doing
a
static
analysis
and
what
was
working
fine
in
the
past
to
be
very
consistent
in
the
way
we
start
an
analyzer,
for
example,
on
the
brand
by
using
this
same
run.
Common
package,
for
example,
might
no
longer
be
true
now,
and
maybe
this
is
the
little
part
of
the
implementation
when
we
could
just
give
freedom
to
every
analyzer
or
maybe
every
type
of
analyzer.
B
B
More
to
the
left,
maybe,
as
we
move
everything
to
the
left
but
more
at
the
way
we
are
defining
the
ux
and
maybe
more,
we
interact
with
the
yaml
template,
for
example,
but
then
everything
is
free
to
to
run
or
to
have
a
common
package
that
works
the
way
they
want.
E
Yeah
I
mean
I,
I
think
I
that
I
totally
agree
with
that,
where
it's
the
implementation
of
how
you
get
a
report
is
kind
of
up
to
you,
but
that
report
needs
to
be
that.
That's
that's
the
thing
that's
shared
among
you
know
everything
it
needs
to
follow
the
schema
and
that
that
that's
why
it
you
know
they
suggested
splitting
out
the
the
command,
and
I
mean
because
this
is
already
happening
right.
It's
not
like
I
mean
there's,
there's
analyzers
and
there's
groups
that
that
don't
use
command
so
hey.
Oh.
E
B
Okay,
you've
been
extracting
it
to
remove
it
from
command
to
avoid
messing
with
it
with
common
changes,
but
it
doesn't
mean
that
we
extract
this
as
an
official
model
that
everyone
would
be
using.
I
get
that.
E
Yeah
right
I
mean
by
splitting
out
command.
It's
not
we're
not
saying
that
you
need
to
use
this.
It's
it's
just
it's!
It's
removing
that
additional
point
of
you
know
shared
review,
because
that's
that's
what
has
caused.
I
mean
there
has
been
changes
in
command
recently,
and
I
think
you
know
that's
that's
the
second
most
touched
package
right,
and
so,
if
we
could
remove
that,
that
would
be
I
yeah
like.
That
would
be
good.
I
guess
my
thing
is
if,
if
we
all.
A
A
It
makes
sense
for
some
things
to
be
simply
split
separately,
like
every
group
brings
your
own
command
and
then,
if
we
can
reduce
the
surface
area
of
common
to
just
issue,
then
we
have
to
figure
out
what
to
deal
with
the
issue.
But
I
I
don't
know
if
we
have
a
consensus
on
that.
E
I
mean
it
would
be
great
if
we
could,
if
we
could
like,
have
all
these
these
packages
in
one
repo,
but
then
just
require
a
shared
review,
or
you
know
shared
owners
essentially
of
just
like
the
issue
package,
but
have
the
other
ones
like
ruleset,
which
you
know
could
be
used
by
any
analyzer.
A
Yeah
so
so
there's
code
owners,
but
with
code
owners
we
don't
get
independent,
versioning
right
and
there's
a
couple
things
around
like.
A
I
I
don't
know,
there's
other
points
somewhere
written
down
yeah,
but
so
it
sounds
like
you
you'd
still.
You
still
have
reservations
around
separate
projects
or
repositories
for
each
of
these.
E
I
would
like
command
to
be
split,
the
other
ones
I
mean
I
I
see
I
see
the
I
totally
get
the
the
problem
and
I'm
kind
of
going
back
in
between,
like
like
on
one
hand,
I
like
from
a
design
like
a
go
like
what's
idiomatic
go
having
having
the
repo
with
issue
log
until
rule
set.
E
You
know
having
a
a
library,
a
repo
that
I
think
is
good.
E
A
A
It's
it's
similar
to
our
plug-in
architecture.
Really.
So,
if
there's
expectations
that
common
says
all
analyzers
need
this
thing,
then
the
analyzers
can
provide
those
things,
but
I
think
that
the
biggest
the
biggest
issue-
and
this
is
the
this-
is
actually
the
point
I
wanted
to
raise
on
number
four.
When
we
were
talking
about.
A
Well,
we've
talked
about
this
in
the
past
and
zach.
Has
this
nice
ascii
diagram
here
the
thing
I've
always
struggled
with
on
the
the
framework
side
of
this
is,
I
don't
see
a
way
where
we
can
regroup
without
causing
even
more
technical
effort
to
bump
any
changes,
any
kind
of
midway
grouping
that
we
add
just
means
we're
going
to
have
at
least
one
more
step
when
we
have
to
bump
changes
across
repositories.
I
think.
E
Yeah,
I
kinda,
I
think,
I'm
I
wanna
that's
another
one
where
I'm
I'm
not
so
sure.
I
I
I
like
what
I
said
or
believe
you
know
want
to
move
forward
with
that.
I
I
think
what
what
I'm
more
in
favor
of,
is
kind
of
what
I
suggested
earlier
was
just
having
instead
of
sas
use,
the
common
command
have
sas
just
replace
a
common.
F
A
A
If
can
we
apply
that
model
to
issue
is?
Can
we
define
an
expectation
for
what
issue
is
and
then
have
individual
issues
per
group.
B
So
you
will
face
the
same
distribution
that
we
have
the
schemas
like
what
is
specific
to
one
report
type,
what
is
shared
between
all
of
those
its
exact
same
hierarchy,
but
building
that
in
the
go,
the
library.
A
A
A
I
had
some
like
clean
up
things
up
ahead
up
above,
like
template,
doesn't
need
to
be
in
common.
It's
just
like
a
random
directory
tree.
We
stored
somewhere,
but
I
just
don't
feel
like
that.
A
I
don't
know
if
what
we
have
so
far,
which
is
split
out
some
solely
owned
modules
and
then
look
at
bring
your
own
commands.
That's
definitely
something
we
should
look
into.
Is
that
enough
to
get
us?
Are
we
getting
any
benefit
out
of
those
two
changes?
I
think
b?
We
definitely
would
be,
but
I
don't
think
that
we
have
solved
the
main
issue
here,
which
is
issue.
E
I
I
have
a
question
about
the
the
schemas
where
olivia
you
were
talking
about
how
it's
like
I
mean
there.
Obviously
there's
multiple
or
there's
different
schemas
for
each
report
type,
but.
E
I
can't
like
why
not
just
have
you
know,
for
example,
if
senior
detection
needs
a
specific
field,
that's
optional
within
the
common
schema,
and
that
goes
with
everything
else.
So
then
you
have
this
like
fully
flexible
schema,
there's
just
one
schema
that
can
fit
the
mold
for
multiple
report
types
and
that's
what
is
used
to
validate
on.
E
B
You
would
have
a
kind
of
an
issue
or
vulnerability
package
in
common
that
will
handle
the
the
generic
aspect
of
the
vulnerability
and
the
of
the
what
the
report
should
contain
for
all
report
types
and
then
each
analyzer
would
have
to
have
its
own
implementation
code
to
achieve
the
the
type
specific
implementation
like
adding
that
the
property
that
analysis
that
are
mandatory
for
this
type
of
vulnerability,
which
means
you
would
have
to
have
another
common
repository
somewhere
for
all
the
sas
analyzers,
because
you
don't
want
to
repeat
that
code
into
all
the
analyzers
and
that's
why
everything
was
put
into
the
same
place
in
command,
because
it
was
not
worth
having
this
sub
layer.
B
But
this
is.
This
is
a
good
question,
because
we
want
more
autonomy.
This
might
be
a
good
way
to
achieve
that,
but
this
also
means
you
will
enter
this
cascading
level
of
dependencies.
When
you
are,
you
have
your
analyzer.
That
depends
on
your
intermediary
layer,
and
this
layer
depends
on
the
common
report
or
issue
package.
A
E
You
know
if,
if,
if
we
have
just
one
schema
right
and
in
the
the
new
issue
package
that
that
reflects
that
schema
right,
then
each
analyzer
that
produces
a
report
will
have
to
confer
with
what
is
in
this
new
issue
package
right
and
then
that.
E
That
that
report
needs
to
be
validated
by
the
schema
and
the
I
guess,
then
the
you
know
you
could
have
like
unit
tests
or
whatever
to
verify
the
output
like
the
exact
output,
not
not
necessarily
verifying
that
it
matches
the
schema,
but
by
verifying
the
you
know
the
exact
output
to
make
sure
that,
okay,
that
all
the
fields
for
secret
detection
or
all
the
fields
for
sas
are
met.
F
B
But
how
do
you
define
what's
necessary
for
secret
detection
versus
what's
necessary
for
sex?
These
are
different
needs.
You
have
different
mandatory
properties
from
one
report
type
to
another,
so
what
you
said
could
work
well
with
a
unified
schema
so
that
you
will
have
just
one
schema
that
will
work
for
every
report
types.
B
Then
you
could
have
everything
into
one
layer
like
common
issue
package.
Just
one
schema
just
one
implementation
and
it
works
well.
This
is
not
the
case
right
now,
because,
right
now
you
can
say
I
need
every
er.
Each
vulnerability
needs
to
provide
the
location,
but
the
monitoring
properties
within
that
location
object
varies
depending
on
your
report
type
for
container
scanning.
You
need
to
provide
an
image
properly
for
sas.
You
need
a
file
path,
you
need
the
line,
number,
etc,
etc.
B
B
A
Sorry
we
can
do
something
similar
in
issue
that
we
do
in
our
schemas,
which
is
use
some
basic
inheritance.
So
we
have
an
issue
struct
and
then
we
have
a
sas
issue
struct
that
extends
issue
to
actually
get
us
a
bit
closer
there,
and
maybe
maybe
code
owners
is
the
solution
for
something
that
has
a
lot
of
like
mixed
dependency
there.
A
So
we
split
out
issue
module
into
base
issue
and
our
individual
issue
structs,
and
then
we
can
apply
code
owners
to
the
individual
issue
structs
for
our
individual
groups,
but
we
will
have
shared
ownership
over
the
the
base
issue.
Struct.
Maybe
that
won't
be
that
big
a
deal.
I
don't
know.
B
This
is
exactly
what
happens
on
the
right
side
with
the
processors
we
have
a
common
password
that
handle
all
the
generic
passing,
and
then
you
have
a
sas
specific
type
for
the
sas
location,
container,
scanning
location,
etc.
Extra.
So
if
we
can
do
that
in
go
yeah,
that
would
be
a
great
improvement
indeed,.
A
Okay,
I'll
add
that
down
here,
then
so
reducing
shirt
so
for
issue
I'll.
Just
we
can
use
some
structure,
I
don't
know
I'm
gonna,
say
struct
inheritance.
Everyone
will
know
what
that.
A
A
B
A
Okay,
cool
well
we're
over
time
did
we
cover
everything?
We
didn't
really
talk
about
sub
modules.
A
I
don't
know
if
we
see
a
need
for
sub
modules
at
this
point,
but
it
is
something
we
could
definitely
use.
If
we
still
need
to
keep
things
in
the
same
location,
I
think
it's
more
valuable
to.
I
think
it
would
be
valuable
if
we
want
to
split
issue
out
and
reference
issue
back
in
common,
but
I
don't
think
that
we
want
to
do
that
right
now.
Anything
we
talked
about
or
sorry
not
issue,
but
I
say
command.