From YouTube: Secure::Static Analysis office hours for 2020.12.10
A: All right, happy Thursday. Hope everybody's week is going well. So this is the second office hours that Static Analysis has hosted. We've got a couple of demos we want to show; the first one is no longer tentative. So Daniel, you've got the floor if you're ready.
A: This is something from me, so you'll hear us say this frequently when we're talking about things like this: if SpotBugs is having trouble scanning something, we'll tell you we recommend using a pre-compilation strategy. What is that? I want to show that real quick with the project that I've been working on, so I'm going to share my screen and we'll go from there. All right, okay. So what we're specifically talking about is something that you'll find within our documentation.
A: We're talking about a pre-compilation strategy. It has a little bit of a blurb about what we're talking about, as well as a snippet from a sample .gitlab-ci.yml file for a project. And so when we're talking about pre-compile, we're talking about really two things: number one, that we have a build stage defined within the pipeline itself that exposes artifacts and has paths, and what we are able to do with SpotBugs.
A: So this is a project that I've been playing with for a while, for the better part of this week, where we are taking the actual SpotBugs project. We have it mirrored within GitLab, and can we build it? Can we scan it? So that was something that I've been playing with, and this is a particular branch that is here using v4.2.0 of SpotBugs.
A: We have a build defined, we have a test phase defined, and you'll notice within the build we're using Gradle, we're doing an assemble, and we're exposing paths. There's a number of paths in which JAR files are built within the SpotBugs project itself. There's a SpotBugs SAST job that has a dependency on build.
A: This was failing because I also had a separate test job that was spurious, so I needed to get rid of it, but you'll notice that SpotBugs had an issue: it found a number of Gradle projects, but the project couldn't be built. Therefore, you get nothing that could be scanned. So we've seen a number of questions come to us related to this very scenario.
A: This is prior to me putting in this pre-compilation strategy and defining a build job. So when we put it in, as soon as I get back to pipelines, we get a very different output: number one, build worked, and so I did a whole lot of work, and I'm going to go ahead and open a tab.
A: I have had this working, you'll notice. We have SpotBugs SAST working. This is not fully configured, but you'll notice that it did find several of these. Several projects built all of these JAR files that I had been exposing to it over time. It found them and it started scanning those, and that has resulted in an output, and that allowed us to actually scan and get results. And I'm going to live dangerously, and you'll notice that we have SpotBugs finding things within SpotBugs, which is interesting.
A: So we're taking a look at this and seeing what happens, but it was an interesting way, and I thought it was something that might be useful for everyone to see, because we keep saying we recommend the pre-compilation strategy. We recommend the pre-compilation strategy. What does that mean? It means that we're not going to try to build it, and here's an example of it actually being used and working within the test project itself. So I'll pause for questions in case anybody has any.
D: So I've been bothering you folks for several months.

D: One, if you remember right, almost always we have a very tight timeline to prove value, and they tend to be customers signing up for Gold or Ultimate to try it out. The first thing they turn on is the SAST scan, and the first time it doesn't work it's a blocker, so we've been using this pre-compile.

D: The question is that I think we get them started with Auto DevOps and use our, you know, buildpack, but especially with Java, those customers tend to want to use their own build job, and then they will use our SAST scan template to scan.

D: So perhaps that's where our scan will fail, because we somehow have not built the same way. So that's where I was a little bit confused sometimes.
A: And so the reason for showing the configuration... I'm gonna share screen one more time and we'll go from there.

A: What enabled this to work, yeah, it's not entirely obvious. I mean, I was working with this; I hadn't had a chance to play with this a whole lot, so I thought it would be worthwhile showing here, because we keep referring back to this piece of documentation a lot, and so I wanted to show it actually working, yeah.

A: So it's not for everyone, but it does solve a real problem. So it's useful, yeah.
D: For enterprise, you can't ask them to throw away, although they still have Node.js, Python, TypeScript, everything else, but the first one they're going to put into our pipeline is Java. That's like 90 percent of the time; that's what I have seen. A second question is, so our customer is reading our documentation.

D: They love the pre-compile because it worked, right. Then they immediately copy-paste it into dependency scanning because they just assume it would work the same way. So I just had a conversation with our dependency scanning team. They also recognize that there is a confusing point there, so I just want to point it out. Sometimes our customers have an expectation, when you offer a feature in one scanner, that the same capability transposes itself to another scanner.

D: So I just want to point that out, so you might hear a little bit of rumbling from that part, because we encountered that exact problem yesterday or the day before, because they were reading our documentation and say, hey, I think it's a pre-compile just like how you showed it in the YAML file, but then they start adding it to other scanners.
D: Yeah yeah, I think oftentimes there's confusion between SAST and dependency scanning for TypeScript. It's the same problem, because they say: oh okay, it's a scan for Node.js, it's a scan for JavaScript. Then it gets errors and no match, and is this for dependency scanning? Is this for SAST? Sometimes we detect a language and then, when we go scan, we can't scan it. So sometimes they just get cross-wired that way as well. But thanks for the demo; really helpful for us to understand exactly how it works.
F: I have a question too. In the documentation that's online, are you pointing to this particular thing that you just demoed as an example, a working example so to speak?

A: No, I'm not. I mean, I can point to it within this agenda right now. This particular project is marked as private. It is a dependency of ours, a dependency that we are including, and so I didn't want to mark this as an example. This is something that we're using internally to test and dogfood around features.

F: That would be, you know, to kind of address what Jerry was bringing up: that would be a really good thing to have, you know, one or two working examples on a real project, so to speak.
A: Okay, in that particular case, I would also state that we do have a project that has been used in a lot of places. There's a group of demo projects, not owned by Static Analysis, where this kind of thing can be provided.

A: I believe that has opened up quite wide, in the spirit of everyone can contribute. If you have demos or POCs that have had to use this in the past that worked, I would encourage folks to improve that as a demo project there as well. We'll make a best effort to get something over there, but that's something everybody can work on; that would be my encouragement.
D: What we found really works well in documentation is the code snippet, like the part of the YAML file that's like an example: the Java example, the Python example. That part seemed to work well with the prospects and customers. They see the YAML sample portion, like the part where you expose the artifact, the JAR file. Even just in documentation, show an example like that.

E: Okay, so I also just linked to our compilation documentation there. There is a .gitlab-ci.yml snippet that shows how this works. That is based on the proof of concept in terms of developing this feature, which I can link to just below.
A: And I'm hearing a lot of questions around documentation, so we can take that out. We have 30 minutes and I'm seeing a few other questions, so I'd like to move on. Not that these are not important, but I'd like to make sure we're not taking up all the time for this. So I would very much appreciate any of the feedback everybody has within Slack or the document, or ideally an issue; that would be greatly appreciated.

A: All right, I see a lot of other questions from old Asia. Olivier's got some stuff in there.
F: His name is Yarn.
A: Yarn, thank you. I was about to say it very wrongly. So all right, a friend reached out today asking about a specific issue and the state of our plans to integrate Semgrep. Do we have an official answer for them? I am assuming it's friends rather than r2c, which is the company behind Semgrep. So this particular issue is a technical discovery issue. This is something that has not been executed. This has a number of questions that need to be answered before we can figure out if this is a direction we even want to take.

A: So there is a Semgrep-based analyzer that we have, that we are using, and it's NodeJsScan, and so that was reworked to use it. NodeJsScan went through a major revision to become a Semgrep analyzer, or a Semgrep scanner, and so we used that as an opportunity to upgrade that analyzer, and that ended up being more of a full rewrite, and it became a Semgrep-based analyzer. We liked it. We liked what we saw, and so that was one of the catalysts for that discovery issue, because Semgrep has quite a broad bit of coverage, and so what could we use?

A: What's the strategy? These are all open questions, and so from my point of view, the conclusion of this discovery issue is going to determine what we would do and when we might do it, and so that's all I can answer at this point unless others want to add on or have a different viewpoint.

A: And I can follow up with Yarn afterwards. Chester, you had some questions. Would you like to go ahead and speak to them?
G: Yes, so yeah, I've been working with a customer who's looking to understand how we basically design CI templates that other teams inherit and include into their pipeline. So what are some of the best practices around designing these CI templates that folks will end up using?

A: So in the issue you linked to, there were a few responses, particularly from, including, the engineering manager who's over Verify: Testing.

A: Was there additional input, or input that was missing from those responses, that you're looking for here?
G: Yes, I wanted to see how other teams kind of think through that question of, if I'm designing that, you know, especially from the security side, right. So a lot of development teams might have to include some jobs into their pipelines that have to be executed, maybe for compliance reasons or just for quality reasons.

A: All right, I think the best way we can answer that is going to be along the lines of: what considerations do we have when making the vendor templates? Would that be a suitable proxy to your question? Yeah, yeah, that can definitely work. All right, I'm going to defer that to some engineers that are here and see if they're willing to answer that particular one.
A: So the question that was phrased was along the lines of: what considerations do we have when we're designing templates that are going to work within a CI/CD runner? I mean, the primary way in which we integrate security scans is through vendor templates that are designed to work generically within CI/CD environments.

B: Yeah, it does. I'm just actually trying to think through it, because it's been a bit; in many ways I inherited much of it and I've made slight tweaks. So I think when we talk about design considerations, are we thinking towards, you know, works generically, works offline, it works...

B: It covers the 80 percent use case, I'd say. I think there was one other off the top of my head, I can't quite remember. Oh, works on GitLab.com versus, you know, self-hosted. I think those are the few that come off the top of my head right off the bat. Anyone?
E: Oh my goodness, mine, I know. Sorry, I missed the first half of that. Would you mind adding that to the doc as well? So a couple of things that I was thinking about. One of those is sticking with default stages, so we have predefined stages within our CI configurations, like test, and it gets really problematic when defining stages outside of the defaults, because then you can't simply drop in a vendor template and have it work with all configurations by default.

E: Localized configuration is a big point too. So if we use a variable like COMPILE across our SAST templates based on the pre-compilation stage, if you define that globally, you're very likely to run into a conflict when someone includes that template elsewhere, so it's best to stick with local variable definitions, like per job or per group of jobs. And the other thing we ran into recently is rule extendability.

E: So all of our SAST jobs, which is something like 12 within one template, rely on CI_COMMIT_BRANCH being present. So if someone wants to use merge request pipelines instead of branch pipelines, then they currently have to override that in about 12 places, which is unfortunate. So using something like base jobs to extend is really...
D: I just want to clarify, when you folks say a vendor template: in my case, it's mostly templates that the DevOps team built for the entire enterprise, so oftentimes there will be designated areas set up to set up those templates. Now all the project teams have to use them, or also have the ability to extend. So I don't know if that's different from what you're both talking about, like a vendor.

D: Just based on my experience, templates are very important because we impose the standard across the organization, and you need to support all the languages that all the teams are using, and also, I think from a best practice point of view, you need to have enough security control.

D: So now everybody can make changes to it, and there is the ability to audit through to see if they're compliant, so if they do make their own SAST scan, hypothetically.

D: I can't find any tools to help that kind of compliance audit, and also the process to make those templates and make them available to all application teams is all manual right now. It's not something you can map easily, so that's just something I've been working on for a long time. I'm working with Matt on group-level required pipeline, required job, that I'm hoping will be one of the capabilities that can push the SAST scan job out as a compliant job.

D: You must run... every application must run it, otherwise they can't go to production, hypothetically; I'm just using an example. So those are the challenges we have seen, but I don't know if you folks have heard much of those requirements in the past.
A: Yes, we have. There is a new group, so Container Security is a group that has been re-formed that has, as part of their feature category, feature set, exactly what you're asking about, and what you're asking for are group- or instance-level policy, policy enforcement and policy building. This is a group that is just now forming. They have it as a part of their features that they are just actively...

A: Not building, it's too early for that, but it is a part of it. They're formulating what their plans are as far as what the roadmap looks like for it, and that group will be... My understanding is that group is the one that's going to have the answers for that particular problem set, and I am going to give you a little bit more information here in the document with features.

A: The Secure stage, or Secure section, or Sec section strategy review session that was yesterday, that's the source that I'm pulling from that gives a little bit more information about some plans that we have around here that give more uniform controls over what's running, what the configuration of the mar is, and so forth. So it's all very high level, but I think it's speaking to the use case that you're asking about.
A: Understood, yeah. The security aspect of this is the part of the answer that I could redirect you on real quick. Anna, I see you had a question about infrastructure as code tools, which I think I've answered at this point. It's sitting in our backlog; it's not something that we've had a chance to investigate any further. So there's no updates that I can give you at this point. It's sitting there awaiting further demand.

A: We've got a few ideas and I think we'll look into it as soon as we can. It's just not something that's been prioritized yet.
H: In Terraform, so those are the two I have come across so far.

D: Sorry, enterprise asks for Terraform and Ansible as well.
H: Yep, and I mean we have one GitOps demo developed where they are leveraging tfsec and tflint as a separate tool to incorporate into the scanning. But if we offer it as part of our SAST offering, that will be great to give back to our customers.
I: So if it's ansible-lint or even the GitHub Super-Linter, it's relatively easy in a few lines of YAML to pull an image, install that tool, scan all the files in the repository and output that to an artifact, and I do think that's something that support could probably help with. I'm wondering if what they want is the same native support as our current SAST scanners, where you get the vulnerability reports in the user interface and you can expand it in the merge request and things, because I think a quick proof of concept for this demand would not take a long time, as long as there's an open source scanner or linter that could flag this stuff.
H: Right, so yeah, we do have a solution architect who developed a proof of concept involving it in part of the CI job, and they are showcasing it that way. But, as you mentioned, if you have it as part of UI management, then they can walk through those vulnerabilities and take actions on it. So it's good to have as a feature, I'll say.
A: Okay, the one thing I'll add to it is: there's a link to our documentation. We aim to work and play well with others, so there is documentation on third-party scanner integrations. So that is available as something that we're not officially building, but it is a way to bring that capability in if it's something that they need and there's an open source component that they can take advantage of as a part of our CI configurations.

A: This is something that could be repeatable if that's useful.
A: All right, we are four minutes over time, so I'm going to go ahead and pause the conversation there. Thank you everybody for your time and attention. We appreciate you, we appreciate your questions and your interest, so we'll keep these going as long as there is interest in the content. So thank you very much, we'll pause here and we'll be back at the same bat time, same bat channel next week. So have a great rest of your week, have a great weekend.