From YouTube: Secure::Static Analysis office hours for 2021.01.07.
Description
No description was provided for this meeting.
C: All right, I think I'm going to declare a quorum and we'll go ahead and get started. So everybody, happy new year. We're here talking Static Analysis office hours. It is January 7th, and we'll go ahead and get into the agenda. Greg, you're bringing us a demo; the floor is yours, sir.
D: All right, yeah. So I think it was the last Static Application Security office hours we went through, or Sherry was there, and we actually discussed infrastructure-as-code scanners. So I did a quick little proof of concept with different code scanners, or infrastructure-as-code scanners, and I'll just go through where I'm at with that. It's been kind of a fun exercise. So, ansible-lint.
D: Okay, there, is that better? This is just showing the job results here. So cfn scan, or cfn-nag, and this is checkov. We have all of the code and things off this one. I don't know why it broke; it was working. I'll figure that out, but that one's GPLv3 anyway, so we're probably not going to integrate that into our product. And then this one I did just to prove the concept of saving the output as a JSON artifact.
D: So at this stage I did not dive too deep into exposing it through the user interface or actually using... I know there's a template for new scanners.
D: This is basically just a proof of concept to show that, with a few lines in a CI file, we can essentially run these CI scanners, infrastructure-as-code analysis, or scanners, to do linting output or security output. Just showing that it can be done, basically. And I did go through some of them; I started going through them and looking for licenses that would be compatible with our product, specifically MIT and Apache 2 ones there.
B: Yeah, so I'll jump in here. This is great exploratory work. I think we're going to see a lot of interest and growth in the IaC area. It's a key capability for Gartner, which we've got a bit of, a very small amount of, today. I think this is definitely something that we'll want to grow in 2021. So I think this is a really great investigation for us, and it's really just a question of looking at these tools.
B: I think I'll want to get Sam White's thoughts on which of these he'd want to prioritize, and just kind of slate it into our new analyzer workflow, to find time to get this added to our list of supported languages. So yeah, I mean, great work. I think it's excellent, and I think it's definitely going to be an area where we'll see growth this year.
F: So I have... now they're looking at the Gold, so tomorrow we'll have a call, so I suspect the conversation will come up. That's why I want to take a look quickly at your proof of concept, and if anything, you know, that they're looking for, I can at least know, you know, we're thinking about it. I did send the example to them a long time ago, after talking to you folks; I think it was a super mentor back.
F: Then there was an example I provided, so I can also find out where they are with that and get some feedback as well.
C: All right, thanks, Craig. You bet, that was fun over the holidays. All right, I see Dominic's got a comment but can't turn on his microphone, noting about some grub having scanning rules as well, with the link that's available there. We want to get more information about that. We'll go ahead and move on to tech support. Greg, you've got the next couple, go for it, so you...
D: Love these office hours. So first, JAVA_HOME is not set, or it seems like it's not set for some customers in the spotbugs 2 image, the latest Docker image, and I'm wondering if there's a workaround to have a default JAVA_HOME.
D: It has come up in two tickets, and it really seems like a build issue more than... like, if they could build the project and do the pre-compilation, then everything would be just fine, but they are often using before_scripts, trying to build, or trying to build with the spotbugs 2 image, and its not having JAVA_HOME is throwing some errors.
E: Yeah, so I'll just vocalize my comments then here. So spotbugs is complicated. Part of its nature is that it can build a large variety of projects, so that's Gradle build, Maven build, Ant, whatever, and basically what that means is it moves the complexity of the project compilation further into the analyzer itself. So once the analyzer fires up, it checks the environment variables, it checks the project state, and determines how to build that project. So because of that, further into the actual analyze step it sets...
E: It checks what Java version it might be and sets the JAVA_HOME. Because of that, when you fire up the initial container, JAVA_HOME is not set. So we could set a default one, but that won't really work unless the customer is using our default, because it's a build path that has, like, the version in it.
E: It will say JAVA_HOME defaults to eight, so copy CA certs into the Java 8 path, and then later determine that it's Java 11, and it won't work. There's really two ways we can fix that. One is to move the... so the specific issue that you linked, it looks like that is failing because we are assuming JAVA_HOME is set at startup to copy any custom certs into the appropriate path.
E: So basically, either move a lot more into the initial set of scripts, or move the CA cert further into the analyzer itself. Both have trade-offs, but yeah, that looks like a bug that we should fix. I'm not sure the solution will be that JAVA_HOME is set, but it will solve the issue for this specific user.
D: Yeah, yeah. And now that I look at it, I think it's actually two different issues. And one, I think you're... thank you for the great rundown, that makes a lot of sense. The other user, which I linked in the comments, I guess, tell me if this sounds right: the fact that they're trying to do their build stage in a before_script with that spotbugs-sast 2 is what's really blocking them. It's not the same issue as what we see here with the certs.
D: It's just that it's not set by default, and the before_script just pulls it and starts running stuff, instead of having the actual, the regular script that spotbugs-sast would do.
E: And I'm trying to pull that ticket now. I don't know which version they were using, so whether or not that specific fix would solve that problem is TBD, but...
D: Yep, that sounds good. I think we can move on, and if you do want to dive into that ticket we can hop on that together, but it does seem like just the build step itself is problematic, not anything in particular with GitLab.
E: Yeah, and I think so. The code snippet that I left here, let me actually change these to numbers so it's easier to track them. Here, the one I'm selected on: we do have a method within to switch to a specific Java version. So maybe we should document that specific method in a before_script call, which should define it.
E: So there is at least an expected way by which you set your Java version and subsequently set the JAVA_HOME, but there's definitely a couple of bugs here and a couple of things that we should document better, how to use. So yeah, I'll try and write up at least the points that I'm seeing here and we can follow up.
D: Yeah, I will keep this ball going. So I'm planning a SAST deep dive for support, which is basically just a training session. I come up with some training materials, put together a live video that's recorded, where we dive deep into static application security testing features.
D: The problem is in the customizations, and if we can get customers to try a job with the defaults and they see the output runs, like, if the scanner runs, it produces usable output on a different project than the one they're trying, then that helps move support tickets along. Like, it's not SAST that's broken, it's something with this specific project. And so I was wondering... I know we had, like, a demo project in the past. Before, I cloned it and I've been just kind of making modifications to that, but for future collaboration, or ideas on how to go about doing this, where support and the SAST team can work together, I'd love to hear them.
B: So this is a little different than what my comments originally were about from a troubleshooting perspective. I think this is an area where we absolutely could have better troubleshooting docs, and I say that for SAST, but I think it's true for all of our security scanners: what is the list of things to do, and in what order, to try to troubleshoot something.
A: I know from my experience, I was recently working with a customer, and Taylor, I think you were on this Slack thread, but they had a bunch of class files that they wanted scanned, but they came from other source code projects and they only wanted to do one SAST job. So we needed the analyzer...
A: The static analysis... the build process was across other locations, and then the scanning process, they wanted to manually execute the spotbugs command, and then they wanted the analyzer to then just convert the XML output from spotbugs into the proper GitLab JSON format. Our documentation, and I plan on doing a follow-up, but our documentation didn't specify that, like, the analyzer is expecting the XML output. That's not really clear anywhere; it's kind of hidden behind the scenes.
A: But it would be helpful to, just to kind of provide some clarity as to what's going on behind the scenes when the analyzer...
D: All right, so this question came up in a merge request I made, which was just a docs-only merge request, where people, basically anybody who's not on Ultimate or Gold, was not getting downloadable artifacts for one of their jobs. I think there might be more than one, if the output in the user interface was not particularly...
D: Oh yeah, you can see in the screenshots in that issue. It says that it created the report, but you don't actually see the results for phpcs-security-audit, and technical writer Russell brought up: should this be standard in the SAST template, that if you are not on Ultimate or Gold you get these downloadable results?
A: Yeah, so the report ingestion mechanism is actually taking the JSON output and loading it into the database. So even if the artifact gets expired, you won't have any problems there. Anything on the default branch nowadays, the most recent pipeline's artifacts remain indefinitely until a newer pipeline comes about. I think that was just, like, maybe 13.5 or 13.6.
A: All right, good to know. So right now all the security reports just include, like, the artifacts reports, and then the name of the report, and then the path to the report. We would just include artifacts paths and then the path to the report as well, and then I would let users specify their own expiration if they don't like how long they're persisting.
F: And now I'm dominating the conversation. Thank you, Taylor, for the sample example, the sample project, yeah, for secret detection. My question is, yeah, so great, you expect the problem for a no-match error when somehow we detect the language, but the language file is not there. Super, that's wonderful. But I did find myself from time to time updating the SAST variable to remove some analyzers, because, you know, I come across a lot of customer TypeScript projects.
F: Yeah, okay, cool, excellent. Yeah, so I end up doing it for two customers. Luckily, one we actually closed in December, so we're looking at implementing them for all the application security scans, replace vertical. Another one, yeah, I did it for, kind of, two parts, three prospects, so one's closed, two still pending, so we'll see.
F: I do have a question. There is another issue about unknown... unknown, yeah. The cap... the type is unknown for a lot of the eslint type of issues discovered. I don't have the number, the issue number, handy.
F: Do you folks... yeah, Lucas, do you know where we are with that issue, or Thomas? I can look it up afterwards. I do have a customer waiting on that. Like, our eslint and a bunch of scanners just output tons of vulnerabilities as unknown, and our customers look at them and say that actually the severity should be high, some even critical.
E: Yeah, yeah, yeah. So there's an epic for this, and let me just find the link to that, yeah.
F: Taylor sent it to me before I even commented, but I just have you focus on the car. I just want to find out quickly where we are.
E: Yeah, so we don't currently have that scheduled. I have some work in progress on attaching severities to eslint, and so below as well, but haven't really had time to prioritize that. I'm hoping to get to that within this release, or at least start merging that in. Okay, but yeah, the epic is the best thing to follow. We don't really have the breakdown needed to work on it, unfortunately.
C: I'll go ahead and ask my question, and I'm going to make you go back to the example you gave. There's, like, customer requests that we don't scan TypeScript files or something. That was the one, like, they didn't know what they had, and they were surprised, and they didn't want it scanned. Typical project organization that I've seen when that occurs is that files of a particular type are in a specific directory, so why wouldn't excluded dirs work for that use case?
F: I detect four or five of them, and I ask them, and they say, oh, we're not aware of those, and then I had to scan through their source code to look for them, and sometimes I don't find them. So I just went ahead and commented out the analyzer. I would pick up the more details and actually send you a summary of what that project looked like.
C: I think we made it through the entirety of the agenda and we're right at time, so I think we're going to stop there. So thank you, everybody, for your time and attention. Thank you for coming. We appreciate all your questions, even from people not named Greg. So anyway, I hope everybody has a great rest of your week and we'll talk to you next week. See you.
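Editor's added example, not part of the meeting transcript and not GitLab's own template code: a single `.gitlab-ci.yml` that ties together the two configuration points discussed above. The first part runs two of the infrastructure-as-code scanners mentioned in the demo (checkov and cfn-nag) as ordinary CI jobs and keeps their JSON output as downloadable artifacts; the second part overrides the `spotbugs-sast` job from the SAST template so its report is also exposed as a plain `paths` artifact with a caller-chosen `expire_in`, which is the approach described for tiers that do not get the security dashboard. Assumptions: the container image names and `latest` tags, the report file names, and the `|| true` policy (keep the report even when the scanner exits non-zero) are choices made for this example; `SAST_JAVA_VERSION` is the documented variable for selecting the Java version the spotbugs analyzer builds with, used here in place of the unnamed "method" mentioned in the meeting.

```yaml
include:
  - template: Security/SAST.gitlab-ci.yml

stages:
  - test

# IaC scanners run as plain CI jobs. Image names/tags are assumptions for
# this example; pin them to a digest before relying on them in production.
checkov:
  stage: test
  image:
    name: bridgecrew/checkov:latest
    entrypoint: [""]          # image entrypoint is checkov itself; we call it explicitly
  script:
    # checkov exits non-zero when any check fails; capture the report first
    # and treat "fail the pipeline on findings" as a separate policy decision.
    - checkov -d . -o json > checkov-report.json || true
  artifacts:
    when: always              # upload the report even if the job is marked failed
    paths:
      - checkov-report.json
    expire_in: 1 week

cfn_nag:
  stage: test
  image:
    name: stelligent/cfn_nag:latest
    entrypoint: [""]
  script:
    - cfn_nag_scan --input-path . --output-format json > cfn-nag-report.json || true
  artifacts:
    when: always
    paths:
      - cfn-nag-report.json
    expire_in: 1 week

# Override the template's spotbugs job. `artifacts` is replaced as a whole
# when overridden, so `reports: sast:` must be repeated here or the report
# stops being ingested; `paths:` makes the same file a downloadable artifact
# on any tier, and `expire_in` lets the project choose its own retention.
spotbugs-sast:
  variables:
    SAST_JAVA_VERSION: "11"   # pin the JDK the analyzer builds with (8 or 11)
  artifacts:
    reports:
      sast: gl-sast-report.json
    paths:
      - gl-sast-report.json
    expire_in: 30 days
```

Note the trade-off the `|| true` introduces: the IaC jobs will never fail the pipeline on findings, so anyone adopting this pattern should add an explicit gate (for example, a later job that parses the JSON and fails on high-severity results) rather than relying on the scanner's exit code.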