From YouTube: Secure:Static Analysis office hours for 2021.02.11
A
All right, happy Thursday, everyone. If you intended to come to office hours for Static Analysis, you have found yourself in the right place. So we'll go through like we always do, starting with demos, and Ross has got it from the start. So the floor is yours, sir.
B
All right, yeah, so the Brakeman tool that we use just recently updated so that it now scans just about any Ruby file.

B
So we have updated our Brakeman analyzer and detection rules so that that is now supported, so any project with Ruby files should run automatically. And so I guess I'll go through the demo and then we can talk about questions and such. So here is our SAST template that is running on gitlab.com, and it will go out with the next release of self-managed, and this is the pertinent update: now we're just looking for any Ruby file or a Gemfile?

B
Gemfile is the most common way that people write Ruby projects, but you can write a Ruby project without any Gemfile, so this gives us a little bit of extra coverage with the checking for .rb.

B
So here, and this isn't going to be a live demo, this is just something that already happened, and Greg kind of inspired this one, actually. So this is GitLab Shell; it's mostly, you know, a Go project, but it does have some Ruby.

B
So as of a week ago, before the new Brakeman changes rolled out, Brakeman was not running. So it's running gosec and some secret detection jobs, but not Brakeman.

B
So, and then, you know, drum roll. Here's the... we're gonna switch to the pipeline from today, and Brakeman is running. They didn't have to do anything. Nobody did anything, except we deployed changes to production and this automatically happened. So, a little bit... I mean, I guess it's good, but it's also anticlimactic in that there were no vulnerabilities found. So that's a good thing for GitLab Shell, but nothing to see in the report.

B
So we can hop over to questions, and I can stop sharing my screen. So, Greg.
C
I guess I do have one question. So this is... it's a Gemfile, and it was Ruby. Is the other, like... okay. So we have this utility in GitLab Support called gitlab-sos, and it basically grabs a bunch of logs and runs commands like disk free and free -m and stuff to get system information.

C
But it's written in Ruby. It's just a single static Ruby file. Would that be something that Brakeman in its new iteration would work on?
B
It does not claim to be a Ruby scanner, because many of its rules are still focused on Rails, whether it's targeting specific versions of Rails it finds in your Gemfile and says, hey, you're on Rails 3.2, you need to upgrade to 3.2.13 or whatever, and then there's some more generic Rails-y, you know, model-view-controller type things, which isn't going to apply to you. But then there are things like, if you're trying to run a system command with parameters passed in, it'll flag that. So when you said you're running disk free or something, if you're doing that, it might say, hey, this is unsafe. Are you sure you want to do that? That kind of thing. So, but yeah, I mean, as long as it's a .rb file it should run.
B
Excellent, and so you asked about other things, and that's what got me looking at GitLab Shell, which is like, oh, it's already running, I don't have to find... make something up to demo, which is great. I did look at Gitaly, and, you know, I have a comment here about it: it had SAST_DEFAULT_ANALYZERS set to gosec, so in theory removing that variable would make Brakeman run. In practice, that did not work.

B
But that's not answering their questions. I think that's it.
C
Okay, yeah, all right. Well, it's a customer. They work a lot with Java and they recently upgraded to Ultimate, and they're having some friction with SAST scanning. I've identified a lot of their problems in, like, the first round. It's like, okay, this is Docker-in-Docker, and we're spending time troubleshooting that and saying, let's upgrade. They've agreed to upgrade, but they're currently on 12.10, and they have this... I guess it's called a feedback session now. I thought it was like office hours, but I will be there representing Support, trying to see if there's anything from the technical side or support side that we could do to, like, basically get SAST working how they want it to, or working with less configuring, specifically SpotBugs. And I just thought, if anybody wanted to have an invite to that, I could send that out. I don't know, I think I could share the agenda as well, but really it seems that the purpose of the meeting is more feedback sharing, and I do see that we have Sam White and Taylor as well as Matt there. So I don't know that we need any additional representation, but you might see some questions from me about SpotBugs following that meeting, or if you want to join and see if you could add anything, ping me and I'll send you an invite.

C
Yeah, and it seems like the folks we're meeting with tomorrow are kind of like the upper management, like they're stakeholders, but they're not particularly admins or, like, messing with the code themselves. So I think just listening in and being there will be perfect. So thank you.
E
Yeah, so Felipe said to throw this on if he's not able to make it today, but this one's just... he ran into an issue with gosec and asked about it, so I've added some notes of what's going on here. I'll just quickly screen share to make this more clear.

E
Okay, cool, here we are. So here is a job log failing for gosec. It looks like, in some cases, gosec says "fetching dependencies", exits, and no feedback is provided.

E
This is... I wouldn't say common-ish, but it does happen occasionally with our analyzers, because we require debug logging to be turned on to return certain error cases. So this is just kind of an annoying aspect.

E
This is just kind of like an awkward piece of code that we need to work on more globally here, which is: if you get an error, we should output the errors without requiring people to turn on debug logging. So that's really what we need to improve here, because this should never happen. Aside from that, the actual core issue came up; it doesn't appear that this is reproducible.

E
I tried re-running it and did not see this. So I'm going to guess it's just a random failure with fetching dependencies from proxy.golang.org.

E
So we should improve the logging there, and probably have to do an audit across our analyzers to see if they have similar logging behaviors. But beyond that, it looks like there was a brief issue with Go dependencies sometime yesterday, when this ran.

F
For what it's worth, Lucas, just so you know, I think Fabio created an issue for that logging, where, if it's an error, we output it at, like, warn or even error, you know, a higher logging level, and I think he just extracted that into, I think, one of their packages.
C
This is just an idea I had in the shower this morning, so: browser extensions.

C
One thing that's kind of cool about them is that, like, most of them have an open source license and you can review the code. They're written in JavaScript, and I've scanned at least one or two before with the SAST scanner in the past, and I was thinking what, like, an initiative or project, or, I don't know, something I'd consider fun, might be: to check for vulnerabilities in browser extensions using our SAST features. And I thought of two potential use cases.

C
One is, like, our internal security and compliance team. It's always been kind of a gray area about browser extensions: what's okay to install on your work machine and what's not okay. And I'm sure there's people out there who have extensions installed where the first thing it says is, can it, like, view and edit everything you see in your browser window, and they just click OK. And maybe supply chain, or just, like, for trust reasons, that might not be super safe.

C
They either use an API key to show you something extra or they have changed the user interface in some way. These do generally require, like, pretty big permissions, like to edit what you do on gitlab.com. Maybe we could have mirrors or something where we run SAST scans on these browser extensions associated with GitLab.

C
If we find something, potentially contribute upstream, and it'd be kind of brownie points, saying, like, hey, noticed you're on another Git provider, GitLab has some really cool SAST scanning, and, like, I don't know, good promotion or something for what you all do.
D
I'll just throw out my two cents. I've had to do quite a bit of work with the browser in the past, specifically around hooking browser extensions and what have you, and it was a never-ending cat-and-mouse chase, and it was probably one of the worst experiences I ever had as a developer. So, while I'm no longer in that position, if it's something that we want to take on and we feel will have value, I can get behind it.

D
However, I've got, I guess, some very mixed emotions about the proposal.

A
Yeah, I don't know where... yeah, I struggle with where we would find time. I think it's an interesting idea.
F
You know, extensions, I think if there was more on that focus, then, ideally, maybe even things could get automated at some point, where, you know, it's just a service for providing the community and also making our employees more safe. So I like the idea, but in terms of taking on fixing the vulnerabilities, yeah, it doesn't sound...

D
So, me, so I... and like I said, the browser extension is one of these things that I want to get behind. I just... maybe I have my own baggage around it that's preventing me from doing it, but I would still question it, Daniel. Don't you believe that we would still be in that same sort of never-ending chasing aspect of it, where the code changes so significantly that we would have to change the way we're even trying to evaluate the code?
F
Yeah, that's an interesting thought. I mean, if we're looking at it as mostly just that it's JavaScript, and we can scan JavaScript as a static, you know, application, so just take a pure SAST approach, I don't see why the shift in the, you know, architecture or, you know, vast refactors, which are common in JavaScript... I don't see that causing us issues where we'd have work generated, as much as they might catch bugs sooner. I could be wrong, maybe I'm misunderstanding the proposal, but I'm...

F
One other aspect there, though, is if they did do a big refactor or something changed significantly, and it did cause issues with our tools, you know, then we get insight into that sooner. So it would still be... it would probably be meaningful work, not just work given away, so to speak. But I mean, yeah, Greg, are you speaking to the fact that they're written in JavaScript and we can scan JavaScript, and it's mostly just a JavaScript scan, or is there something deeper with the extension aspect?
C
No, I was thinking... well, it seems like it would really be ESLint. So, yeah, I mean, we could do pretty much...

C
I was thinking, do a slimmed-down JavaScript scan, and now I'm trying to think of what a just fun proof of concept might be. And so, if ESLint can do, like, multi-level, if it can find multiple projects, I'm wondering if I should just download all of the GitLab extension source code, put it all in one monorepo, and then just run ESLint on it and see what happens. But yeah, the...

F
Other thing I was just gonna say: one other approach that you can try out is doing a GitLab mirror and then enabling, you know, SAST on that, and then it automatically updates and you can see vulnerabilities over time, etc.
C
I'm starting to question my initial idea about an allow or deny list for browser extensions that would actually pass by the compliance team, because I know there's the whole trust element, and, if you're doing zero trust, then you can't be trusting a hundred different browser extension owners and following up on who is the maintainer of the projects and things. Maybe just a fun thing. I'll do a proof of concept and report back next week what I find out.

A
I was going to say, that's not a static analysis function, so anyway. Anyways, thanks, everybody. We'll see you here next week, same bat-time, same bat-channel, and have a good rest of your week and weekend. See ya.
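Added after the transcript as an illustration, not part of the meeting and not GitLab's or Brakeman's own code: the pattern B describes Brakeman flagging in a plain .rb file (a shell command assembled from a caller-supplied parameter, as a log-collection script running disk free or free -m might do), beside the argv form that never hands the input to a shell. The command (echo), the injected input and the helper names are constructed for the demo.

```ruby
require 'open3'

# Constructed attacker-controlled value for the demo: it looks like a
# mount point, but carries a second shell command after the ';'.
INJECTED_INPUT = '/tmp; echo INJECTED'.freeze

# UNSAFE: a single string is handed to /bin/sh, which parses the ';' and
# runs the second command. This is the shape Brakeman's command-injection
# check reports: a variable interpolated into the command string passed to
# system, backticks, exec or the Open3 helpers.
def run_unsafe(cmd_template, input)
  out, _status = Open3.capture2("#{cmd_template} #{input}")
  out
end

# SAFE: argv array. With more than one argument Ruby execs the program
# directly and `input` arrives as one literal argument; no shell sees it.
def run_safe(argv, input)
  out, _status = Open3.capture2(*argv, input)
  out
end

# Belt and braces for a collector that only ever needs mount points: reject
# anything that does not look like an absolute path before it reaches argv.
def validate_mount_point(path)
  unless path.match?(%r{\A/[\w./-]*\z})
    raise ArgumentError, "mount point must be an absolute path: #{path.inspect}"
  end
  path
end

if __FILE__ == $PROGRAM_NAME
  puts run_unsafe('echo', INJECTED_INPUT)   # the injected command runs: two lines
  puts run_safe(['echo'], INJECTED_INPUT)   # one line, the input echoed verbatim
end
```

Run with `ruby` on any POSIX host; the unsafe call prints "/tmp" and then "INJECTED" because /bin/sh executed the injected second command, while the safe call prints the input as a single argument. Replacing `'echo'` with `'df'` plus `'-h'` in the argv array is the fix a Brakeman "Command Injection" finding on such a script is asking for.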