From YouTube: Secure::Static Analysis office hours for 2021.01.14
Description
No description was provided for this meeting.
B: Right, welcome to this edition of office hours from Static Analysis. So thank you, everybody, for taking the time to join us. As always, we'll follow the agenda, leading off with demos, and Lucas, I think this is yours, if you want to introduce it and talk about what all is in there.

A: Sure. So I just recorded this, like, an hour ago, which is a custom ruleset demo. So it's 13 minutes of setting up and using custom rulesets to disable rules for the ESLint scanner on a JavaScript project. This just uses the default Express project template. And yeah, it also includes a demo of ESLint's vulnerabilities that now report severity, which is all of them, so feel free to check that out.

A: I'm happy to answer any questions or anything after a watch. There's really too much in the agenda, so I can do it live if we wanted, but we can save that for the end, if so.
C: The only thing I would add to this is that we do have documentation in our SAST and Secret Detection pages about custom rulesets. I actually just gave a demo of this to a customer earlier this week, and I think we probably do need to put a few more examples and maybe a little bit more context about what scanners support what custom rulesets. So I'll look at getting an issue open for that.

A: I think that's actually a good segue, too, to what I added here, which is the technical support first point, in doing the demo there.

A: One of the things that became more apparent to me is that, with the current syntax, you need to identify a specific rule using the identifier name and value. So the identifier name, or the identifier type, would be like "ESLint security rule", and then the value would be "potential timing attack", and we don't really have a good way of surfacing those characteristics of the raw finding within our UI.
E: Yeah, absolutely. Hello, everyone. So yeah, I've been working with a customer who's using the SpotBugs analyzer, and interestingly, it's detecting four potential projects, and after it successfully scans the first one, it's actually failing with the message "signal killed".

E: I initially thought this was maybe, like, killer: it's running out of memory and the process is getting killed. It is running on the Kubernetes executor, by the way, so I had the customer up the amount of available memory to the build container to about seven gigs, and they added a command to just show the available memory, and we can see that seven gigs is available, but unfortunately it didn't really alleviate anything.

A: There's a lot of typing, so I think other people definitely can chime in here, but one of the common... it's probably out of memory. We actually have JAVA_OPTS set to default to 1900 megabytes within the analyzer, so that can be upped, and I'll link to that here. But...

E: Yeah, so they've upped that to... there's a lot of details, I kind of just glossed over it, but there's a lot of details in the Slack thread. But they've upped that to a little over six gigabytes and it didn't seem to help at all. They tried using the... so right now they're using the flag, the -Xmx flag, and then they also tried using one that set the max memory to a percentage value of 90, and that didn't help either.

E: Well, the repository itself is only a handful of megabytes, but I don't know how big the build objects are, specifically. So I mean, it is possible it's still running out of memory. We could definitely try upping that more if they have more available, yeah.
B: Okay, just to back up a little bit. I know you're focusing in on memory, but just to... I want to add, I want to make sure that I've got the assumption... my assumption questions answered. First, dude, since this is a multi-project repository, in CI, in the CI pipelines that they're trying to configure, so can they build it?

A: I just linked to another issue that has been open for about, well, eight months. Cool. That is also SpotBugs and also assuming a memory issue. So it doesn't look like we've had... we've been able to dig into this, but that looks definitely related.
F: Yeah, so basically, this is a very big enterprise customer for us, in Singapore, and they've just released an RFP for SAST, mainly a SAST tool. The required technical, functional requirements is not a long list, but it has some good features. Requirements are mainly around IDE support and CLI support, I mean outside GitLab. So I thought to ask the group here: if we have that kind of capabilities, and GitLab's SAST solution, can they be used outside GitLab?

F: I mean, instead, this customer, they have a GitLab deployment, but not necessarily... we are not sure yet if they will use this new SAST within the same GitLab instance, or just as an extended scanning tool.
C: So, to jump in here, we definitely do support these RFPs. So I'm happy to help and provide answers to these. I do encourage all to take a stab at answering them first, using our documentation. Most of these are just copying and pasting links to and from. With that said, on your two points about IDE and CLI support, this is something that we see requests for. It's come up with analysts in the past.

C: Ultimately, we have the thought that, with our shift-left approach of shifting security to developers, IDE support is potentially, an argument, a step too far, because you can't set up... I can't force a developer to run a certain IDE and extension. I can't configure it for them. I can't enforce settings for them.

C: I can't enforce workflows around that, which is why we put our focus and efforts on building our functionality within the CI/CD process, where we have complete control to do things like our merge request approvers; we can structure that standard experience, that UI. With that said, at the end of the day, all of our security functionality are just CI jobs. At the end of the day, so if one of our existing IDE plugins supports interacting with CI jobs, naturally it will work with Secure jobs.

C: So the example that I've got particularly is our VS Code integration. You can do quick actions with checking the status of pipelines quickly, jumping to a merge request, jumping to specific job outputs; that all works with our security jobs today. In terms of syntax highlighting, or a "spell checker", you'll hear it called, where, you know, we'll highlight a vulnerability in your IDE, that's not something that we support today.

C: Again, all of that happens within our cloud CI/CD runners. With that said, if they're running GitLab locally, or they can shell into their GitLab instance, certainly they could interact with runners in the CLI for that, but it's, again, not a core use case that we're focused on today. Cool.
B: I do not see them in participants, so I'll go ahead and read. So: "Just saw infrastructure as code demo from Greg last week; reminded me of an ex-colleague of mine who published an open source project around this," and there's a link available to it. "Might this be... might it be worth looking into?"

B: I'm going to say thanks for sharing. So knowledge is good, options are good. These are the... it's worth it. It helps us know that these are out here and they're options available to us.

B: I will say that we have not looked further into infrastructure as code, though that has been a... that is becoming a recurring theme, as for extending what SAST can do. So this is... so it's interesting that this keeps coming up, at least to me. So, well, I think what we... I'm pretty sure there's an issue for this as far as expanding IaC, infrastructure as code type scanning, and this is something that's certainly worth adding to that. And I will pause there for other perspectives to come forward.
C: I'm happy to have a conversation about that, if you're interested to dig more into it. This is one where, at the end of the day, our integration docs are open in public. You can go build your own GitLab integration with any analyzer using our commons library.

C: We have some examples that some folks on the call have built out, so always welcome that. I'm also happy, if we've got connections to this company, to have a conversation with them. So yeah, we're always interested in seeing what else other people are doing, especially if it's open.
G: Pick up the example I had to do for a customer. So they... it's a TypeScript type of project. So a lot of our analyzers fail back then, because we have this "no match" error. You can see "no match" because we say we have those languages initially when we detect it; when we actually go to analyze, we can't find a file with the suffix, so a lot of those analyzers throw this "no match" error. But with that issue closed, I assume I don't need to suppress those analyzers anymore.
A: I don't think that that error will go away entirely for the foreseeable future, just because there is always going to be a discrepancy between how specific we can get using the rules CI syntax, and our analyzers have stricter requirements. So one of those cases is Brakeman.

A: Brakeman is a Rails, not a Ruby, analyzer, and as such, it needs to check if the Gemfile contains a specific reference to Rails. So we can't really check the contents of a file using the rules syntax, so there will always be a risk of that. I think the biggest... other than SAST_EXCLUDED_ANALYZERS, which will help out with this, the other big improvement I would mention here is improving the extendability of the rules themselves, so customers can set the rules to whatever they would be looking for.

A: So are those actually false positives, or does SEARCH_MAX_DEPTH make them work?
G
One
of
them
yes,
but
not
for
this
one,
this
one,
I
think
it's
the
first
positive,
the
one,
the
mana
repo
one.
I
was
telling
you
it's
like
a
4050
projects,
we're
migrating
them.
They
sign
up
for
gold,
so
we're
migrating
them.
But
still
I
don't
know
how
we
can
migrate
those
old
projects,
they
have
a
lot
of
legacy
projects
and
how
do
we
break
the
their
model
ripple
into
individual
projects,
so
the
workaround
for
now,
once
they
go
start
implementing
and
they
might
stick
to
what
I
did,
but
we
will
see.
B
B
I
I
my
memory
matches
lucas's
and
that
is
ten
thousand
comparisons
and
notice
that
I
didn't
say
ten
thousand
files,
so
within
a
within
a
given
rule
or
job
the
rule,
we're
using
to
define
a
job
if
we're
looking
for
multiple
things
like
if
we're
looking
for
a
com,
if
a
if
a
if
a
job
description
is
looking
for
typescript
and
javascript
and
jsx
files
and
so
forth,
then
that
effectively
becomes
three
comparisons
per
file
that
we're
looking
for
and
so
that
eats
that
quickly
eats
into
the
maximum
number
of
files
that
a
repository
can
have
before
everything
starts
defaulting
to
true.
B
So
it's
this
is
a.
This
is
a
nuance
to
be
aware
of,
and
is
a
limitation
where
we
will
match
more
aggressively
than
may
be
the
case,
then.
Maybe
then,
then
maybe
then
we
might
have
might
be
in
other
circumstances.
G: Because there's so many analyzers failed, right? The screenshot, you can see, they were like, "oh, SAST scan failed." They just have that impression. So when I go comment out, it didn't do any harm to them. It's just visual. They know, "oh, everything's working, everything's green," but we might accidentally escape some file types.

G: And I just told them, for this customer, I said I just fixed it. It's just going to run against the language you use, because I analyzed their repo. But for the other customer, monorepo, I kind of, at that time, I think in discussion, we knew we were not supporting the... well, and also the number of files easily... their repository source code files, more than thousands; the match is usually more than ten thousand, that I understand. So that I commented out. They didn't complain either, because it's just too noisy for them.

G: So then, and then the SAST worked for them, because we surfaced some of the vulnerabilities to them, mostly lint. We cannot scan C# and, what you call it, the, you know, the older Microsoft platform, and also we cannot do javasci. So, and that, they accept our SAST to them. Our SAST is partially working, but in just saying everything red to them, nothing was working back then.

G: So it's compounded. It's multiple issues together made the experience not very favorable, but, you know, we correct everything else, but they have other challenges: they couldn't build. I got them to build in JavaScript; they couldn't... they couldn't get, yeah, they couldn't get a Java 7 build; that got them to building, and then they couldn't build the older Windows; that got them to building. JavaScript was... what's a... PowerShell, sorry. So, so to them, that is a hurricane victory, so, you know, give the SAST, clean it up a little bit, they really liked it.

G: They tried to replace vertical. That was the case, and then, so we did, and in the end we're looking to implement, start implementing, February. We're just ramping them up right now.
B: All right, thank you. I do want to hype one thing that Taylor has put in the agenda, in that there's a deprecation coming, and this will be part of removals for 14.0, and this is a change in one of the very configuration variables we have, from SAST_DEFAULT_ANALYZERS to SAST_EXCLUDED_ANALYZERS.

B: We like this a lot, because SAST_DEFAULT_ANALYZERS locks customers into a specific set of jobs that they can run until they remove or amend that particular setting. So if we are to deprecate, remove, or add new analyzers, they're locked into a particular set of jobs. This shift to excluded analyzers effectively is a way of, instead of declaring what you want on, it allows customers to declare what they want off, and that's an important shift, because it'll allow us some flexibility moving forward.

B: This is a good change, and so we're looking forward to having this one in. So it's not in yet; we're working on it, but this is a good one. So, but then this should help in this scenario, if it's indeed the perception problem: they just want to turn stuff off. All right, I am seeing we're at time, so I'm going to call it a conversation right there. So thank you, everybody, for your time and attention.