Description
Weekly meeting of the Identifying Security Threats working group. Our GitHub page is located at https://github.com/ossf/wg-identifying-security-threats and from there you can find meeting minutes and other information.
B: Welcome everybody to the January 5th, the first inaugural working group meeting of 2022. Welcome, welcome everyone. I'm Michael. Everyone had a nice new year and a little bit of time off and holidays and all that. So first, let's do any new friends who would like to introduce themselves, if you haven't participated in this working group before.

B: Okay, so Log4j obviously is, is a hot topic. I want to just have a little bit of discussion on it. David, do you want to kind of lead this discussion? Yeah.

A: I mean, you know, I don't want to make this a long Log4j meeting, but I think it's relevant to talk about this, and in particular much more on the "hey, how could this have been found much sooner?", because of course, you know, if Log4j had been released and one day later, or even better a day before, the problem had been found and fixed, that would have been a whole lot better.

A: So basically I tried to, and I thought about this, and I thought of four ways in particular that this could have been found. Well, number one, frankly, training and education. I've just put into our meeting notes the specific text from our course, and the section in the course that talks about not letting untrusted users control output formats, because that's typically a bad idea.

A: I mean, the execution's the worst, but frankly the whole idea that an attacker can cause data to be reinterpreted in any way is dangerous, and that just shouldn't be. Next, security audits. I hear there's this project Alpha thing that some people are interested in. I mean, I think this is definitely a case where it's always hard to guarantee an audit will find something, but I think this is the kind of thing an audit would be pretty likely to find.

A: If you have somebody who knows what they're doing spending real time, actual time, on this. I think fuzzing is plausible. You know, there is the issue of, hey, would fuzzing have even gotten to cover that area, and would you notice that it downloaded random code? But I think that's a decent chance.

A: It's a little less likely, but negative testing is possible. Now, it's not that they didn't have testing. They had nearly 8,000 functional tests, but they were primarily functional. What they clearly lacked was negative testing. In other words, these are the things that shouldn't work.

B: Yes, so I wonder if the distinction between... so the idea of the message lookup by itself, now, you know... No, sorry, I take it all back, because they implemented things like lookup from an environment variable, right. So while I can, I think there's some blame on Java at the time, to be so interesting, well, trusting, but also, like, it's just the whole way that JNDI is. Like, thousands of people first learned about JNDI in the past month.

B: You know, after spending years and years working with Java. So I don't know that, like, I think there were probably some runtime features in the pluggability and the defaults that were probably also kind of root causes of this, where if the only thing that you could do is look up variables, it would be an information disclosure issue. Now, maybe those variables are sensitive, but the whole way that you can jump from...

B: You know, a log message to loading a class and executing it. Obviously it was a Log4j issue, but I think Java shares some of the blame in this, yeah.

A: Or at least Java's JNDI, or, you know, Java or Java JNDI, I'm not sure where, you know, because indeed, although it's JNDI specifically, there are actually a number of cases where Java is delighted to download and run arbitrary code, and you go "really? You think that's a good idea? Why?" Yep, yep.

B: I think the other thing that Log4j showed is that a lot of people were like "sweet, I'm still on Java, I'm still on Log4j 1, so I'm not affected", which is kind of like, well, okay, but, like, you know, 1.x has been deprecated since 2015.

B: Yeah, including RCE. I mean, the RCE is a little bit, like, slightly contra... It's not, you know, it's not like a Log4j 2 vulnerability, but it's... but yeah, I mean, and so a lot of this was packages, you know, so somewhere in the transitive graph 1.x showed up in a lot of cases.

B: So no, it's hard, it's a hard one, but I do think Log4j is particularly interesting in the context of Alpha, because it's like, I don't even want to say it's a normal vulnerability. It's a normal vulnerable feature, as Luigi said, like, you know, it's working as designed. It was a bad idea, but it was working as designed. You know, it wasn't a nation-state actor, it wasn't an APT thing. It wasn't some super esoteric kernel bug. It wasn't like any of the other, like...

A: Vulnerability, like, yeah, this is just... it's a mistake. It's an unintentional mistake. It just happened to be extremely awful, and of course, indeed, "but for the grace of God go I" kind of thing. Any developer can make a mistake, but mistakes happen, and they shouldn't normally be this costly.

B: Cool. Any other thoughts from the crowd before we close the Log4j topic?

C: No, but it is interesting, because I mean probably with using fuzzing we were not able to identify this particular bug, but there is a fuzzer for Java I found after the Log4j incident, and it is interesting because it's part of the Google OSS-Fuzz open source project, and probably making fuzzing easier for developers by integrating it in the CI can help to identify some bugs, not every vulnerability, not every bug, but it can help to identify similar issues.

C: Not this one in particular, because it was probably a bad feature, but other bad input can be found.

A: Yeah, in this particular case, I mean, Google's been funding OSS-Fuzz and trying to make it really easy to get it into CI pipelines of open source software projects. It's not entirely clear what the probability of fuzzing detecting this specific kind of problem is. I mean, that doesn't mean that fuzzing is bad. It's just there's a problem. I...

C: This feature, probably fuzzing was not enough, but in general, maybe other similar bugs where there is a user input that is not checked properly. Maybe you have added some check, you may have added some sanitizers, but they are not enough or badly written. Similar fuzzing can help you, and I have tried to add fuzzing to some projects, and sometimes it's very hard to integrate fuzzing in a project. Yes.

D: Has anyone looked into CodeQL? I'm very curious, because Java is, you know, very friendly to static analysis, and at Scorecard I had CodeQL warn us a few months ago about an identical problem where we were taking an untrusted variable and using it to do an HTTP request, and I'm curious whether anyone even tried CodeQL on the...

B: Yeah, so yeah, so I think it's... I'll post it in here. I'm pretty sure this references the rule, the rule somewhere here.

A: But yeah, I am looking around for Log4j and CodeQL, and, you know, what I find is people are using CodeQL to look for Log4j, but I haven't seen any evidence that the existing rules built on CodeQL would have found it.

B: Okay, if I can find the actual rule, and I think that it would be, you know, I'll post a link to the rule anyway over here as we talk about other stuff. I did actually, sorry, but before closing on this, I did have a thought, and I wanted to see if anybody was aware of a tool that did this. I didn't want to have to just write it from scratch.

B: What I was looking for is, so after 2.16 came out, I guess, I wanted to see, like, is there any other path that I can get from anywhere in Log4j to the JNDI manager class, or things like that?

B: What I really wanted was like a method-to-method call graph, like a visual, and I would just want to be able to circle that and see that, oh, there's no paths, or yes, there's a path coming here through, like, the configuration loader stuff. And then I had a hard time finding anything. I wound up... I forgot how I did it ultimately, but.

D: Have you also tried this solo tool called ShiftLeft Security, where they basically do not exactly the same as CodeQL? They have a graph, like, you know, this multi-layer graph with data flow, control flow, blah, blah, blah, but instead of giving you an API they give you like a shell, so you're basically writing like some sort of Python thing, and I think it's a little bit... it might be. It depends what you like, but yeah, they're part of OpenSSF itself also, so.

B: Okay, so next thing: metrics dashboard revamp. So Lauren, thank you for joining tonight. So, you know, the metrics dashboard. So this is metrics.openssf.org.

B: We have a meeting right after this, actually, to talk about getting some work done to basically clean it up, make it better. Right now it's in my Microsoft team's Azure subscription, which is not the best place for it, so it'll be moved over to the OpenSSF one, because we do have an OpenSSF subscription. We'll try to make it more cloudy, because right now it's just everything running on a single VM, things like that, but.

B: Actually fixing some bugs, like having it refresh periodically and not when someone pings me and tells me that it's out of date, and I take full responsibility for that, I just can't get cron working.

A: I don't understand it, but if it moves, then it doesn't matter anyway. Exactly, so. Your goal is to not die anytime soon, but it would probably be good.

B: And literally, and have somebody else be able to do it, you know, and not just... and all that stuff. So we'll do that. So as part of this, if there are feature requests, throw them out as issues in the project. Let me find the thing, metrics, here: open issues for requests, and we'll, you know, hopefully be able to move on some of those. Next thing. Sorry, anything else on that topic? Cool. Alpha-Omega.

B: So, you know, I'm going to save my demo to the end so we can get to everything else, but we have made some progress on, well, on both of them. So on the Omega side we have a, let's call it a proof of concept portal, that triage portal. We've moved over all of the internal infrastructure that we had that has been doing the automated scanning.

B: So I think we have eighteen hundred or maybe two thousand projects scanned so far, and it's scanned with like twenty-something different tools, including CodeQL, so there's still significant work that needs to be done to hone that and just look for critical issues and reduce false positives and all that stuff.

B: But it's a start, and it's plumbed together, and it's looking at new projects as they are published, so it's kind of staying on top of that. On the portal side, we're probably still maybe a month away from making it public, but I think it'll be minimally useful to the triage folks. In fact, maybe I'll just do it and get it done with and then go back to it. So there we go, so this, this is the portal.

B: Some of it is just simple links out to, you know, code search stuff, but the idea is you have findings. The findings are the things that are imported by the tool.

B: And tell me if I broke it. No? Okay! So there's a thing: there's a package, the issue, how it was found. You click on it, you see the content of the file, the content of the package. You can explore, triage it, notes.

B: You can say this thing is garbage and open up a tooling bug, or you can go the other way and say no, this is real, I'm gonna open up a case. I know I'm going through this super quick. I have a demo video that I'll send a link out to. So this is... this is not real, I just made up this text, so, oh, I'll change that, but that was a joke.

B: But the idea is, you know, you kind of create a case here and then you get it reported through GitHub Security Lab or whatever. It's not... The intent here was like, let's just have something basic that works and then we'll build on it later. So we will have probably two engineers that we're gonna hire to care and feed and expand and make better this and the automation. So that's my demo.

B: So that's on the Omega side, and on the Alpha side we've been meeting. We're planning to announce next week, have a blog article and/or press release.

A: I'll say worst kept secret ever, since you've presented it to like every working group.

B: And these meetings are public, and it's on... yeah, if you web search Alpha, you know, it comes up in places. So it's fine. Any questions or anything on this?

B: No? So, LGTM.com.

B: LGTM.com is always interesting because it really is a list of unfixed security vulnerabilities, and I know that in the past we've had conversations on, like, where is this on the scale of good and evil, to have it be public, for Omega, because we're assuming now... you could also say that, well, LGTM.com is like, you just download CodeQL and run it yourself, like no one's stopping you.

B: It really is more of like a 0-day list, so we do not want the Omega output to be... In fact, somewhere here, I think I have on the front page, like, "access to Omega is restricted". So this is not intended to be public facing. Where I think we do have an opportunity to be public facing is, I mean, one is like reports and aggregations and, you know, wins and things like that, but also in the concept of the SCIM store, and I don't know what SCIM is gonna...

B: I think... I don't know if SCIM is changing the name or whatever, but the idea of an activity has taken place against a target, and someone asserts that and puts it in a store so that other people can consume. So the idea would be, I'm going to consume left-pad, I see that Omega has scanned left-pad and not found anything. Like, that's an interesting fact.

A: To be honest, it seems to me that the triaged ones are the more sensitive, just FYI. I used to work, you know, with the US Department of Defense, and their view was basically, you know, if you analyze publicly available code using a tool that you can download or purchase or anything like that, I mean that's not... I mean anybody could do that. There's really no point in trying to, like, if they were worried about classification, there's no point in classifying that, because in fact anybody else could do that.

A: As far as you know, you're the 100th person to do it. What becomes more sensitive is when you get a human in there who starts analyzing and saying false positive, false positive, oh wait, that's real! Because even with these tools to reduce the false positives, I think I'm expecting you're still going to get a non-trivial number of false positives, and having humans look over to do that final review and sort is, in my mind, where things change from anybody could do it.

B: Right, right, I mean I agree. I think, yes, so I agree completely. I guess the more successful we are at reducing false positives, the closer the two align, and at some point they become close enough where, if we're successful, the untriaged vulnerabilities are just as sensitive as the triaged. But so I think, to be safe, we treat everything as sensitive.

B: Knowing, though, that, yeah, obviously, you know, the vulnerability reports that we send out are going to be the most sensitive of all of everything. Yeah.

A: And try not to send them out on Friday, try not to send the posting on Fridays.

A: I think that was actually part of the challenge with Log4j: making the public announcement that's a big vulnerability on a Friday did not make anybody happy.

B: Cool, okay. Anything... if there's nothing left for Alpha-Omega, we'll jump to Security Insights, and this is the YAML one. I started calling it Security Insights. Is that the right name, Luigi?

C: Yes, it is the right name. I have an update for this week, but for the next one I hope to have a well-written document and start to write a small linter for the YAML file.

C: So usually I don't write web pages, but I could use the other webpage that we have created, I don't remember the name now, but to format and on the document. Oh come on.

C: Yes, but because, yes, because I mean writing a Python script to format YAML is not a good idea. If we can have a JavaScript web page where the developer can just add the correct information and receive the output.

B: Sorry, oh.

A: But in all honesty, though, having generated static pages is a non-problem. It doesn't have to be running in the browser on Java, with JavaScript. Having a little program that generates static pages, and then you view it, is a pretty common...

B: Approach. David, I think Luigi's talking about, "I want to create a YAML file, I want to validate it."

C: Yes, for the, I mean for the maintainer of a particular report, it is probably a nice idea to offer an easy tool to create the YAML well formatted, for, yeah.

C: Okay, all right, but this is the next step. Probably I can finish the... I just need to clean the current document, removing the garbage and adding an example of the YAML file, so we have a specific... and then we can write the web page, the tool, then we can write the code. Yes, so this is.

B: Awesome. Amir.

F: How are things? Good, good. So I just have a quick update, just some general cleanup of the repo, and then special thanks to Dylan, who's been doing some work on automatically generating the overview table. I believe he has an update for the working group and questions specifically for you on that. So I'm going to hand it off to Dylan.

E: Yeah, sure, I appreciate that. So one thing, Mike: essentially I kind of set up this separate GitHub Action to, you know, run these Python scripts I wrote and regenerate the overview, kind of automatically, and push those changes to GitHub and all that. The only problem I was having was that from Amir's perspective in the OSSF public repo, as an admin or whatever, he didn't have access to the secrets.

E: Like GitHub, the repository secrets under, you know, repository settings, secrets, which I have in my private one. I'm not sure if that's something... it's not a private, it's a public fork, actually. I'm not sure if that's something with his particular permissions or why that was, because that was something that was kind of a necessary variable in the GitHub Actions that I set up.

A: Well, you know, if you need help on that, we have a program manager, a project manager who, and that is your job, to deal with nonsense like that, so I may just dump you on poor Jen, who will have to figure it out and how to handle it.

E: Where is that under for you? Because I don't even see this, the secret... oh, it's under settings? Oh, it's in the... okay, yeah! So, Amir, settings page, there's only like three tabs on the left, and secrets is not one of them. Okay, so.

A: Here, I've added to the notes here: I think Mike Scovetta can do it, but if not, talk with Jen Bonner. I think technically I can, but I was working till 11 p.m. last night, and so I'm trying to not add to my to-do list right now.

F: So, Dylan, we can link up on finishing that cron job part.

E: Yeah, yeah, as soon as you add the secret, the cron job, yeah. We can talk about it afterwards, but it should just run and auto-update the overview page upon any kind of push or pull request or stuff like that. Thank you for that previous effort there, setting up the actions for the validator. I just had to kind of tack it on to the end of that. Cool. So.

B: Awesome. So, I mean, something we should probably talk about in the context of Alpha-Omega and security reviews is that we do plan to have the output of each Alpha engagement become a security review, so that'll be a natural pipe that we would build. I don't think we need to do anything anytime soon to, you know, make that happen, but just directionally.

E: Just while it's on my mind and I don't forget, I'm sure this is something you've thought of, but for the Alpha-Omega project, for the CodeQL scanning part of it, have you thought about... because I think it sounds like you're trying to kind of make sure the false positive rate and, you know, everything's critical there. It's like running your own kind of custom set of CodeQL queries that's just like the high precision, critical kind of.

B: Absolutely, yes. So right now I've intentionally not gone down the path of, like, which rules should we not run, mostly just because I know it's a can of worms that if I open it, it'll be all over, it'll be really messy, yeah. But yes, so what we would...

B: We would probably filter the rules by precision and the type and probably even maybe some other things, but we want to have feedback from the portal to say, like, actually gather and say this rule has had 80 false positives, because n equals 300. That's too much, so we're gonna turn it off. I'd rather miss things with Omega than waste a lot of time.

E: Awesome, awesome. Yeah, that'll probably help contribute to improving the precision of these things too, right, because if someone just writes a query and marks it as this precision, it kind of helps CodeQL too at the same time. But yeah, so awesome. I just want to make sure that was... or just see if that's in the, as long as it's in, like, the back of you guys' minds, then something eventually to do. I just thought I'd toss it out there before I forgot.

B: I mean, in fact, what it really is, is taking the... a tool emitting a false positive is a defect in the tool, or at least in principle that's how we'll describe them. Some of them will affect... some of them we won't be able to fix, but either way it's a defect in the tool, yeah.

A: I think that's awfully extreme, but okay. I mean, the goal, I salute the goal. The reality is, speaking as someone who's written these tools, the usual problem is you don't have enough information, and so you have to decide either... do you report? What do you want, a false positive or a false negative? You can avoid false negatives by never saying anything, but that isn't very helpful.

A: Well, I mean, I opened a file. Is that controlled by the attacker or not? I don't know. Are you going to require the users to provide a lot of context information before they can do an analysis?

B: That is absolutely true too, but what I would say is that it's the difference between "you're using strcpy" and "you're using strcpy, and I see that, you know, this taint coming from the user over here". Like, one is just string matching, the other one is like real analysis, so we want to make everything real analysis, and then, if it comes down to, you know, "I see that you're interpolating this string with a, you know, percent-bracket thing, and they can suck in an environment variable", like, and your docs show...

B: You know, this pat... like, there's probably more context that could be absorbed to make better decisions that isn't available today. So we want to push, we do want to advance the state of the art here, you know, as much as we can. So anyway, is there anything else anyone would like to talk about?

E: That Alpha-Omega POC thing is super cool. Just a comment, I guess, not a question. That's awesome stuff.

B: I have it right now in my... oh, did I... I don't think I showed you that. So this is completely off topic, and this is going to sound like a product plug, and I guess it is, but have you guys used Codespaces before? GitHub Codespaces.

A: I know of it. I've written about that kind of thing, but I actually haven't used it, but, you know, about it. It is like...

B: Just wonderful! So what you have, you know what, I'm going to stop recording just.