►
From YouTube: OpenSSF Identifying Security Threats WG (June 8, 2022)
Description
Meeting notes: https://docs.google.com/document/d/1AfI0S6VjBCO0ZkULCYZGHuzzW8TPqO3zYxRjzmKvUB4/edit
A
A
I
think,
last
time
we
we
talked
about
a
couple
things,
including
like
changing
the
name
of
the
working
group
office
hours
a
little
bit
of
update
on
alpha
omega
things
like
that,
but
it's
a
good
good
time
for
open
chat.
If
there's
anything
that
you
guys
want
to
talk
about,
or
if
you
guys
would
like
some
time
back.
This
could
also
be
a
relatively
short
reading.
So
do
we
have
any
new?
No,
no,
no
yeah!
There's!
If
there's
anybody
who
doesn't
regularly
attend
we'd
like
to
introduce
themselves
feel
free.
B
B
There
is
no
at
the
moment
a
clear
standard,
first
bomb
file,
or
if
there
is
a
I
miss
it.
I
consider
that
probably
the
most
popular
is
cyclone
dx
biovasper,
but
I
am
not
totally
sure,
but
this
bomb
value
is
quite
generic.
You
can
add-
and
yes
the
spdx
yes
exactly.
Thank
you,
and
but
the
the
this
bomb
section
is
quite
generic.
You
can
add
the
url
to
the
file
and
also,
you
can
add
the
standard
that
you
are
following.
B
So
if
the
scanner
want
also
to
read
this
bomb
file,
they
can
and
now
I'm
working
to
a
python
command
line
to
help
the
maintainer
to
create
this
file.
I
am
using
click
packages
to
create
the
command
line
honestly,
and
in
this
way
the
command
line
can
help
the
maintainer
to
create
the
the
security
insight,
and
it
can
also
check
in
real
time
if
the
value
is
correct
or
not,
so
you
don't
need
to
create
one
and
then
check.
B
The
next
step
is
to
add
this
python
script
to
to
the
wrapper.
For
that,
probably
I
will
ask
a
good
review,
because
I'm
not
so
good
as
python
developer,
so
I
prefer
to
have
a
double
or
triple
check,
and
that
is
I'm.
I
was
a
bit
slow
in
the
last
four
weeks
honestly
for
personal
reason,
but
now
I
have
time
to
work
on
it.
The
main
issue
is
how
to
handle
the
communication
skill
for
me
and
also
in
openssaf.
B
I
I
mean
that
we
have
a
lot
of
rep
a
lot
of
projects.
For
example,
there
is
not
a
good
repo
best
practice
for
package
manager
that
I
didn't
remember
I
didn't
remind-
and
it's
not
correlated
to
the
security
insight,
but
it
is
another
topic
that
interests
me
so
after
that
I
have
added
the
python
script
to
to
link
the
code
and
to
create
the
file.
Probably
I
I
need
to
understand
how
we
need
to
proceed
to
communicate
better
in
openssf
and
with
tea
party,
packaging
and
service.
B
B
I
need
help,
definitely
because
I
I've
seen
that
bomb
is
a
very
popular
topic
at
the
moment.
Even
if
there
is
not
a
clear
standard
and
the
security
sites
at
the
moment
support
engine.
Expand,
you
add
the
link,
you
can
add,
also
multiple
link,
because
I
don't
know
if
some
big
project
project
can
create
difference
bomb
just
to
have
a
more
compliant
approach
to
these
this
security
requirement.
But,
yes,
I
need
a
good
way
to
communicate
with
a
different
team
to
be
aligned
on
it.
B
B
A
B
A
Good
and
then,
and
then
I
think,
the
the
outcome
that
I
think
we
want
out
of
that
is
getting
the
tact
to
support
all
of
the
open
ssf
projects.
Yes
using
it
as
well
as
like,
do
we
should
have
a
should
we
have
like
an
external?
Should
we
have
a
blog?
Should
we,
like
you
know?
How
do
we
communicate
this
better
and
what
what
the
ordering
of
that
is
like?
Maybe
we
do
it
for
ourselves?
First,
then,
the
blog
and
then
yes.
C
Yeah
I'll
just
kind
of
give
you
an
update,
since
it's
been
about
probably
about
four
weeks
since
our
last
update
and
in
the
last
couple
of
meetings
there
was
like
the
overall
question.
We
were
just
basically
following
up
with
what
happened
from
like
stream,
two
from
the
white
house
and
just
trying
to
kind
of
like
understand
what
was
the
meaning
of
that.
C
There
was
like
a
a
selection
that
was
around
lfx,
but
we
we
decided
that,
since
there
were
like
some
things
that
were
still
kind
of
like
unknown
around
like
what
the
platform
would
look
like,
we
decided
that
we
were
probably
going
to
spend
time
focusing
more
on
the
content
and
perhaps
maybe
also
think
a
little
bit
more
about
like
if
there
was
a
platform
that
was
selected.
What
should
be
the
criteria
for
what
that
platform
should
look
like
so
kind
of
like
focusing
more
on
the
content.
C
So
we
were
diving
into
things
like
who
are
the
personas
of
the
folks
who
would
want
to
consume
the
content
for
this
dashboard
and
we
identified
like
a
developer,
a
superior
name,
somebody,
a
researcher,
ospo,
maintainer
and
potentially
government,
and
then
even
within
government.
We
thought
that
there
might
obviously
be
different
types
of
even
within
governments.
There
might
be
like
different
types
of
entities
under
government
and
then
they'll
question
even
around
the
personas
is.
How
would
they
want
to
consume
this
data?
Would
they
want
to
consume
it,
be
an
api?
C
So
that
was
one
of
the
quest,
some
of
the
conversations
we
had
last
week
and
then
we
also
talked
about
criticality
data
and
talked
about
those
like
open
disk
questions
around
how
those
the
data
nets
waited
because,
there's,
I
think,
even
within
say
a
project
like
scorecards
there's
been
like
discussions
around
if
the
data
is
biased
and
maybe
some
folks
may
want
to
actually
just
consume
the
data
and
like
do
their
own
waiting
around
it.
So
there's
some
open
questions
that
maybe
folks
in
this
car
might
know
more
about.
A
Right
there
was
a
good
discussion
within
these
securing
critical
projects
working
group
specifically
on
criticality
and
how
to
how
to
measure
it
and
what
it
really
means
and
and
the
more
we
talked
about
it,
the
less
it
seemed
that
we
were
sure
what
words,
what
what
the
words
meant
or
what
we
intended
by
by
the
words.
So
I
think
that
there's
a
lot
of
opportunity
to
bring
clarity
to.
A
C
C
A
I'm
sure
so
so
just
bring
a
little
bit
of
clarity
to
like
stream
two.
So
after
the
the
dc
meeting,
you
know
open
ssf
now
has
a
commitment
of
you
know
more
funds.
Those
my
understanding
right
now
is
that
the
intended
way
for
those
funds
to
be
distributed
is
through
the
working
groups
and
the
projects
to
say:
hey
we'd
like
to
do
x.
We
need
y
dollars
to
do
it
now.
A
A
C
Yeah,
I
think
one
of
the
thoughts
around
it
and
I'll
kind
of
come
to
that
is
potentially
get
some
of
the
folks
from
stream
two
basically
to
join
into
the
discussion,
and
so
there
was
also
like
a
a
thought
about
actually
making
this
metrics.
This
dashboard
f
would
be
like
a
sub
and
like
almost
like
an
official,
and
we
didn't
know
how
that
would
how
to
go.
Why
that
would
make
it
like
a
sub
project
of
like
the
security
of
this
particular
working
group,.
A
Yeah,
I
would
I
mean
I
would
consider
it
already
kind
of
that
yeah
informally
feel
free
to
just
kind
of
drive
it
invite,
whoever
to
whatever
meetings
you
want
to
have
on
it
yeah.
You
know
I
I
think
it
makes
sense
to
have
have
the
the
actual
like
nuts
and
bolts
discussions
be
outside
of
this
normal
working
group
meeting,
but
that's
kind
of
like
like
what
what
you've
been
doing
with
with
jay
and
bernard
okay,.
A
A
Able
to
use
perfect
just
send
a
note
to
jory
or
or
jen
and
just
say:
hey,
could
you
add
a
recurring
invite,
tell
them
when
and
they'll
add
it
edit
to
the
calendar?
Actually,
we
can
just
do
this
right
now,
because
I
think
I
have
updated
access
to
this
think
about
when,
when
you'd
like
to
have
the
meeting,
show
me
something
slack
and
I'll
take
care
of
it.
Okay,.
C
C
Yeah,
some
of
the
other
topics
we
talked
about
was
vulnerability
data.
It
was
like
currently
there's
like
a
few
vendors
where
that
data
is
being
surfaced
from,
and
there
was
a
question
around
should
we
create
a
criteria
around
like
the
vendor
selection,
for
example,
some
of
the
vendors
have
like
a
freemium
model
and
we'll
think
about.
C
Should
it
just
be
something
that's
always
freely
available
so
anyway,
from
the
last
meeting
where
we
have
action
items
is
just
to
basically
explore
the
different
vulnerability
data
sources
and
also
think
about
what
other
data
that
we
should
be
adding
to
the
dashboard
and
also
the
criteria
for
platform
selection
that
I
bet
based
on
what
the
community
actually
needs.
So
those
are
kind
of
the
major
major
points
that
we're
thinking
through
awesome.
A
Wonderful
moving
on
office
hours,
so
we
talked
about
this
last
time.
I
put
a
request
out
to
the
best
practices.
Working
group
got
a
couple
of
folks.
That
said,
hey
I'd
like
to
participate,
but
I
don't
have
time
to
drive
asked
on
general
got.
I
think
the
same
thing
wanted
to
open
up
one
more
time
for
here
to
see.
Is
there
anybody
that
would
like
to
drive
this
effort
and
what
I
mean
by
driving?
A
This
effort
is
basically
like
logistics,
setting
up
the
meetings
and
making
sure
that
there's
enough
coverage
there
validating
the
the
design
to
see
like
isn't,
is
the
open
office
hours
idea
is
that,
should
we
do
that
or
should
we
do
kind
of
a
sign
up
for
a
slot
thing
and
then
get
the
word
out
on
twitter
and
I
guess
an
open,
ssf
blog
and
then
run
it
for
six
weeks
eight
weeks,
something
like
that
and
then
wrap
up.
Think
about
you
know
how
it
how
it
went.
Should
we
continue
it
should
be?
A
A
Marta
the
floor
is
yours.
Thank
you
appreciate
it.
We
do
have
a
a
bunch
of
other
folks
that
volunteer
to
be
part
of
it,
so
I
will
I'll
send
out
an
email
or
I'll
I'll
start,
a
slack
conversation
with
you
and
everyone
else
that
expressed
interest,
and
that
way
you
have
everybody
and
we
can
go
from
there.
E
C
A
A
Wonderful
for
alpha
omega
a
quick
update.
We
are
continuing
to
go
through
hiring.
We
are
feeling
good
about
a
couple
of
candidates.
We've
been
talking
to
I'm
hoping
to
land
them
very
soon,
but
you
know
hiring
us
hard.
We
have
we're
also
planning
so
michael
windsor,
and
I
will
be
in
austin
in
two
weeks
for
open
ssf
day.
So
we're
going
to
talk
about
alpha
omega
then
so
we're
putting
together
a
deck,
we're
hoping
to
have
two
more
alpha
engagements
announced.
A
I
I
really
think
we'll
we'll
get
at
least
one
of
them
landed,
I'm
like
50,
50,
60,
confident
on
the
other
one
for
omega.
I
mentioned
last
time
that
we
published
a
bunch
of
kind
of
automated
security
reviews,
so
this
was.
We
ran
the
tool
chain
against
a
bunch
of
projects
for
the
ones
that
the
tool
chain
found
nothing.
We
expressed
that
in
terms
of
a
review
and
sent
that
off
to
secure
reviews
separately.
A
We
started
going
through
some
of
the
findings
where
we
did
find
like
legit
issues,
and
so
I
have
one
report
out
to
a
well.
I
have
three
reports
that
are
ready
to
go
one.
I've
already
sent
out
the
other
two
are
just
pending
my
time,
we're
looking
so
we
know
we
don't
have
a
super
well-defined
vulnerability
management
process.
On
our
end,
we've
been
working
with
a
couple
folks
to
come
up
with
something
that
works.
So
options
are
like
the
cert
vince
project.
A
We
could
use
that
we
could
use
github
security
advisors.
We
could
use
like
private
github
repos.
We
could
create
something
completely
separate.
We
could
just
use
email.
We
could
track
things
in
a
shared
spreadsheet,
like
kind
of
everything's
on
the
table.
I
don't
think
we
need
to
optimize,
for
you
know
thousands
of
vulnerability
reports
until
we're
actually
generating
thousands
of
vulnerability
reports.
A
A
A
One
more
topic
for
that:
we've
been
speaking
so
we've
had
a
number
of
conversations
with
should
say,
security,
vendors
and
then
the
general,
and
these
are
starting
to
fall
into
a
into
a
common
theme.
So
the
theme
is
a
security
vendor
or
security
research
firm
or
whatever
has
findings
that
they
don't
have
a
large
enough
team
to
like
action
them
all
and
with
they,
but
they
would
like
to
participate
in
alpha
omega
to
some
extent
and
what
we're
thinking
about
is
number
one.
A
A
What's
a
minimally
triaged
validated
findings
from
a
third
party
and
just
act
as
the
final
like
final
triager,
and
you
know,
interface
back
with
the
with
with
the
maintainers
directly,
so
a
concrete
example,
you
know
well
not
concrete,
but
like
it's
an
abstract
example.
Luigi
finds
a
vulnerability
he
sends.
He
sends
it
to
omega.
Omega
looks
at
it
says
yep.
This
is
a
real
vulnerability,
we'll
take
it
from
here
and
and
kind
of
sends
it
out.
A
The
question
is:
does
that
meaningfully
change
the
scope
or
the
direction
of
omega
significantly
enough,
where
that's
not?
Actually,
what
omega
was
designed
for,
because
omega
was
was
originally
like.
We
find
the
vulnerabilities
and
we
take
care
of
fixing
them
if
somebody
else
finds
the
vulnerability
like.
Should
we
just
pick
up
the
second
half
of
that?
I
don't
have
a
super
strong
feeling
on
that.
I
feel
like
at
the
end
of
the
day.
It's
did.
E
E
If
I
understood
what
you're
saying
correctly,
are
you
saying
like
a
intermediary
which
will
accept
a
vulnerability
report
and
inform
the
upstream
project
and
get
it
straight
to
fixed
and
dis
like
a
responsible
disclosure,
or
you
know
like
coordinating
the
disclosure
activities
that
what
you
are
saying
or
is
something
completely
different?
I
got
it
completely
different.
A
A
You
know
through
to
you
know
kind
of
lots
of
other
options
and
then
it
and
then
either
they
action
it
or
they
don't
action
it
and
if
they
action
it,
that's
great.
I
don't
really
care,
but
if
they
don't
action
it,
if
that's
because
you
know
they're
just
great
they
generated,
you
know
150
000
potential
vulnerabilities.
A
A
I
think
one
of
the
challenges
is
that
the
vulnerabilities
sit
in
a
database
somewhere,
and
so
so
these
are
now
you
could.
I
think
what
you're
arguing
is
well,
why
wouldn't
they
just
pump
that
to
snake
or
hunter
dev
or
another
party?
I
don't
know
the
answer
to
that.
Maybe
it's
because
the
it's
below
the
confidence
bar
that
those
other
platforms
need.
A
Maybe
it's
because
there
are
no
write-ups,
maybe
for
whatever
reason
and
and
maybe
it's
something
that
omega
can
kind
of
be
the
like
grease
the
pipe
that
connects
those
two
sources
together,
or
maybe
those
aren't
for
what
for
a
different
reason.
Maybe
those
aren't
the
right
platforms
to
do
the
disclosure
and
and
omega
would
do
it
ourselves.
A
E
You
know
all
these
tools,
they
are
not
a
silver
bullet
for
all
the
programming
language
or
the
framework
or
the
technology
right
so
yeah.
I
think
we
need
to
capture
that
gap
in
my
opinion
and
trying
to
improve
that
area
right
like
where
exactly
we
have
the
gap
and
improvement
yeah.
I
would
like
to
hear
others
opinion
also
on
you
know:
you're
right,
I
think
luigi
has
handsome
yeah.
B
D
B
And
researchers
send
you
a
profile
concept.
You
need
just
to
reproduce
it
and
communicate
with
a
human,
but
with
a
scanner.
You
have
a
justice
kind
of
say:
hey,
there
is
a
vulnerability
and
if
you
are
lucky,
maybe
this
cannot
give
you
a
good
proper
concept.
Otherwise
there
is
just
a
flag,
and
sometimes
it
is
important,
for
example,
for
log
project
was
important
to
identify
all
the
developers
in
your
project
and
fix
them,
but
if
you
usually
don't
use
them
because
they're
gonna
be,
it
was
too
critical.
B
But
when
you
are
in
a
grey
area
like
high
or
medium
volatis,
can
that
can
impact
your
project?
But
you
don't
know
if
the
dependencies
can
be
hacked
using
the
exploit
that
particular
tiers
is
expensive,
and
this
means
that
people
that
do
this,
usually
they
need
to
know
really
well.
The
project
of
quite
well
so
create
the
environment
replicate,
and
I
think
there
is
a
value
in
this
in
in
this
in
in
this
idea.
B
So
but
my
question
is,
it
can
scale
we
have
enough
people
or
we
have
how
we
can
do
it,
because
the
the
risk
is
that
maybe
we
just
flag
as
not
vulnerable
and
then
the
project
is
vulnerable
and
this
is
another
problem.
Probably
so
I
don't
know
if
we
have
a
procedure
to
mitigate
a
positive
or
false
negative
one
of
the
should
term,
but
so
the
idea
is
good.
B
A
Idea
all
right,
no,
I
I
I
I
think
it's
all
good.
I
mean
I
wonder
if,
if
like,
we
would
be
in
a
better
place
as
an
industry.
If
we
just
essentially
connected
the
data
sources
of
high
quality
vulnerability
information
into
directly
into
platforms
like
hunter
dev,
in
which
case
we
we
just
kind
of
made
the
introductions
and
said,
do
the
thing
and
then
the
platforms
kind
of
went
their
way
and-
and
you
know,
did
everything
think
the
problem
is
going
to
be.
E
Yeah,
I
I
think
that
is
one
of
the
benefit
of
I
mean
honda
is
a
as
an
example.
There
are
many
other
similar
platform.
They
are
rewarding
both
the
person
who
is
reporting
and
fixing.
I
mean
I
think
in
that
case,
both
party
will
have
interest
to
understand
what
is
the
problem
and
how
they
can
fix
it
right,
like
I
think
both
of
them
will
get
rewarded
in,
in
my
opinion,
but
like
as
low
as
you
mentioned,
I
was
also
more
worried
about
that.
Oppression.
E
B
B
B
There
is
the
other
topic
that
a
lot
of
our
personal
projects
have
the
dependencies
for
the
product
and
the
dependencies
for
the
dev
environment.
If
there
is
a
critical
vulnerability
in
the
dev
environment
is
a
real
vulnerability.
Yes,
in
my
opinion,
but
the
point
is
the
product
is
vulnerable
or
not
because
of
it
and
everything
is
in
the
same
wrapper.
B
E
A
I
I
think
this
is
more
omega.
I
think
the
alpha
engagements,
at
least
right
now
and
probably
through
the
end
of
this
year,
are
going
to
be,
are
going
to
look
and
feel
like
the
node
engagement.
Where
we
come
up,
we
we
have
an
agreement
with
an
external
organization
that
can
manage
the
funds.
You
know
on
a
day-to-day
basis
themselves.
D
A
A
E
E
D
A
A
D
It's
it's
crazy,
so
I
mean
the
readme
actually
has
these
list
of
tools
and
a
framework
and
their
integrations
are
really
being
tightly
coupled
they're
tightly
coupling
spiffy
inspire
they're
tightly
covering
a
certificate
authority,
they're
they're,
doing
crazy
stuff
on
a
rapid
pace
and
they're
going
to
be
driven
to
credit
representation
very
soon,
according
to
the
meeting
they
had
this
past
last
week,
and
they
want
to
create
an
example
using
npm
of
all
things
which
has
a
direction
direct
eye
to
alpha
makeup.
Right
now,.
E
D
But
let's
be
real
here
I
mean
everything
they're
offering
independently.
I
know
most
major
companies
are
looking
at
tech
time
and
all
these
technologies
that
they're
putting
there.
So
this
is
the
future.
You
know
you're
looking
backwards
and
projects
in
the
past,
but
this
is
here-
and
this
is
this-
is
what
is
actually
creating
the
salsa
level,
three
compliance
evidence
and
documents,
and
things
like
that,
so
it'd
be
great
for
us
to
assure
that
they're
vetted
and
made
yeah.
E
But
that's
that's
a
very
good
point.
Like
yeah,
I
think
that
that's
the
best
practice
to
encourage
for
the
open
source
project,
but
at
the
same
time
I
I
was
with
the
original
paper
when
we
create
the
the
best
practice
paper
and
reference
architecture.
One
also
right
like
so
one
of
the
big
challenges.
The
focus
in
that
area
was
you
know
that
team
wasn't
going
to
focus
too
much
on
him
fast
or
dust
or
sc
those
kind
of
area.
That
is
a
bit
more
complicated.
D
D
I
think
other
groups
are
talking
about
that,
but
the
the
basis,
the
foundation,
the
framework,
the
workflow
engine,
the
runtime
engine
and
all
the
connective
tissues
to
sig,
store
and
whatnot
are
all
going
to
be
highlighted
in
that
they're
going
to
create
an
npm
example,
and
that's
what's
going
to
be
shown
at
every
conference,
so
it'd
be
great
to
have
a
testimonial
that
this
thing's.
All
these
things
here
have
indeed
been
run
through
some
of
our
core
evaluation,
analytic
tools.
E
D
Even
my
own
company,
99
percent
of
the
people,
98
of
my
products,
2000
products,
don't
use
tech
time
we're
trying
to
make
it
easy
for
them
and
the
more
security
features
we
add
the
less
foot-pounding
fist.
You
know
fist
pounding
what
stomping
they
can
do
and
resist
moving
towards
something.
That's
more
secure.
D
E
E
We
are
in
the
process
of
you,
know
the
public
meetings,
sorry,
the
community
meetings
and
everything
so
yeah
cool
yeah.
So
going
back
to
the
the
sc.
Sorry,
the
first
piece.
What
I
was
saying,
michael,
I
think,
in
my
opinion,
just
my
personal
opinion.
I
I
I
think
we
should
improve
the
automation
areas
wherever
we
can.
I
think
we,
it
is
important
to
find
out
the
gaps
of
the
tools
we
have
and
I
I
do
believe
that
there
is.
E
There
won't,
be
one
sas
tool
or
one
sca
tool
or
one
tool
so
the
problems,
but
I
think
it's
all
about
for
us
to
understand.
You
know
what
our
weakness
of
the
tools
we
are
using
and
what
it
is
not
good
for
right,
like
okay,
so
yeah.
I
think
that
is
important
to
cover.
Otherwise
we
may
give
a
full
security
to
a
project.
You
know
which
may
be
a
different
language,
different
framework,
different
ecosystem.
The
tool
is
always
saying
you
are
good.
E
There
is
no
issue,
but
the
tool
you
know
may
not
have
a
proper
support
for
that
language
or
roots
for
the
language,
but
there
can
be
so
many
challenges.
I
think
it
is
important
to
have
good
coverage
from
an
automation
perspective
before
going
for
any
manual
or
semi-manual
kind
of
activity
right.
I
think
it's
important
to
come
back.
D
I
totally
agree,
I
think,
that's
speak,
that's
speaking
to
the
opposite
side,
the
implementation
side
of
the
other
side
of
the
coin,
which
we
have
discussions
at
the
whatever
the,
whatever
the
critical
projects
won
or
debate.
Initially,
what
what's
the
most
critical
projects-
and
it
always
comes
up
in
people-
have
different
views
and
the
same
thing
with
tooling.
If
your
view
is
some
tool
or
some
view
or
something
is
more
important
based
upon
a
language
or
something,
then
that's
view
is
valid.
So,
but
it's
the
I
want
to
point
out.
D
D
A
D
E
Yeah
so
another
opinion
I
have
like
yeah,
there
won't
be
again,
there
won't
be
a
silver
bullet
tools
which
will
be
false,
positive
free
for
all
the
programming
language.
All
the
technology
stack
like
even
sas
or
whatever
tool.
It
is
right
like
yes,
the
tool
should
be
good,
but
there
can
be
some
tools
which
are
subject
matter
expo
in
particular
stack
and
that's
why
they
may
have
good
quality,
but
there
are
also
different
set
of
tools
in
the
abstract
domain,
which
are
doing
a
consolidation
and
deduplication
of
from
multiple
tools.
E
So
you
don't
give
the
raw
result
to
the
consumer.
What
you
do
is
you
feed
all
this
different
tool,
output
to
a
one
tool
which
will
consolidate
like
okay?
This
findings
was
reported
by
code
ql,
some
graph
sonar
cube.
So
this
is
a
99
percentage
guarantee
that
it
is
a
true
positive
finding.
So
we
don't
need
to
do
a
review.
A
I
I
I
I
I
understand
the
sentiment
and
I
and
I
think
that,
if
the,
if
the
output
of
the
at
at
some
point
in
the
future,
I
would
love
that
to
be
the
case
where
we
can,
just
through
fully
through
automation,
whether
it's
aggregation
and
dedupe
and
all
that
stuff
get
a
report
out
to
a
maintainer.
I
think
for
right
now
the
goal
would
still
be
like
all
of
that
stuff
would
help
us
be
more
efficient
in
our
triage.
A
A
Oh
yeah,
yeah,
yep,
okay,
write
write
it
up
in
a
way,
that's
consumable
for
a
maintainer
and
send
a
report
out
whether
that's
through
hunter,
dev
or
directly
or
events
or
doesn't
really
matter,
but
the
the
value
add
that
we
provide
is
the
we
make
it
easy
for
the
maintainers
to
consume,
to
understand
they're,
not
getting
more
results.
It
needs
to
be
like
really
high
quality.
I
didn't.
E
Sorry
it
interrupted,
I
didn't
mean
consumer
is
the
end.
Maintainer
consumer
can
be
this
analyst
itself,
so
yeah.
Imagine
if
there
is
one
person
and
who
has
to
treat
thousands
of
findings
and
they
you
know
having
tools
or
automation
like
that,
will
help
to
reduce
their
workload.
And
you
know
just
it's.
It's
just
automation,
more
information
right
here.
Absolutely.
A
B
Yes,
maybe
one
if
we
can,
it
is
interesting
on
the
topic
about
expired
domain
in
the
open
source.
It
is
quite
common,
and
maybe
we
should
continue
this
topic,
maybe
next
meeting,
but
having
tool
or
ci
that
check.
If
the
domain
in
the
package
manager
is
expired
or
something
similar
could
be
a
good
idea,
it
is
not.
Sometimes
there
are
false
positive
I
mean.
Maybe
the
domain
is
not
expired,
though
it's
not
so
easy
to
understand.
B
If
domain
is
a
pilot,
apparently,
and
especially
maybe
the
email
associated
to
the
package
manager
account
is
not
the
same
of
the
domain,
but
at
the
same
time,
for
a
lot
of
reason,
a
domain
that
is
linked
in
a
package
of
another
web
page
also,
if
it
is
not
user
for
the
account,
can
be
abused
in
a
lot
of
way,
fishing
or
other
or
other.
So
I
think
it
is
a
good
idea
having
it
for
not
just
npm
or
pi
pi,
but
also
for
other.
B
D
C
D
To
align
they're
moving
to
standardize
their
metadata
they're
moving
to
a
more
secure
package
managers
and,
as
pointed
out
in
one
of
the
calls
one
of
the
things
you
could
create
all
the
tools
you
wanted,
but
just
simply
domain
switching
is
not
an
indicator.
Then
one
of
the
big
breaches
they
brought
up.
Someone
pointed
out,
I
think
david
wheeler,
pointed
out
if
somebody
got
their
email,
email
stone,
so
basically
they're
impersonating,
the
actual
legitimate
owner
of
the
domain,
and
so
that
would
never
you
can't
detect
that.
So
I
think
it
goes
back.
D
The
onus
needs
to
be
put
onto
the
ecosystem
and
the
package
managers.
I
think
at
least
the
ones
represented
at
that
work
group
are
serious
about
trying
to
close
those
loopholes
so
and
then
actually
they're.
Actually,
some,
I
think
even
this
year
some
were
promising.
They
were
going
to
put
out
even
perhaps
that
with
this
partisan,
more
secure
repo
effort,
they
might
actually
have
fixed,
fixed
domains
that
they
own
themselves
kind
of
like
a
bitly.
D
A
I
also
think
that
that
it
it
might
be
hard
or
impossible
for
you
to
look.
So
when
you
look
at
a
package
metadata
from
the
outside,
you
see
some
things
you
see
like
an
email
address
and
whatnot
that
email
address
is
not
necessarily
the
email
address
associated
with
the
login
to
the
platform.
To
do
the
thing,
so
we
learned.
A
I
think
this
is
more
anecdote
than
I'm
sure
of
this.
But
if
that's
not
the
case,
then
you
can
complain
all
you
want
about.
Like
expired
domains
of
you
know,
users
of
email
addresses
associated
with
old
versions
of
a
package,
but
it
doesn't
matter
because
that
login
possession
of
that
login
account
doesn't
grant
you
any
access
and
the
only
party
that
really
knows
for
sure
are
the
software
repositories
so
matt.
I
agree
completely.
This
should
be
driven
through
that
work.
Working
group.
D
That
working
group
mean
in
terms
of
all
the
work
we
do
to
secure
a
supply
chain,
the
the
key
source,
where
people
pick
up
open
source
libraries
you
know
fix.
The
problem
is
the
right
with
right
approach.
It's
you
know
it's
the
building
blocks.
The
building
blocks
need
to
be
secure.
You
know
for
us
to
build
our
house
from.
E
Yeah,
in
my
opinion,
this
issue
is
primarily
related
to
lack
of
strong
authentication
mechanisms
with
the
the
repositories
itself
right
if
the
repositories
were
enforcing
a
strong
authentication
to
someone
to
login
and
publish
and
modify
even
as
domain
takeover
won't
result
in
an
account
back
over
activity.
So
technically
they
need
to
take
over
multiple
factors,
and
it
won't
make
it
that
easy.
But
I
think
this
all
goes
back
to
you
know.
E
In
some
cases
attacker
may
take
over
the
github
account
or
a
source
code
repository
account,
and
they
may
you
know
upload
that,
but
yeah
the
chain
need
to
be
very
secure
that
there
should
there
should
be
a
strong
authentication,
all
the
way,
from
source
to
the
repository
binary,
repository
or
package
for
their
publishing
and
from
where
they
are
getting
it
right.
So
yeah.
D
Right
and
and
these
that
was
part
of
the
discussion
that
was
had
that
at
that
work
group
and
it's
just
the
problem,
is
they
have
so
many
things
on
the
table
and
so
much
ambition
of
what
they
want
to
do.
You
know
I
just
want
to
cheer
them
on.
I
don't
want
to
get
in
their
way
because
they're
all
moving
the
right
direction
and
it's
the
probably
the
most
organic
group
we
have
in
openssf,
and
I
want
it
to
be
organic.
D
You
know
the
people
are
actually
representing
the
repositories
leading
the
effort
and
they
have
all
the
right
things:
ingredients
in
the
table.
We
just
have
to
make
sure
that
they
keep
those
items
in
the
table
if
they're
going
to
create
a
new
iteration
of
these
things
that
you
know
version
two,
if
everyone's
going
to
step
up
to
version
two
or
version
three
or
whatever
it
is
that
it's
got
to
be
right,
the
metadata
is
gonna,
be
right,
the
signing
is
gonna,
be
right,
the
hashing
is
gonna,
be
right.