From YouTube: Security Tooling Working Group (March 14, 2023)
A
The API is just... right now, the request... so the way it's structured right now is there's a website. I think it's linked to from gsd.id. Maybe... no, I don't... yeah, Getting Started, I don't know, Quick Links, but you can just submit a pull request requesting a shitload of them, if you need a lot, right?

B
So, automated multiple request generation: a lot of the time we generate pull requests and, you know, sometimes we fix a security vulnerability, sometimes we don't, right? Sometimes there's security hardening, sometimes there's not. I figure it's better to throw some identifier on it rather than no identifier on it, even like...

A
What's this today? So the Linux kernel has, like, an ML they run over all their commit messages, and anything that they think is maybe almost a security thing, they request... they send me a request. I submit, like, these bulk GSD... I don't know what to call them, requests, that sounds wrong, but then OSV incorporates those internally and Google does magic with them inside their walls, and most of them, like, wouldn't classify as security vulnerabilities.

B
All right, let's chat more about that as... yeah, yeah. I'm building out a bunch of... I'm standing up a Python client that's written to automate calling modern's API and go through the process of automatically generating the whole requests, and so if we can automate more and more of this... the goal of this client is that, basically, it automatically runs on weekdays and automatically generates pull requests. So if there's any new code that flags a vulnerability, the pull request gets generated.

B
So since this is going to be continuously running for all time, being able to automate the GSD assignment as well would be, you know, a good idea too.

E
Well, yeah, and because, like... because we're in this stupid time vortex where for two weeks Europe hasn't switched and the US has switched, yup, and everybody in Asia is just kind of scratching their head, like, what are you... you know? Can you please get on the same page as us and not do this anymore? I know, man, so yeah.

D
After my one-year sabbatical working for Western Digital... foreign guys.

A
All right, let's get cracking. I think it'll be light today. I don't think we have a lot on the agenda, and I know there's a bunch of people at stuff this week. All right. So, as we know, to make this as confusing as possible, we sign in in the Tools agenda meeting and then we talk about SBOM Everywhere. There is a topic, it says, other new topics: if someone put "governing board wants to see sterling toolchains", that's from everywhere.

F
Yeah, I did... this is just a quick heads up. Josh, I know you already know this, but last year the governing board wanted to see more on sterling toolchains, I'm expecting.

F
And, to be honest, we're still working that question out ourselves, but I think the short answer really... I think I'm gonna go backwards a little bit. The OpenSSF governing board kind of oversees the OpenSSF as a whole, and they would like to see a whole lot more automation applied to, you know, increase security both in originally developed code and, you know, the whole build and distribution process, and so the phrase that's been used, which is probably a little misleading but is okay, is "sterling toolchain".

F
Basically, you know, some recommended tools, a recommended use of tools together, so that people have a: hey, if you do this, lots of good things will automatically happen.

F
It's often said in the singular, but I think the reality is there's going to be a sterling toolchain for each ecosystem, but that... that is it, maybe, and it's not like, oh my, we're going to take away your birthday if you do something else. It's just a, you know what, we know life is hard, there are lots of choices, here is a set of choices that make sense and work together.

F
So, you know, and if you want to know, hey, what's that list exactly? Well, that's kind of in process right now. I am trying to figure out what they want and what actually is practical, and pulling in some other folks, and we'll see what we can come up with, and hopefully it will make sense and...

F
That's right, that's right. The expectation is, hey, the result will be not just, you know, software that works and a discrete distribution system that's protected, but, you know, one of the things a lot of governments want is, I want to see my... you know, my... a lot of larger organizations is, I want to see what's in there, and I think a lot of developers of open source are saying, that's great, but I have very, very limited time. Well, I totally... you know, that's exactly right!

A
It'll be interesting, I'm willing to say that, but I think SBOMs are one of the few things I don't think we're going to get a lot of disagreement with, we'll say, just because I think everyone is starting to recognize, like, SBOMs are a thing that is just happening, so that's exciting. Actually, what's that? That's...

A
Right, exactly. Actually, I did a podcast the other day and someone mentioned, and I hadn't thought of it this way, but SBOM is one of the few instances where regulation is leading industry, because we're seeing all these regulations saying you need SBOMs, whereas... I mean, the tooling just isn't there yet, obviously, but we're working on it. So that's pretty cool, I like it. All right, okay, so for anyone who didn't see, a lot of you did, can you paste an intro?

A
The first item on the agenda is to paste an intro, so we don't just spend half the meeting going over intros, and then, if there's no other Tools topics, let's go to the SBOM topic, which I just pasted the link to. Okay, David, when are you adding... I don't know, anyway, all right, I'm going to start talking first and then people can add agenda items if they wish. Town Hall.

E
There's not honestly a lot to... try my screen. I can... oh, I'm muted. No, no.

E
Way... yeah, the... if you scroll down, Sarah and I did some additional work on this last week. We went through all the comments that you had, that you and some others had put in.

E
We tried to flesh it out and create some additional text, write some text if you will, and we ended up, I think, in a pretty good place in terms of... I think what we have is basically ready to be checked into GitHub. So, you know, the idea is... and I took the action last week to take what we have here and turn it into markdown and put it in GitHub, and I have not done that yet, so.

E
But at that point, then, I think what we want to do is drive it through PRs and that kind of thing, and I think there are still some questions in here, probably, yeah, but at this point I would suggest: don't leave comments on the doc.

A
Love that, I think that's perfect. Yeah, put it in GitHub. Like, I don't know who owns this. Whoever owns it, lock it, right? Don't let anyone else do anything to it, and I'd say... okay, yeah! Okay, do you own it? I think you own it! But yeah, yeah, you do! Oh, yes, it says you own it. Yeah, I'd say again, lock it, just put a note at the top that's like, we're putting this in GitHub, and do it, just throw it in there as markdown, and that's that, and then I'd say...

E
Cool, and some of this as well talks a little bit about the form that we would expect, at the bottom, the form that we would expect things like user needs to take, right? So talking about SBOM education, educating people as to what the user needs are, and this kind of stuff, like: as a developer, I need to blank so that I can blank, and SBOMs help me in this way.

E
Think in action too... did you do... I have access that do... well? Okay, whatever, I'll make a PR and then.

A
Whatever, hit me up on Slack. No one needs to watch me stumble my way, come on. So you know what I love... I talk about this with some people I work with, is, like, it feels like you're competent until you share your screen, and then it's like you forget how to use the mouse and you look like an idiot no matter what you try to do. It's so good. Anyway, yeah, bug me on Slack, Dan, and I'll make sure you get the whatever privileges.

A
What this document is meant to be is, we want to go to the governing board and ask them for some money, because one of the challenges we have in the SBOM universe is there's, like, 7,000 things going on and no one knows what they are, and so we want to build a landscape similar to the... was it the CNCF, I think, created it, and it's just a nice kind of visual representation of everything we can find about SBOMs, and we have no idea how much it's going to cost. This is one of our challenges.

A
It's like we're going to have to solicit bids from contractors to figure this one out, so I don't know how that's going to go, but Kate and I spent some time on this. We put it all together. I feel like it's in good shape. If anyone has any comments, add them. There's a couple things I'd like to get added that I'm struggling to find, like the NTIA has a bunch of documents. There's a bunch of lists that exist today. I need to just dig some of those up.

A
I haven't looked very hard, but otherwise I think we're in fine shape. I don't have a whole lot else to say. I guess, what time is it? We got some time, I'll run through it quick just so everyone gets an idea of what we're doing. We broke it down into a handful... and also, if anyone has any questions, just jump in... we broke it down into a handful of tasks, like "stand up a landscape". It's obvious to do that.

A
We have to take the CNCF landscape and turn it into something we can use with our branding, and the intent is to not use the existing OpenSSF landscape. There is one, but that's for kind of different purposes. We want an SBOM-only landscape. That way we can list whatever we want on it, and I don't envision too many problems, so, stand up a tooling landscape. This one I don't think will take very long, because I found out the CNCF released an unbranded landscape.

A
So then, obviously, we want to apply all of the known things to it. This is where we need the list of existing tools, the list of existing NTIA documents, the list of existing working groups, like all that kind of stuff we can find, and this one is kind of the question. We don't know how long this is going to take, because there's just a lot of stuff, and so a couple hours... just jump in, George. You need to raise your hand.

H
Yeah, just like... I looked into this sometime briefly last year together with Kate, so she should also probably know. It seemed to me, and I'm not a Node developer, but you have a front end and you have a back-end application. So does "stand up SBOM tooling landscape"... it's not really just about deploying it, or also changing the back end, because I think some back-end changes might be needed.

H
So it might just be how you, like, present this or how you phrase it in the proposal, because it's TBD anyway, but I think, if needed, factor in some need for a little bit of code development.

A
Each of these are described in detail kind of down below, and for the tooling landscape there's the unbranded version, and then what do we say, expected? That's probably... "landscape will repurpose this existing work", blah blah blah, and yeah, we don't know exactly what it will be, but under goals and expectations, you know, work is based off to find the infrastructure needed, and then repos, branding, the "ensure landscape code is modernized", because Lord knows half those dependencies probably haven't been touched in years, that they have.

A
If it's like every other Node project on the planet. But yeah, we kind of lay some of that out, and I guess that is where we'll have... the contractors will have to figure that... something, you know what that means. I don't have a good feel for it.

A
So all the NTIA content is out of date, for anyone who's looked, right? It's, what, like two or three years old now, I mean, it's not new, and so how much effort do we want to put into kind of taking what the NTIA has already done and starting to fix it, and I don't know, I don't know how to even address this one. I think Kate might have some better ideas than I do here, but this is, like, the best we could write down.

A
So we'll see, we'll see, I guess, and again part of the goal, and then the last, the most important part, is "landscape is community maintainable", because our suspicion is that once we have a landscape, then anyone can submit pull requests to... the projects are going to, because they're going to want to make sure their project is listed, they're going to want to make sure their working group is listed, all that kind of stuff, and so we expect the community to help a lot with this. Even if they don't, a landscape isn't that hard to maintain.

A
So this group could probably do some of the heavy lifting if we need to. But fundamentally that is our expectation, and that's the intent at the end of this, is to have an output the community can help us take care of and curate, you know, similar to, like, the CNCF has a lot of community contributions to theirs, because everyone wants to be on the list. So that's that. Questions, comments, concerns?

A
All right, cool. It's pretty straightforward again, but I will say I don't want to send this to the governing board or the TAC until Dan's thing is ready, because I think we could probably send them together, because this one also has some, we'll say, light requests for funding and resources. So we can probably bundle them up. All right.

A
But I think the intent initially is more of a: this seems like a fine idea, or absolutely not, there's no way we'll ever pay for this, right, okay. And though, based on those two paths, we can then use that to... because the other thing is, I can't go to contractors today and be like, hey, I have this proposal that's completely unapproved, never been seen by the governing board, you want to spend a couple hours helping me fill it out? They're gonna be like, no, no, I don't. Right, so.

F
Oh, well, okay, so anyway, yeah, I haven't had as much time in the last two weeks as I was originally hoping. But that said, you know, progress made, you know. So basically I think there's been at least an agreement among some of us that, you know, it's important to actually figure out the current status of open source software SBOM generation tools.

F
So the only... you know, the obvious way to do that is by, well, let's start writing the document we'd like to see and then start doing the analysis. So, you know, we've at least put some context together, some... identified some related work, identified a set of SBOM generators. My thanks to the many folks who have over time turned this from a list of... well, I mean, we didn't start with a completely blank slate, but we've definitely extended it.

F
You know, I totally get the comment about, hey, some organization would be helpful, agreed, but I think the first step is: let's identify, and then figure out how to analyze them, and then, you know, go do that. We have identified some related tools also, and, you know, that sort of thing, but the idea is, what are the tools and how can we evaluate them?

A
Began... yeah, and it happened. So my thought here is, how deep do you want this to go, and kind of the reason I ask is, if you look at, like, the CycloneDX or SPDX tooling pages, they list, like, hundreds and hundreds of things, and I bet more than half are probably end of life. They're not maintained in a meaningful way, and even of the half that are maintained...

F
Well, a lot of them actually aren't... are out of scope. There's a huge number of tools that are for things that have nothing to do with SBOM generation, and so yes, you're right, there's a huge number of tooling, but a lot of it is for, like, analysis of SBOMs, for example, or, you know, other things that are... as soon as you say, hey, I want to know about tools for SBOM generation...

F
The list gets much shorter quickly. I mean, you can see the list here, and, you know, right now I would say, you know, I mean, there's... obviously, how do I count multiple tools, but essentially 12, and that's including SwiftBOM, which CERT/CC has essentially abandoned, and you'll notice that for them, I put them in the honorable mention category with no intention of evaluating, because unless there's some real reason to go back and look at dead tools, I don't think...

F
There's a reason to evaluate dead tools. So: must be live, must be general, must generate open SBOMs, I think, has to be the minimum criteria, and, you know, that list... you know, we still need to go through and see if there's any key tools, but I don't expect it to be much longer than this list right here, and to be fair...

C
You know, you'll find maybe their open source footprint, if they have a project, the top-level project, but most providers that IBM deals with, and there are half a dozen or more, they all are either working on or are creating SBOM generators you'll never find in your journal searches, because there are some link on some home page that they have on their product page. So, but they have... oftentimes they're open source, but they're slightly coupled to their back-end databases and their scanning services.

F
Yeah, well, okay, so let's talk about this, I guess. I've been assuming that this is for evaluating of, you know, I'm only going to use an open source tool for generating my SBOM. You know, I'm happy! You know, all my recipients may use proprietary tools for other things, but if we want widespread adoption, we need to make this, at least at some basic level, super easy. And so my theory has been, we're not opposed... I'm not opposed to a proprietary vendor creating a tool to generate SBOMs, carry forth.

F
I guess for the moment, and I guess this is for the... trying to make things simple. I was trying to do, for more of the pure set to start with, and I want to be careful here, because it's not that I'm saying, oh, you know, you're evil if you do a closed-source product. That is not the message I'm trying to send. It's very much the... I'm trying to make this so broad, you know.

C
Typically... well, no... well, typically what you see is that there's an open source footprint. You get some amount for free, basic generation, but if you want SLSA level three source information, you gotta connect to the back-end database to get the identities, the code genomes, all those things. That's right: the provenance.

F
Okay, so it does work with... without the... without the closed... so.

C
It's not a universal statement, that's generally the way these are. Anyway, give us a try, start a new episode, we'll get some amount for free, and we'll get whatever is public, but you won't... but if you want to tap into our rich pedigree and provenance databases and sums and hashes, you gotta pay for the extra attached service to get that extra SLSA three information in your SBOM.

F
Got it. Perhaps that's just my misreading, because the things that I've... when I looked, it looked like they were essentially required, but maybe that was a misunderstanding of their circumstance.

A
I have a thought on this, but it might be... I didn't... I'm not mean... okay. Let's move on. Saba has his hand up and then I'll come back to my thought.

F
Okay, yeah, I get a little overwhelmed on the Slack world. So, but yes, we would love for help. We're... basically the first step was trying to identify, well, the tools to evaluate, and at least some idea, some approaches to evaluate, because evaluation can be in... you know, there's always more you can do, so we were trying to...

G
I am here for this meeting over the last couple of months, but finally we are getting to a point where I can get my hands dirty, so I can do something useful, probably, and also it seems that the internet, this topic, is also important for us. So maybe one of my colleagues can also participate in evaluation, of course not full time, but part time.

G
Bit, to be honest, they mostly prefer to use Swift generation, and I know that what are the issues with different, and also getting some reports from customers who are using 3B, for example, so I listed this kind of problematic items in the operation criteria. Check the other tools also, but yeah, if I would like to start with one single today, it will be saved.

I
Yeah, I just thought I'd interject here a little bit about the Snyk SBOM generation capabilities. So the Snyk CLI, it is open source, but we're currently trying to improve, let's say, our engagement with the open source community, to be more clear about what sort of contributions we accept from folks outside of Snyk. Today we support SBOM generation in the CLI for both CycloneDX and SPDX. It's an experimental feature. We are developing that towards GA release in the next quarter, but this is something that we do offer.

F
Want to put that in the document here, so yeah, so Matt's point's a good one. You know, I would say, you know, we should always... you know, we should strive to be as fair as possible. So if an open source... if it's an open source software tool and it can work standalone, then it absolutely should be part of this, and we want to partner with Snyk and everybody else.

F
The goal is not to put anybody out of business, by the way. The goal is just simply: hey, I'm looking for a tool, I have very limited resources, what can be done? And if you find that you want something that's not available as open source, that's a different discussion, but I think the notion was trying to help people find the open source ones. Frankly, I think the closed-source folks would like to know what the open source ones can do too, and...

A
I have one last comment to kind of tie up what Matt was talking about. David, I think something to keep in mind as well is we want to build that landscape, and we can put everything in the landscape, so anything that doesn't maybe make... I don't want to say "make a cut", but, you know, like, anything that isn't appropriate for this list is more than welcome to be added to the landscape later, and so I think that's something to keep in mind, is it's not like we're excluding anything.

F
But also, in terms of evaluations, you know, I'm trying to scope this down. To be honest, you know, there's only so much time everybody has, so by scoping it to only the open source, I think that makes it a little easier. Also, and I don't know if this is true for Snyk, but I do know this is true for some other kinds of tools, there's often criteria that makes it basically illegal, or not illegal...

F
You are contractually obligated not to say anything unless the vendor says it's okay, and the vendor rarely says it's okay, and I'd just rather avoid that morass of those clauses. Yeah, I'm not a fan of those clauses. Talk to me later or check out my posting from years back.

A
And I think one other point, David, like, if you make a list of 150 tools, no one's going to read it, right? Right.

F
Yeah, and that voice, yeah. Well, as far as what do... I'm not expecting to see more than 15. Okay, maybe I'm wrong, I mean, 16 will not kill the world. If we see a hundred, that's a completely different kind of problem, but I mean, I'm hoping that most people have decided, you know, I don't want to write another one, I want to improve an existing one or use an...

F
One, I think, just... how do I put this kindly... human laziness discourages making a hundred different tools of the same type.

I
No, I think it's a good point. If we find that there are, you know, 100 different actively developed SBOM generation tools, like, it's a good sign maybe we should consolidate those open source efforts and maybe try to have, you know, a smaller number of tools but more feature-rich, maybe more languages supported, and so on. So I think that would be actually quite an interesting learning from this effort, that maybe the community is too dispersed across too many different projects.

F
Know is that there's going to be some that are just obviously the ones to look at first. You know, they support more languages, more in depth, they're far more active, you know. That's not to say that nobody can come up with something new or better. It's just typically there's, you know... there are usually leads, and other people want to work with the leads. They don't want to spend their time working on something that everybody else has abandoned.

F
Yeah, so I have a question specifically on the Snyk CLI tool. Does that work by itself, or does it need... is it requiring the back end?

I
So the answer is, today it requires a back end, so it generates the SBOMs on the server side. In the future there may be, like, we may introduce a totally offline version for SBOM generation, and for some areas, like container generation, we may do this on the client side, but it's something we're currently looking at and investigating for the future. So, but today it's server-side generation.

I
So it is... it's open source and it's also freely available. So developers can generate, you know, SBOMs to their hearts' delight, even if it is server-side. The product does have, you know, some paid features, of course, but in terms of SBOM generation I don't think we have any limitations there.

I
Yeah, I'm trying to figure out, like, how much to go into the details, but essentially the Snyk CLI, in most ecosystems, so most package managers or most programming languages...

I
Then we send that dep graph over to the server side and it gets converted in a service that runs in Snyk's infrastructure. It gets converted to CycloneDX or SPDX and then sent back to the client. That's how it works. Okay.

F
Got it? Okay, actually that makes sense, and indeed almost every ecosystem has their own dependency graph format, so that makes sense. Okay, all right.

A
All right, I'm gonna shovel this along quick. The only other thing left on the agenda, it said, documenting SBOM user needs, and Dan, you've got that one. It has that.

E
We know we need to do it, and I think it happens after the... let me take care of putting the other thing into GitHub first, and then we can work on that, basically.

A
I'll assume not. Let's escape early, then, because I like it when meetings end early. So thank you, everyone, this has been a great conversation. I think, well done, everyone who's put their work together, and anyone is welcome to help. All of these tasks do need help, so don't, like, wait for an invite or think you can't. So, awesome. Thank you, everyone, and I guess I will talk to you all soon.