From YouTube: Security Tooling Working Group (February 14, 2023)

B: I'm painting their man. I bent over to pick something up this morning and, like, my back is killing me now. It's like, God, damn.

A: Not much of a spy anything, but it's an Aussie play. It's nice.

B: If you haven't done so yet, if everyone can sign in. Can someone paste the link to this? I just pasted it a minute ago. And then there's also the introduce-yourself chat for anyone new here. Rather than go through a lengthy intro process, just paste who you are, even if you've been here before, into the chat. That way we kind of all know what's up. I just saved this and reuse it every week, so you can also do the same.

B: Okay, we had a tools topic from... who put that in there? Was that Dan? Here.

B: Daniel Goodson, are you here, Daniel? Yes, oh, he's connecting, all right. Daniel Goodson, are you here?

I: Hi everyone, can you hear me? Yes, okay. I'm Franco Lambrani. I'm a cops intern here in Ericsson; currently I'm studying for a virtual degree in computer science.

I: Hey, can you see my screen? Yep, looks good. Okay, well, I'm going to present your channel parse, this library I was working on.

I: Okay, well, hey, I have... I want to format, I want to parse the linters' output, and each of these has a different... It's done. No, how... different output formats. So I started to see some open source projects, and everyone reinvents the parsing model, and also they parse what they need, and you can't extract the parser from the library to use it, for example, to make an internal CodeChecker contact. So I want merely to solve...

I: These problems were what my design goals were, and I want to make an error to question this output. I want to make it easy to add a parser, extensible, effectual use of the data you parse. For example, you have Osiris and you can use a SQL database generator or service generator, or you can define your own observer.

I: For example, this is an implementation of a parser. Here I parse the npm output, and you can see there are just 25 lines of code. Well, it's really simple: I use a JSONPath query to select the information I want, and about the new name and the schema file name. This is the schema I'm going to use to validate the JSON I'm going to parse, or to pass it through the next chain in the chain of responsibility. And, for example, this is an observer. It's an easy one.

I: Output converter using your channel parse. Here I added the feature of a SARIF output to the library, and you can see there are just seven lines of code. Mainly the JSON report is where I get the JSON parser of server, and parse-from-JSON is the function of my library, and the last line is for printing the output. And this is the implementation of an external converter using malaria; it's just 12 lines of code, so it's really simple and faster to implement.

I: It's an internal project to set a baseline of static checkers' findings in a C code. I am going to present this tool in the future. I want to count... I want officials perhaps and interplify and store it in a base file. So in the pipeline you can check if these base files already exist and check if the amount of issues per file per minute are the same or you will have new ones. So you can work on your tasks and forget about the legacy code, so, for technical debt.

I: Another example of use is CodeChecker. It is a tool that runs on C/C++ code. They distort to Checker checks the information it receives from each linter, for example, for false positives and some kind of stuff, and for both fixes based on the findings that you can apply automatically. So here I can use your channel parse to parse these outputs or to use the information parsed.

I: Well, what is the current state of this library? Sorry. The static checkers supported are NCI APM for jelly drone, and also all the editors with SARIF-based output. I have three options implemented: database generator, assigning generator and console, which is what I showed you the code of. And the next step with this library, I think... I'm waiting for the publication clearance, so I want to make it fully... now more parsers, like being some I, buy.

H: And the importance of the database is that a database by using SQLite, to me, it currently provides a lot of flexibility for research. We are doing a lot of research on security debt, so we can have all the flexibility of SQL for querying all the tools you have. I use a SQLite chemical planter SQLite moment. So that's all for this library. I don't know if you have any questions.

I: I did have a question. You mentioned you're currently waiting for publication clearance. Do you have any idea when that's likely to happen?

H: Yeah, I think it's likely next week, or by the end of the month for sure we'll publish it in GitHub.

H: It's, you know, some internal bureaucracy, but by the end of the month we will publish it. Okay, awesome. We will publish it under some very permissive, a free software license.

H: And the same thing with the deviation-from-baseline system. Okay, at that point we will ask for help contributing more parsers and observers.

F: Sure, okay, so this started out when, you know, one of the roles for my company is to try to figure out how to activate Dell to participate in OpenSSF initiatives to solve challenges in the software security mobilization plan, and so I've been attending these meetings for a while, because software bill of materials is an area that we want to have industry leadership in and participate.

F: But there was never really a one-to-one connection in a lot of the work streams directly to, yeah, a working group or a special interest group. So in our case the Security Tooling Working Group was starting to align with the SBOM Everywhere work stream.

F: And so we wanted to put together a proposal for this, the scope and the work that the special interest group would do, and as we were getting ready to accomplish that, I realized that there was another connection that had already happened: probably in the Best Practices Working Group had aligned to the education mobilization plan work stream, and he had created an education proposal. And so, instead of reinventing the wheel, I did what any really efficient person would want to do, which is say: I really like the wheel you've built.

F: I would like to put my proposal in the same format, and I think that we could get a lot of momentum if other working groups or companies want to spin up a special interest group that aligns to a work stream.

F: This could be a pattern or a template that they use to do that. So what we're seeing on the screen right now is the education mobilization plan review.

F: So he's built this in GitHub. Right now we're not in GitHub, we're just in a Google Doc that we've been working on, but essentially he's kind of framed it out where they're talking about education, the mobilization plan, and then he's put together a way to look at those proposed ideas and a proposal summary. So I'm going to go into the education. All right.

F: So this first page that he has basically talks about the mission of the special interest group, and so this really aligns with the document that we've been working on. You know, Josh has been leading the way the past month or so, where we have... Let me see if I can hide these floating meeting controls.

F: However it ends up evolving to that plan, to help accomplish that mission, and then he wraps it up in a proposal summary at the end. So what Dan has done, and I'll probably let you speak to this a little bit more, Dan, is he's built this two-week... what we're using, a Google Doc, to try and kind of build the template, put the meat on the bones, or put the bones together, I should say, and Dan's put a little meat in there on.

G: Yeah, okay, no, no, I think we're just at the very early stage. We have some notes, basically. We don't have that... I would say, trying to kind of bring up the document that we do have.

G: I mean, I don't even know, I mean, we just have some notes, basically, that Sarah and I have been carrying between us, saying, okay.

G: Well, we want this new channel, so we want to create something that is like, as Sarah said, the documents that are detailing what the education stream is doing, but ideally in GitHub, in markdown format, and kind of taking what I think is in the goals and purpose document and making it a little bit more concrete.

G: It was the idea that I... and so, you know, like, what I like about Crimson is it says, you know, we're going to do education, we're gonna do this, we're going to do that. And I was struggling a little bit when I was coming into this work stream, looking at the goals and purpose document, to kind of say: okay, we'll parse out of that what exactly is going to happen in SBOM Everywhere? What are we...

G: What are we doing? So I think that was what we were working together on. We've got two calls so far and we're going to continue, and then hopefully we get some stuff that we can actually bring into the GitHub repo in markdown that people can take a look at. Does that make sense? Yeah, okay, all right.

F: And I'm going to post in the chat the link to the education GitHub, because I think if you read it and you're interested in participating, or you're interested in helping to say, well, what will this look like, kind of ideating what will this look like for our work stream? It's a really good start! Yeah.

B: Here, and then I think it's this. Yes, if you scroll down to approach, there's a bunch of work that we want to do, but there's kind of two ways the OpenSSF has been, we'll say, getting work done: one is through funding proposals and the other is through members volunteering. And I think one of the struggles we've had is it's easy to get people to show up to meetings like this, and it's really hard to get people to do work, and so one of the things I would really like to make...

B: We know that, but it's where we start the process and learn the lessons, because there are so many things we don't know. We don't know in this space right now; it's like indescribably huge, and so that's kind of the birth of all of this, I guess, is the whole... There are, in fact, Dan, you and I talked, what, like two weeks ago, where you're saying, like, I literally have people to work on this stuff, what can we do, right? And today we don't have a good answer. Yeah, like.

G: People have to come to a meeting of the minds first and kind of get comfortable working with each other in order to start work, and that can take time. I think that the action-oriented approach that you're trying to promote, I think, is really good, a good one, and maybe it lends itself more towards the idea that people in this group should be feeling empowered to put stuff forward and just say, hey, what about, what if we work on this?

G: What if we work on that, and not feel like they have to get complete consensus from anybody else in the group before proposing things.

B: And so I guess maybe my question then is: how can some of us help you along this path? Because right now it's you and Sarah, and I mean, if you don't want help yet and you're saying not yet, it's not the time, that's a perfectly reasonable answer. But if there's something we can help with, I know, like, I've got a little time I could spend on some of this over the next couple of weeks.

B: And I guess the one ask I'd have for everyone else is, in the meantime, the approach is where we're starting to lay down the things we want to do. If anyone has an interest in this, like, look it over and make sure it's kosher. We've gone through this for many, many weeks, so I'm pretty happy with it. But if anyone has any thoughts or comments, you know, you're always welcome to add them to the document. Cool.

E: Yes, I guess, you know, it says, let's, you know, identify gaps. It's kind of a precursor to that, which is, hey, let's go evaluate some of the tools. And I'll be honest, right now I think, you know, looking at the bigger landscape, there's a lot that can be done, but I would love to get a focus, a starting focus, on the SBOM generators.

B: All right, so I'm going to jump us into the next topic I have on the list, which is this landscape proposal, and I really want to get this tied up and try to get it in front of the TAC, just because it's going to take probably a month or more of back and forth. So, tying into David's comment about understanding the ecosystem around us, now we don't have to wait on this to be done.

B: For example, if we want to start reviewing SBOM generators, there's no reason that can't start with anything, and that's the sort of thing, if someone wants to do that, just do it, right? Open a document in the GitHub working group repositories, talk about it on Slack. Maybe we will die... I don't care how we start doing it, just someone's... so you can say, I'm going to do this, and do it. Like, that's, I think, one of the other bits Dan touched on, is like the empowerment angle.

B: I am a huge fan of people just doing stuff. If you want to do the work, like, you get to do the work, and if someone wants to complain about your work, like, you can tell them, perhaps, is welcome. Like, I'm fine with that. Like, do the work or shut up. That's kind of my rough attitude, we'll say, on a lot of this, but anyway. So this document, I want to go through as much as we can in the time remaining, and the intent of this is...

B: We want to create a landscape for SBOMs, and I don't mean just open source SBOMs, I mean literally everything we can find, be it closed-source tools, companies working on this stuff, working groups at CISA, everything, absolutely everything we can find, and then that can drive some of our other things, like David was just talking about SBOM generators.

B: No one knows what all the SBOM generators are, because there's probably a lot, and this would be a lovely way to start tracking all of this information and figuring things out, like what are the abandoned SBOM generators, what are the current SBOM generators, like, who's working on what, who owns what, like, we don't know. So anyway, this is a document.

B: Kate Stewart and I have been working on for far too long, and here, I'll put it in the chat just for anyone who's not in the notes. And the intent is to take this, go to the TAC and the governing board and ask for money, and then pay someone to do the work, because I think something like standing up a landscape, as much as I'd love to say, oh sure, we'll get volunteers to do this...

B: I don't think this is volunteer work. I think the initial work sucks and it's going to be hard to get people to do it, but we can probably turn money into work, but then longer term we should be able to maintain it, because it's just a YAML file. So anyway, the way the document's laid out is, obviously, table of contents, we have the executive summary. This feels slim to me and I need to expand it, but I just haven't gotten there.

B: We have no idea how long this is going to take, so part of the proposal Kate suggested is we just ask, as part of, like, a call for proposals, ask whoever's submitting it to us what they think the number of hours is going to be, because we don't know. Like, no one's ever, to my knowledge, no one's ever really done this before.

B: So we lay out the high-level tasks and then we go into depth down below. We have the current SBOM ecosystem, where we just describe all the things I said, and then we talk about the tasks, right? This is where we take these and we kind of expand them a little bit, and so the first task is to set up a landscape under OpenSSF. There's the CNCF... I actually found, since the last time we talked about this, there is an unbranded landscape that exists.

B: So one of our initial things we listed in the to-do was unbranding the CNCF landscape. We don't need to do that; they already did that. So basically the first task is to take the unbranded landscape and put it into the OpenSSF universe and then start modifying it, right? And we kind of lay this down in our goals and expectations, right: put it in our GitHub repo, figure out what infrastructure we need, because it's got to run on something, and this is where, like, I don't know.

E: Basically, the governing board has pre-approved a small amount of money for some other basic infrastructure stuff, beyond which, you know, we need to ask the governing board for funding. Although, you know, if it's a small amount, probably not a big deal. You know, I'm not expecting to need a lot of special resources, but if that's wrong, let me know what you've got in mind.

E: It needs a YAML file. Dan Kohn is no longer alive, but he wrote it, and he wrote it specifically.

E: Internal generation of... okay, my understanding was that the thing didn't require anything other than JavaScript in it, and download the YAML file. I may be completely wrong, in which case my apologies, but.

E: No, I... they... that, I think that's not alive. I don't... my knowledge is.

E: Okay, it's called just landscape, yeah.

B: In the notes right here, yeah, so.

B: We specifically don't want to use this infrastructure, erno, because we're going to also feature closed-source and non-OpenSSF-related stuff, and so when I talked to Kate a long time ago, it was basically accepted that we should not try to use the current landscape, and we expect our data to be gigantic. And so we'd also, like, pollute theirs, which we don't want to do, because.

B: Right, absolutely, yep, 100%. Okay, okay, all right, so, and again, this is why we need, like, someone to figure this stuff out. We don't even know... we don't know what we need. We don't know how it's going to work. So anyway, we've got: start with the landscape, figure out the infrastructure, public repo, branding the landscape, which obviously will work with the OpenSSF and the legal and all that, update the dependencies.

B: I did... so when I wrote that I didn't realize that the current landscape has its own project, and that looks pretty up to date, because the CNCF fork looked... it had some crusty things in it, but so we're good there, probably. I'm still going to leave it in just because they should make sure they do it. Then, of course, document the crap out of it, because we want to make sure after the contractor is done we don't have to ask them for help just to make it run. So that's kind of like task one.

B: Any questions, comments, concerns? I assume not; it's pretty straightforward, I feel like. Then things start getting a little more dicey, and this is where Kate and I have been going back and forth a lot on this one. Like, so there's already a bunch of documentation that exists today from, like, the NTIA and CISA and all over the place, and there's tons of it, like tons and tons of it.

B: And so one of the things we want to do is start to unwind some of that and figure out, like, what is the data that has been captured that we can add to a landscape, because, for example, a lot of the NTIA documents are no longer living documents; they're frozen in time forever, and many of them are becoming outdated. And so we want whoever's doing this to basically go through a bunch of the existing documentation, and we'll send them the list, right?

B: We're not going to make them go find the docs; we'll create the list of all the docs we know about and just ask them to landscapify the resources. And again, they're also PDF documents today, which is a pain in the butt. So, and then this is where it starts getting a little more... This, I feel like, is one of those, like, AI curves, where the farther out you get, the less accurate the data becomes.

B: So we want to take the NTIA documents, basically, and then we also want to start enriching them, and this is where we add, like, new tooling that isn't necessarily known about in the old documents, figure out... I don't know what this step is. This is the one I could use a lot of help from this audience.

B: That's perfect, yeah, and that's like... that's the kind of stuff I didn't know about, right, that makes me sad. That's cool, though, good. And obviously SPDX has similar. We want to make sure we capture all of the formats, that way anyone looking, as like an impartial third party, doesn't have to try to wade through two different sites with two different interfaces. But this is really cool; I'm glad they did this.

B: Okay, where are we here? We are... so anyway, that'll need help, and if someone's willing to help with that, that'd be great, and if not, I'll do my best to find it. Can anyone putting notes in the chat, can you add those to this document, the notes document? Because the chat will disappear and I would like to review all these later to add to this proposal. All right, then the last one is to just ensure the landscape is maintainable.

B: For anyone who doesn't know, the landscape is run by a YAML file, and we just want to make sure it's well-formed and we can update it. And our intent and our suspicion is that once we have a YAML file anyone can submit pull requests to, the community will help a lot, because obviously if you're creating a project or you're a company working in SBOM or you're doing whatever, you have an incentive to add yourself to this file, and we want to make this, like, the place.

B: Everyone knows they can go to find what they need, because today it's really hard to find. Dan, just jump in; you're not... for raising your hand.

G: Wow, all right. I'm just trying to figure out where in this fits educational materials, because one of the things that I... I posted something in the chat just elaborating on the kind of basic categories of stuff, of work, and I keep hearing about landscape, and to me a landscape also needs to speak to people who are not sick, who are not in this space, who, if you say SBOM to them, or software bill of materials, they're going to look at you like you're from Mars, right? And that's like 90% of the developer community out there, right.

G: So, in the same way that the Best Practices Working Group produces guides, we need to have succinct SBOM guides that also, you know, explain what it means when we say SBOM and what it doesn't mean, and, like, you know, how those are used in general in the software industry, so that people know, in simple language, rather than bombarding them with buzzwords.

G: So anyway, I want to make sure that that also fits into your vision of the landscape, or maybe, if it's not the landscape, then maybe it's something else. That means to me, in educational materials that we need to produce, which is a different kind of artifact.

G: To me, that's one of the things that we... and that's why I wrote down in the document that Sarah and I are working on the educational materials in coordination or in cooperation with the Best Practices, all right, the Best Practices education, or something, because I think that's the kind of audience that we want to go out to. 100%.

G: I totally got that feeling after I dialed into a lot of the SBOM thing as well at Austin, which was great, by the way, but yeah, I got that feeling very much during that. Yeah.

B: So, I think my vision of that, and if anyone disagrees, feel free to speak up, is the landscape is just, like, pointers to everything else. So we would have some sort of SBOM education effort, and I don't know if we would own that or if the education SIG should own that, or whatever; it doesn't matter. But then the landscape would just point at that.

B: So when people are looking for SBOM content in the landscape, where they can see it all, there will be, like, an education tab or section or category or whatever, and then we can link out to other people's education stuff, because I know there's some group from... is it like RIT? I don't remember where they're from at the moment, that's doing, like, learn-about-SBOM.com or something like that.

B: It's, like, really cool stuff, right? And obviously there's nothing to do with OpenSSF, but it's totally one of those things that it'd be great if we can make sure we kind of point at them and make sure everyone knows it exists, because I also want... one of the other goals is we don't want to turn this into some, like, insular landscape where we're only trying to promote OpenSSF stuff. I think if we do a good job, our things will rise to the top.

E: So let me comment. You had said something earlier, you know, having, you know, trying to develop a much larger landscape of what's going on across, you know, industries as a whole on a variety of different topics. I get it; I can see the value.

E: I also think that there's value in really honing down to a particular narrow case. You know, where's the biggest pain point? Let's try to get some very pointed answers, and much more rapidly, because this is going to take a while to do this big thing. You mentioned earlier, hey, let's go evaluate. You know, I'm thinking that the big pain point right now is open source software SBOM generator tools.

E: Obviously, you know, Syft is clearly one; there's a few others. I'm wondering if maybe we should just get, you know, in parallel, drill down fast, focus on that specific area. You know, first identifying the key contenders and, you know, evaluating what's good about each of them, so we can get an idea of where they are. Are you game for doing that in parallel, with the output of that, you know, being... I can't see it here, but it's basically the, you know, where are the gaps?

J: At the first, then, I think it was very interesting seeing where people... there's one SBOM tool isn't going to do everything. You're going to get SBOM tools that are just looking at license management, and actually they're nowhere near yet, because the quality of the data is awful to make that useful. So until, unless you get industry to provide good data, the value of SBOMs isn't going to be there. So how are we looking at that in terms of license management and understanding how licenses are actually defined, and...

E: Version of SPDX 3.0 is going to acknowledge that for a lot of folks, you know, most of the work, for example, I think in the US government, and I think this is also shared with the EU, they don't care about licenses; not relevant. What they care about is, tell me the components and the version numbers, because what I'm caring about is the known vulnerabilities, because software is almost entirely pre-existing components. They have known vulnerabilities; I'm not getting insights. And so you're absolutely right for a large number of folks.

G: Exact component, yeah. I'm sorry, but just like the... maybe this is... maybe I'm being unduly influenced by one particular talk. But one particular talk at the past time day that had a really, I don't know, had an effect on me, or I felt was strongly something that we should keep paying attention to, was the one from Siemens. Yes.

G: They had... they were saying that those two things that you pointed out, David, are equal for them. License management and vulnerabilities were both cases that they were using. Then the other thing that they said, which I feel like needs to be written down somewhere, if we can all agree on this, it would be amazing.

G: Is this idea that SBOMs are only generated for a specific use case, right? And they're not... and that turned my thinking around, so that maybe other people in this room already were thinking about things in that way. I like that; for me, that was kind of revelatory, to think about that in those terms. Yeah.

E: If what I said said nobody cares about licenses, that's absolutely not what I meant to say. My point is that different people have different values on these. For a number of governments, they don't give a darn; in order to sue the government, you have to get their permission. Okay, they do care in a broad sense, but it's not their current pain point. For others, licensing is the issue. For others, like Siemens, it's both. Clearly, we want SBOMs to be able to support both use cases.

K: Hands... I mean, my experience has been the same, and I've recounted this to the CycloneDX marketing people, is that use cases are super important, and I referenced in the chat the link to the CycloneDX use cases at the top of the list, and I run my own internal work group on SBOMs at IBM. It always comes down to the use cases, and different people come to the groups with different use cases. There are 17 use cases there.

E: I don't know which we... there are several. This is here. I can open an issue on, you know, trying to identify the use cases, although, frankly.

G: Right, Daniel, can I just say, David, we would be happy to participate in that tools, okay, exploration, discoveries.

K: Snap, but I'll also, again, the list of use cases on that website is just the current set there. I mentioned earlier in the chat that there's operational BOMs, machine learning BOMs and CBOMs, cryptographic BOMs. There's another executive order from the government from December, just 20-whatever, 22nd, for cryptographic BOMs or quantum security. There's groups already established working on those things at OWASP. So just to let you know, new use cases coming.