►
From YouTube: Security Tooling Working Group (June 7, 2022)
A
D
A
D
A
C
A
A
C
C
C
C
C
A
A
C
A
C
So
so
I
I
think
what
I've
been
telling
folks
is
every
working
group
think
about
which
work
streams
or
which
parts
of
those
at
least
make
sense.
So
at
least
we
can
get
kind
of
get
the
thinking
going.
I
think
the
goal
is
to
eventually
have
a
broader
kind
of
throw
through,
but
you
know
what,
let's
just
start
talking
about
and
thinking
about
it
and
you
know:
that'll,
give
brian
more
material
to
work
with
than
coordination.
A
A
I
mean
yes
because
look
I'll
be
just
completely
frank.
Like
most
of
these
working
groups
have
meetings
and
saying,
oh
I
do
that.
That's
that's
our
group
like
is
it?
Are
you
actually
doing
anything,
whereas
I
feel
like
the
work
streams,
have
very
specific
funding
requirements
and
goals,
and
so
saying,
oh,
this
group,
that
only
has
meetings.
A
E
Yeah,
well
I
mean
I
know,
some
of
the
working
groups
are
actually
talking
about
these
work
streams
right
and
certainly
david's
in
all
of
them,
so
he
or
at
least
the
majority.
So
I
mean
like
robe
from
the
last
the
best
practices
right,
one
of
the
breaking
out.
He
knew
a
sig
specifically
around
stream.
One
for
the
education
components
is
one
example.
So,
and
certainly
there
are
others
but
yeah.
E
I
think
there
is
some
logical
tie-in
from
the
working
group
to
these,
because
coming
up
to
the
actual
meeting
of
the
work
a
couple
weeks
ago,
the
working
groups
were
actively
working
on
these
projects,
or
at
least
certain
people
in
a
number
of
them.
So
I
don't
think
they're
mutually
exclusive,
but
I
agree
that
you
know
you
can
and
certainly
not
be
in
a
working
group
and
work
on
these.
E
These
work
streams,
I
just
think
you're
other
than
the
tac
meeting,
which
kind
of
sits
over
everything
and
discusses
these
if
you're,
if
you're,
only
going
to
one
or
two
working
groups.
How
else
are
you
going
to
hear
about
it?
If
it's
not
discussed?
I
do
think
it
should
be
at
least
loosely
tied
and
it
should
be
some
updates
in
each
one
of
these
variant.
C
C
You
know
they've
been
doing
education
stuff
since
they
were
founded,
so
it
kind
of
makes
sense
that
that
stream
is
at
least
they
at
least
do
some
of
the
things
I
I
don't
think
we
want
to
say
you
know
the
working
group
does
everything
in
that
stream
necessarily
or
multiple
working
groups,
because
the
goal
of
that
of
that
document
was
more
to
identify
what
needs
doing.
We
very
expressly
avoided
the
who,
because
it's
it's
hard
to
get
even
agreement
on
what
needs
doing
and
the
who
does
them
is
a
is
yet
another
step.
C
C
But
I
I
do
think
it's
fair
to
say
hey
at
least
for
the
working
groups.
If
there's
parts
that
you
think
you
know
you
can
contribute
to
helping
and
and
working
on
something
you'll
raise
that
start
the
discussion,
you
know
you
know
I
I
just
don't
want
to
wait
forever
for
for
the
a
lot
of
the
folks
who
are
involved
in
actually
solving
these
problems,
who
know
how
to
solve
these
problems
are
in
these
meetings.
A
A
C
C
C
C
Thank
you,
everyone,
okay,
and
should
we
include
linters
non-security
in
scope,
so
I'm
gonna
open
that
up
to
the
floor,
because
I
I'm
not
sure
we
have
not
answered
that
originally,
it
wasn't,
for
it
was
only
for
the
security
tools,
but
there
are
good
arguments
for
it.
Frankly,
I
think
there's
arguments
either
way.
Does
anyone
have
a
strong
preference
they
want
to
raise.
A
C
Contacted
them
so
far
it's
been
a
you
know,
trying
to
document
what
people
already
do
and
you'll
notice
that
a
lot
of
I
won't
say
I
I'm
sure
I
can't
say
all,
but
many
many
many
tools
have
a
mechanism
for
disabling
things,
but
that's
actually
part
of
the
challenge.
Is
that
how
it
does
then?
You
know
it
varies,
which
means
you
have
to
insert
a
comment
for
each
one,
and
maybe
that's
okay,
but.
C
A
C
A
C
Yeah
now
one
one
thing
that
you
can
probably
consider
an
error.
I
realized
after
I
started
writing
this
spec.
I
think
once
you
say,
fall
finder
ignore
it'll,
ignore
it
will
basically
disable
the
next
warning,
but
that
warning
may
be
many
lines
later
and
I
think
it
just
the
next
warning,
no
matter
how
far
down
it
is,
which
isn't
right
really
either
actually,
because
if
you
inserted
an
ignore
line
and
then
later
change
the
code
to
fix
it,
you
don't
want
the
ignore
to
go
to
trigger
many
many
lines
later.
C
I'm
gonna
have
to
check.
I
have
it's
been
a
while,
since
I've
looked
at
the
flock
I
undercode
for
that,
but
it's
possible
that
a
tool
whether
or
not
flaw
finder
does
I
wouldn't
be
surprised
if
some
other
tool
does
it.
We
probably
ought
to
check
for
that,
because
it
should
be
the
first
next
code
line
that
you're
ignoring
not
the
next
warning
three
thousand
lines
later
yotam.
D
D
Way
forgot
that
that
file
is
there
and
it
simply
is
not
aware
of
any
vulnerabilities
that
sit
in
that
structure
tree
structure.
So
so
I
think
maybe
something
that
we
want
to
promote
is
is
some
kind
of
guidelines
for
how
to
to
report
it
to
some
some
kind
of
transparency.
Like
there's
a
difference
between
you
said
there
are
zero
vulnerabilities
and
there
are
zero
vulnerabilities,
but
there
are
five
that
were
skipped
because
you
silence
them.
C
Okay,
I
I
there's
nothing
in
here
about
excluding
files.
This
is
a
per
message
within
the
file,
but
but
your
point's
still
well
taken
that
hey
report.
I
I
probably
shouldn't
note
the
report
that
flaw
finder
does
where
it
says.
I
ignored
this
many,
but
you
know
you
know
yeah.
You
know
this
many
found
this
many
were
ignored,
but
you're
absolutely
right
and.
F
B
Yes,
hi
everyone,
I
I
just
thought
it
to
actually
talk
a
little
bit
more
at
the
higher
level.
The
point
you
guys
were
talking
about
the
the
you
know,
adoption
of
this
kind
of
standard.
So
to
so
to
speak
I
mean
you
know,
I'm
an
old
standards,
guy,
I'm
possibly
in
many
standards
effort-
and
I
always
tell
people
you
know
to
be
successful
in
establishing
a
standard-
is
absolutely
key
to
have
the
critical
players
in
that
field
involved
and
get
their
buying
from
the
get-go.
B
If
we,
if
we
don't
ensure,
we
have
that,
then
it's
kind
of
a
waste
of
time,
I'm
afraid
because-
and
I
think
the
other
thing
is
the
challenge
here-
is
that
I
don't
know
that
the
people
who
are
you
know
producing
those
tools
that
would
be.
The
implementers
have
a
big
incentive
to
implement
this,
because
I
mean
it's
a
kind
of
vendor
lock-in
type
of
situation
right
they
they
don't
have
much
incentive
to
help.
You
move
from
one
tool
to
another.
They
they'd.
B
B
But
otherwise,
if
everybody
is
kind
of
the
same
level,
they're
all
hoping
they
can
get
the
biggest
market
share,
it's
very
very
difficult.
So
I'm
sorry,
you
know,
I
think
I
wouldn't
put
too
much
effort
until
you
can
secure
some
level
of
commitment
from
some
of
the
tool
providers
and
just
as
a
last
piece
of
information.
B
You
know
this
is
a
specification
that
will
be
implemented
by
tools
and
you
would
want
to
use
the
community
specification
framework
to
develop
that
to
get
the
right
ip
protection.
Yeah,
that's
assignment
stuff.
Just
so
you
know
it's
much
easier
to
do
it
from
the
get-go
than
trying
to
do
it.
After
once,
people
have
started
contributing.
C
B
Absolutely
I
mean
you
know,
I
don't
expect
you
to
just
say:
oh
okay,
easy
enough
I'll
go
fix
that
I'm
just
you
know.
This
is
a
fair
warning,
I'm
just
letting
you
know
in
my
opinion,
that's
my
experience
so
and
I
always
question
when
people
are
embarking
standards,
effort
where
they
don't
have
critical
mass.
C
A
Well,
I
mean
look
part
of
the
reason.
The
open
ssf
exists
is
to
help
shepherd
things
like
this
along
right
I
mean
the
history
of
security,
is
throwing
our
hands
in
the
air
and
declaring
problems
too
hard
like
if,
if,
if
we
don't
try,
we
fail
automatically,
so
I
I
think
we
should
also
be
mindful
of
that.
C
B
Exactly
you
know
you,
you
have
a
I.
I
think
this
is
a
solvable
problem
and
there
is
nothing
wrong
in
trying
to
address
it,
but
you
know,
I
think,
before
you
spend
too
much
time
into
figuring
out
all
the
technical
details
you
have
to
look
at.
You
know
who
is
going
to
implement
it.
Otherwise,
you're
just
wasting
your
time.
You
know
the
world
is
full
of
standards
that
are
just
collecting
dust.
C
B
E
A
All
right,
cool
and
then
we'll
move
on
to
the
link
I
put
in
there,
so
I
created
it.
I
I
talked
long
ago
about
wanting
to
build
a
project
to
measure
security
tools
and
not
measure
for
goodness,
but
rather
measure
in
a
way
that
shows
what
tools
do
well
or
what
they
don't
necessarily
do.
Well,
because
I
know
a
lot
of
the
tools
that
exist.
E
C
Okay,
so,
but
of
course,
I
think
we
all-
we
all
understand
that
the
dependencies,
obviously
I
mean
most
software
today-
is
mostly
the
dependencies.
So
you
know
having
these
s,
bombs
is
thinking,
you
know,
has
value,
so
there's
got
to
be
a
way
to
you
know,
fund
or
do
something
to
make
these
things
much
easier
to
install
and
use.
C
A
A
C
A
So
my
original
thought
was
to
identify
kind
of
blind
spots
as
specifically
s-bomb
in
this
case,
but
I
would
like
to
see
many
other
security
projects
doing
the
tools
I
should
say
doing
similar
things,
but
initially
I
was
thinking
of
just
capturing
blind
spots
and
s-bombs,
where
s-bomb
scanners,
where
you
could
say
like
this
scanner
I
mean
my
favorite
example,
is:
is
the
resilient
blog
post?
I
won't
post
again
but
like
they,
they
look
for
log4j
and
there's.
In
fact,
I
I
checked
in
the
palantir
test
suite
into
this
repo
I
created
just
so.
A
I
don't
lose
it
again
where
there's
like
all
these
weird
instances
of
log4j
like
packaged
up
in
weird
ways,
and
it's
not
meant
to
be
maliciously
hidden,
because
that's,
I
think,
outside
the
scope
of
anything
we
want
to
do,
but
just
like
this
is.
This
is
how
java
is
distributed
and
some
tools
found
a
lot
of
it.
A
Some
tools
didn't
find
any
of
it,
and
I
think
that
was
my
original
thought
was
starting
to
build
a
corpus
of
tests
that
you
could
run
like
an
s-bomb
scanner
against
and
say,
like
this
scanner
is
really
good
at
finding
python
stuff.
The
scanner
is
really
good
at
finding
roomy
stuff
whatever
and
then
also
using
that
as
a
way
for
projects
to
say,
like
we
suck
at
finding
java
jars
in
jars
like
we
can
fix
that
with
a
patch
or
whatever.
A
But
at
this
point
just
running
the
damn
tools
is
the
challenge
they're
really
hard
to
use.
I
was,
I
was
floored
by
how
difficult
nearly
all
these
tools
are
to
run,
and
that
was
not
my
expectation
at
all.
So
I
think
my
first
step
is
just
going
to
be
identifying
the
projects
that,
because
obviously
there
has
to
be
limited
scope
but
identifying
the
projects
that
I
think
have
the
most
promise,
and
at
this
point
obviously
this
is
just
me.
A
So
it's
literally
what
I
think,
but
if
it
was
a
larger
group,
then
it
would
be
a
group
decision
but
and
then
working
with
them
to
make
sure
like
it's
easy
to
use
and
we're
setting
it
up
correctly
and
then
creating
a
data
set
to
go
out.
You
know
to
run
them
against,
but
but
yeah.
I
I
think,
I'm
shocked
by
what
I've
learned
so
far
and
now.
A
The
problem
with
s-bomb
is
going
to
be
adoption
if
the
tools
are
all
garbage
which
at
the
moment
I
shouldn't
say
garbage
garbage
is
too
strong
if
the
tool,
if
the,
if
the
the
the
entry
point
into
this
tooling,
requires
like
a
full-time
person
to
set
up
and
run
that's
going
to
be
too
much
friction
for
most
organizations.
I
think
right
and
so
they're
just
going
to
be
like
well.
I
can't
do
it.
I'm
done.
F
Yep,
okay,
agree:
I
like
the
idea-
and
I
think,
as
you
mentioned
previously,
that
that
ties
directly
into
the
work
stream
nine
goals
kind
of
yeah.
I
was
mainly
wondering
about
the
to-do
in
the
repository
that
you
that
you
posted,
because
if
you
asked
you
asked
for
folks
who
could
help
out-
and
it
says
basically
identify
more
s-bomb
scanners
and
all
that
stuff,
so
that
seemed
to
be
more
like
an
information
gathering
exercise
primarily
as
step
one
and
then
take
it
together.
A
C
C
C
A
H
A
A
Just
checking
yeah
it's
I'm
not
ignoring
them
on
purpose,
actually,
for
what
it's
worth.
I
know
this.
The
cyclone
dx
has
a
git
repo.
Well
many
get
repos
with
their
their
tooling
is
easy
to
run,
and
I've
run
some
of
their
stuff
before,
but
I
decided
I'd
start
with
spdx,
because
I've
just
never
run
any
of
the
spdx
tools
and
now.
A
B
A
For
what
it's
worth
most
of
these
tools,
don't
even
really
have
installation
instructions
that
can
be
followed
by
humans
like
there's
no
getting
started.
It's
it's
a
it's!
Your
typical
open
source
project,
where
it's
just
like
a
smattering
of
information
spread
across
the
repository
in
a
way
that,
if
you're,
not
a
part
of
the
group,
you
literally
can't
decipher-
and
I
that
is
a
bug
right.
Like
that's
a
bug
we
should
file
and
say,
like
you,
have
no
getting
started
instructions.
How
do
I
run
your
project
and.
A
Yes,
but
I
ran
theirs,
that's
the
thing
right.
I
could,
because
they
have
a
docker
container,
I
could
run
the
docker
container,
it
ran
and
then
it
it
ran
for
a
very
long
time
and
made
my
laptop
make
a
lot
of
noise
and
then
it
crashed,
which
with
no
with
no
error
message
but
and
that's
the
thing
right.
Some
of
these
have
some
getting
started
instructions.
Some
of
the
like
some
of
the
I
forget
which
one
there
was
one.
A
I
tried
running
that
like
there
were
getting
started
instructions
and
I
just
couldn't
get
it
to
work
and
I
assumed
they
changed
something,
but
they
didn't
update
their
instructions
and
again,
like
that's
a
bug
those
should
be
filed
and
eventually
we
will
get
there.
But
but
at
this
point
I
just
want
to
like
identify
stuff
and
see
what
it
does
and
tinker
more
than
I
want
to
reach
out,
because,
obviously
we
all
know
once
you
reach
out
to
an
open
source
project
and
start
filing
bugs
it
becomes
a
generous
amount
of
effort
to
to
be.
F
A
B
A
Over,
I
think
so,
right
exactly
exactly
and
part
of
it
too
is
like
how
many
of
these
instructions
are
dead.
There's
a
couple
I
saw
that
hadn't
had
commits
in
like
two
years
I
mean
there's
been
a
lot
of
work
on
s-bombs
in
the
last
two
years,
so
I
suspect
anything
that
hasn't
been
updated
in
two
years.
A
If
it
runs
it's
not
going
to
generate
what
I
want,
and
so
I
mean
that's
part
of
it
too
is
just
figuring
out
like
what's
alive,
what's
dead,
what
should
be
dead?
You
know
it's
going
to
be
many
different
layers
and
again
like
this
is
part
of
the.
I
think
the
treat
in
in
working
on
projects
like
this
is
like
there's
so
much.
I
don't
even
know
I
don't
know,
and
and
as
I
work
on
it,
I
learned
so
many
things
that
I
didn't
even
imagine.
C
A
I
see
so
it
didn't
see
like
this.
Like
that's
a
great
example
david,
that's
exactly
what
I'm
talking
about
like
bringing
the
ability
to
say:
hey,
spdx
s,
bomb
generator,
and
in
fact
this
I
didn't
this
didn't
turn
up
in
my
list
of
of
going
through
the
spdx
tools,
and
it
looks
like
this
one
looks
like
it's
not
terrible,
so
yeah.
C
A
C
B
C
A
Exactly
exactly
and
like
they're,
the
s
bomb
world
is
huge,
and
so
everything
is
going
to
have
to
do
something
well
and
and
not
other
things,
and
I
think
part
of
this
I'd
love
to
be
able
to
say,
like
you
need
a
ruby
s-bomb
generator
here
are
the
s-bomb
generators
that
scan
ruby
here
are
the
s-bomb
generators
that
don't
and
then
I
know,
don't
look
at
this
stuff
because
I
don't.
I
don't
need
that
right.
I
need
this
over
here.
C
D
F
A
F
A
D
Yeah,
just
as
a
quick
anecdote
like
I
ran
20
containers
and
took
four
scanners
and
out
of
those
four
out
of
those
20.
Only
three
had
reported
the
same
number
of
vulnerabilities
and
even
the
three
that
were
identical
in
the
number
of
vulnerabilities
they
weren't
the
the
same
vulnerabilities
like
they
had.
You
know
one
missing
from
that
one
and
the
different
one
that
is
present
in
another
one.
So
the
number
is
the
same.
Those
are
different
vulnerabilities,
so
yeah.
D
A
F
A
C
D
H
A
A
C
A
A
All
right
there,
I,
I
guess
one
thing
I
just
looked
at
there's
no
there's
the
next
meeting
is
during
the
open,
ssf
or
the
linux
foundation.
Open
source
summit,
so
obviously
that'll
be
canceled
and
the
one
after
that
is
july
5th,
which,
like
I'm
out
of
town
for-
and
I
bet
a
lot
of
people
will
be
so
we'll
we'll
start
that
out
with
probably
jory
at
some
point,
but
all
right.