From YouTube: Security Tooling Working Group (October 25, 2022)
A
Many people here, so we'll... I don't even think we're gonna try to do the agenda. Well, we'll do part of it. Let me show my screen, this window.

A
That's the worst part. I have like 700 game windows and I never know which one to share, okay. So if everyone has logged in, or, I'm sorry, signed in, thank you. Anyone who hasn't, can someone paste this link? I just pasted it a minute ago, to sign in. So there's the SBOM Everywhere agenda, which we've basically been focusing on at this point. Before we kind of move to SBOM Everywhere, is there anyone here with any tooling items they have in mind?

A
I will listen, yeah. All right, so the SBOM Everywhere agenda. Vicki had a suggestion in the last meeting we had, which was in September, it's been like a freaking month, but it is that everyone introduce themselves, not just the new people, in the chat, and this is something I'd like to do kind of for every meeting from this point forward. So, for example, I'll put in my chat, you know, I'm Josh, I work at Anchore and I'm co-lead of the SBOM Everywhere group.

A
So if everyone could just do something similar, so everyone knows who you are, who you work for, that kind of stuff. I think it would be valuable. I'm not going to push it, so if you don't, that's fine, but yeah, I think it would be appreciated. I've got one bit of update, I guess, for the Python library funding. I don't think... is Kate here? Did you show up, Kate? I can't see if she showed up. Hi, hi, and you snuck in.
B
Okay, so the library: the contractors have been working for the last month on establishing the test bed to check the libraries, and that code is now public. They've been working with the Java stuff to test it, and now that they've got the Python going, they're going to be switching to using it for fleshing out and cross-checking that the Python stuff is working.

B
I guess so, and they've also started having, as of last Thursday, as we, you know, requested, public meetings, and so anyone who's interested is welcome to, you know, drop in on the Thursday meeting and talk about the progress. And if you start to look at, if you're following the Python tools repo, you'll see that the refactoring has started.

B
And you know, if you've got issues with the Python tools as they are today, you know, please, it's a good time to start putting in your "I've got concerns about this area, I don't think this is right," because this is what's starting to get addressed now.
A
And something that just showed up in my GitHub notifications, I haven't properly digested it yet, but Brandon Lum asked the hip folks to start generating SPDX. They generate CycloneDX apparently, and the response was the SPDX library is terrible, we don't want to use it, and he just told them about this and they seem interested. So hopefully we can get some, I guess, eyeballs from those folks.

A
Cool, so I'll get all the right people connected to that later today, which I thought was very exciting. All right, so I want to jump to the next one too, Kate, because there's been some activity in this. I saw in your draft document. Do you want to fill us in on kind of what we're looking at here?
B
So what we've done is we've started working with the CISA team, and if you look at the first page, that's had some group wordsmithing from this group as well as from that group, to come up with a common set of what the definitions are and where there's, you know, concern points and things like that. What we want to do is come up with one set of definitions that both groups can use, and then work with CISA.

B
You need to put out the one-pager and have it up on their site, so I think that's the path we're all pretty much aiming towards from the discussions. You'll see certain visibility on, you know, when they are used and things like that, so the next couple of slides are being sort of populated just to make sure we have the clarity based on the discussions we had. So we'll probably be talking about that beyond that.

B
It's, you know, earlier stages, and this is also related to the software life cycle phase, as opposed to a CI/CD flow, but you should be able to map these into when in a CI/CD flow as well.
A
That's awesome. I'm very excited to see CISA and this group working together on this, which is perfect. And there's Justin, you can fill us in with... Can you drop a link in the notes? Maybe there's a CISA tooling working group, or what do you call it? A working group, I forget the name you have for it, but yeah.

C
Working group. It's a working group, but the CISA lawyers like "workstream" for some reason, yeah.

E
Yeah, you'd like me... you want me to drop like the general notes document or something? Yeah, yeah.
A
So we've got a couple more things here. I don't... is Kathy on the call?

A
I don't think so. No, so this one, the use cases, probably needs some love and attention. I don't think anything particularly exciting has happened with this in a while. I don't have a lot to add. I'll spend some time looking at it later and see what we should do with it. Maybe just get rid of it is the first step for now. The NTIA documents, this one is interesting.

A
Actually, Kate has her name on it, but I'm going to talk about it a little bit, because there is a proposal that Kate and I put together to fund this, and rather than turn these documents specifically into something useful, what we want to do, and I think... I'm not going to show the CNCF landscape again because I keep showing it. But what's that? Yep, everyone knows what it is. I'll assume if you don't, go look it up, but the idea is there's...

A
This landscape is really nice and we want to create something similar just for SBOM. There is a, what did they call it, a mapping working group, I think, now in the OpenSSF that Chris Robinson is running, and their intent is to create something similar but for all of the OpenSSF. I talked to them last week; they're comfortable letting us do our own thing for the moment, there's no intention of interfering. They view our work as complementary, so, anyway, we want to put this together.

A
If everyone wouldn't mind looking at it, adding comments. Some of it's filled out pretty well; some of it still needs a little help. But fundamentally we want to go to the governing board and say, give us some money and we're going to get this done, and then the idea is, once it's created, once we have a landscape, we're hopeful the projects themselves will keep their particular piece updated, because there's obviously an incentive for projects to be current and, I guess, discoverable on this. So, and part of that would be taking, I just lost... taking the NTIA documents in question; they will end up as inputs to this. And one thing of note is Chris Robinson, CRob, as many of you know, he generously offered to put together like a little mock-up for us of this on that call I had with them last week.

A
Yeah, yeah, and he's good at that stuff. If you asked me to make a mock-up, no one would fund anything, so I'm very excited anyway. I need to get him that data, I haven't done it yet, but I'd say this is going along as well as it can be. We take any input; otherwise, just Kate now keeps slogging along. It'll still probably be a month or more before this is ready to present to anybody. I ran it by the TAC last week.

A
I would say they were ambivalent; I don't think they were particularly opposed or against it. Basically, they want more details, right, and we just don't have them all yet, and part of the more details was things like go talk to the diagramming committee. Part of the details were like give us an example, you know, what is the purpose? What are we going to get out of this? And so, well, I guess one other thing, and this is something maybe for this group to discuss, and I would gladly take input right now.
E
The open source projects get a little bit bigger of an icon, and then everybody else gets the smaller icons, and you don't have to be a member. It just is the landscape of the tools out there, right, and...

A
Casey, what... I have a quick question. Does the CNCF landscape include like proprietary companies, right? Yeah.

E
They all do. Anybody can do a pull request and have their company added to any of those sections, but the thing to remember when you're doing it is that you have to get specific enough and accurate enough on the categories so that companies will be able to identify what their primary service is, right.
B
So there's work going on here to take the NTIA efforts from before and, in the CISA working group, get agreement on the categories. And so in that CISA SBOM tooling working group there's focus on getting those categories identified, so part of the exercise of the life cycle and typing, you know, where these types of tools fit into that, together with some other information, is to start having like a set of five types of properties that we want to standardize on, yeah.

F
But Kate, I think those two statements may be in conflict, because I...

F
...of the tools categories, and some of the tools intentionally cover multiples of those categories.

E
One category per company, and now we may just have one category, because we will get overly focused on tools that are SBOM-related, but the landscape shouldn't just be SBOM. It should be any open source security tooling, so we may have just one category that's SCA for all I know. I'm just putting it out there, because it has to... we can't get really down in the weeds. They have to be fairly high level. Well...

F
Yeah, I actually just went to check on it. I went to do a quick look and it looks like it is actively maintained. The CNCF actively maintains that.
A
Wow, I like it, I like it, it makes me happy. Cool, so again, if anyone has comments or anything, I'd love it if you'd review this and identify potential problems. One of the other aspects is: if you look at the tasks, the expectations, everything says hours and estimate is to be determined. We hope to go out to potential contractors with this and just say, fill it in.

A
What do you think it's going to take? And hopefully it won't be terrible, but again, like, we literally have no idea. And I guess, Tracy, in that regard, if you have any insight into what the lift looks like to do something like this, I would value even just guesses, because I don't even have a... yes.
E
Hard to get it set up so you can build it, and then, over the course of two years, you know, it became a living kind of landscape.

F
No, you know, it takes 48, 40 hours to get started. I think the real question is, has it been valuable enough? I think, at least for the CNCF, the answer I think has been yes, so I think the idea is, hopefully we can say yes here too, and if we can't, then we shouldn't do it, but no.

A
That's right, and there's another group, David, that's focused on that. They know about us. They understand and expect this work to spill into their realm and they're okay with that, so I think everyone is happy. And if nothing else, they also see us as a sort of guinea pig for like what would this look like if we did it elsewhere? How much would it cost? You know, that kind of stuff, so, okay.
A
We've got the scope and purpose document. I don't know if Brandon's done anything on that, and I haven't even looked. This was this document here? No, that's my document. This document, which I don't think has been touched in a while. I need to... I'll see Brandon tomorrow in Detroit, so I'll bug him about this a little bit and we'll see if we can come up with a little bit of a plan.

A
Maybe not, maybe Tracy left. All right, Tracy's not here, that's fine. Well, we'll get back to that. Then I want to talk about something new I've just been kind of kicking around, and this came about because... I want to give some background first. So there's this one-page overview which Kate volunteered to do, but it really came about because of an Apache ask, and basically someone said Apache should generate SBOMs, and then what we ended up with here was... Mark and I go way back and he said like, I want...

A
Basically, they want the OpenSSF to tell people what to do, right, like what should an open source project publishing SBOMs look like, and this obviously ties into the work Kate is doing on this, because we have to define like what is an SBOM, right? What should you do? There's these ideas: source, build, deploy, runtime. Kate, did you have a comment?
B
Yeah, there's also, there is a document that basically is exactly which fields need to be filled in for the minimum for NTIA. Yes.

A
And I have a link to that here, so anyway, the link in the notes, which is down here at the very bottom, I put in. This is kind of what I started kicking around. Please do not read into this in any way as attempting to be, like, you know, canon guidance or anything. It's just, I think open source projects...

A
There are some that want to know what should I do to publish an SBOM, and today, that I'm aware of, I would gladly accept a correction on this statement, but I am not aware of any guidance telling people like make an SBOM, put it here, name it this, that I know of. And the NTIA document obviously doesn't specify it; it just says what should be in it.
C
Not systematically. The Commons project is now doing it with CycloneDX, so there are examples of it out there, and there's a pull request to enable it for all Apache projects. So, but the point is the file name structure will need to follow the format of whatever the ecosystem is, so Maven has one thing; npm, presumably, would be something different, right.

F
I would expect SBOMs typically, I mean, you know, I would suggest the naming convention be a lot like many other things. You know, if it's for a package: name of package, dash, version ID or version string, if you want to use that term, and then whatever the conventional extension is.

A
I can't hear anything because Brian and Thomas were talking at the same time. I'll let Brian go first, and then let's use hands after this. Okay.
C
Sorry, I was gonna say, I don't... that's not a choice that this group has. You're not going to change the Maven standard for one file. It's not happening, just like any of these other ones, so capturing and circulating what the standard would look like, I think, makes sense, but defining it, it's not gonna...

G
So it's either you publish it next to the release artifacts or within the artifacts; it depends on what the ecosystem says, and several ecosystems have dedicated repository structures that you have to follow. So we can... I considered SBOMs to be like a metadata file, and a lot of the package managers define explicitly, this is where you have to put it, and this is the hashes and all the other stuff, or in the manifest you have to basically specify that this file exists, and for a lot of the package managers...

G
This is basically written out for other purposes there, and you basically have to follow that.

G
What we did, and that's what we told basically our customers, was basically, look, SBOMs are just metadata. We follow whatever the package manager dictates. So, okay, and that's the nice thing. Then there's existing tooling that, well, it's not perfect in the open source community, but at least some open source tooling is out there that knows how to grab that data, because it's basically defined, but a lot of tools don't.
F
Well, if nothing else, I think what you just said is actually, I think, the key, which is the particular package... This is generally considered metadata. You do whatever the standard for metadata for that package is in general use. I mean, there still is a standard extension for these. You generally prefer those, well.

C
That's okay. What was I gonna say? The survey of these seems like an appropriate question to kick over to the Securing Software Repos working group, because most of these ecosystems have people there. We could quickly circle the wagons and make sure that we have an understanding of what that looks like.

A
A good idea. I mean, and maybe we put naming files and where to locate them out of scope, and maybe it's as easy as just saying, generate SPDX and CycloneDX, follow the NTIA minimums, and optionally sign the thing, and then that might be like... because my intent here is, first of all, not to generate like months of discussion, because that's not helpful to anybody, but then also to use this as a vehicle to better understand what's happening in the world. And it's clear there's a lot going on already.
G
Again, it's elaborative ways, but it follows the standard of the package manager. So again, it's how you look at things. For the people in the Python ecosystem it makes perfect sense. You can zoom in this way, for maybe the next, perfect sense. The other side is that, and I said, I don't think it's that difficult, because for us, when we did the check, most of these archives are like kind of zip-based archives, kind of stuff, and I just search on the file extension.

G
Inside the zip and beside it, basically. So we just, actually for me, even you have to place it beside it, and so you would just download... you would just check the file name. It's like the sources jar; we would just basically check the file name and see if there is a similar package name, or package name dot jar, then replace jar with SPDX XML/JSON, and if it was there, then we'll pull it.
D
Yeah, I mean, you know, the emphasis we're using is the life cycle stuff. We want SBOMs in our CI pipelines, and the OCI artifact spec has gone a long way for OCI-compliant images, as well as any artifacts, to store SBOMs related to the binaries you produce and push to an artifactory, and there's automatic verification from the clients and stuff like that. There's work with Sigstore to do these things, so it fits into a larger ecosystem, so signage and association.

D
OCI artifactory version 2 includes the ability to associate media types, including SBOMs, and JFrog and other artifactory providers have already implemented that stuff. In fact, I think others, and Docker and stuff, it isn't really proprietary stuff. So people are having these concepts, are pushing to images here, registry, but again, artifactories are not just OCI images but can be any binary, right.

A
That's very exciting, okay, so we should look that up too, something about... I'll just add a...

D
Yeah, I know that a lot of Docker actions and things are doing this automatically as well. They have Docker actions that push to and use that spec right now too, and I think there's cosign support. I think a colleague of mine just fixed a bug in one of the predicates for the in-toto signature that goes into Rekor.
A
Yep, I remember that. We got that; I think Syft had a similar bug. Cool, all right. I love that five bullets created a ton of discussion, this amuses me. Okay, I guess here's my answer: I'm going to create a GitHub issue for this. I haven't created an issue yet, but I would like to create one and I...

A
All right, we'll take that as a no. If people could review this, I would truly appreciate it. The only other thing we have on our list, which I've lost, is the purpose document, which I don't think we've done a lot with over the last kind of month. Between travel and getting COVID, I kind of fell off the horse in terms of keeping some of this going.

A
So I don't want to spend any time on this today, because I'd rather just, we'll escape and get back to work, but I will, I'm gonna put some thoughts and ideas together in GitHub. If everyone can make sure they review it. I'll put some stuff in the Slack channel as well over the next couple of days, but are there any other comments or questions, or should we free ourselves?