►
From YouTube: Security Tooling WG Meeting (April 12, 2022)
B
B
A
A
A
Thank
you.
Everyone
for
coming
we'll
start
out.
We've
got
a
dock
from
david
wheeler.
If
anybody,
if
everyone
hasn't
taken
a
look
at
it,
it's
actually
kind
of
cool
david
is
he's
part
of
the
open
ssf,
but
he
also
works
on
a
tool
called
flaw
finder
and
he
wants
to
create
like
a
standard
for
all,
like
static
analyzers,
to
use
to
know
to
ignore
things.
There's
a
couple
comments
from
daniel
who
isn't
here
either
in
the
doc.
It's
cool,
give
it
a
look.
A
A
C
C
Last
week
I
said
I
started
working
on
a
draft,
but
I
don't
think
we
actually
agreed
on
that
was
work.
We
do
this.
It
was
just
a
hey
idea.
Won't
we
create
a
draft
to
to
to
start
working
on
this,
so
I
think
procedurally,
I
think
what
we
need
to
do
is
you
know
people
look
have
had
time
to
look.
Is
this
something
that
we
as
a
group
want
to
create
on
create
as
a
little
project?
And
if
so,
I
I
think.
C
Basically,
you
know
if
there's
general
agreement
here,
send
an
email
to
the
tax
saying
hey,
we
plan
to
start
this
up
as
a
new
little
project.
Let
us
know
if
there's
an
issue
usu,
I
would
not
expect
there
to
be
one,
but
I
think
the
tac
wants
to
start
getting
notified
of
projects
instead
of
being
surprised,
which
seems
like
a
reasonable
desire.
C
The
other
issue,
of
course,
is
that
we
need
to
you
know
kind
of
look
at
it
and
start
working.
There
are
some
questions
about
well,
like
you
know,
I
think
the
overall
goal
of
this
proposal
is.
We
want
some
magic
text
within
a
comment.
The
one
of
the
questions
is
what
the
magic
text
should
be.
I
propose
security
security,
underscore
report
call
and
ignore
it
could
be
no
lint.
It
could
be
some
other
things.
We
don't
have
to
make
that
decision
today.
C
C
If
the
code
never
changes,
this
is
fine
as
soon
as
anything
changes.
Basically,
the
suppression
is
by
hey
on
this
file
on
this
line.
It
just
turns
out
to
be
terrible
for
long-term
maintenance,
because
anytime,
you
make
a
change.
Suddenly,
all
those
suppressed
false
reports
show
up
again
having
it
is.
A
simple
inline
comment
works
much
better
in
terms
of
knowing
what's
been
suppressed
and
handling
editing
of
files.
C
C
A
C
Fair
enough,
but
but
I
I
think
I
I
the
reason
I
I
want
to
actually
get
a
general
consensus
and
raise
up
to
the
attack.
It's
not
so
much
that
we
want
to
suppress
work
because
I
agree.
I
think
it's
the
much
more
coordination.
In
other
words,
in
this
particular
case,
I
would
be
shocked
if
there
was
any
problems,
but
somebody
else
may
know
something
that
we
don't
know
about
it's
possible,
for
example,
although
I
know
pretty
sure
this
isn't
true,
you
know
some
other
working
group
is
doing
something
similar.
C
D
C
C
Have
this
project
as
a
working
group
item,
it
may
eventually
may
not
be
called
a
project.
I
guess
doc.
Things
may
in
the
future,
be
called
something
else
other
than
a
project.
Some
people
find
that
word
confusing,
but
we'll
we'll
find
once
we
find
out
what
the
word
is.
We
can
change
that
and
somebody
needs
to
tell
the
talk
josh.
How
about
you
tell
the
talk?
I
hear
you
have
some
relationship
with
the
pack.
A
C
E
C
A
There
is
a
lot
of
confusion
in
the
space
of
the
attack,
the
technical
advisory
council
on
how
projects
and
working
groups
are
related
and
things
like
project
donations,
work
and
it's
all
kind
of
a
mess
right
now
and
it's
being
worked
out,
but
fundamentally
the
way
it
stands
right
now
is
basically
working
groups
get
to
create
projects
and
there's
basically,
nothing.
The
tech
can
do
about
it.
It's
which
I'm
okay
with
the
the
intent
is
you
don't
want
the
tac
like
controlling
things.
I
guess
to
use
the
term
well,.
C
C
A
C
A
Yeah
yeah,
totally
and
now
kind
of
adding
on
to
that
there's.
One
of
the
things
I
want
to
see
us
do
as
a
group
is
measuring.
I
I
feel,
like
the
improved
aspect
of
our
objectives,
being
able
to
measure
and
decide
what's
doing
something
well
or
not,
is
important
and
so,
like,
I
think,
a
natural
extension
of
this
project
david
is
we
we
want
the
ability
to
say
okay.
This
is
how
we
think
tools
should
note
false
positives,
but
then
also
build
test
cases
and
see
which
tools
are
doing
this
well
or
not.
A
Measuring
we're
getting
to
that,
so
that
is
where,
if
we
don't
don't
even
put
that
down
david
because
I
think
that's
something
I
want
to
talk
about
next,
so
then
is
everyone
good
with
this.
Do
we
want
to
talk
about
this
particular
item
anymore?
Before
we
move
on
it,
it
feels
simple.
I
mean
it's
an
awesome
idea.
C
A
C
I
don't
know,
but
right
right,
okay,
so
next
steps
reach
out
to
some
tool
makers
to
find
out
their
preferences
and
or
what
they
do.
That's,
I
think
that
that's
I
think,
that's
fair
enough.
I
won't
be
able
to
do
anything
for
let's
see
here,
five
more
days
because
I'm
pressing
on
an
april
17
deadline,
but
after
that
I
should
be
able
to
do
some
reach
outs,
but
you
know
what
it
shouldn't
be.
C
C
C
A
My
guess
david
is
this:
isn't
the
right
place
to
ask
that
question?
I
think
it
would
be
easier
to
take
such
a.
I.
I
think
this
is
where
I
would
like
to.
I
don't
have
a
plan
right
now
and
I
don't
want
to
start
writing
it
down
now,
but
having
kind
of
an
expected
progression
of
creating
some
of
these
projects
and
tools,
like
obviously
david,
has
a
lot
of
interest
in
it,
there's
going
to
be
other
people
of
interest,
but
how
do
people
blog
their
interest
right,
which
maybe
it's
a
file
in
github?
A
I
I
don't
know,
but
I
have
a
suspicion
if
we
mail
the
list
and
say
like
th,
these
are
the
things
we
need
people
to
do,
and
I
don't
just
mean:
oh:
does
anyone
have
any
connections?
I
mean
like
actual
work
items,
because
I
one
thing
I
found
is
in
in
whenever
you
work
with
an
open
source
project,
there's
always
people
who
come
to
you
and
say
I
want
to
help
and
when
you're
like.
Oh
here's,
a
list
of
all
the
issues
that
have
ever
been
filed
pick
one
and
fix
it
like
that.
A
D
May
I
interrupt
here,
please
allow
me
to
introduce
myself
so
pablo
pavlak,
I'm
working
in
on-app,
so
I'm
leading
security
subcommittee,
a
group
there
and
I
just
joined
your
meeting-
it's
my
first
time
so
awesome
nice
to
nice
to
meet
you
guys.
In
fact,
in
onap
we
are
using
the
sonar
cloud
for
the
static
analysis.
D
C
D
C
C
C
C
C
A
C
A
C
A
A
Yeah
awesome,
thank
you
all
right
cool.
So
the
only
other
thing
on
the
list,
then
is.
There
is
a
list
of
proposed
ideas
that
were
discussed
in
the
last
meeting.
I
went
through
the
meeting
notes
and
I
pulled
out
some
of
the
things
that
there
was
interest
in
and
I
I
think
this
is
where
the
concept
of
oh
david.
Do
you
have
a
comment.
F
F
C
C
Can
you
analyze
code,
but
does
the
tool
completely
and
fully
and
unmistakably
understand
the
exact
environment
and
situation
that
the
software
being
analyzed
is
is
being
used
in
the
answer
is
generally
no,
so
I'm
not
sure
that
non-disabled
makes
much
sense,
but
hey
if
it
does.
Let's
talk
about
that
certainly
worthy
of
discussion,
and
I
will
say
flaw:
finder
is
one
tool
that
does
support
faults.
C
You
know
positive
suppression
and
one
of
the
options
that
flaw
finder,
specifically
supports,
is
called
ignoring,
ignores,
which
is
the
hardest
thing
I've
ever
found
to
document
where
you
know
normally
I'll.
You
know,
it'll,
look
at
all
it'll
ignore
lines
that
are
marked
as
ignore,
but
if
you
turn
on
the
ignore
ignore
option,
it'll
ignore
the
ignores.
C
A
I
love
it
and
I'm
a
huge
fan
of
having
these
discussions
and
even
if
the
discussion
comes
out
with
a
a
negative
result,
essentially
saying
we
don't
care,
it's
still
very
valuable
to
note
that,
like
we
discussed
this
thing
and
we
came
to
no
conclusion-
or
we
decided
not
to
do
this
because
it
keeps
coming
up
otherwise
cool
all
right.
Well,
thank
you,
david.
Both
david.
C
A
C
A
A
I
want
to
deviate
from
maybe
what
we'll
say
a
traditional
working
group
might
look
like,
because
I
think
a
lot
of
working
groups
talk
too
much
and
I'm
very
much
of
the
opinion.
If
someone
wants
to
do
something,
they
should
just
go,
do
it
and
find
people
who
are
interested
in
working
on
it
like,
for
example,
my
primary
interest
in
this
group
is
to
measure
tools.
That
is
what
I
want
to
do.
A
It's
something
I
have
a
lot
of
personal
interest
in
and
it's
something
that
I
think
is
good
for
the
industry,
and
I
talked
about
this
last
time
and
so
like
I
I.
How
do
I
want
to
make
this
happen?
I
don't
have
time
at
the
moment,
so
it'll
be
probably
a
week
or
two
before
I
do
anything
but
like
in
and
david
wheeler.
This
is
where
I
think,
your
input,
just
as
the
open
ssf
kind
of
representative,
is
valuable
like
if
someone
wants
to
start
doing
something.
What
what
do
we
want
them
to
do?
A
C
Well,
I
think
we
need
to
differentiate
between
dead
and
completed.
I'm
fully
willing
to
believe
that
some
specs
you
write
them,
you're
done
and
then
it's
all
you
know
and
then
your
main
problem
is
making
sure
people
know
to
use
it
where
it
makes
sense.
Not
just
you
know
it's
dead.
If
it's
dead,
then
we
should.
I
don't
know
if
we
should
delete
the
repo,
but
we
should
at
least
clearly
mark
it
as
archived.
You
know.
G
A
Which
I
mean
that
github
lets
us
do
that,
but
I'm
I'm
seeing
kind
of
even
before
that
point,
like
let's
say
I
decide,
I
want
to
write
a
tool
to
measure
things
and
I
create
a
repo
and
I
add
a
readme
and
then
I
disappear
like
what
you
know.
What
I
mean
I
mean
right.
I
don't
want
that
situation
where
we
have
30
repos
with
a
readme
and
maybe
six
lines
of
python
checked
in
and
like
that's,
not
helpful
right.
C
Right,
I
I
agree
with
you,
so
I
I
think
that
I
I'm
a
believer
in
minimal
process,
but
not
no
process
right.
So
I
think
that
the
first
step
of
that
is,
instead
of
just
hey,
random,
creating
a
repo
you
first
show
up.
You
know
in
a
discussion
mailing
list
in
some
public
forum
be
a
meeting
or
a
mailing
list.
C
Have
that
discussion?
Hey,
is
this
worth
doing?
Will
somebody
else
support
this,
or
at
least
does
everybody?
Do
people
think
this
is
a
reasonable
idea
and
then,
when
they
start
doing
stuff,
you
know
now
something
what
something
that
some
working
groups
do?
Is
they
do
a
quick
hey,
our
current
active
projects?
What's
the
status
and
that
way
we
can
quickly
identify?
C
If
there's
nothing
happening
and
nothing
ever
happens,
it
quickly
becomes
obvious
that
it's
it's
either
dead
or
best
art
or
or
at
best
complete,
but
probably
dead,
and
then
we
can
archive
it
and
move
it
off.
But
I
think
that
there's
another
good
reason
to
raise
it
up
within
the
working
group
and
really
up
to
the
tack,
which
is
we
want
to
minimize
the
chance
of
it
being
dead
by
getting
multiple
people
working
it.
So
the
more
people
we
make
aware
of
it.
C
A
A
No
like,
for
example,
I'm
interested
in
med
like
for
let's
say
I
want
to
build
something
to
measure
how
static
analyzers
ignore
comments
right,
like
I
think,
that's
a
natural
progression
of
from
your
project
into
what
I
I
want
to
do
of
the
measuring
and
pushing
the
whole
industry
forward.
Is
there
something
that
already
does
this
right?
C
C
C
G
But
there
is
some
rules
about.
You
know
what
is
expected
as
a
basic
requirement
for
things
to
be
accepted,
and
there
are
things
like
w3c
as
a
community
group
concept,
which
you
know
they
require
at
least
three
people
to
say
yeah.
I
think
that's
a
good
idea.
I'd
be
interested
in
participating
in
this,
so
you
might
want
to
set
some
kind
of
you
know:
threshold
like
this
basic
requirements
before
just
saying,
yeah
sure
stop
whatever
you
want.
G
I
think
that
makes
sense
and
you
probably
have
to
expect
to
do
a
little
bit
of
you
know,
house
cleaning
every
now,
and
then
I
mean
we
have
that
in
hyper
ledger,
where
we
still
have
set
the
bar
actually
on
purpose
really
low,
and
you
know
after
six
months
or
so
we
have
what
we
call
labs
towards
their
people
and
part
of
them.
Who
are
volunteering
to
keep
an
eye
on
what's
going
on
in
that
space
and
then,
if
we
spot,
you
know
repos
that
have
not
been
active
for
several
months.
G
A
Yeah
yep,
I
agree
so
on
and
that
that
actually
reminds
me
of
one
other
thing.
So
this
group-
and
I
don't-
I
don't
think
this-
is
exactly
the
right
place
to
answer
the
question,
but
we
have
a
mailing
list
and
there's
a
github
discussions
page
and
I
detest
having
two
places
are:
does
anyone
have
like?
Does
anyone
feel
strongly?
I
would
love
to
like
murder
the
github
discussions
and
say
take
it
to
the
list.
A
A
C
Yeah,
because
I
I
agree
with
you,
it's
not
the
the
the
github
ones
are
wrong
necessarily,
but
I
agree
you
know
if
there's
too
many
places,
then
I
won't
see
it.
I
already
struggle
with
I've
got
main
lists.
I've
got
slack.
I
got
too
many
things
to
monitor
and
that's
another
one.
I
don't
I
I
didn't
even
wasn't
aware,
existed.
A
I
like
what
we
talked
about
for
the
project,
so
here's
what
I
want
to
do,
then
I
want
to
take
what
we've
written
up
and
turn
it
into
a
a
document
with
just
some
basic
expectations.
I
I
hope
and
expect
this
group
to
create
many
projects
in
the
future,
and
so
I
think
I
I
think
what
arnold
said
makes
a
lot
of
sense
of
having
some
basic
expectations
just
to
lay
the
groundwork.
A
It's
less
clear
than
I
would
like,
but
so
when
I
took
over
as
the
lead
for
this
group,
and
it's
I'm
not
looking
to
be
the
the
iron
fist
here
by
any
means,
I
strongly
believe
that
working
groups
are
what
the
members
make
them
to
be.
But
I
want
to
see
this
group
make
push
push
all
of
the
the
security
tooling
in
the
open
source
space
forward
and
the
the
way
I
described
this
in
the
last
meeting
was
we
have
a
yodam's
here
from
brazilian
and
brazil
when
long4j
happened,
resilient,
put
out.
A
There's
a
if
you
look
in
the
notes.
Last
the
last
one
there's
a
link
to
a
resilient
blog
post,
so
they
basically
wrote
like
they
put
together
some
tests
of
a
bunch
of
log4j
scanners,
and
then
they
put
out
their
findings
and,
for
example,
I
work
for
a
company
called
acor
and
we
have
a
tool
called
gripe,
which
is
keith
still
here.
A
Do
things
like
measure
a
bunch
of
tools
like
that's
what
I'm
really
interested
in
is
writing
a
test
suite
or
or
finding
someone
already
doing
this
and
working
with
them,
but
kind
of
testing,
vulnerability,
scanners
and
s-prompt
scanners
and
static
analyzers,
and
all
these
tools
and
saying
these
are
what
the
findings
look
like
and
my
intent
isn't
to
say
this
one's
the
best.
My
intent
is
to
give
the
industry
kind
of
a
baseline
to
say
this
is
what
your
tool
does
well.
G
Yeah
there
is
a
there's
a
risk
in.
I
think
I
don't
know
how
far
you
can
take
this.
I
mean
you,
don't
want
to
end
up
with
some
liability
issues
by
you
know
being
seen
as
ranking
tools
or
grading
them,
because
people
will
be.
You
know,
entitled
to
complain
and
say
no,
that's
unfair
assessment
of
her
tool,
and
I
think
there
is
a
you
know.
A
I
don't
think
it's
risky
at
all.
I
think
it's
it's
it's
risky
when
you're
not
completely
open.
I
think
we
are
the
open
ssf.
This
is
an
open
working
group.
It's
going
to
be
open
source
projects
and
yeah
there's
going
to
be
people
who
complain
about
their
tools
and
like
whatever
we
don't
intend
to
rank
commercial
tools
if
they
want
to
be
ranked
that's
great,
but
the
intention
is
to
put
the
focus
on
open
source
tooling
and
use
this
as
a
way
to
say
like
okay,
open
source
tooling.
A
Here
are
the
features
you
do
well
like
here's,
some
things
you
could
maybe
work
on
like
open
issues
and
do
the
work
and
if
you
don't
like
it
like
fix
your
damn
tool,
that's
how
this
works.
I
think
I
think
complaining
and
saying:
oh,
that's
not
fair,
like
whatever
life
isn't
fair,
we'll
fix
your
damn
tools.
A
But
that
all
said,
if
you
have
a
suggestion
on
where
you
think
this
group
could
could
go
and
benefit
the
open
source
universe,
I'm
all
ears
like
I'm,
I'm
very
much
of
the
attitude
if
you
want
to
make
something
happen,
make
it
happen
like
this
is
not
going
to
be
a
group
of
oh,
we
should
go.
Do
this
like
go,
do
it,
you
know,
make
it
a
thing.
I
think
that's
that's
how
we
we
have
progress.
A
H
Yeah,
I
just
need
to
go
commute.
I'm
saying
what
I
was
going
to
say
it's
kind
of
like
what
micro
does
like
the
they
just
released
their
you
know,
ranking
they.
They
focus
on
commercial
dues,
but
it
does
like,
like
just
just
pushes
the
industry
forward
like.
I
know
that
I
think
it
was
a
synopsis
who
didn't
rank
well
in
this
year's
test
and
they
put
up
a
blog.
H
Basically
it
it
hurts
them
in
a
personal
place
that
they
want
to
improve.
If
we
can
do
something
that
is
like
industry,
acceptable
standard,
even
for
open
source
project,
no,
not
to
involve
any
commercial
tools,
and
maybe
people
the
commercial
tools
will
come
and
want
to
show
how
they
hold
against
that
benchmark.
A
A
C
A
C
A
C
Yeah
absolutely
yeah.
I
wish
you
you
you,
you
awesome
did
if
you
could
tell
us
what
the
problem
was.
Maybe
we
could
find
wait,
but
I
agree
you
know,
let's
you
know
if,
if
there's
a
problem
using
it,
if,
if
there's
a
way
to
improve
it,
that's
great,
I
will
say
that
I
worked
a
while
back
with
some
mate
and
the
juliet
folks
developing
test
suites
and
the
big
challenge
we
had
were
dewitt
clauses.
A
And
and
that's
fine
and-
and
I
think
dewitt
clauses
are
a
very
real
concern,
but
I
also
think
now
now
you
you'll
understand
this
better
than
I
will.
If
someone
comes
to
us
and
sends
us
like
a
plug-in
or
whatever,
to
make
their
tooling
work,
I
presume
there's
no
concern
of
dewitt
right
if
they're,
the
ones
who
submitted
this
right
and
that's.
A
C
Right
and
in
fact
you
know
the
the
way
people
some
people
get
around
to
it
clauses
is
I'm
a
really
big,
org
and
I'll
redo.
The
analysis
myself,
which
is
a
crappy
way
to
deal
with
it,
but
I
I
can
tell
you:
what's
it's
what
the
us
government
does,
you
know
they'll
analyze
the
tools
and
then
they'll
have
reports,
and
you
can't
share
them
outside
of
some
very,
very
limited
fora,
and
if
you
think
that's
terrible,
don't
worry,
I
agree
with
you.
A
C
A
Yep,
I
I
agree
and
look
if
they
want
to
come
play
in
our
sandbox,
that's
great,
and
if
they
don't
that's
great
too,
like
I
don't
it
doesn't
bother
me
either
way
like
I'm,
not
going
to
say
no
close
source
measuring,
because
that
would
be
foolish,
but
I'm
also
not
going
to
seek
it
out
for
the
very
reason.
Just
you
describe
fair
enough.
It's
like,
I
don't
think
me
or
you
or
the
open,
ssf
or
the
linux
foundation
wants
to
get
sued.
So.
C
E
E
C
A
Awesome:
okay,
okay,
so
we're
we're
out
of
the
issues
and
arnold.
I
I
truly
want
to
thank
you
for
your
comments.
I
I
appreciate
any
any
input.
Anyone
has
whether
I
necessarily
agree
with
it
or
not.
I
think
it's
valuable
to
discuss
all
aspects
of
everything
we
want
to
do
and
I
think
what
I
would
what
I
would
like
to
make
sure
we
do
is
just
if
anyone
has
ideas
or
suggestions
or
comments
like
take
it
to
the
list.
A
A
So
I'm
I'm
not
I'm
never
going
to
want
to
use
this
meeting
to
make
you
know
decisions
or
or
anything
like
that,
just
because
it's
not
representative
of
the
the
larger
group
so
cool.
I
have
nothing
else.
Unless
someone
has
something
oh
jory
put
in
open
ssfd
george,
do
you
want
to
quickly
explain
what
that
is?
Yes,.
B
Super
super
duper
fast,
open,
ssf
day
will
be
on
june
20th
in
austin
texas.
It's
what's
called
an
add-on
event
to
the
open
source
summit,
which
is
also
home
to
the
global
security,
vulnerability,
reporting
and
supply
chain
security,
con
tracks
and
linux
security.
So
lots
of
different
security,
focused
events
happening
in
texas
and
they've.