From YouTube: Security Tooling WG Meeting (April 12, 2022)

B: I think that's fine, yeah. Give folks like a little five-minute breather, because I'm just following Jeff and Eric from the last meeting over here, so, and Patricia, and let's see, yeah. So that's no problem. We can do a little five-minute breather. Awesome.
B: Yeah, just because I've just updated it, and you know some people do kind of offset their calendars, like, oh, I only start my meetings at like 15 after the hour, and so when they see that it's 11:05 to, you know, noon, they may be like...
A: We have a pretty tame agenda, and David's not here, David Wheeler isn't here, which is fine. I put the agenda in the docs. It's pretty light today, which I don't think is a bad thing necessarily. Let me, so.
A: Thank you, everyone, for coming. We'll start out. We've got a doc from David Wheeler. If everyone hasn't taken a look at it, it's actually kind of cool. David is part of the OpenSSF, but he also works on a tool called Flawfinder, and he wants to create, like, a standard for all static analyzers to use to know to ignore things. There's a couple comments from Daniel, who isn't here either, in the doc. It's cool, give it a look.
A: It's definitely worth reading. I'm not going to talk about it without David here; it's his thing. I don't think there's a lot for us to do about it. I think if he wants to do it, he does it, which is cool. All right. Everyone sign in also, thank you.
C: Okay, so I think technically we haven't agreed on whether or not this is a project this working group actually wants to work on. Did we... do we agree on that? I think we agreed on that. So I think step one is, let's see here, last week.
C: Last week I said I started working on a draft, but I don't think we actually agreed that this was work we do. It was just a "hey, idea, won't we create a draft to start working on this," so I think procedurally what we need to do is, you know, people have had time to look. Is this something that we as a group want to create as a little project? And if so, I think...
C: Basically, you know, if there's general agreement here, send an email to the TAC saying, hey, we plan to start this up as a new little project. Let us know if there's an issue. I would not expect there to be one, but I think the TAC wants to start getting notified of projects instead of being surprised, which seems like a reasonable desire.
C: The other issue, of course, is that we need to kind of look at it and start working. There are some questions about, well, like, you know, I think the overall goal of this proposal is we want some magic text within a comment. One of the questions is what the magic text should be. I propose security, security underscore report, call, and ignore; it could be nolint. It could be some other things. We don't have to make that decision today.
C: Yeah, I will do a quick observation, if you don't mind, of why this as opposed to something else. Josh, if you can give me just a moment to make the pitch: there are some tools that eliminate false negatives other ways. In particular, I do a lot of fun and exciting things with Brakeman and Railroader, too, where the suppression of false negatives is in a separate JSON file.
C: If the code never changes, this is fine. As soon as anything changes, basically, the suppression is by "hey, on this file, on this line." It just turns out to be terrible for long-term maintenance, because any time you make a change, suddenly all those suppressed false reports show up again. Having a simple inline comment works much better in terms of knowing what's been suppressed and handling editing of files.
C: Okay, does anybody have... maybe the right way, Josh, is: does anybody object to this as a project?
C: Fair enough, but I think the reason I want to actually get a general consensus and raise it up to the TAC, it's not so much that we want to suppress work, because I agree. I think it's much more coordination. In other words, in this particular case, I would be shocked if there was any problems, but somebody else may know something that we don't know about. It's possible, for example, although I'm pretty sure this isn't true, that some other working group is doing something similar.
C: Don't mind, I'm gonna claim in the notes here that there was general consensus on adding this as a working group item. Is that what I'm hearing?
C: Have this project as a working group item. It may eventually, may not be called a project. I guess doc things may in the future be called something else other than a project. Some people find that word confusing, but once we find out what the word is, we can change that. And somebody needs to tell the TAC. Josh, how about you tell the TAC? I hear you have some relationship with the TAC.
A: Fine.

C: Let me write: Josh will email the TAC that we plan to add this as a project. Yeah.
C: Purely for coordination, I mean, you know, if the TAC says no, don't do that, I'll eat my hat, if I...
A: There is a lot of confusion in the space of the TAC, the Technical Advisory Council, on how projects and working groups are related and things like project donations work, and it's all kind of a mess right now and it's being worked out, but fundamentally the way it stands right now is basically working groups get to create projects and there's basically nothing the TAC can do about it, which I'm okay with. The intent is you don't want the TAC, like, controlling things, I guess, to use the term, well...
C: Nobody's gonna fight this, really. I'm requesting, do at least this little process jig, so that nobody's surprised, and hopefully we get some people to help us.
A: Yeah, totally, and now, kind of adding on to that, one of the things I want to see us do as a group is measuring. I feel like the "improve" aspect of our objectives, being able to measure and decide what's doing something well or not, is important, and so, like, I think a natural extension of this project, David, is we want the ability to say, okay, this is how we think tools should note false positives, but then also build test cases and see which tools are doing this well or not.
C: Okay, potential future, although I think that's a completely different project.
A: Measuring, we're getting to that, so that is where... if we don't... don't even put that down, David, because I think that's something I want to talk about next. So then, is everyone good with this? Do we want to talk about this particular item anymore before we move on? It feels simple. I mean, it's an awesome idea.
C: I don't know, but right, okay, so next steps: reach out to some tool makers to find out their preferences and/or what they do. I think that's fair enough. I won't be able to do anything for, let's see here, five more days, because I'm pressing on an April 17 deadline, but after that I should be able to do some reach-outs, but you know what, it shouldn't be...
C: Just me. I suspect some other folks here have some connection to some static analyzers. You know, so I mean, David, I can talk to the RATS folks. They don't have that many connections.
C: I probably should not be the one talking to Brakeman. If you wanted to talk to Brakeman, what are... is it? Does anybody else have any connection to any other static analysis tools that they might be able to quickly talk to about their interest in this sort of thing?
A: My guess, David, is this isn't the right place to ask that question. I think it would be easier to take such a... I think this is where I would like to... I don't have a plan right now and I don't want to start writing it down now, but having kind of an expected progression of creating some of these projects and tools, like, obviously David has a lot of interest in it, there's going to be other people of interest, but how do people log their interest, right? Which maybe it's a file in GitHub?
A: I don't know, but I have a suspicion if we mail the list and say, like, these are the things we need people to do, and I don't just mean "oh, does anyone have any connections?" I mean, like, actual work items, because one thing I found is, whenever you work with an open source project, there's always people who come to you and say "I want to help," and when you're like, "oh, here's a list of all the issues that have ever been filed, pick one and fix it," like that.
D: May I interrupt here? Please allow me to introduce myself: Paweł Pawlak, I'm working in ONAP, so I'm leading the security subcommittee, a group there, and I just joined your meeting; it's my first time, so awesome, nice to meet you guys. In fact, in ONAP we are using SonarCloud for the static analysis.
C: Okay, do you have any contact with the folks at SonarCloud?
D: Well, I do have Tony Hansen from AT&T. David, maybe you know him.
C: Okay, yeah, I mean, this seems like the false positives of something is pretty much almost every tool. You know, it's pretty unusual for a tool that doesn't have false positives. If you know a static analysis tool, I'm sure we...
C: And you know what, if we do, if we get serious research, we could, as an appendix, how people have done it in the past. Just so that people will know, oh, we did look at what was already done.
C: My current plan is to start with a Google Doc, edit, and then move it into GitHub. My experience has been that initial docs are a lot easier to wiggle on Google Docs until you start getting things down; GitHub is really good for tracking things once things are a little more solid.
A: Okay, can you also take an action item to submit a pull request to add this to the README in the security tooling repo, because there's an active projects list. We need to prune the list, because some of this isn't very active, but right.
A: Yeah, awesome, thank you. All right, cool. So the only other thing on the list, then, is there is a list of proposed ideas that were discussed in the last meeting. I went through the meeting notes and I pulled out some of the things that there was interest in, and I think this is where the concept of... oh, David, do you have a comment?
F: Sorry, I just wanted to make a comment with regards to the previous item. Let me just lower the hand; no, it's not automatic. So there are several articles out there, just based in one example in the chat, that have kind of a counterargument for using comments to disable static analysis.
F: I don't want to talk about that, because I think it's actually a useful tool to be able to do that, but in one of the sections in this article in particular...
F: Well, there is a list of mechanisms that can be supplemental to that, such as non-disabled rules by default, and I was wondering whether it's a goal of this work David is looking into, or maybe this could be a goal of that tool or that capability, to be able to define things that should not be disabled.
C: I haven't really thought about that, but I mean, we certainly could. The problem with non-disableable warnings is that you then have to have absolute confidence that there is never, ever a case where the tool is wrong.
C: Can you analyze code? But does the tool completely and fully and unmistakably understand the exact environment and situation that the software being analyzed is being used in? The answer is generally no, so I'm not sure that non-disabled makes much sense, but hey, if it does, let's talk about that. Certainly worthy of discussion. And I will say Flawfinder is one tool that does support false...
C: ...positive suppression, and one of the options that Flawfinder specifically supports is called "ignoring ignores," which is the hardest thing I've ever found to document, where, you know, normally it'll ignore lines that are marked as ignore, but if you turn on the ignore-ignore option, it'll ignore the ignores.
A: I love it, and I'm a huge fan of having these discussions, and even if the discussion comes out with a negative result, essentially saying we don't care, it's still very valuable to note that, like, we discussed this thing and we came to no conclusion, or we decided not to do this, because it keeps coming up otherwise. Cool, all right. Well, thank you, David. Both Davids.
C: Right, and I'll just put a little note at the bottom of the existing doc. Obviously we will need to work it, but at least now it's noted in there as something to work on. Thank you. Yeah.
A: Awesome, is that link in there?
A: I want to deviate from maybe what we'll say a traditional working group might look like, because I think a lot of working groups talk too much, and I'm very much of the opinion that if someone wants to do something, they should just go do it and find people who are interested in working on it. Like, for example, my primary interest in this group is to measure tools. That is what I want to do.
A: It's something I have a lot of personal interest in, and it's something that I think is good for the industry, and I talked about this last time, and so, like, how do I want to make this happen? I don't have time at the moment, so it'll be probably a week or two before I do anything, but, like, David Wheeler, this is where I think your input, just as the OpenSSF kind of representative, is valuable: like, if someone wants to start doing something, what do we want them to do?
A: Just create, like, a private repo and go to town and tell everyone? Do we want to create... like, I don't want to have a tools working group with 30 dead repos, right? That feels silly to me. So I'm curious what our thoughts are for kind of next steps in that regard.
C: Well, I think we need to differentiate between dead and completed. I'm fully willing to believe that some specs, you write them, you're done, and then your main problem is making sure people know to use it where it makes sense. Not just, you know, it's dead. If it's dead, then we should... I don't know if we should delete the repo, but we should at least clearly mark it as archived. You know.
A: Which, I mean, GitHub lets us do that, but I'm seeing kind of even before that point, like, let's say I decide I want to write a tool to measure things and I create a repo and I add a README and then I disappear, like, you know what I mean, right? I don't want that situation where we have 30 repos with a README and maybe six lines of Python checked in, and, like, that's not helpful, right?
C: Right, I agree with you, so I think that I'm a believer in minimal process, but not no process, right? So I think that the first step of that is, instead of just, hey, random, creating a repo, you first show up, you know, in a discussion, mailing list, in some public forum, be it a meeting or a mailing list.
C: Have that discussion: hey, is this worth doing? Will somebody else support this, or at least, do people think this is a reasonable idea? And then, when they start doing stuff, you know, now, something that some working groups do is they do a quick "hey, our current active projects, what's the status?" and that way we can quickly identify.
C: If there's nothing happening and nothing ever happens, it quickly becomes obvious that it's either dead or at best complete, but probably dead, and then we can archive it and move it off. But I think that there's another good reason to raise it up within the working group and really up to the TAC, which is we want to minimize the chance of it being dead by getting multiple people working it. So the more people we make aware of it...
C: Hopefully it'll live, not just zombie.
A: No, like, for example, I'm interested in measuring, like, let's say I want to build something to measure how static analyzers ignore comments, right? Like, I think that's a natural progression from your project into what I want to do of the measuring and pushing the whole industry forward. Is there something that already does this, right?
C: Right, I guess, although I wouldn't normally call it out, maybe we should. Whenever I do research, step one is always literature search. You know, what's already being done? You mentioned the look for duplicate efforts, you know, related efforts, etc.
C: You know, you're doing a good... asking the working group, and doing some web searches can find out a lot.
G: If I may interject, I mean, it's very common in places where we allow, you know, kind of interested people to just go ahead and start new work and just see where it goes, to have some amount of requirements as to, you know, what's expected, especially in terms of how many people are actually interested in working on something like this, because if you really only have one person, you know, you can have doubts about how much momentum this is going to take and how long it's going to last, right? And so, you know, in Hyperledger we have a notion of labs, where anybody can make a proposition to start a lab.
G: But there are some rules about, you know, what is expected as a basic requirement for things to be accepted, and there are things like W3C, which has a community group concept, which, you know, they require at least three people to say, yeah, I think that's a good idea, I'd be interested in participating in this. So you might want to set some kind of, you know, threshold like this, basic requirements, before just saying, yeah, sure, start whatever you want.
G: I think that makes sense, and you probably have to expect to do a little bit of, you know, housecleaning every now and then. I mean, we have that in Hyperledger, where we still have set the bar, actually on purpose, really low, and, you know, after six months or so, we have what we call lab stewards; there are people, part of them, who are volunteering to keep an eye on what's going on in that space, and then, if we spot, you know, repos that have not been active for several months...
A: Yeah, yep, I agree, and that actually reminds me of one other thing. So this group, and I don't think this is exactly the right place to answer the question, but we have a mailing list and there's a GitHub Discussions page, and I detest having two places. Does anyone feel strongly? I would love to, like, murder the GitHub Discussions and say take it to the list.
A: I'll send an email about this; I'll give myself a to-do.
C: Yeah, because I agree with you. It's not that the GitHub ones are wrong necessarily, but I agree, you know, if there's too many places, then I won't see it. I already struggle: I've got mailing lists, I've got Slack, I've got too many things to monitor, and that's another one I didn't even... wasn't aware existed.
A: I like what we talked about for the project, so here's what I want to do, then: I want to take what we've written up and turn it into a document with just some basic expectations. I hope and expect this group to create many projects in the future, and so I think what Arnaud said makes a lot of sense, of having some basic expectations just to lay the groundwork.
G: So I have another comment, which is kind of more general, with regard to the group, and the reason I'm here today, to be fair, is I wanted to know what this group is, the things it's going to be doing, and I think it needs to be said clearly what it does and what it doesn't do. And, you know, initially when I came to OpenSSF, I was like, oh, okay, so there is a group that focuses on developing all the tools within OpenSSF, and that's not the case, because there are things like Scorecard, Criticality Score, that are not under this working group's purview.
A: It's less clear than I would like, but so when I took over as the lead for this group, and I'm not looking to be the iron fist here by any means, I strongly believe that working groups are what the members make them to be. But I want to see this group push all of the security tooling in the open source space forward, and the way I described this in the last meeting was: we have Yotam here from Rezilion, and Rezilion, when Log4j happened, put out...
A: There's... if you look in the notes, the last one, there's a link to a Rezilion blog post, so they basically put together some tests of a bunch of Log4j scanners, and then they put out their findings. And, for example, I work for a company called Anchore and we have a tool called Grype, which... Keith's still here.
A: Do things like measure a bunch of tools, like, that's what I'm really interested in: writing a test suite, or finding someone already doing this and working with them, but kind of testing vulnerability scanners and SBOM scanners and static analyzers and all these tools and saying these are what the findings look like. And my intent isn't to say this one's the best. My intent is to give the industry kind of a baseline to say this is what your tool does well.
G: Yeah, there is a risk in... I think, I don't know how far you can take this. I mean, you don't want to end up with some liability issues by, you know, being seen as ranking tools or grading them, because people will be, you know, entitled to complain and say no, that's an unfair assessment of our tool, and I think there is a, you know...
A: I don't think it's risky at all. I think it's risky when you're not completely open. I think we are the OpenSSF. This is an open working group. It's going to be open source projects, and yeah, there's going to be people who complain about their tools, and, like, whatever. We don't intend to rank commercial tools; if they want to be ranked, that's great, but the intention is to put the focus on open source tooling and use this as a way to say, like, okay, open source tooling...
A: Here are the features you do well, like, here's some things you could maybe work on, like, open issues and do the work, and if you don't like it, like, fix your damn tool. That's how this works. I think complaining and saying, oh, that's not fair, like, whatever, life isn't fair; well, fix your damn tools.
A: But that all said, if you have a suggestion on where you think this group could go and benefit the open source universe, I'm all ears. Like, I'm very much of the attitude, if you want to make something happen, make it happen. Like, this is not going to be a group of "oh, we should go do this"; like, go do it, you know, make it a thing. I think that's how we have progress.
H: Yeah, I just need to go commute. I'm saying what I was going to say: it's kind of like what micro does, like, they just released their, you know, ranking. They focus on commercial tools, but it just pushes the industry forward, like, I know that I think it was Synopsys who didn't rank well in this year's test and they put up a blog.
H: Basically it hurts them in a personal place that they want to improve. If we can do something that is like an industry-acceptable standard, even for open source projects, not to involve any commercial tools, then maybe the commercial tools will come and want to show how they hold against that benchmark.
C: Right, I mean, I would not call it complete. On the other hand, you don't really have to. I mean, you could just use it as it is; there's nothing that prevents its use as is. The big...
C: Oh, how can you say such a thing? I'm sure no one's ever experienced that. Do they not lock the... I guess they don't lock their dependencies.
C: Yeah, absolutely, yeah. I wish you... awesome, if you could tell us what the problem was, maybe we could find... wait, but I agree, you know, if there's a problem using it, if there's a way to improve it, that's great. I will say that I worked a while back with SAMATE and the Juliet folks developing test suites, and the big challenge we had were DeWitt clauses.
C: Does it affect open source tools? No, but it does affect a lot of the other tools.
A: And that's fine, and I think DeWitt clauses are a very real concern, but I also think, now, you'll understand this better than I will, if someone comes to us and sends us, like, a plug-in or whatever to make their tooling work, I presume there's no concern of DeWitt, right, if they're the ones who submitted this, right? And that's...
C: Right, and in fact, you know, the way some people get around DeWitt clauses is "I'm a really big org and I'll redo the analysis myself," which is a crappy way to deal with it, but I can tell you it's what the US government does: you know, they'll analyze the tools and then they'll have reports, and you can't share them outside of some very, very limited fora, and if you think that's terrible, don't worry, I agree with you.
A: Yep, I agree, and look, if they want to come play in our sandbox, that's great, and if they don't, that's great too. Like, it doesn't bother me either way. Like, I'm not going to say no closed source measuring, because that would be foolish, but I'm also not going to seek it out, for the very reason you just describe. Fair enough. It's like, I don't think me or you or the OpenSSF or the Linux Foundation wants to get sued. So.
C: No, we want to stay absolutely legal. Now, one of my personal hobby horses is I would love to see DeWitt clauses rendered not enforceable, but that is not the remit of this group. So, if you want to, if you want...
C: If you want to tilt at that windmill with me, come talk to me.
E: That could be a new working group, right? I think, David, you've set a new record: two wonderful visual images for my brain to savor for the rest of the day, you on a hobby horse and you Greco-Roman wrestling.
C: And tilting at windmills. Okay, so, all right, I will try to provide less imagery in the future. Today.
A: Awesome, okay, so we're out of the issues, and Arnaud, I truly want to thank you for your comments. I appreciate any input anyone has, whether I necessarily agree with it or not. I think it's valuable to discuss all aspects of everything we want to do, and what I would like to make sure we do is just, if anyone has ideas or suggestions or comments, like, take it to the list.
A: So I'm never going to want to use this meeting to make, you know, decisions or anything like that, just because it's not representative of the larger group. So, cool. I have nothing else, unless someone has something. Oh, Jory put in OpenSSF Day. Jory, do you want to quickly explain what that is? Yes.
B: Super duper fast: OpenSSF Day will be on June 20th in Austin, Texas. It's what's called an add-on event to the Open Source Summit, which is also home to the Global Security Vulnerability Reporting and Supply Chain Security Con tracks and Linux Security. So lots of different security-focused events happening in Texas, and they've...
B: Given us some space ahead of the conference to host our own OpenSSF Day. I'm hoping to make sure that everyone in the working groups is aware that they're welcome to come a day early. We're looking for folks who might be interested in participating in, like, discussions and breakouts and conversations and stuff on those days as well.
B: So if you plan to be there, let me know, and I can definitely make sure that you are kept in the loop for the activities that day and that week related to OpenSSF.