From YouTube: Security Tooling Working Group (August 16, 2022)
E: Yeah, I have a request toward the end when we go over the agenda items. It's not specific necessarily to the work that's being done here, but it is somewhat relevant. So when we get to the end of the current agenda, I have a request. Can.
F: All right, I assume that... great, that's why I'm everywhere. All right, the SBOM Everywhere, click the link, you get the doc. There's an agenda item for today. Well, agenda section, I guess. So for anyone who wasn't here, I'll just kind of summarize where we're going. There's a GitHub repo, which we do not have in the meeting info. I will add that later. David, do you mind? Can you probably get the repo for me quick and just paste it in the chat? Which.
F: We should submit pull requests. We've got some to-do items in this document here around, you know, filling out some more of the scope, as well as we've got a charter that's not really filled out. There's plenty of work to do, so if anyone would like to volunteer, that'd be lovely. But anyway, if we... oops, I just closed my tab, apologies.
F: Great, so here are the... I put an old business section in. This is what we talked about last week, and we'll kind of briefly go over some of this, and then we can tackle some of the new things now. Obviously, not all of the old things are done, and it's coming, so I'll give a status update on the Python library funding.
F: This issue is for the SBOM, the SPDX library, funding. The quick background is we have an SPDX Python library in desperate need of attention, and so we asked the OpenSSF TAC if they would be willing to fund bringing the library up to snuff, and they unanimously voted yes, which is great. So now it's going to the governing board, where the governing board theoretically will approve the spend, and then we can get this moving. For example, SPDX 2.3 came out a couple days ago; the Python library doesn't... I don't think it even does 2.2 correctly, but that's it. This is great, right. This is a good example of what the SIG can do and why it will be good to fund it, I guess, is what we'll say when we go to potential donors and funding sources, showing that it's not just a money fire; we can actually turn your investment into work and progress.
F: So yeah, I'm excited about this one. I think if anyone has questions, just speak up. I'm not gonna, because I'm sharing my screen, it's hard to see if someone has their hand raised. So if someone like David or someone could maybe just yell out if there's a hand raised, otherwise let's keep moving. Kate is working on a one-page overview for SBOMs, so this one is ongoing. I don't know what else to say. I talked to her about it. She said she's working on it. She was busy with SPDX 2.3 stuff.
G: Yeah, so the SBOM use cases, it's still in progress. I think that it is being tracked in that, yeah, right there. I think that it's... I really... What would be helpful would be to get some clarity around the assumptions at the top that state explicitly the types of SBOMs, and getting a little more clarity around that. Is that still in the document? I don't know.
F: What do you mean by types? Do you mean, yes, binary?
G: I guess, like, the question is... my ask is to get feedback on the interpretation of those types defined by... I guess, like, defining those types a little more comprehensively. Okay, but.
I: The... you might be able to reuse some of the NTIA wording. However, build is going to be just looking at... it is going to be interesting in that, you know, you can create SBOMs during a build process, or you can interpret that as meaning formulation, how something was built, which are two entirely different things. Yeah.
D: Yeah, now I actually have some problems, because I think there's some important things missing here, but probably one of the most obvious ones is there's nothing that talks about... and now, like, there's consuming for views, but nothing about doing risk analysis specifically, and nothing about "I need to do an inventory of all my products across my organization which have this vulnerable component in them." You can argue that consume might be helpful to that, but it's a lot like, you know, "hey, a keyboard might be helpful for writing programs."
G: And maybe it can. So in the GitHub, on that main README, there is a bit that we drive into scoping the intention around this effort, and I don't know if maybe we can tighten scope to kind of have those better boundaries. I don't know.
I: So one thing that I'm looking at, just under the types of SBOMs, is, yeah, the list seems to include both what something is and the life cycle in which something is created. Those are two entirely different things.
I: Source SBOMs: not overly useful for most security use cases, but for some. Build-time SBOMs: very useful for most security use cases. And then you've got deploy, runtime. These are SDLC lifecycle things, which are two entirely different parts of the life cycle, but there's other parts to the SDLC as well.
I: Now in CycloneDX, we differentiate what something is versus the life cycle in which something was produced. We had agreement in Austin, just so everyone knows: folks and CycloneDX folks met up in Austin at the OSSF conference, and it was interesting because Kate and I both had agreement that life cycle is really, really important.
I: The NTIA docs, just so everyone knows, life cycle was for the most part omitted from the conversation. It was purely focused on software vendors to software consumers, so the life cycle was really the... well, the deploy, right, what you are delivering to the market.
F: Steve, thank you for that background. Okay, what are we doing? Does anyone else have any other kind... I guess no. You know, I want to move on, because I don't want to rat hole on this. I think if anyone has any comments or suggestions, we have a GitHub issue and we have a document, like, let's bring the work there and go to town, and we'll check back in on this at the next meeting and see how things are going. All right, cool, let's keep moving.
F: We've got NTIA documents into something more friendly, which we have SPDX, CycloneDX and SWID. Steve said that CycloneDX has a tool center, which is more updated, obviously, than the NTIA documents. I actually haven't looked at your tool center at all. How big is this? This is pretty big. So this is one of my concerns, I guess, I have with this: this is an untenable list, and I don't know what I expect or what I mean yet, but I feel like I would like anything.
G: And I think that's why, like, so to me, like, you know, referencing CycloneDX more as a specification or a format allows you to kick the technical downstream bulk of the documentation, that's actually being actively maintained, without it, like, kind of cluttering the conversation, I guess. I think that was my... in this particular thread, that was what I was attempting to.
H: Maybe I can say a few words about this. So Kate and I met last week, for some reasons. Kate just invited me, so there was not an intention to exclude Vicky, and David was also on the list, and we kind of came up with this template to our understanding.
H: So, if, like, somebody is in the need of a particular SBOM tool to fulfill some particular use case, that will be discussed and defined in the other use case, then we'll take these use case descriptions, for instance, or classifications, and put them into, yeah, whatever kind of data format. But there needs to be some that we can feed into, for instance, another instance of the LF Landscape or, for instance, the CycloneDX tool center. But I think that would be the purpose, that somebody who's looking for some tooling can search that place.
H: For, let's say, something that can help them fulfill their needs, and then, of course, maintenance is always an issue. Interestingly, like, again, the LF Landscape use case is a very good one, because it works in a very distributed fashion, so the tool maintainers, distributors and so on could kind of maintain the data themselves, kind of taking the burden off of us having to provide a 100% up-to-date list of things.
H: So that was really just the idea behind that, and yeah. So in that sense, to Vicky's comment, I'm wondering, aren't the NTIA documents like a good starting point to kind of at least fill some initial visualizations, some tooling, something with data?
C: What's the... I guess I'm not seeing a bigger plan for this SBOM Everywhere initiative here and what the moving parts are, and if this is one of those moving parts, where does it fit in and who's the target audience? And just, I think we're missing a whole lot of context here, and we jumped immediately into implementation rather than jumping into better planning, and so I think this is very much kind of a cart before the horse and a default for activity, and I just don't know where this particular piece fits in and what we're trying to accomplish with it.
G: Can you be a little more specific on this, and then also, like, actionable? I think, yeah.
C: So, with the other mobilization plan SIGs that I'm in, the first step has been to look at the plan, which was put together very, very quickly to present in Washington, was the first look at what had been put together quickly, and iterate on what had been learned since then and refine and come up with a plan for what are the moving pieces. What would we like to accomplish in year one, year two, year three?
C: How can we come up with an actual project plan for this, and for SBOM Everywhere? I don't get the sense that we know that, and I've been in all of the publicly announced SBOM Everywhere meetings, although there have been a number of conversations that have happened kind of along the edges, so I've been in all of those conversations that I have known about, and I still don't see that we have a project plan, and everybody's just kind of off doing their own thing, and it doesn't.
C: Of those, this is one of those pieces. I'm like, okay, this could be important, but where does it fit in and what's its prioritization? And I'm not looking to add a bunch of bureaucracy to the process, but I would like some sort of process, because right now it kind of feels haphazard and chaotic.
C: I think that could be part of what the group does, if that does not exist. I mean, first look to see whether it does exist. If it doesn't exist, hire someone to develop that market data. But the goal is SBOM Everywhere, right. What does that mean, and what do we require in order to make that happen?
F: No, you're absolutely right, but we need someone to write this down and make it a thing. Like, there's this scope section of the README that Cameron and I started putting together, but like this... is this part here? The draft, this needs a new line, but like this is what was written down in that document, and so we don't.
C: I would love it if the... I mean, not to point fingers, but you are kind of driving the bus and.
C: I am totally writing it down, absolutely, to provide some sort of feedback and guidance, but I would love, as a community, if we could come together and shape the direction of this rather than everyone running off to do their own thing and then coming back and trying to kind of coordinate those things and put them together into a puzzle that we don't even know the shape of yet.
G: So that's the intent behind the repo as well, and so, like, you know, the active participation in the repo, I think, will help overwrite anything that is not, you know, proper today, and is open for merge requests.
C: Absolutely, but I do think that we could use a bit more, a better framework around this than "hey, there's a thing, just go ahead and do it": setting up expectations, coming up with, you know, action items, you know, standard project and program management sort of stuff, I think, would be very helpful right now. And yes, Josh, I am writing it down and I will be working on that.
F: And look, so David, I'm going to let you speak in just a second, but I wanted to address a couple things from Vicky. First, it is disorganized. I'm not a good organizer. I need help with that. I'm very much the crack den open source development model person, and so we build the bus as we go down the road, and I.
F: Is great, but that means someone has to do it, and so Vicky's going to help, and anyone who wants to help Vicky, like, please, please get involved and help. There's nothing that annoys me more than a bunch of people who show up to meetings and moan and then never help. Like, that's not going to cut it. So if you want it done, you're going to do it, and that's great. But yeah, that's like, that's.
D: Yeah, so I think Vicky's on something in terms of "hey, let's step back, what's the goal here?" So, you know, when I see this whole SBOM Everywhere, what I think the intent is, is we need specific tools easily available, and I would say certain kinds of them need to be freely available open source tools, because otherwise we won't get them everywhere. And in particular I have in mind three specific categories. At least the first two I think need to be open source, widely available.
D: Number three is: I am an organization, I just heard about this really bad vulnerability, which products have it? That's much higher level than the "hey, I want to be able to read an SBOM." Don't care. I don't just want to read an SBOM. I want to read an SBOM to do something.
D: Now I actually do care, because of course we don't want to rewrite those tools eight gazillion times; we need to have formats and so on. But I think those are the three primary use cases. I acknowledge that those other use cases, like analyzing a final compiled product to figure out what's in it, I'm sure that people will need those tools.
D: I also don't think it's a losing battle. If you've got a bunch of bits and you're trying to figure out what's in it, the one thing I can be sure of is that you're almost certainly wrong.
D: To cover those three cases, we're doing well. Sorry, can you make sure you write all this down? Yes, I've actually written this down elsewhere first, but I will... let's see here: where would you like me to write this down? Do you want to write this in the SBOM Everywhere SIG agenda meeting notes?
D: Okay, yeah, so I'm sure there's other cases. As I said, you know, there are other things that people want to do, for sure, but I would like to kind of focus, and let's figure out the cases we most care about and then basically, at least for the first two, get tools into people's hands that just do the job well, quickly, and people can move on with their lives.
F: Cool. Thank you, David. Tracy.
B: So when I threw my hand up, before I forget, so when I, you know, listen to this conversation, what I believe is one of our challenges is that... Josh, can you scroll down to, let's go where you were, where it's the section on our scope?
B: So, for example, if we just look at that first sentence, that scope sentence, you know: barriers to generation, consumption and adoption of SBOMs. What are those barriers? Do we have a clear idea of what those barriers are? I've been in this business a long time; we've been generating SBOMs for 20 years.
B: To be quite honest, I don't really... and at many different levels, all the way down to all the different types that you're talking about, but there are barriers that companies are going through right now in terms of the generation of them in the DevOps pipeline, the consumption of them, getting them outside of the text file and being able to consume them.
B: So maybe that's a conversation for our future. You know, maybe we can all think about the barriers and have a discussion someplace. Maybe out in, I don't know, GitHub. Discussions are great too. If we're going to focus everything on GitHub, it might benefit us to use the Discussions to have these kinds of discussions. So when we have the time, we can sit down and start throwing out some ideas and understand, and in this case identify, what we believe the barriers are.
D: No, it's an old hand. Sorry.
I: Yeah, so it's interesting, the three things that David pointed out. In terms of the generation, I think there's a lot of tools that do this today. We're kind of swimming in tools, which is actually one of the problems. Actually, there's a lot of choice, regardless of Python or Java or JavaScript or whatnot. There's a lot less tools as you go down. For risk analysis, there's a lot less tools, and then you go down to the identification of products in my organization, there's even fewer of those tools.
I: I think there's one other classification of tools that simply don't exist at all, which I just want to maybe put on the radar: the OWASP Software Component Verification Standard. I'm not sure if anyone knows what that is, but it's a way to measure and improve software supply chain assurance, very similar to SLSA. I would equate SCVS as a little bit wider scope, a little less prescriptive, whereas SLSA is narrowly scoped and more prescriptive, both with the same, you know, intent. But anyway, the SCVS project... I may not be able to... and that kind of transparency just does not exist today, so we're hoping that, with this taxonomy and maturity model, that, you know, I think we have a chicken-and-egg issue, and I think this is a really great opportunity for OSSF to potentially fund this new classification of tools, which I don't think exists today.
F: All right, Bunny, you were next.
A: Yeah, just one quick go-back for Tracy, for the barriers to adoption. Are you envisioning actually, you know, doing some user research there to get a ground-truth sense of what those barriers are, or are there links that perhaps already capture the barriers that I can look through to help start that documentation in GitHub?
B: I don't think we know, and, you know, in terms of doing any kind of research, that would have been something that would be approved to spend some money on. But am I personally going to sit down and do research on this? No. I'm just pointing out that when we look at, you know, if we were to take this, our scope here, and set it in front of a handful of DCs.
B: First thing they would ask us is "what problem are you trying to solve?" and we have not defined that, and that's why I feel like it's confusing, because I think we all come to this, and this is what I've seen, it's not a... I don't want anybody to think that I'm picking on anyone, but I feel like we all come to this with an agenda.
B: We've all worked on SBOMs. We're excited to finally have people to talk about SBOMs to. We want everybody to know what we're doing and what's happening and how we, you know, how we've interfaced with them, how we've used them, but we haven't as a group defined the problems that we're trying to solve, and if that means we need to go out to get some funding to do some research, then maybe that's what we have to do.
D: Yeah, two completely different topics. I guess I'll think of a reverse order. First of all, as far as the, you know, Tracy, I agree with you. Always, it's important to always start with "why are you doing this?" That's why I was focusing on those three use cases. The second two use cases, the risk analysis using an SBOM and identification of products in an organization that probably have a key vulnerability using SBOMs.
D: I think they're really the driving goals, and the generate SBOMs is merely because that's a necessary precondition. You can't analyze SBOMs unless you have SBOMs, so I'd certainly like to at least propose that that be an answer to the question, and, you know, if you don't disagree with my answer, great; then let's figure out what the right answer is. Let me push back, although not very much, against Steve. I actually agree with Steve that it is important to be able to answer the question "I have this thing."
D: I would think that a tool designed to do risk analysis of software components based on an SBOM would also be able to answer the question: is this SBOM I'm getting even useful for my purpose? So I, well, I agree that the function is useful.
D: I think that that would just be part of a tool, because if you're trying to analyze an SBOM to answer a question, you should be able to figure out "wait a minute, this input... for this input, and not answer the question I'm designed to answer." So I agree with the need for it; I'm hoping that that can just be embedded in one of those other two cases that I mentioned. If I'm wrong, please help me understand why. Can.
D: Think the answer is no, because if it... because tool means automation, and if we're not meeting automation, I don't care. I think that the time when software components have three or four reused components in them, transitively, is long in the rearview mirror. We've gotta have automation for this stuff.
G: Like a pipeline, or, I mean, a script that invokes multiple tools to repeat the same type of thing but allows another tool to attest to... I mean, I'm trying to understand, I'm attempting to reconcile: how is it that a tool can provide from within itself a verifiable means of what it is producing without some sort of observation occurring on the tool itself, like an.
D: I can answer that one, at least the way I think you mean it, but others can jump in here. Real quick, I mean, I know that the... let me just be specific about the US government, although they are by no means the only customer: they're getting a lot of pushback from closed source vendors who do not want to reveal a lot of information.
D: I understand that. So, you know, one possibility, the obvious possibility, is "hey, I'm a closed source vendor. I will tell you the top-level components. I won't tell you the full transitive closure." And if they do that, the obvious way is to mark it: okay, I do include component X. I won't tell you what component X contains.
D: So you can, within an SBOM, signal "I stop here," and that could be a big warning flag to a tool that says: okay, I got an SBOM, but it doesn't include most of the information I need to do my job.
G: Yeah, that helps quite a bit actually, so yeah. Thank you.
F: All right, let's make sure we write this down too. This is good. Steve Taylor, you're next.
J: Yeah, so just kind of taking what David was saying for risk analysis. There are tools like Open Policy Agent that can be leveraged that will allow us to take the information that the SBOMs contain and make decisions upon whether something is, for lack of a better word, trustworthy or not. And the reason why I kind of lean towards Open Policy Agent is because my view of what is risky is going to be different than another person's view of risky.
J: So you can't do a single kind of stamp on the risk level for something. It's going to have to be driven by each individual organization, and even possibly each individual team within the organization, on what they think risk is. So I think that's where, when we look at risk, we need to have the data available so it's easy to consume to make those decisions.
A: Yeah, I just wanted to agree and put a perspective on what Tracy said. I mean, I think that would be great for us to level-set on the problems from two different perspectives: the problems faced by people who want to produce SBOMs, as well as people who want to consume SBOMs, especially in an automated fashion. And I think that level-setting on the problems and then identifying the use cases, some of which, you know, I like some of the ones that have been most helpful for me.
A: The thing is just telling people, let's not just produce one, produce one with some tool for the sake of producing one, but trying to produce them with meaningful data that solves the problems. That could include confidence scoring, different tooling, whatever it might be, to let automated tools make higher-order decisions.
F: Yeah, I agree. I agree completely. All right, we're almost out of time. I want to use the last couple of minutes to run through this list and make sure we have everything captured we need to capture. Someone just yell if there's anything we're missing. So we've got, I think he's going to start working on goals and purpose for the group now. I'll create issues in GitHub.
E: Yeah, so I mean, this is more relevant. What you're talking about is more relevant. If you want to go through, I mean.
E: Essentially, this is high level, I'll make it real quick. We're developing... Wipro, the CoE within Wipro's CTO office, is developing a tool that is essentially an aggregation of pipeline and security tooling, in line with the SLSA framework's SDLC requirements for securing the supply chain. Essentially, what we're doing is bringing together the capability of either integrating existing or provisioning from the ground up a complete pipeline solution, with the capabilities of letting you know where you are from a SLSA provenance perspective.
E: At what level you are, incorporating functionality like generating SBOMs, as well as key functionality of pulling in a bunch of different, obviously open source tools to start, but beyond that, integrating proprietary vulnerability and other scanning tools into one cohesive dashboard to completely build and manage the reporting around this. So it's still in its development phase. What I'm looking for is trying to gauge some interest, and I'm doing this quite rapidly.
E: I'd rather have a longer conversation on it, but I know that you want to cover some of the rest of this, but essentially this would be a complete software supply chain security tool to allow developers to fully provision, manage and maintain secure development environments from check-in all the way to deployment, and providing consistent and continuous capabilities around what their security posture is, in line with SLSA, and it'll incorporate SPDX and other capabilities for SBOMs as well. So, very high level.
E: You know, I'll have some things in diagrams to present at a future state, but really what I'm looking for is if this type of aggregation and tooling is of interest to anyone, to see if any of the people within the group would be willing to, as we reach the MVP stage, do some user acceptance testing, talk through some of the functionality and see if there are areas, maybe, of improvement, and do some of that initial walkthrough with us. So I'm looking for volunteers to potentially help us in the coming months.
F: Nice, that's very exciting. All right, all right, I'm gonna tear through this really fast now. All right. What do we have? New business: I'll open an issue for clearly defined goals and purpose. Actually, we kind of have an issue for this already. I don't know, I'll... because we started, Cameron and I, there was an issue for May.
D: Frankly, I think the bigger issue, and this is what Vicky hinted at, is we need to figure out, okay, what are we focusing on? So.
F: Work, yeah, I'll just make a note here.
C: Yeah, this stuff I will be looking at is very, very closely aligned with, if not exactly, the stuff that Tracy's been talking about: really defining the problems, and then, you know, looking at how we can, or whether we will, even defining whether we will try to solve the problems, because some things might not end up in scope or that sort of stuff. So Tracy, I would love to collaborate with you on that. It sounds like you've got a lot of good thoughts as well.
F: So Tracy had to bail. She put a message in the chat earlier. Okay, so.
C: Really, just what I will be looking at is starting to iterate with people on the scope and project plan for the SBOM Everywhere initiative.
C: It certainly would be a piece, okay, and, as Bunny asked, defining whether there are barriers and whether there's prior art or research and all that sort of goodness. So.
C: Coming up with a plan for this group: what are we going to tackle? How are we going to tackle it? What's the basic first-pass order of operations, to try and just sort of get a better sense of that, and what do we need funding for?
F: Well, I'm gonna open a second issue for this and reference it from the first, because I think it's a big enough question. So this will be an issue, Vicky's thing will be an issue, and then what else do we have here? Steve, how do you want to deal with your, I guess, SBOM analysis tool? I don't know what to call this.
I: Standard... the Verification Standard was published a few years ago, and we have a working group that meets every two weeks on a Thursday morning, I believe, that is coming up with the maturity model, and we are working through that. I believe we have the taxonomy pretty well done now, minus a few minor issues. The next step is going to be working on the maturity model itself.
I: Defining how difficult certain things are going to be to achieve, and once that's done, then it's really just a matter of creating the PDF for human consumption and the JSON. Once the JSON is available, then, you know, again, you could hook up tools to OPA, Open Policy Agent, or whatever, because quite frankly, different groups have different expectations for what would be in a bill of materials. If I'm a legal department, I'm going to certainly ask for certain things than my security department will.
F: Okay, all right, cool. I'm just going to open an issue, Steve, and assign it to you and ask you to add a link to the README for all this, because I don't want to duplicate, but I also want to make people aware.
F: All right, let's see. Steve Taylor: OPA can help to define. Steve Taylor, is there, like, a work item from this? Is there something you want to do more with this, this request?
G: Or do you have any, like, regular, like, examples of how this could be implemented in OPA?
F: I wonder if we lost Steve. I bet we did. Okay, I don't... I can't think of a work item off that at the moment, which is fine. We're about out of time anyway. If anyone has anything else, bring it to the list, open an issue, there's Slack, whatever floats your boat is fine. I like this. I think this was a great meeting, and I think Vicky and Tracy asked some really hard questions, and that's perfect. So thank you very much for that.
A: Echo that, Josh, and just say that I've attended these meetings in the past, and this one's been quite productive, and I think there's been a good, healthy dialogue. And thanks again, Josh, for your leadership, and Steve, thanks for joining us for this session. It was definitely interesting to hear your input.