From YouTube: Security Tooling Working Group (December 6, 2022)
B: And I have not been able to make it to this working group for a while. One of my team has been joining, but I wanted to make sure I could check in.

A: Okay, so neither of us really knows what the current state is. I think I'm part of the CHAOSS project and we have a risk working group that focuses on some of the things that are related to security, some of the things that are really more related to licensing and dependency age, and I mean I'm a maintainer for a tool called Augur.

B: Excellent. I'm the guy who doesn't shut up about SBOM at all.

B: I ran the NTIA foundational definition piece and now I'm at CISA and I'm, wow, the lead on the executive order side of things. So it's.

B: Well, I also get to try to encourage the two data formats to play a little nicer together, yeah.

A: Oh yeah, no, that's exactly! It only comes out, it only happens during meetings. Yesterday the network went out on my campus and I had to tether to my phone for three Zoom calls.

A: I can certainly represent the CHAOSS community and what we've done. Another great resource, I don't know if you've met her, is Sophia Vargas. Yeah, she's at Google. She probably doesn't come to the tooling meetings, but I think she's active on a couple other OpenSSF groups and she's been real active in our risk working group, as have I and David Wheeler and Kate Stewart, so yeah.

A: My first meeting here, so here to learn, but yeah. If you want to connect on a band, just private message me an email or I can do the same. Well, my Zoom has this really weird issue right now where it cuts off the drop down for everyone versus a person.

E: Yeah, there's stuff out there we haven't been, you know, terribly though. Alan knows about, because he's Alan and I bam Facebook a whole lot, a little bit on LinkedIn. There's a website, all got Tara, I'm putting in the chat. It's mostly just one page right now, but there's stuff behind it we're gonna turn on.

E: Well, it's a practical application of all the stuff we're about. It started in 2019 when I was with Unisys, you know, got a bit of budget, started the Marine Living Research Center. You know, Airbnb on the water makes huge money in a marina or on anchor, but it's just crazy people doing it, but making good money. So I instigated someone making a solar powered smart boat on anchor down in the Keys that makes 400 more money because it's an upscale instead of a budget hospitality.

D: Don't know why it's accidental at this point. Sign in on that document, and then the first item on this says introduce yourself in the chat, and instead of doing like formal intros, because there's usually a ton of people here, we just paste like a little intro. Like I'll paste, random, I just pasted mine only down. I'll paste it to everyone, like just something like that for everyone to know who everyone else is, and like actually Sean just did that.

D: So thank you, Sean, and then we have one item in the tooling agenda from George and then we'll go to SBOM Everywhere, where we have a document we've been working on to kind of define some of the goals and purpose. So George, I will let you take this away.

C: This sounds like, as if I had something prepared, so a little bit.

C: No, like the background is the following: I'm in the hospital of Ericsson and I've been talking to various folks in the company trying to kind of get them excited to join, like the OpenSSF at large, and some of them reacted to the tooling working group, at least to the name of it, and I was wondering, but right now, as you rightfully said, the tooling working group is focusing on the SBOM topic and focus is good.

C: I wanted to basically bring the question really just as a question, an interest check, to this group, wondering if there is interest in expanding a little bit again the scope of the tooling working group in terms of talking a bit about security tooling as such, and again SBOM is one part of that. And that was basically it. It's an interest check from my end, not a fully fleshed out proposal.

C: I happen to know that the OpenSSF will put more focus on tooling. As such, we could, like, there's so much tooling out there that there could be benefit in basically just maybe reviewing tools. There's again, we are looking at landscapes, for instance, maybe that's something to work on.

C: Maybe there is a way to connect this more to the Alpha-Omega project, which by itself again releases an Omega toolchain and so on, so nothing new that you guys are probably not yet aware of anyway. So but again, I just wanted to get a feel for that. But again I'm wondering if, as you said, Josh, the attendance is a little bit low, it might be better to send out an email to the mailing list or to the Slack channel, to get, let's say, broader feedback on that.

C: But again it's not a proposal to kind of get something or to change anything, but rather to facilitate or to get feedback and thoughts, perspectives on this, yeah. So that was basically the whole thing I wanted to bring up here.

D: That's great. I mean I can, I'll fill everyone else in on kind of what I know and where I stand. So this group has struggled to get any traction doing just something more broad, because that was originally the intent, and when I took it over to turn it into the SBOM group, they were talking about like just dissolving it completely because there just wasn't.

E: You know, I think I've said this in this working group. I know I've said it in yours, Islands, yeah. I think this is one of the big issues, you know, we need to. You know. I was just sitting here thinking I should actually just sit down and write a list. I'm in most of the bloody working groups, but I don't know if anybody's actually written down the working groups, much less trying to correlate them to each other. You know, we need a map, so.

E: There's a presentation, I think it was. Maybe it was a missed call. Last week there was somebody shared a list that was great. You know, I can't think of who that was in.

D: It, where that was the, it's in the agenda, SBOM know-how, I forget who did it. Yeah, I don't know if it's in the notes, but that's just the SBOM tools for, wait. What were you talking about? I was talking about OpenSSF working groups. Is that what you meant?

F: I just shared a document in the chat. In the last slide, you will see more or less a map of all the working groups. It's in slide number 101.

C: What, right, that's the one I've been using internally a lot and then people ask me: oh this security tooling thing, that sounds interesting. What are they doing, but yeah? Maybe let's have some conversations with other folks to see if we can do something around it. Okay, but I think that kind of covers it. I don't want to hijack this and I guess I wanted, you guys wanted to talk about the SBOM topic, so good, let's see if we can have more conversations around this going forward. Yeah.

E: There's a special Technical Community for cyber security that started eight years ago and faded out. John Johnson has revived that. I'm in the steering committee with some of the other folks on that. So we're trying to revive that, so.

E: I was going to say, you know, so I, you know, I'm coming up to speed on it, but it's like this sort of page I'm looking at here. You know, all sorts of stuff going on, all sorts of communities and threads and whatnot, and John Johnson is a long timer there, yeah. So how do we navigate the influence to connect those dots there, similar to here, similar to what Alan's doing in the federal government all across the various touch points of the supply chain, top and going on? So.

D: Awesome, all right, I'm gonna share my screen and we'll jump over to SBOM Everywhere, and while I get this all working, Alan graciously offered to kind of give an overview of everything happening at CISA for SBOM right now. So Alan, do you want to kind of take that away? I.

B: Will try to do that as briefly and succinctly as possible. Two broad buckets inside U.S. government that we try to firewall between. One is the government regulation side of things. So this is the executive order, which is ultimately going to require everything the US government purchases having an SBOM, as well as coordinating across the US government, DoD, things like that, and trying to make sure that, right, a random Army lab doesn't reinvent this stuff.

B: The thing that I think is more relevant is we have five public working groups that are focused on enhancing and refining and scaling the SBOM, right. We know that the work is actually going to be done by the community, by open source tools, by commercial tools. We want to support that.

B: We have five work streams that support that. So very briefly, VEX. Everyone familiar with the idea of the Vulnerability Exploitability eXchange, one of the worst named projects in infosec, but probably one of the more useful ones, right. This is the ability to share a machine-readable advisory that says that your product is not affected or a project is not affected by a vulnerability.

B: Two, sharing and exchanging SBOMs. Chris is involved in this. It is heavy on the commercial side, but essentially there really isn't a way to move software metadata around at scale, and so, right, how do you sort of say, and especially for SBOMs, right, if you've got a commercial proprietary provider, they want to share with their customers? What does that look like? Three, and I'm going in the order of the calendar, not in the priority, three is on-ramps and adoption.

B: How do we make it easier and cheaper for folks to understand and use SBOM? They're doing things like offering procurement guidance. If you're gonna buy something or sell something, how do we make it easy to integrate SBOM into that process?

B: Four is cloud. Much of the discussion around how we're going to use SBOMs deals with on-prem software and users of on-prem software. Very few people have said, you know, Alan, the future of software is on premise, and so what does this mean for a cloud environment? What do customers want? How do we deal with not impossible problems such as, right, cloud services change quickly?

B: Some of them are harder, such as dynamic provisioning and infrastructure as code, and things like that means that software doesn't actually exist in any real form until it's delivered, and then there's some fun issues that that group is working on to say, well, can we have service transparency? So, if I'm using a service and that service needs another service, can I have visibility around that ecosystem? And the fourth one is tooling and implementation. They've been working on some of the things that this group has also been working on, including how do we integrate, where in the software life cycle the SBOM data is captured, and they're going to be hopefully doing some work on things like a tooling taxonomy?

B: How do we describe software tools that are relevant to SBOM, and hopefully some plugfests as well? So that's the short overview, and if you want to know more I'll paste an email in the chat, oops.

D: Cool, and just to clarify, you can email them and ask to be added to the calendar invite and then you get to attend the meetings and complain about Microsoft Teams, which is my favorite part. So all right, cool, that was great. Does anyone have anything else before we get back to the document in question we've been working on?

G: Maybe it's a more generic question, like I'm not sure what's the best way to ask the question. Like maybe it's for SBOM Everywhere? Maybe it's for, you know, that first group that Alan just mentioned working on VEX, like how is that group differing from this effort?

D: I think our answers are going to be the same, and it's that there's, we have no intention of trying to pick a format or a winner, and rather it's an ecosystem and we're all going to do our best to cooperate and empower everybody. Like the view we have in SBOM Everywhere is we expect tools to take in CycloneDX and SPDX and to output CycloneDX and SPDX, and that is the, and.

G: This is useful for me, because I was actually trying to do something similar this past couple of weeks and our organization is more focused on the security findings which relate to VEX, and I did find that CycloneDX, for instance, has some of these abstractions. You can make them part of SBOM, and I wasn't able to do this with SPDX, but it sounds like you're saying the goal of the group is really to enable the standard and just make this happen. So, let's.

B: Go ahead. So, unfortunately, the two data formats, the leads of some of the data formats, don't necessarily play well together and there's perhaps a little too much strategic competition between them. I think one of the things that we as the community can do is say, do what you want, innovate what you want. We're interested in a core interoperability model, and if you want to add more features as a competitive thing, that's great, but we're going to focus on the basics to scale it for the entire ecosystem.

G: That makes a lot of sense, and then I guess that answers my question. I do have a quick follow-up where, as far as scope, so VEX, for instance, is usually used for, or CSAF or something like that, it's usually used for incident response, while a lot of the SBOM things that you see in the industry are, you know, pre-production, pre-shipping, you know, gather the bill of materials, put it in one place. Are we trying to get a format that captures everything, like the entire? As they'll say?

B: So the fun part of SBOM is, right, it really does affect the entire life cycle of software. No one should be making software without knowing what they have. Once you have an SBOM, you can implement it into a lot of great use cases, compliance, vulnerability management, all sorts of fun things. What we want to do is sort of foster that. The current state of play is that SBOM generation is necessarily well ahead of SBOM consumption, because until recently no one had piles of SBOMs sitting around.

B: So why would anyone pay for a tool? Why would anyone spend time working on an open source project? That's starting to change, as people are sort of realizing this, and so I think again, what we want to do is emphasize the interoperability across the supply chain. At least that's my take on how we can do this and then tying it back to SBOM Everywhere.

I: Just to say, in addition, that I've been working on research and tooling in that area, and what we try to achieve is, at the end, to have an SBOM that has as much data as possible, combining the analyzed, build time and other types of SBOMs. So I think this is the long-term goal and there are gaps in producing every SBOM type on the path, and we are working on some tooling that can generate build time and package time, which is missing.

I: Currently the most usefulness is from source and post build analysis, and there are some gaps in runtime and build time. But the final goal is to have data that's exclusive, and I think that both specs are going in a direction where they are as complete as possible, and it's long term.

D: Like, where are you building this? Is it part of CISA or something else?

I: Currently, for build time and run time, it's not something, it's something that's going to be open source, but at the moment I'm playing with run time, real time solutions that are in the very early proof of concept stage. So I hope that at the beginning of next year we'll have something to show. Okay.

D: All right, I'm going to open this document, then I'll paste it in the chat for anyone who can't find it, because there's too many links and all this stuff. So this is the thing we've been working on for a couple, it's been like a month now or more I think, but basically the structure we have is to define the SBOM Everywhere, like, why are we here? Why are we doing this?

D: And the group has gone through a handful of changes since its inception, and it was announced as part of a larger, I forget what they called it, the Linux Foundation had their work streams, but basically, if you look towards the bottom here, some of these requirements, that's the, I think the approach and requirements are still the old.

D: And basically the group has come to the consensus that we don't expect the SBOM Everywhere group to actually do any work. We want this group to, you laugh. I mean it, you'll, it makes sense. Our intent is to spend money, like the OpenSSF has money to spend on some of this stuff. So we want to connect some of the projects with funding that might need them.

D: Like an example is the SPDX Python library needed help, and the OpenSSF paid, I think it was like 250 grand or something, to fund bringing the Python SPDX library up to snuff. So it's like a proper good library now that people can use, and there are other libraries obviously that have these concerns, so that's one example, and then also we have an interest in a landscape.

D: It's just a nice way to categorize various companies and tooling into what they're doing and how they work, and we think having something like that for SBOM, not just open source SBOM, like literally the entire SBOM ecosystem, could have value, and part of that as well is cataloging some of these groups and how they might fit together. And this kind of goes back to what, you know.

D: We put some effort into this last week, two weeks ago, to kind of define everything. We're going to ignore the kind of overview at the moment, which is really just describing what an SBOM is for the most part here, but then we get to the scope, and now I guess one other thing. If anyone wants to, just feel free to throw comments or suggestions into the document. You don't like need to ask or anything, it's pretty easy going here, so anyway.

D: This is the scope. We hammered on this a bit and we settled on production, distribution and consumption of SBOM, right. And we specifically called it ecosystem because we don't want to do it, and I think this like ties into some of Alan's working groups, that's CISA, where there's people doing this, so we want to make sure we connect the right people to the right places.

D: Oh, someone just asked for the link to the doc. I will paste it again.

A: That's branched out into building what we call metrics models, which are collections of metrics, but also we incorporate a number of OpenSSF tooling into the tools that we deploy as part of our project, and so I'm here, because we've kind of been an aggregator of efforts like this and I also see some definite overlap with the CHAOSS risk working group that we've discussed, and so I'm here to sort of learn how to work with this group and how this group works, and I wanted to.

D: Can you drop a link to what you're working on in the agenda, yeah? That's why I'm everywhere, Sega gender, yeah. I sure will, thank you, because, like again, I've never heard of CHAOSS before, or.

B: Joshua, tell me if this is derailing things, but what I don't see is how do we get SBOMs everywhere, and we can even narrow down everywhere too?

D: Yeah, I mean that's a fair question. We've been, yeah, yeah, I mean so kind of some of the background there, Alan, is there's been a push by the group in the last couple of meetings to focus more, to put effort into consumption, and so that obviously consumption is a problem for many, but obviously everywhere denotes creation as part of open source projects, and so I think that's a fair point. I'm going to add a note.

B: Been ignoring the idea that a centralized database is a nightmare in this type of task. I do think there is some value to say this is very much a public good that we would all benefit from.

J: Yeah, this is Tracy. I don't want to be self-serving, but I think everybody should be aware that Ortelius, who's incubating at the Continuous Delivery Foundation, is focused on centralizing SBOMs, and we did get a small grant from Ripple to create an immutable SBOM blockchain that we're working on. That would be a public chain. But we don't have the funding to create a centralized location to support that SaaS version at this point, and we haven't gotten that far, but we are working on that.

B: You had me until you mentioned a very inefficient database, but leaving aside that, because I have a hunch that would take a lot of fun time debating, could you post a link to that? Just so I can track it.

J: Sure, yeah, and it is very inefficient, just there's a lot of data, which is why we decided to look at the blockchain solution, and yeah, blockchain, believe it or not, there's ways you can make that part more efficient than a database, and I'd be happy to walk through what the architecture looks like in order to consolidate data like licenses and information that's repeated over and over and over, and create that blockchain.

E: I'd love to get ready on all that as well, right, and you know which, as you say, would probably be a lively conversation right now, but maybe that's not the exact best time for it. So but, Tracy, I have to ask you at the same time this topic comes up, you know, I find them, I think it's fundamentally impossible that there will be a centralized database now. Will the US federal government, will other people, other governments, you know, create?

J: Let's put it this way, the way we're approaching it is, let's say, for example, if the Linux Foundation had a high level domain and Kubernetes had a domain under that, your every release of Kubernetes, you would see what the CVEs and the SBOMs were for Kubernetes and you could see the history of it over time, so you would know if you ever had a vulnerability in the past.

J: So again, it's a matter of starting to collect that information, and we're looking at doing it by pulling it from when GitHub changes. There's actually quite a few ways you can grab the information and storing it in one big mess of, like, database. We have, it's a lot of data.

J: Yeah, so you get software distributed and you might get an SBOM for each time, if they're giving you an SBOM. Keep in mind that a lot of times SBOMs are left under the hood of the DevOps pipeline.

J: They get created, but they don't get consumed, and that's the conversation we've been having. Sure, it's a check box and maybe they did create an SBOM, maybe they didn't, I don't know. You'd have to ask the Kubernetes team where to find their SBOMs, right, well, and I.

J: Trying to make it easy for people to see if they have an environment, let's say their entire environment has Kubernetes at the bottom level. They may be using some other tools in between there and then they have all of their application level at their container SBOMs. How do they create a full view of SBOMs across their organization? Do they? Are we expecting them to go collect them?

J: Go to the Kubernetes team, find the SBOM from there, go to these other tools, find their SBOM from there, or can we do something that allows them to aggregate that information up easily to say to the US government: here is what we are using and here's what we're dependent upon and here's a complete picture of what the dependencies are. This is what it looks like. Go.

J: I say that considering a person who's been in the build space forever, that being able to aggregate it up in one big report is going to make the use of SBOMs a lot easier than asking people to go out and collect it themselves, and to collect it for every release when releases happen all day long. We're not in a monolith world anymore, we're in a microservices world. So things change on a very, very high frequency basis.

J: Now Kubernetes might not change, but your application level does, and we want to be able to pull all of that information up into one full report that everybody can see where the vulnerabilities are and what the SBOM looks like, not just for Kubernetes but for the entire stack that the application runs on.

E: Well, it was Sarah Evans from Dell just popped in and reminds me in the chat, right. So there's so many layers of this, right, and I think at the highest level, as I said earlier, I don't think it's even conceivable there is going to be a repository, you know, for the entire universe, for the entire planet, every piece of everything, but I think actors like the US.

E: You know the US government, you know this ecosystem and so forth, will do things like Tracy you're talking about now, which is probably a good thing, and I think from the working group perspective, whether it's this one or, you know, it's CISA or whatnot, our real goal is to figure out the architecture where people can do those things, and, you know, so, Tracy, a d-bomb, I don't know if you know about that. I'd love to have a side conversation about that.

E: You know how we share all this and so forth is a fascinating topic, but I think from the working group perspective, we want to say, you know, the Tracys of the world will do these things, yeah. This is fairly inevitable. You know, is that good or bad, I don't know, right. You know, work through this, and how do we, you know? Not? Should you, you're going to? How does that work, and.

D: I want to reel this back in because I think this is a really interesting conversation, but I don't think this is the right place for it. Thanks, Adam. Thank you, I appreciate you showing up, and Alan, that's a point about, for anyone, just read the chat about SBOMs and vuln data living near each other, but I want to reel this back into the document here versus Ortelius, which I think, Tracy, do you have like community meetings or something people can attend, just on the website? Oh.

J: Absolutely, yep, and I want to point out too, in the conversation you had before, I think that what you said was spot on, that we don't do anything, right. I know it sounds weird, but I believe if we were to take a look at this, all of the open source projects that are currently under the Linux Foundation that have been born since, be prior to the OpenSSF.

J: There may be a good set of open source tools that's already incubating at the Linux Foundation that we should be looking at and determining, if it's, you know, making, potentially making recommendations or helping them go through the process of solving some of these problems, because I haven't looked at all of these tools, but I do know that they're out there, because the OpenSSF was sort of late to the party. A lot of tools went into the CNCF and then when we came along, we wanted to do security stuff.

J: So there may be some tools out there that, you know, this group could already begin to look at as a 2023 goal, and I think it's spot on to say that we shouldn't do anything ourselves, but we should be bringing in these tools and categorizing them in that landscape, which is going to be a tough task, but there's going to be a whole new category of, you know, tools that are addressing security, and I think that's a great idea. Yeah.

D: Central data store, but man it is going to be a hard sell, I think, but all right, all right, I want to jump back over here. So we've got like five more minutes, before, a little more before we're out of time for this call, and every meeting I ask people to look at the document between the meetings and they never do, which is fine, we're busy, but I.

D: All right, all right, so we've got our approach. I think Alan brought up, and I really like this, that the SBOM Everywhere aspect of this is not being addressed today. I think we got a little derailed, maybe into the consumption side, which is fine, but I don't know if this group is going to solve consumption either. I think there's value in seeing open source producing good SBOMs, which there are not very many projects doing that today.

A: Yeah, I have one of them that I'm a maintainer for, but I wouldn't put it forth as a solution to the SBOM problem, because what I'm hearing a little bit of is this lack of coalescence around a single standard for generating SBOMs, so I heard earlier that SPDX is not generally accepted as the only standard for expressing the SBOM. As an outsider, one of my curiosities would be: do you have a list of the other proposals that are out there?

F: SWID tags, and I have seen that mostly on IoT companies, those already had some, sometimes producing that.

D: And CycloneDX. The three that get named, and CISA calls these out, actually it's SPDX, CycloneDX and SWID, but no one likes SWID, so I would say SPDX and CycloneDX are the two you'll see, no.

D: We will talk about what to do with them, I guess, later, and this is something, so you know what this reminds me of is I had a friend at the Apache Software Foundation come to me some time ago and basically said: we want to make SBOMs. How should we do it? There's no guidance telling people like you should make SPDX and CycloneDX and do a thing with them, and I think, well, that's not true, because.

D: The Maven folks were here a couple weeks ago, and they pointed out like Maven has a way they do it, and npm now I think has a way they do it, and every ecosystem is doing it different, and so I don't know. If we have, that's going to be the challenge, I guess, and that's probably something for us to think about, is every open source ecosystem is going to want to do it their own way, and it's very open source, like if we say you should do it our way.

D: We know how that story ends, right, like they give us a finger and then they go do it their own way, which is cool, I mean it's open source, but that's probably something we need to think about too, is how do we define the goal, right? Because the goal is an SBOM? The goal isn't to tell people how to do this.

D: What else? We need more open source projects, defer to other groups, connect others. Does anyone else, can you think of any high level things that we think this group needs to focus on for success?

H: I think, this is Sarah Evans from Dell, I think one of the things we've been talking about is understanding the consumption in parallel, because, as the adoption and the consumption of SBOMs evolves, that's going to be very helpful information for us to understand across our technology stack and then also to be able to influence some of those. You know, while we're not building anything, if we're defining, if this group is defining, you know, the goals of an SBOM, being able to have that evolve over time. This is how customers are using it.

H: If your SBOM doesn't provide or meet these goals, maybe you could evolve. You know, we're not going to tell you how to do.

H: It might be that they are more suited to it and we just have awareness and visibility to how that evolves in this group, and the spirit of not creating anything new, so I'm totally flexible to that. I just know that, whichever group it ends up landing in, we'd want to maintain visibility that we're trying to contribute that to understanding in general, yeah.

D: Yeah, 100 percent, okay, all right, we're out of time, but this has been immensely valuable. I'm going to clean this document up a little bit. I'm going to see about getting my ass in gear for that landscape funding, because I think having a landscape would be very valuable to help untangle some of this, and then I guess I would truly appreciate anyone taking a look at any of this and asking questions or adding comments or anything. And if not, I guess, do we have a meeting in two weeks?

D: What's two weeks, the 19th, 20th? I don't know, I think I'm working, we'll see, maybe it'll just be a working session if no one shows up. All right, well, thank you everyone, I will talk to you all soon.