From YouTube: Security Tooling Working Group (June 20, 2023)
Description
Notes: https://docs.google.com/document/d/1jzxhzIfkOMTagpeFWYoZpMKwHYeO4Gc7Eq5FcMFEw2c
Our mission is to Identify, Evaluate, Improve, Develop & Ease Deployment of universally-accessible, developer focused tooling to help the open source community secure their code. This space allows members to collaborate together on these goals.
A: Although it's still better than Teams, there's... Monday mornings I have a Teams meeting for the VEX group and it's like, God damn it, every time something ridiculous is broken. Thank you.
B: Well, your idea's got a corporate WebEx account and that's what they want you to use, but...
B: Well, I mean, I experienced, during COVID, the Zoom bomb. Oh, that's right.
G: Max is fine, yeah, combution, but it's like notoriously difficult for English speakers to actually pronounce this.
A: Combustion doesn't seem too bad. I know, I worked with a guy from Hungary at one point and I was like, how do I pronounce your last name? He's like, just don't. Like, no, me exactly, he's like, I guarantee you can't do it, so we're not even gonna try. So it's like, man, like, never felt like a bigger as an American.
G: I actually have an uncle who lives in New York. He's been living there since the 80s and I never asked him how he actually teaches people how to pronounce his last name. He...
A: I remember I had a co-worker I worked with when I was at Red Hat. He was from Brazil, so it's Portuguese, obviously, and his name was Ramon, which is pronounced Haman in Portuguese, and he moved to San Francisco and I went out for lunch with him and some of his co-workers and they were calling him Ramon and I'm like, what the hell? He's like, I gave up, like, I'm Ramon now. Yeah.
C: I once met a French Canadian when I was in San Francisco that hired me to go work in LA with him at his company, and it was really funny because everybody called him Chris, but he was very clearly French Canadian, and so I said, Kristoff, and he says, yes, but nobody calls me that here. And I said, okay. Is it okay if I call you Kristoff? He said, sure, that'd be great. I got to the site and they said, Chris will be here soon. Like, who's Chris? Nice.
C: I'm in Canada, so French names, depending on your background, you know, are normal. By the way, I'm being from the Linux Foundation.
C: I'm on Vancouver Island in Victoria, so yeah.
C: Come on, Vancouver Island! I'm on the island off the southern tip of the island off the coast, but yes, I've...
C: It's around freezing, yeah. We still have flowers all year round. Oh, wow. We had snow for four days this year, which was, we were not happy with it. It's like Seattle, very, very similar to Seattle, a little bit less rain.
A: So I'll start, and thank you for coming. We've got a pretty packed agenda today, so I'm very excited and we'll just get moving right away. We'll start with, we have two guests who are here to discuss how they're using SBOMs in the open source universe, and the first is Faseela. So, Faseela, I will let you take it away and tell us all about what you're doing with SBOMs.
H: Yes, so my name is Faseela. I currently work in the open source project called Istio. Istio has been currently joining the CNCF, the Cloud Native Computing Foundation, and then we had certain works going on in the supply chain security area. So Georgians, who is on this meeting? He is my colleague in Ericsson, so he knew about our journey about Istio and SBOM.
H: Okay, so Istio is a service mesh solution, so basically we provide security, traffic management, related operations, majorly for the Kubernetes platforms and, of course, not just Kubernetes.
H: There are other things as well, but yeah, we majorly use it with Kubernetes. So yeah, supply chain security, anyways, is an interesting topic for almost all the cloud native projects there are, and in CNCF itself there is a lot of push across the projects mentioning, like, okay, you should do whatever possible to enhance your supply chain security posture, so we were also thinking what and all we can do for this. So Kubernetes by itself adopted some of these SBOM functionalities.
H: Kubernetes came up with a bom utility within the Kubernetes SIG Release community, so they had written their own bill of materials utility where the Golang projects can just use it and generate your bill of materials. So that is when we also, because Istio is also a major Golang project currently, so it became easy for us to use this particular utility and generate our bill of materials, and we were anyways in touch with the Kubernetes community for many of our other release-related operations, so that's how it started.
H: Initially, we thought of using the SPDX... SPDX had another utility to generate bill of materials. That's what the plan was, and then exactly at the same time, we came to know that Kubernetes has this bom utility which looks easier to use and we were easily getting support from them.
H: So we decided to go ahead with this particular bom utility. So at this time I was also new to Istio. I had also recently relocated to Germany, joining Ericsson. So since it was a new experience for me, the first thing I had to do was to write an RFC document to the Istio community and present, okay, this is something which you would like to have in your project.
H: But since I was new and I had some of my previous colleagues or friends who are working in different supply chain security related domains in the open source area, I was in constant touch with them and that's how I came to know about the utilities, about bom and other SBOM related works. So I proposed this as an RFC. Maybe I can share my screen and then... Sure.
H: Okay, so we started with this document. It's not a big thing, but yeah. This is how in Istio, usually when any new feature request comes in, we probably write a small document describing the background, requirements and then how it can be done and what are the options in which this can be achieved. Yeah. So this is how it started.
H: So we initially started with this SPDX SBOM generator tool which was readily available at that time, and then we enhanced it saying, okay, there is something called a bom utility in the K8s community as well, and similarly we had these CycloneDX tools as well. Most of them are doing similar things and yeah. It was just a matter of writing a very small script to get it done for Istio, because the whole project was Golang, and we generate two separate SBOMs, one for the release artifacts and one for the source code. Yeah.
H: We had hit some minor issues here and there, but we got immediate feedback from the Kubernetes community and then they were open to fix the issues for us. Yeah, so it was just one PR and like 60 to 70 lines of code, and it was done, and if you see the Istio release page, you can see that with each release we publish the source and release SPDX files for every release.
H: Yeah, that's pretty much about that, and of course, when we started publishing the SBOM in SPDX format, we were contacted by the CycloneDX folks as well asking, like, yeah, we should publish both the formats. Yeah, we have not yet done it as of now. Kubernetes is also publishing only SPDX format. I think that we have just done it this way, but of course we are open to do any other formats, whatever is needed, so we have.
H: Then this is the first step, and then, I don't know whether you know Adolfo, who is the Kubernetes release manager, and he has been doing a lot of work around all these supply chain security related tasks, and he's from Chainguard, like a company called Chainguard, so they have come up with a checklist for the SLSA compliance, like level one, level two, like that, and if you go through it, we can see where your project stands as of now, whether you're level one compliant, level...
H: ...two, like that. So when we did that analysis, we understood that SBOM comes only at level two; we had some other tasks to finish for level one, basically the build attestation. So we are currently now trying to check how to do something like in-toto attestation or anything else that is possible to first comply to the level one checklist.
F: Your SPDX files, are you signing those? If so, what keys are you using?
H: So it's all the artifacts here, we have cosign-related signing methodologies. I don't have the exact details about it, but yeah, the release manager does that. Okay.
F: I figured you were, but I wanted to make sure. Trying to make sure people are actually signing their SBOMs.
E: How stable is it? How quickly does it break? Because I got the question the other day from a colleague asking, so if we're going to have an effort like the one we're discussing here, kind of being kind to projects and implementing these things, how hard is it to implement? Because we're adding maintenance burdens on projects, so I'm wondering how well that worked for you.
H: Okay, so for us, I have never had any case where somebody reported that, okay, the bom utility now is broken, please fix it so that we can release. That never happened, maybe because Kubernetes releases stable versions of bom only after they are internally trying it out, because they are also using the same code to generate their SPDX files, right. So maybe things are stable and working fine before they ship a new version, and then we also take a little bit of time before upgrading our bom utility version, something.
D: Thanks for presenting this, this has been really helpful context for me and I'm really pleased to see that Istio is doing this so successfully. My question is, have you heard from any of the consumers of your SBOMs? Do you have people or companies or downstream projects that you're aware of that are using your SBOMs in any context, on their experience of...
H: On the upstream we do get, you know, issues now and then saying they would like to have the files generated in a specific context, and we do get enhancement requests for a different amount of operations, like, for example, here the Docker images are all published as part of the release, and then we use those published Docker images to generate the SPDX. There were people who were asking, like, they want a mechanism to generate the SPDX file for Docker images which are in the local repository.
H: So similar requests do come, so I think there are people who are using it, but internally for Ericsson I think we have, we are, I did present this, and then we are exploring and have to, yeah, leverage on this downstream, but they do see a benefit in using this, because it has a lot of things automated which currently we are doing with a lot of manual effort using manual scanning, and a lot of, you know, repeated effort goes away with this automated way of generating files. They do agree that.
H: To go, yeah, that's it, so we have already done it. We did it like in the Istio 1.14 release. So once done, afterwards we never had to do anything additional, except for upgrading the utility version to the latest version, but otherwise the generation part is the same code. I have not even touched that for the last four releases. So if you see that, it's the 1.18 release now. That's awesome. Yeah.
H: It's like the bom utility is pretty much easy to use, but the only thing is it can be used only for Golang code, because Kubernetes is Golang and then they have no plans to support any other languages. So with Istio we have one module which is in C++, for which we are not yet generating the SPDX files, and for C++ we have not seen any good SBOM utility so far. So yes, for many languages the support is not there, so that is one shortcoming.
D: I have another question: you mentioned that you're working on SLSA compliance. I was curious if you have run the Security Scorecard on your project and, if so, what that experience is like. I know that's a little bit different of a question from SBOM, but I've really enjoyed hearing your perspective, and it's another working group I'm in, and one of the things that group is talking about is how to see if the projects have produced an SBOM. So there may be a connection at some point down the road. Okay.
H: We were not aware of the Security Scorecard utility. What we did is we were manually going through a checklist and checking one by one. The checklist had questions like whether your project has the PRs approved by two people or just one person, whether you generate build attestation, whether the dependencies are clearly defined. Like that, a lot of questions, and then we were just ticking the boxes and seeing where we are. We never ran any tools, so.
H: Comes out, yeah, it does, there we would, yeah. So if you see this, I just, to create this particular issue in Istio to track this, and then we just had this one checklist which is like this, and then we were trying to take one by one and then see where we are. So if there is a tool which we can run, that would definitely help us, but I know that Chainguard, the company, culturing.
A: I'm going to move this along, but I guess the one thing I would add is this is the old SLSA checklist and there's a new version now, so, not to kind of ruin your party.
A: Everything changes, the only constant, right? Okay, all right, all right, so I'll keep us moving then. Thank you so much, Faseela. That was, this was awesome, like, well done, and well done on the work, like, that's a huge deal that Istio is generating SBOMs, that's really, really cool! Thank...
G: Thanks, yeah, just a quick intro about myself, I'm Max, I work at Snyk in the open source group.
G: So, if you know Snyk and our product line, a lot of it is actually scanning your open source projects or your software projects, which are built on open source components, for vulnerabilities, and we have actually had an internal representation of an SBOM at Snyk for a really long time, similar to how Anchore is doing it with Syft, I think. There's also a proprietary serialization format that can be translated to CycloneDX or SPDX, and we are not really making that internal representation so public.
G: Even though there's a public response repository with the schema and everything, and so far what we have done mostly was to let our customers generate SBOMs off of this internal representation, which is fittingly called a dep graph. So no real magic there, and I have been mostly working on the translation of this internal representation. So how our software works is that we do a composition analysis of a software project, turn that into the dep graph, and then translate that into CycloneDX and SPDX, and this is basically what we're doing: we're offering SBOM generation.
G: We are currently also working on SBOM ingestion, so trying to understand what are the different components that you have in an SBOM that you bring to Snyk, and then we can analyze that for vulnerabilities. There's also other competitors who already offer this, and also something we have actually open sourced just recently is a tool that takes an SBOM and can enrich that with additional information.
G: So right now a lot of customers are actually asking for copyright information, license information, that kind of stuff, and with that tool you can actually get this information from public libraries, and I can only tell you guys from the point of view of an IC working with the available tools that we are using.
G: So there is also tooling available for SPDX, but I feel that it's not as good, as well maintained, as the CycloneDX stuff, so kudos to the maintainers of all the CycloneDX tools, but then also what I found was that the specification of SPDX is actually hard to understand sometimes, or to give some good guidance on how you should be actually constructing your SBOMs in that schema.
G: So an example would be, for example, to describe the relationships between your components. There seem to be different ways of actually saying package A depends on package B. You can also say package B is a dependency of package A, so that's just a simple example, but it goes to show that actually you, as somebody who implements this, you are faced with questions like, okay, do I actually choose option A, do I choose option B? And I think with CycloneDX you don't really have that much guesswork, and I mentioned this enrichment util that we have open sourced. Then again, we are facing some challenges there with SPDX, where we get some data from ecosyste.ms. If you know that, you're probably also familiar with deps.dev, that's been making the rounds lately, we're integrating with that. But ecosyste.ms is very similar.
G: You just give it package coordinates, and it's giving you back a lot of rich metadata about that package, and I have been working on the extension of our tool to actually consume that data, put that into SPDX, and for a lot of the fields I find that I cannot really find the right definition in the SPDX specification.
G: If that makes sense, so I actually then have to reach out to people who have been maintaining the specification and ask, like, how is this supposed to be used? Am I actually doing the right thing, am I doing the wrong thing? So, on the one hand, I feel that there is a little bit of a lack of enablement where it's not necessarily clear from the content that you have available to you as an engineer, like, what choices do you actually make when you implement your code?
G: That's one thing, and another thing escaped my mind now. Yeah, I'm maybe gonna stop right here, so I'm basically freestyling this, as you guys can tell, like, I've been asked to join this call this morning and didn't have much time to prepare, but is this actually relevant context for you guys? Yeah, I find...
A: ...this fascinating, and shame on Dan for not giving you more warning. He's known about this for, like, what, four weeks almost, I think? No.
G: He did ask me last week, but I was out sick last week and then I jumped... or it was the week before, I think, and then so I jumped on this call, but yeah. No, it's actually not on Dan. It's more on me! So I take all the blame here.
F: Yeah, sure, no problem. So great to hear what's going on at Snyk, Max. I've actually used Snyk quite a bit and I think it's a great tool. You mentioned the idea of scanning SBOMs to determine what kind of vulnerabilities are in there.
G: If it's about, like, consuming a VEX file, for example, or maybe ignoring certain issues, then yes, that's actually built into Snyk already, and we are planning to actually offer an API where you can upload your SBOM, including some directives of, like, the issues that you don't really want to care about, but that's all in the making currently, so I can't disclose too many details about that. But yes, it's actually at the heart of our product that you also, you don't want to produce too much noise, because we appreciate that this is mostly going to be interesting for CISOs or IT folks who actually want to understand what's in the software they are using and maybe then also monitor for it. So I see that we're doing something similar in the vein of squawk or Dependency-Track, if you are familiar with those tools, so you actually upload your SBOM and you keep monitoring, like...
G: ...is there a new vulnerability that is being disclosed? And yeah, so ignoring some of them and saying, like, well, that's not actually exploitable in our case, that's actually something we have as a, yeah, base requirement to this feature. Yeah.
F: Because some of what we're doing at Intel is, for example, we have an internal curated version of OpenSSL, where we support the versions released over the last two years and we've backported all of the fixes into those. So we're trying to make sure that, you know, for us, we'd love to have solutions that don't ding us, you know, for shipping older versions that would seem to have vulnerabilities because of their version number, but...
B: So in terms like lyrics, there's multiple work streams where SBOM complexity is going up. Formulation is one of the things I took under my belt, but I also participated in the machine learning work group as well as the attestation work group. Lots of new complexity is coming in. So fundamentally, you know, I work for IBM and I've been trying to, you know, figure out how we create SBOMs for many years now and to satisfy the different requirements coming at us from, you know, from the ground up: from creating very controlled build systems to get SLSA level three type attestations, you know, reproducible build type stuff, into an SBOM. I've got machine learning, AI stuff I want to associate with an SBOM, and I kept telling the CycloneDX community from the industry work group, I've got tons of data from lots of different perspectives.
B: I need a framework in terms of SBOM and a logical place to put the data, a context, if you will, and so this formulation work came up. I found out about it last fall and I end up volunteering use cases, and they said, hey, why don't you take a stab at writing a proposal for the schema, which I did, and so CycloneDX 1.5? This, I just did a two hour...
B: So again, I have, you know, tons of data, and I have SLSA data, attestations, I've got evidence, I've got, you know, information from GitHub, I've got tons of things, and many things we do, we build with Tekton, so I needed a way to capture the build pipeline, the CI/CD pipeline, if you will, and of course I've been a follower of Fresca since the beginning, so I'm a big Tekton fan.
B: This was part of Knative Build and its ability to perhaps, you know, create those attestations and actually capture them, but also capture the runtime stack below it. So how do I capture Tekton, Tekton triggers, pipelines, tasks, Kubernetes, maybe container runtimes, Kubernetes below it, all configurations down to hardware, because we have customers, federal customers, that need SBOMs that have the entire runtime stack inclusive. So, you know, we have a lot of complexity. So typically a CI/CD pipeline concept is common.
B: Travis, Jenkins have these concepts; Tekton has kind of taken it to the next degree. So let me try to show a picture. So you basically have triggers. You have events that trigger the pipeline, so you can grab the source code. You can grab the people and events and things that actually trigger the build in an automated fashion. You have a series of tasks that are conditionally executed. They typically are run as containers.
B: You have workspaces that are shared, and each of them passes outputs and inputs to downstream tasks. And, of course, it's not pictured here, there are evidence lockers and things that produce not just logs but actually perhaps SLSA attestations from Sigstore, in-toto records, attestation records, etc. But, you know, we need a way to capture all these things, and I mentioned the complexity can be quite large. So how do I do this in an SBOM when I have pipelines that are very complex?
B: I'll just give an example: one of our products in IBM has three layers of builds to create one product, with a total of 400 build steps, 400 tasks, and a lot of... In addition, they run parallel pipelines at different points to check, to run AI fuzzing, to do, you know, scanning, sniffing, and a whole bunch of things, and if I wanted to show everything, that I did my due diligence to build that one product out of 2200 products that we actively produce, how do I give that to a federal customer?
B: How do I do that within the context of CycloneDX? So here's what I'll show you, pictures worth a thousand words. So basically there's a... This, I didn't want to do that. Let's see, the bar is coming up, I think. So here's the schema in a nutshell, so I thought I'd show you the schema.
B: So basically, within the formula, you can define components, tools, services that took part or participated in the CI/CD process to either build, scan, anything that touched your build or was part of a task, and bring in the components and describe them, and if you're familiar with CycloneDX, these are parallel, but these are separate from the components and services that are part of the actual subject of the build. These are actually the components or resources that participated in creating the subject component.
B: So in terms of workflows, again, you'll see a lot of, you know, Tekton or Jenkins familiar semantics, so workflows are actually tasks themselves. So it's kind of an inheritance model: workflows are comprised of a series of tasks, and there's task dependencies, there's a graph that maintains the graph between dependencies, and there's a set of workspaces that are shared workspaces between the tasks, and of course there's a trigger, and the trigger has events and things that cause the trigger to activate, to cause the build to happen, and you basically have timestamping for every workflow and for each task. You can see, again, workspace is exciting, you can see, yeah, you can describe the volumes and you can describe how they were mounted and all sorts of things.
B: If you want to do those things in terms of task dependency or tasks themselves, we could look into those. You'll see a lot of duplication, but you have different task types. You can describe, using tagging mechanisms, what your task was doing, so you can do searches through your workflow, basically, to determine which tasks were doing certain activities, like, did you do a scan? Did you do this?
B: Where did you do that? You can actually dive into the SBOM and do XPath type queries or JSON jq mechanisms into the final SBOM to figure out where those tasks lived and what things they touched and what they did. In terms of, you also have things like steps, so you have your trigger definition, what triggered the task, so every task gets triggered.
B: There's conditions to trigger the task, since there's conditional logic in the pipelines, so yeah, you can actually describe the events and the conditions that existed, this much like a policy enforcement point, if you're familiar with general security policy enforcement. You can describe those things here, etc. So, I mean, I'm somewhat trying to blow you away, but basically this is what you need for SLSA level three plus compliance, and this is the framework that we designed to hang the data on. So, to make it real...
B: Let me make it real. So I haven't done a lot of work with this since mid-May, but I promised to write a guide on how to do this in CycloneDX, so I took a basic Tekton build of an application, which is a Java Spring Boot application, and it's comprised of a pipeline that builds the application. In terms of, there's an event: a developer does a push to a repo.
B: Perhaps, if this is a release or, just a normal developer push to him, and you basically can kick off a pipeline that fetches the repo, and GitHub provides a webhook to do that, and you can actually build, you know, fetch the repo, you can actually do a Maven build on it. You can use Buildah to build the application into a container image. You can actually, the next... This application actually does use kubectl to actually deploy it to a running Kubernetes instance.
B: So it does a live update of the application as it's built. This is true cloud native, this is true cloud native continuous delivery, right. So how do we do that? How do we represent these things in, like, a CycloneDX workflow? So in general, conceptually, you'll see the concept of your formula, your components and services. You have a workflow, or in this case we're describing one contiguous workflow. It's made up of a bunch of tasks and you can list the tasks, you know, A, B, C, D here in this diagram.
B: So let me show you how we do it. So here's the subject to build, this, the Spring Boot application, so this is the metadata. That's the component we're building. We describe that in terms of formulation data. We have to describe the Tekton resources. So, you know, we've talked about Istio, everything in Kubernetes has basically resource definitions, how you declare them. You have pipeline run, task, runtime and trigger runtime components.
B: You have to describe all these things, your moving parts that take place in the pipeline, and, you know, basically how you map these things to the schema. So in terms of formula. So, for example, you have components, so in terms of Kubernetes Tekton, you basically have these tasks. For example, you have, well, you have a pipeline itself, which does the clone, build, push, deploy pipeline, and you have an event listener. So this is the event that GitHub provides, that we have as our webhook.
B: Basically, that triggered the pipeline, we have a trigger template. Here's a trigger that receives the event, decides whether to kick off the thing, kick off the CI pipeline. We have a persistent volume claim, so basically our workspaces are backed by PVCs or actual volumes, and we have things like the tasks. We have a git clone task. We have a Maven task.
B: We have a Buildah task, so we can define these components in the context of the formula. In terms of runtime components, you can see an example of the actual stack, so Kubernetes itself. You can actually have an entry in the component saying it was built on Kubernetes, and you can describe the component, the Kubernetes component, where you grabbed it from, the distro. So in this case, there's many places that you can install Kubernetes from, so I picked this one from Google. So, basically, you know, it pulls the code down.
B: Also, in terms of Tekton, you need to pull down two parts of Tekton to build it. You need the pipeline stuff itself, which is inclusive of tasks, as well as the trigger. So you have to define your Tekton component. You define your Tekton triggers as well, and where you got it from. I got the containers from Google storage, from Tekton releases, and I have my Tekton tasks themselves that I can describe, so I can define all these things in terms of a workflow, and here's the trigger, for example. I can describe the trigger itself, and these include input parameters, output parameters. They include attestations and evidence. You can describe any type of inputs to a black box task and the outputs, and you can actually point to them either, if they're in your SBOM, you can point to them externally, or you can actually point to them as a BOM-Link.
B: So if you have another BOM that describes that component, you don't have to inline it. You can actually say, here's the BOM for Kubernetes, here's the BOM for whatever, and just point to it. So I don't know how deep I should go for the audience here, but I'm just trying to say that the goal here was to try and show you that SBOMs...
B: You know, many people, you know, in the open source, are at the stage of, like, let's just get a BOM created, but in terms of, you know, where we're headed with government and with even the recent ransomware things that happened over the last weekend, I saw lots of talk shows on the federal government and financial institutions, because a lot of our products are built on open source: Kubernetes, Tekton, Istio. We use the mesh stuff. We use Kubeflow for building our AI models, etc. It's all open source that, you know, we're gonna...
B
You know, the people who use it, either they're going to fork it and create it themselves, or the open source projects themselves have to step up and start creating this type of data, and I'm just happy that, generationally, as SPDX 3.0 with a security profile has some footprints for this, with build BOM, and that, you know, regardless if you're doing hardware, building hardware, or AI models, or, you know, SaaSBOMs, or, you know, any type of manufacturing BOM,
B
they can capture your entire SLSA 3 compliant workflow in CycloneDX 1.5 very soon, because now I can go back to my internal customers and say you have all this data. I can tell you exactly where to put it in the context of your build and all the tasks, so each task that produces evidence can actually, you know, annotate that I produced the attestation, and I can point to Sigstore and the transparency logs and things like that from Sigstore, etc.
B
So I'll stop, and it's a fire hose and there's a lot here, but I just wanted to raise awareness, to be informative, and again, a lot of the guide hopefully will come out by end of July. This is one of the examples I'm working on, but you can actually represent a simple makefile, a manual makefile build where your event is just a person, you know, kicking off a makefile and those types of things, and it can do complex data models.
B
You can actually record the workflow for how you trained your model data, what prompts you used, and, you know, the same framework could just describe all those things, and as we go forward, the machine learning with ChatGPT and the uproar around generative, you know, transformer models and things like that, and foundation models that are coming out en masse, there will be more and more data, and we need a logical framework to hang the data in and be inclusive in the overall process.
B
A
B
Yeah, so, you know, Tekton Chains. My great hope, and that's why I'm interested, in my onset is, you know, I followed Tekton as well as in Canada, and when technology I saw Nebraska I was like, I was Oliver, I attended every work group that I could, when I had meetings from the small team of developers, but, you know, in a Fresca, you know, maintains, you know, but I was hopeful that Tekton and Tekton Chains were, their goal is to produce SLSA attestations.
B
So it's all inclusive, that this design, first and foremost, is my top level. Use case was to include Fresca.
B
But there's different viewpoints. So let me give you an example. So Fresca is the Tekton viewpoint. So that's your workflow runtime. So it has a view. It has this attestation. It only has a certain view. It knows what comes into the pipeline and perhaps what was produced by tasks in the pipeline, but it doesn't know what goes before, and this is the same problem SLSA has with, you know, SLSA source stuff. So in terms of, you know, IBM, you know, our Tekton, our Fresca, runs on something called Tool
B
chains, and Toolchains runs on different hardware and software environments. It runs on z/OS and it runs on different Power environments. It runs on bare metal, and it also uses, instead of using ephemeral keys like SPIRE keys that Fresca uses, it uses hardware keys or KMS keys if you use a cloud provider. So you need to be able to capture things that are outside the scope of Tekton, and you can do those things as well in terms of a general workflow.
C
A
B
But, you know, it's, but, you know, I'm at the same point. I mean, if you're aware, I mean, I created an SBOM utility which I support, validating SPDX and CycloneDX both, as well as doing, I added some diff capabilities and some other things, vulnerability capabilities, and I do a lot more other things, and I wasn't creating an SBOM. So a couple months ago I decided to grab, I think our Snyk friend was mentioning the one I grabbed for Golang. It was a
B
It was a plug-in, I created a GitHub Action, I'm generating some very basic, you know, CycloneDX SBOMs for my own utility, but they're, I mean, they're still very rudimentary. You know, in terms of tooling, it's all about making sure the tools operate together. You know, all the tools operate in tandem, so you can't just create one utility to rule them all for all languages. You know, even in the old days and going forward, you'll have different types of BOMs, build BOMs and MBOMs,
B
whatever types of BOMs you might have, that the tools all have to understand how they work in a toolchain together against the same data set, and the most important thing, like I said, is this framework. If I have data that's coming in from different views, from different tools, I need to know where to put my data in context, right, and that's why this formulation and build BOM stuff is really important.