►
From YouTube: Security Tooling WG Meeting (May 4th, 2021)
Description
Meeting Minutes here: https://docs.google.com/document/d/1DoB7zgtLsP-JGF77ASkHV7UMofTE2wseniexaa6Q4M8/edit?usp=sharing
Jonathan Leitschuh and Jonathan Schneider talked about what they've done with automated pull requests to fix security issues.
A
B
D
Sure
yeah
I'm
right
now.
I've
found
myself
in
as
a
co-founder
of
a
company
dealing
with
the
automated
source
code,
refactoring
style,
preserving
type
of
wear
sort
of
stuff.
So
it's
kind
of
right
up
this
alley.
It's
we
used
to
do
like
framework,
migrations
and
vulnerability,
patches,
dependency,
changes
and
so
forth.
C
C
E
A
So
all
right,
so
I
gave
this
talk
previously
at
a
conference
called
get
up
nova,
which
was
a
private,
get
up
stars
only
event,
so,
but
the
titleist
talk
is
called
creating
thousands
of
pull
requests
to
fix
the
open
social
security,
voter
religious
scale
hi.
My
name
is
jonatha,
I'm
a
software
security
engineer
at
and
security
researcher,
I'm
currently
at
gradle.
Why
do
I
do
this
sort
of
thing?
I
have
adhd.
A
A
Let's
start
we're
gonna
start
with
the
first
one,
which
is
a
jvm
ecosystem,
vulnerability,
which
is
the
use
of
http
to
download
your
dependencies
either
in
maven
palm
files
or
gradle
build
files,
but
this
yeah
the
java
ecosystem
before
2020
the
the
january
1st
2020
a
huge
number
of
projects
for
using
http
to
resolve
their
dependencies.
The
other
vulnerability
was
a
a
vulnerability
to
code
code,
generator
called
jhipster.
A
Where
there
were
one
point,
there
were
15
000
repositories
that
got
across
github
with
this
generated
code
in
it
that
was
had
this
vulnerability,
and
I
found
the
vulnerability
in
the
code.
Generator
grab
the
code
generator
fixed,
but
there
were
still
all
these
generated
projects
that
that
were
vulnerable.
A
So,
let's
start
with
the
jvm
ecosystem
used
of
hdp.
This
is
a
you
know,
classic
man
in
the
middle
attack
of
your
supply
chain
components,
the
build
two
major
build
tools.
Java
are
for
the
java
ecosystem
or
maven
gradle.
Neither
of
them
do
any
sort
of
artifact
verification
by
default.
So
basically
the
only
verification
that
you
have
that
you're
actually
resolving
the
components
you
asked
for
is
tls
right,
like
you
know,
guarantee
that
that
nobody's
monkeying
with
your
connection
between
the
server
and
you.
A
A
While
it
was
in
flight
and
then
dropping
in
this,
like
you
know,
swing
component
that
popped
up
saying,
you
didn't
serve
your
jars
with
ssl,
so
of
course
cats.
So
I
you
know
in
2019
started.
I
found
this
bit
of
code
in
my
repository,
I'm
like
where,
where
did
this
bit
of
code?
Come
from?
What
I
found
is.
I
had
actually
copied
this
code
from
one
of
my
dependencies,
their
source
code,
I'm
like
okay,
so
I
reported
to
them
and
then
I'm
like.
A
Let's
look
at
some
quick
examples
of
where
this
vulnerability
can
exist
in
gradle
files.
You
can
have
it
in
your
build
script.
Can
you
see
my
mouse
yeah?
I
can
see
it
okay,
so
you
can
have
it
in
your
build
script
block.
This
scope
is
dependencies
that
get
resolved
into
the
gradle
build,
which
is
like
the
thing
it's
the
it's.
A
These
are
like
plugins
for
gradle
to
change
gradle.
This
is
your
repositories
block
for
actually
dependencies
to
your
compiler
and
are
loaded
on
the
fastpass
for
tests.
So
this
is
not
the
build,
but
this
is
just
like
the
application
that
you're
building
that
you're
going
to
produce
either
your
like
android
application
or
your
war
or
whatever,
and
then
this
is
where
you
have
uploading
of
artifacts
right.
A
So
these
are
the
three
plain
main
places:
you'd
find
it
in
gradle
in
maven,
you
have
the
repositories
block,
and
this
is
you
know
dependencies
of
like
where
again,
the
compiler
and
loaded
on
the
class
pass
for
tests.
This
is
distribution.
Management
which
is
used
for
publishing.
Dependencies
also
has
credentials,
and
this
is
repo
plugin
repositories.
This
gets
loaded
into
ma.
These
are
dependencies
that
get
downloaded
and
run
in
maven
as
as
plug-ins.
E
A
No,
those
are
usually
in
settings
files,
but
you
usually
so
for
if
you're
reading
these
things
in
okay,
for
here,
usually
the
user,
repo
username,
reaper
password,
those
are
usually
read
in
from
environment
variables
or
properties,
and
like
that
you
I
mean
it's
not
on
it's,
not
not
to
say
that
people
don't
just
drop
code
in
there,
but
most
often
it's
fed
in
from
one
of
those
external
sources.
Okay,
so
we're
moving
vulnerable,
the
jet
brains,
the
close
foundation,
gradle
red
hat
kotlin
jeff
spring.
A
You
know
all
these
projects,
oracle,
the
national
security
agency,
linkedin
stripe.
All
of
these
projects
have
this
vulnerability
in
their
open
source
projects.
I
made
a
bit
of
bug
mounting
money
from
a
couple
of
these
companies.
A
lot
of
them
didn't
pay
me
a
thing,
and
I
you
know
it
was
a
large
large
project,
so
I
reached
out
to
sauna
type,
which
is
the
biggest
house
in
the
mavenik
system
and
said
hey.
A
This
is
a
vulnerability
I'm
finding
everywhere
what's
going
on
and
they
reported
back
after
a
month
of
looking
at
their
data
that
25
of
the
sonar
type
maven
central
downloads
were
still
using
http
as
of
april
2019.,
and
I'm
like
great,
let's
fix
this,
so
I've
pushed
forward
a
proposal
yeah.
How
can
we
fix
this?
So
I
push
forward
a
proposal
on
or
around
january
15
2020.
A
All
I
contacted
all
these
artifact
servers
and
said:
hey,
let's
fix
this
together,
let's
shut
off
the
use
of
http
like
not
a
redirect,
but
like
full,
stop
like
you
will
get
a
500
or
whatever
right
like
you,
won't
get
a
302
or
301
redirect
like
it.
Just
you
know,
doesn't
work
and
all
of
these
different
artifact
servers
that
are
the
biggest
ones
in
the
supply
chain
for
the
javascript,
all
just
full
carte
blanc
said
no
stop
like
stopping
requests
that
support
http,
and
this
actually
worked.
A
You
know
I
saw
some
like
very
confused
stack
overflow
posts
on
the
day
that
things
shut
down
but
yeah.
Yes,
broken
software
broken
software
everywhere.
So
what
about
everybody
else?
So
these
are
the
biggest
right.
These
are
the
biggest
artifact
servers
right,
maybe
central
j
center
spring
right,
but
there
are
other
people
that
are
relying
upon
artifact
servers
that
are
like
you
know.
My
company
or
jenkins
has
their
own
artifact
server.
There's
like
a
bunch
of
different
companies
that,
like
or
eclipse,
foundation
right
eclipse
foundation.
A
I
couldn't
get
to
to
drop
hdb
support.
They
still
haven't
dropped,
http
sport
they
do
a
redirect
now,
which
is
whatever
so
enter
codeql,
so
github
bought
semi,
which
is
now
codeql,
and
when
I
saw
it,
I'm
like
I
previously
been
doing
this
research
with,
like
github
fuzzy
searches,
huge
pain
in
the
keystore
like
github
search
functionality.
A
A
If
you
look
for
this
query,
you
can
just
see
pages
and
pages
and
pages
of
this
vulnerability
on
in
open
source
software
across
github,
but
this
still
left
thousands
of
projects
vulnerable.
So
we've
gotten,
like
you,
know,
shut
it
off
at
the
source,
fix
it.
You
know
or
detect
it,
but
how
do
we
actually
fix
this?
So
I
said:
okay,
like
I've.
I've
done
you
know.
I
I've
written
this
code
to
a
query.
Let's
use
it
to
like
actually
fix
all
these
vulnerabilities
right,
like
they're,
open
source,
kill
them
in
fire.
A
A
You
know
complex,
regular
expression
to
do
this,
but
once
I
had
the
regular
expression
working,
I'm
like
okay,
like
now,
let's,
let's,
let's
see
if
I
can
write
a
bot
to
do
both
pull
request
generation
and
so
the
github
security
lab,
has
a
bug,
bug
slayer
program
and
I
figured
okay.
They
had
a
program
where,
if
you
fix
so
the
first
one
was
write,
a
query
submit
a
query
and
we'll
pay
you
money
for
it
right.
They
have
a
that
was
the
all
for
one
one
for
all.
A
A
I
figured
there
were
17
000
repositories
with
a
vulnerability,
so
you
do
a
little
bit
of
math.
It's
like
you
know
a
million
dollars
worth
of
like
bug
monthly
payout,
potentially,
which
is
not
not
not
actually
didn't,
actually
happen,
but
you
know
I
figured
math
right.
So
how
did
I
build
this
thing?
I
used
the
hub
cli
python,
pi
github
and
pi
yeah
pi
github.
A
I
used
async
io
to
do
like
a
lot
of
things
synchronously
in
python
and
then
one
very
annoying
regular
expression
and
a
lot
of
bouncing
off
the
rate
limiting
api
for
github
and
yeah
generated
thousands
of
pull
requests
to
fix
this
one.
I
think
I
generated
1
596
pull
requests
for
this
particular
project
and
github
took
paid
me
to
that.
A
So
how
did
I
find
this?
I
ended
up.
I
was
looking
into
a
while
ago
the
use
of
random
string
utils,
which
is
an
apache
commons
lang,
3
library,
to
generate
random
strings
in
a
security
sense
of
context
right
so
like
in
passwords
in
activation
keys
in
reset
keys
right.
So
when
the
reset
key
is
in
this
case
right
like
that,
when
you
do
password
reset
right,
I
need
to
reset
my
account.
A
A
Utils
from
apache
commons
line,
three
uses
an
insecure
c,
insecure,
random
regenerator
on
generator
under
the
hood,
and
I
found
this
code
and
I'm
like
you
know,
I
kept
finding
the
same
code
everywhere
and
I'm
like
what
what
is
going
on
here.
I
eventually
found
out
it
was
coming
from
a
code
generator
right.
So
this
is
the
sensitive
one
right
right
generate
reset
key.
A
This
is
the
reset
key
for
resetting
somebody's
account
and
when
you
search
for
this,
this
class
right
utility
class
for
generating
random
strings,
which
is
indicative
of
this,
this
jhipster
code,
it
came
back
with
14
000
results.
Unfortunately,
github
search
limitations
there's
no
way.
There's
it
only
returns.
The
first
1000
results,
even
with
page
nation
and
there's
no
known
way
to
slice
the
data
with
additional
search
parameters
to
get
you
more
information,
so
special
thanks
to
chris
gavin
and
arthur
bars.
A
I
actually
just
talked
to
github
and
said:
hey.
I
have
this
limitation.
Can
you
get
me
a
bigger
list?
Apparently
there's
some
hard-coded
limit
of
a
thousand
results
and
they
actually
like
changed
the
code
of
github
and
like
were
able
to
run
a
query
and
like
gave
me
this
data,
and
so
that
gave
me
9
000
repositories,
a
list
of
right,
9000
repositories,
and
I
imported
these
9000
repositories
into
lgm.com.
A
To
then
run
my
query
against
and
find
all
the
vulnerable
instances.
So
how
will
we
rewrite
the
code?
So
this
is
where
we
enter
with
jonathan.
So
I
was
looking
for
a
solution.
Our
one
of
the
things
that
I've
been
playing
with
is
okay,
like
the
first
time
I
did
this,
I
used
a
regular
expression,
but
we're
actually
changing
code,
this
time
right.
This
is
actual.
A
Like
you
know,
and
and
and
even
though
it
was
generated
by
a
code
generator,
it
may
have
different
formatting
and
if
it's
different
formatting
it's
going
to
have
a
much
more
difficult
time
getting
accepted
by
the
maintainers.
So
how
do
I,
how
do
I,
and
also
like
I,
don't
want
to
write
a
regular
expression
for
this
thing?
A
So
how
do
I
do
this
in
like
a
sane
way,
and
thankfully
I've
spoken
to
jonathan,
he
worked
at
gradle
before
we
had
a
lot
of
conversations
about
this
and
I'm
like
how
do
we
do
this
together
in
a
constructive
way?
So
I'll?
Let
you
take
it
away
for
a
demo
of
rewrite
so
before
we
bring
it
back
to
me
but
yeah.
Let
me
unshare
my
screen
and
you
can
take
over
john.
D
D
There
were
about
700
engineers
and
two
of
us
trying
to
get
700
engineers
to
do
something
big,
like
the
big
like
cultural
imperative.
There
was
freedom
and
responsibility
which
meant
the
product
engineers
could
do
whatever
they
wanted.
As
a
central
team,
you
could
not
put
any
gate.
Employees
could
break
their
bills,
couldn't
anything
like
that
right,
so
they
want
to
use
something
different.
It
was
up
to
them.
D
That
means
that
there's
700
engineers
there's
you
know
1
000,
100
different
styles,
and
you
know
it's
just
like
you
know
it's
all
over
the
place.
So
we
worked
on
building
a
lot
of
reporting
tools
originally
trying
to
surface
issues
to
help
them.
You
know
understand
where
we
were
they
needed
to
make
changes,
but
you
know
we're
engineers
and
you
know
unless
it's
gonna
like
break
we're,
not
gonna
do
anything.
D
D
D
Like
john,
that
says,
I
have
a
sort
of
brief
video
here
that
shows
some
of
these
technologies
and
what
I'm
going
to
show
is
actually
a
view
of
running
rewrite
recipes
from
a
nascent
sass
that
that
that
my
company
creates,
but
all
the
rewrite
recipes
themselves
are
open.
Source
apache
license
can
be
applied
to
your
build
plugins
and
other
sorts
of
workflows
as
well.
Cool
just
gives
it
an
easy
way
to
to
demonstrate
it.
D
D
D
B
D
F
D
Back
awesome,
cool,
yeah
yeah.
So
what
if
I
wanted
to
find
a
particular
method
pattern
you
know
say,
like
I,
you
know
in
this
case
I
was
looking
for
a
particular
occurrence
of
of
that
random
string
utils,
because
the
abstract
syntax
tree
that
we're
operating
on
is
is
type
attributed,
we're
able
to
actually
accurately
identify
the
calls
like
in
this
case
like
make
dirs,
but
we
know
that
this
receiver
type
is
a
type
java.io.file
and
that's
essential
to
not
get
a.
D
D
Actually,
so
you
know,
we
have
an
abstract
syntax
tree
for
xml
for
yaml
for
properties,
but
we
can
layer
on
top
of
those
additional
models
of
what
that
xml
means
or
what
that
yaml
means
in
this
case,
here's
an
example
of
actually
looking
for
the
junit,
which
is
a
unit
testing
library
in
the
java
ecosystem,
on
the
compiled
class
path.
So,
in
other
words,
this
testing
library
is
going
to
be
shipped
with
main
code
and
ran
in
production,
which
is,
I
think,
not
intended.
D
I
think,
there's
commonly
vulnerabilities
and
unit
testing
libraries
that
you
know
that
would
make
them
sort
of
like
an
undesirable
thing
to
have
on
your
runtime
class
path.
And
here
you
see,
you
know
neo4j,
which
is
a
common
graph
database
in
the
java
ecosystem,
leaks
the
junit
onto
the
runtime
class
path
of
any
of
its
users,
and
so
it's
kind
of
whoops
right
test
dependencies
don't
belong
in
the
app.
D
D
A
Yep
yes,
coming
up.
This
is
the
the
diff
of
the
change
that
rewrite
did
as
an
example.
So
you
can
see
it's
adding
a
new
import,
adding
new
code
in
the
right
place,
changing
the
this
new
or
generating
this
new
method
and
then
changing
all
the
calls
to
that
old,
vulnerable
method
to
use
this
new
method-
and
you
know
again,
syntax,
preserving
all
that
stuff
and
the
result
of
this
was
for
the
jvm,
so
results
of
my
polarquest
generation.
A
I
haven't
checked
the
newest
numbers
these
were
from
when
I
one
was
no
no
2020,
it
was
like
no
november
or
december
of
2020.
So
for
the
jv
ecosystem
use
of
http,
I
generated
1
596
pull
requests.
As
of
november,
there
had
been
422
merged
and
147
closed.
A
lot
of
those
closed
ones
are
were
closed
because
they
were
merged,
but
like
the
maintainer
merged
self
cloak
like
merge
themselves
and
then
close
them
and
then
for
the
j
hipster
one.
It
had
been
relatively
recent.
A
So
even
it
had,
you
know
the
first
one
I
did
it
and
it
had
been.
You
know,
11
months,
the
second
one
I
time
this
up.
I
did
it
in
september
and
then
I
was
presenting
this
in
november,
and
so
there
were
3
880,
pull
requests
and
and
56
merged,
so
it
hadn't
been
very
long.
Also,
a
lot
of
the
hipster
ones
were
like
one-off
projects.
I
did
get
a
couple
of
like
you
know.
A
I
was
basically
going
for
like
wide
because
I
knew
there
was
going
to
be
some
some
legitimate
projects
in
the
noise,
but
it
was
really
hard
to
identify
the
legitimate
projects.
A
lot
of
the
j
hipster
ones
were
one-off
projects,
though,
like
the
people
just
generated
it
tested
out,
jhipster
and
stuff
like
that,
but
I
did
you
know
get
some
of
those
like.
You
know,
projects
that
were
actually
using
it
and
that
actually
cared
so
there's
some
lessons
learned
from
bulk
pull
request.
A
Generation,
lesson
learned
number
one
sign
off
on
all
generated
commits
this
will
significantly
increase
the
likelihood
that
prs
will
be
accepted,
because
most
people
have
a
cla
requirement,
and
this
you
can
also
just
sign
off
and
that
you
know
that
that
solves
a
lot
of
those
issues
have
fun
with
it
live
stream
it,
which
is
what
I
did.
Yes,
so
I
live
stream.
When
I
do
when
I
do
pull
floor,
press
generation,
I
live
stream.
It
I
invite
people
to
come
in.
A
I
you
know,
I
have
fun
with
it
like
I,
you
know
things
break
live.
You
know
my
computer
overheats
just
yeah
create
some
sort
of
save
state
because
I
my
bot
failed
and
so
knowing,
where
it
failed
and
then
being
able
to
pick
up
and
not
regenerate
pull
across
that
already
been
generated.
That's
a
really
good
thing
to
have
yup.
There
exists
a
max
writes
per
second
api
limit
on
github.
A
That's
like
very
hard
to
find
quote
if
you're,
making
a
large
number
of
post
patch
put
or
delete
requests
for
a
single
user
or
client
id
wait
at
least
one
second
between
each
request.
This
is
the
biggest
rate
limiting
the
late
rate
limiter
that
I
have
for
generating
pull
requests,
yeah
so
yeah.
I
have
I've
run
headlong
into
this
and
it's
annoying,
but
you
know
what
github
that'll
prevent
spam.
A
So
yeah,
one
of
the
things
that
I
learned
that
I
did
not
know
kernel
task
on
mask
mac
exists
as
a
software
hack
to
the
cpu
overheating
problem.
It's
kernel
test
using
500
of
your
cpu
to
prevent
it
from
catching
fire.
Yes,
I
actually
learned
this
running
obs
and
my
bulk
full
aircraft
generation
at
the
same
time
makes
a
hot
cpu
don't
fork.
1
000,
1
500
projects
against
your
personal
account.
That
was
my
account.
They
fixed
that
yeah.
A
So
for,
but,
like
my
account,
my
if
you
went
to
jlight
github.com
j
lights,
you
most
of
the
time,
I
would
get
the
angry
unicorn.
If
this
page
is
taking
too
long
to
load,
they
have.
They
have
fixed
a
lot
of
these
things
and
my
page
now
loads
much
quicker
and
I
don't
get
the
angry
unicorn
most
of
the
time,
but
I
learned
not
to
fork
things
against
my
personal
account
because
of
this
just.
A
A
Will
get
there
live
streaming
and
running
this
bot
on
the
same
machine
will
cause
cpu
overheating
yup.
I
actually
use
an
ice
pack
underneath
my
machine
in
order
to
keep
my
cpu
cool
forking.
Thousands
of
repos
with
hub
will
cause
name
collisions.
This
is
the
this
is
to
answer
your
question
so
because
you're
forking,
thousands
of
repos,
if
you
have
hub,
doesn't
like
if
you
hit
the
fork
button
in
github,
it'll
automatically
rename
it.
If
you
have
name
collisions
when
you
use
the
hub
cli
command,
it
doesn't
rename
collisions.
A
So
how
do
you
solve
that
problem
solution?
Rename
the
repository
after
creation?
That
adds
another
right.
This
requires
a
second
right
operation
for
every
repository,
so
I
didn't
do
that.
What
I
did
do
was
create
35
bulk
security
generation
projects
or
organizations
against
github.
So
I
have
35
organizations
and
I
failed
over
subsequently
to
each
organization
to
generate
the
fork
against,
and
so
yes,
this
is
the
number
of
organizations
that
I
have
assigned
to
my
account.
A
I
have
35
organizations
that
were
just
the
subsequent
failover
of
this
won't
fork,
because
there's
a
name
collision
all
right.
Try!
The
next
organization
in
line
and
so
yeah
yup
that
answers
your
question.
It's
terrible,
but
it
works.
One
of
the
things
that
I
learned
is
do
not
click
enable
all
on
dependable
alerts
or
depend
depend
about
security
updates
after
you've
done
this
to
your
account,
because
you
will
end
up
with
a
boatload
of
spam
against
your
notification.
Feed
yeah,
my
notification
fee
died.
A
A
Your
personal
account
like
create
some
some
other
account.
Do
it
through
it
from
a
like,
do
it
from
an
independent
I
I
will
probably
do
again
do
this
again
against
my
personal
account,
because
I
like
the
identification
of
like
this,
was
me
and
also
like
I
get
the
notifications
and
stuff
like
that,
but,
like
so
github
has
also
so
hear
me.
There's
there's
been
yeah,
so
this
this
project's
been
actually
run
more
than
just
those
two
times.
A
Github
actually
used
my
bot
to
fix
cve
2020
this
one
right
here
that
was
found.
It
was
a
an
array
overflow
in
a
it
was
an
r
hostname
overflow
that
had
a
cert
advisory,
and
so
they
generated
1885
pull
requests
using
a
github
bot
account
using
my
my
polar
press
generator
that
code's
not
in
this
repo,
but
they
you
know
they
have
utilized
my
bot
in
the
past
to
also
fix
security.
Vulnerabilities
like
this
as
well,
so
you
know
github's
also.
A
I
mean
I
don't
know
how
often
they're
gonna
use
it,
but
they
haven't.
You
know
taken
advantage
of
this
technology
as
well
so
and
each
project
that
I
have
that
I
do
this
thing.
I
just
throw
another
file
in
there
and
it's
you
know
it's.
The
fix
is
specific,
but
the
engine
underneath
it
is
generic
to
like
how
do
you
generate
pull
requests
and,
like
you
know
here,
add
an
add,
a
method
for
the
hook
for
all
right.
This
repo
exists.
What
change
do
you
need
to
make
to
it
so
yeah
yep?
E
E
B
C
A
So
the
actual
work
to
add
another
like
so
what
I
use
for
rules
are,
I
I've
used
lgm.com
and
they
have
a
json
output
which
they
they
hand
me.
I
write
the
query
they
say
hey.
Can
you
give
me
all
these
results
and
they'll
hand
me
this
massive
json
file
with
here
all
of
the
repositories
and
the
files
that
we
found
this
vulnerability
in
right?
So
that
gives
me
the
repo
name
and
the
file
right,
the
file
impacted
and
potentially
even
the
line,
but
I'm
I
I
didn't
deal
with
individual
lines.
A
I
just
said:
okay,
this
file
is
vulnerable,
let's
fix
wherever
it
is
in
the
file,
because
I
might
be
forking
it
in
the
future.
Slightly
past,
when
the
code
12
query
was
run
against
the
repository
and
the
repository
might
have
changed
so
the
first
step
is
just
identifying
the
files.
Now
that
I
have
the
files
from
all
of
that,
my
engine
takes
all
those
files
and
then
you
have
a
generic
method,
which
is
here's,
this
file
that
exists
change
it
and
so,
for
you
know,
I
guess
it's
from
there
jonathan.
D
A
And
then
he
threw
awesome
part
of
it
was
that,
like
I
didn't,
run
it
inside
of
this
engine.
I
actually,
he
just
said:
here's
an
end
he's
a
gcp,
endpoint
post,
the
file
to
this
endpoint
or
post.
The
contents
of
this
file
to
end
point
it'll
respond
with
changed
files,
so
I
I
just
like
shot
it
up
to
gcp
and
then
he
gave
it
back
to
me
and
it
came
in
a
fixed
state
and
I
just
wrote
it
to
the
file
system.
So
I
didn't
you
know
it
kind.
D
A
E
Yeah,
but
that
that
actually
was
more
or
less
my
question,
you
know,
there's
that
phrase
you
know
to
errors.
Human
to
automate
errors
requires
a
computer.
You
know
how
do
you
test
this
so
that,
before
you
start
generating
a
million
pull
requests,
you
have
a
fairly
good
confidence
that
the
whole
thing
is
actually
generating.
E
A
I
tested
against
one
or
two
repos
and
then
I
just
like
go
I'll.
Let
it
rip
this
spot
jack.
You
know,
but
yeah
it's
it's
I
I
so
I
run
the.
I
run
the
body
of
the
pull
request,
like
the
message
by
xavier
at
github
to
make
sure
that,
like
I'm,
not
gonna
get
flagged
for
like
abuse
right.
So
I've
got
a
lot
of
contact
inside
of
github
to
make
sure
that,
like
hey,
I'm
gonna.
Do
this
right
like
don't
like.
A
D
Show
you
actually
it's
just
easier
to
see
the
like,
there's
a
pretty
elaborate
testing
harness
for
the
actual
rewrite
recipes
themselves.
So
here's
like
a
unit
test.
Actually
that
demonstrates
a
change,
the
a
test
for
change,
method,
name
and
you
get
to
specify
the
recipe
the
before
text.
This
is
what's
kind
of
wild,
even
in
the
ide.
It's
syntax
highlights
the
little
unit
test
that
you
have
running
here
and
then
you
can.
D
D
G
A
So
I
just
had
a
conversation
with
the
github
team
about
this.
They
are,
they
just
put
a
check
in
for
github
actions.
That
means
that
if
you're
the
first
time
contributing
to,
if
you
have
action
or
to
a
repository
that
uses
github
actions,
a
maintainer
has
to
explicitly
sign
off
on
the
first.
The
first
change
because
they've
been
dealing
with
so
many
issues.
D
E
G
I
wouldn't
be
a
one-time
thing
yeah,
it
would
be
a
case
of
like
okay.
I
think
I've
got
something
that
I
want
to
to
do
this
for
submit
to
a
small
percentage.
Wait.
You
know
perhaps
several
days
for
enough
people
to
have
clicked
that
button,
that
you
can
be
confident
that
things
are
generally
passing
and
that
no
one
has
said
hey.
This
change
is
crazy
back
to
you
yeah
and
then
go
wide.
A
I
had
one
so
the
big
push,
the
one
of
the
biggest
pushbacks
that
I
got
against
the
the
http
downloaded
dependencies
maven,
one
that
I
got
was.
I
was
not
checking
to
see
if
the
server
that
I
was
changing,
the
url
to
actually
supported
https
and
people
were,
I
mean
that
was
one
of
the
biggest
things
that
I
got
pushed
back
on
and
my
response
to
most
of
them
were
that's.
I
just
fixed
the
code
right.
A
That
has
a
vulnerability,
but
you
need
to
go
and
contact
the
maintainers
that
server,
because
the
server
clearly
is
not
you
know
the
server
not
supporting
https
is.
Is
your
vulnerability,
so
talk
to
your
main,
like
this
is
consider
this
the
impetus
to
go
talk
to
the
maintainer
of
whatever
dependency
server
you're
using
to
say
this.
You
know
you
need
to
be
supporting
https.
E
A
Yeah,
I
also
support,
so
I
say
that
I
support
this
in
my
in
my.
I
have
a
very
long
long
description
of
the
pull
request
and
I
say
if
you
want
to
be,
if
you
want
to
opt
out
of
pull
both
pull
request
generation
like
this
drop,
a
dot,
github
dot,
gh
dash,
robots.txt
file
into
your
repository
and,
like
I
won't
generate,
and
so
I
don't
have
support
for
robots.txt.
A
A
D
It
yeah
you're
right
yeah,
one
one
thing
that
hasn't
been
said
about
both
pr
generation
here,
which
is
interesting,
I
think,
is
that,
unlike
when
you
do
this
sort
of
manually,
when
you
do
an
effort
like
this
manually
in
open
pr,
it's
like
it
could
be
an
exhaustive
amount
of
work
to
go
actually
open.
It
all
up
open
all
those
pr's,
and
then
you
think
how
many
people
are
gonna,
actually
action,
these
things
in
a
reasonable
period
of
time.
D
A
D
F
D
D
You
know
and
that's
like
it's
that's
that's
kind
of
the
thesis
right
is
it
like
I
mean
like
maintainability
is
destiny
and
code.
It
used
to
be
optional.
I
think
when
I
go
back
to
like
working
for
an
insurance
company
20
years
ago,
we
had
like
a
lot
of
on-prem
software
that
like
ran
on
websphere
and
could
still
look
very
legitimately,
be
running
today.
D
But
now,
when
you
develop
software,
it's
all
integrated
with
third-party
libraries
with
apis
and
so
forth,
and
if
you
don't
keep
it
current,
it
just
ceases
to
function.
So
at
this
point,
in
2021
code
at
rest
ceases
to
function
and
yeah.
It's
you
know
so
now,
you're
on
the
hook
for
that
maintenance.
You
know
whether
you
want
to
or
not.
A
A
Like
you
know,
I
realized
that
jay
hipster
was
like
one-off
projects,
a
lot
of
those,
but
I'm
looking
at
some
more
vulnerabilities
that
are
kind
of
more
widespread
in
like
components
that
are
not
tests
right
but
like
are
actually
in
core
components
of
like
the
java,
like
code
flow
and
I'd
like
to
automate
the
process
around.
Like
you,
I
I
sent
you
this
pull
request.
A
F
There
are
dangers
there
as
well,
because
there's
a
pattern
someone
can
search
for
then
the
bad
guys
can
search
for
it
as
well-
and
you
know
if
you're
talking
about
software,
that
people
have
got
deployed
somewhere,
then
they're
not
going
to
actually
update
everything
immediately
and
let's
go
okay.
Let's
look
to
see
what
these
guys
are
doing.
Oh
they
fix
these
things.
How
can
we
abuse
them
before
they
get?
You
know
all
the
fixes
roll
out.
A
So
one
of
the
things
that
I'm
thinking
about
in
that
area
is
this
is
like
real.
It's
really
awkward,
because
again,
a
circular
researcher
but
you're
finding
vulnerabilities
this
kind
of
scale.
One
of
the
things
that
I
am
leaning
towards
potentially
doing
in
the
future
is
tying
this
into
github
sponsors.
D
C
A
I'm
concerned
about
the
direction
of
github's
integration
of
codeql.
I'm
sorry,
I'm
sorry
gray,
because
gray's
is
a
manager
at
github.
So
he's
hearing
me
say
this:
I'm
concerned
about
the
direction
of
of
of
of
coach
well
being
like
conglomerated
into
github,
because
currently
the
best
way
for
me
to
do
my
open
source
security
research
is
so
in
lgtm.com.
A
You
can
import
each
project
that
you
want
to
run
queries
against
one
by
one
by
one
and
in
order
like
so
in
order
to
import
the
thousands
of
projects
that
I
do
to
find
vulnerabilities
at
scale.
I
have
written
a
bunch
of
scripts
that
use
the
api
for
the
user
interface,
which
is
on
an
internal
api
to
bulk
import
like
the
entire
apache
organization,
into
my
account,
so
that
I
can
run
queries
against
it.
Right
github
who
works
at
github
like
people
github
can
run
their
queries
against
all
projects
but
like
for
us.
A
We
kind
of
have
to
hack
it
together
and
I'm
seeing
that
lgtm.com
is,
is
not
the
direction
that
this
coql
thing
is
going
in
terms
of
the
future
of
the
product,
and
I
see
the
stuff,
like
the
code
scanning
results
that
github
offers
per
repository
where
things
are
headed,
but
that
information
and
those
code
ql
queries
and
that
all
that
stuff
is,
is
specific
to
the
repository
and
is
not
in
a
place,
because
what
lgtm
does
is
they?
They
run?
They
compile
the
code,
they
save
the
database
and
then
they
have
a.
A
They
have
a
version
of
that
database
that
they
store
on
their
servers.
And
then
you
can
run
your
query
against
thousands
of
them
the
direction
that's
moving
towards
github
the
I
have
not
yet
seen
a
story
that
replaces
that
workflow
for
security
researchers
for
doing
security,
research
as
things
migrate
from
lgtm,
which
seems
to
be
less
and
less
of
a
priority
for
future
fixes
and
security,
improvement,
improvements
and
everything's
moving
towards
towards
moving
to
github.com.
A
H
It
a
bit
if
you
want
cool,
it's
basically
a
github
brought
semolin
in
2019
and
what
we
bought
was
mainly
a
variant
analysis
tool,
which
is
what
jonathan
is
talking
about
when
he
talks
about
kind
of
hacking
together
the
query
himself:
you
do
that
when
you're
like
looking
for
variants
of
sense
of
vulnerability,
it
wasn't
really
a
static
analysis
or
like
a
classic
sas
tool.
It
wasn't
something
that
people
ran
in
their
ci
sites
did
a
little
bit,
but
but
not
so
much.
H
The
first
thing
that
github
did
with
it
is,
take
it
and
say
like
okay.
Well,
we
want
to
take
the
goodness
of
this
and
have
it
as
something
that
works
out
of
the
box
as
a
more
like
standard
static
analysis
tool.
So
a
lot
of
investment
went
into
the
code
scanning
side,
which
is
running
on
every
commit
every
core
request:
servicing
results
there
not
as
much
went
into
integrating
functionality
around
variance.
H
Into
github,
but
that's
kind
of
just
the
phasing
thing
we're
reaching.
I
mean
we're
not
reaching
the
end
of
the
static
analysis
part,
but,
like
we've
done
the
big
heavy
lifting
on
getting
a
static
analysis,
integration
into
github,
we
built
out
the
flow
for
other
static
analysis
tools
to
submit
code
scanning
as
well.
H
The
next
big
thing
on
that
teams
list
is
building
out
the
query
console
from
lgtm
and
building
that
into
github
and
using
the
databases
that
open
source
either
generates
because
it's
running
static,
analysis
anyway
or
because
they've
been
pre-run
by
github,
making
those
available
in
a
query
console
we're
putting
together
those
plans.
Now
it's
not
entirely
clear
how
it's
going
to
run.
We
know
it's
going
to
run
on
the
info
on
the
actions
infrastructure
under
the
hood
to
do
the
scans.
It's
not
certain!
H
H
C
I
totally
understand
thanks
thanks
for
for
speaking
up
about
it
cool,
so
this
has
been
very
interesting.
Thank
you,
jonathan
and
jonathan.
I
really
appreciate
it
jonathan
schneider,
if
you
feel
up
to
it,
please
feel
free
to
to
come
in
and
join
these
meetings
in
the
future.
We're
trying
to
figure
out
the
best
ways
of
helping
everybody
and
rewrite
sounds
like
an
interesting
tool.
So
yeah.
A
A
Yeah,
thank
you
gray,
and
everybody
at
github
has
like
made
this
work
possible
to
begin
with,
like
you
know
like
I,
I'm
just
taking
advantage
of
a
bunch
of
apis
and
like
pulling
a
bunch
of
things
together
but,
like
you
know
all
this
infrastructure,
you
know
I'm
standing
on
the
shoulder
of
giants
so,
like
you
know,
well
we're
just
trying
to
help
yeah
other
people
do
cool
right.
That's
our
job
yeah
and
thank
you
jonathan
for
like
just
like
hey.
I
have
this
project.
E
Like,
first
of
all,
I
am
intrigued
by
by
this.
I
think
we
it
would
be
wise
for
us
to
think
about
what
I
mean.
What
is
important
enough
and
widespread
enough
to
approach
this
way.
I
proposed
in
the
notes,
a
thing
about
aura.
We
just
don't.
I
think
we
run
out
of
time,
so
I
would
propose
picking
that
up
next
time
so
that
they
have
a
chance
to
talk
as
opposed
to
just
hey.
You
got
60
seconds,
say
everything.
E
A
A
A
So
if
somebody
has,
you
know,
basically,
if
somebody
writes
the
rule
and
like
has
either
like
a
code
that
I
run
some
code
that
I
run
or
like
an
endpoint
that
I
can
hit
with
code
like
as
soon
as
that
exists,
I
can
run
and
like
a
list
of
projects
that
are
impacted
with
those
two
two
components.
I
can
you
know,
run
this
and
do
another
live
stream
and
have
a
blast
with
it.
Right,
like
you
know,
I
mean
yeah
yeah,
although.
E
D
Sure
one
of
the
biggest
I
think
I
mean
this-
is
at
a
different
scale.
I
guess,
but
I
mean
I'm
thinking
about
things
like
if
you've
heard
of
spring
boot,
like
that
project,
one,
the
one
dot
x
line
was
alive
for
seven
years
and
then
the
then
you
know
they've
released
2x
2x
lines
going
to
live
for
two
and
a
half
three
years,
and
then
it's
going
to
be
two
years
and
it's
going
to
be.
D
You
know
one
and
a
half
years
and
like
that's
a
pretty
tough
migration,
you
know
so
you
know
a
lot
of
people
say:
oh
it'll
take
us
two
months
three
months.
You
know
we
can't
do
that
every
year
you
know
like,
and
if
you,
if
you
fail
to
do
it,
then
you
know
the
next
time.
There's
a
cv
disclosed
on
you
know
spring
boot,
1x
have
fun
you're
on
your
own
right
and
that's
those
are
the
things
I
think
that
are
that.
Are
you
know
you
gotta
you
gotta
move
forward
right.
It's
not
optional
anymore.
D
E
A
Well
kind
of
I
also
think
that
there's
a
valid
I
mean
if,
if,
if,
if
it's
enough
of
a
problem,
right
like
there
needs
to
be
financial
incentives
to
say
this,
is
you
know
this?
Is
you
can't
be
doing
this
right?
Like
you
know
the
reason
that
cobalt,
like
people
keep
updating
cobalt
is
like,
because
you
know
like
there
is
so
much
financial
incentive
behind
don't
break
anything,
but
we
want
to
run
the
latest
version
of
cobalt
right
like
that.
That's
the
financial
incentives
that
exist
right.
There
is
not.
D
A
D
Can
move
forward
when
you
make
a
change?
You
know
it
it
propagates
across
the
code
base.
You
know
that
has
consequences
to
the
organization's.
Culture
leads
to
heavy
code
review
culture
which
does
slow
things
down
a
little
bit,
but
it
comes
with
the
significant
benefit
of
you
know,
keeping
things
moving
forward.
D
I
tend
to
look
at
the
world
as,
like
one
big,
you
know
repository
of
source
code
and
I
think
my
view
of
like
being
able
to
automate
source
code
transformation
is
that
you
know
it's
like
it's
like
an
eventually
consistent
monorepo.
It's
eventually
consistent
with
with
in
this
in
the
sense
that
people
you
know
merge,
basically
to
fix,
and
the
world
I
want
to
see
is-
is
basically
one
worldwide,
eventually
consistent
monorepo.
D
That
would
unshackle
us
from
like.
You
know,
whoops.
I
made
this
api
decision
five
years
ago,
but
you
know
I'm
now
faced
with
this
sort
of
like
impossible
decision,
whether
to
maintain
it
for
another
three
years
or
you
know,
hurt
my
my
user
base
or
you
know,
that's
so
it'd
be
nice
to
innovate,
about
that
cost.