Re: [uk-wg] OpenChain Webinar Today: Software and Network Security Special 06:00 PST / 14:00 UTC / 15:00 CET / 19:30 IST / 22:00 CST / 23:00 KST + JST


Steve Kilbane

In yesterday's webinar, I asked a question about how ARM approached scanning when there are many dynamic dependencies; Sami gave _an_ answer, but I think I wasn't clear, and Sami was answering a different interpretation from the one I intended. I did attempt to clarify after the call on Slack, but Shane suggested posting here. Here's what I put on Slack, and I can expand if it turns out that I'm still muddying the waters…

"Thanks for the response Sami. I think I wasn't clear in my question during the call, but I didn't want to take up extra time, and your response was interesting anyway. :-) In an attempt to rephrase: It's one thing to say "open source must be scanned as it's brought into the org" if you're talking about the open source developers want to use, but with Node.JS, pulling in a single package that the developer wants to use might also bring in hundreds of additional, transitive dependencies that the developer doesn't really care about (React being a classic example). A minor change to the application might change those hundreds of dependencies to a different set of hundreds of dependencies. Do all of those get scanned, too? Are you blocking the developers from using the packages until the scanning is done, or is there a continual background queue of inbound open source that gets scanned asynchronously from the developers' usage?"

steve
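As an added example, not part of Steve's message or of any OpenChain or Arm tooling: a script that diffs the packages installed by two package-lock.json files (lockfileVersion 2/3 layout, where "packages" is keyed by node_modules path) and reports the packages newly introduced by a change, i.e. the inbound open source a scanner has not yet seen. The two lockfiles below are constructed samples, not real React dependency trees.

```python
import json

# Constructed sample lockfiles: a direct dependency bump from react 17 to 18
# changes the transitive set underneath it (deliberately tiny for illustration).
LOCK_BEFORE = json.dumps({
    "name": "app", "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"react": "^17.0.0"}},
        "node_modules/react": {"version": "17.0.2",
                               "dependencies": {"loose-envify": "^1.1.0", "object-assign": "^4.1.1"}},
        "node_modules/loose-envify": {"version": "1.4.0", "dependencies": {"js-tokens": "^4.0.0"}},
        "node_modules/js-tokens": {"version": "4.0.0"},
        "node_modules/object-assign": {"version": "4.1.1"},
    },
})
LOCK_AFTER = json.dumps({
    "name": "app", "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"react": "^18.0.0"}},
        "node_modules/react": {"version": "18.2.0", "dependencies": {"loose-envify": "^1.1.0"}},
        "node_modules/loose-envify": {"version": "1.4.0", "dependencies": {"js-tokens": "^4.0.0"}},
        "node_modules/js-tokens": {"version": "4.0.0"},
    },
})


def installed_packages(lock_text):
    """Return {(name, version)} for every package the lockfile installs, direct or transitive."""
    lock = json.loads(lock_text)
    result = set()
    for path, entry in lock.get("packages", {}).items():
        if path == "":  # the root project entry describes the app itself, not a dependency
            continue
        # Nested installs look like node_modules/a/node_modules/@scope/b; the package
        # name is everything after the last "node_modules/" segment.
        name = path.rsplit("node_modules/", 1)[1]
        result.add((name, entry["version"]))
    return result


def scan_delta(old_lock_text, new_lock_text):
    """Packages present only in the new lockfile are the ones that still need scanning."""
    before = installed_packages(old_lock_text)
    after = installed_packages(new_lock_text)
    return {"new": sorted(after - before),
            "dropped": sorted(before - after),
            "total_after": len(after)}


if __name__ == "__main__":
    delta = scan_delta(LOCK_BEFORE, LOCK_AFTER)
    for name, version in delta["new"]:
        print(f"needs scan: {name}@{version}")
    print(f"{len(delta['new'])} new of {delta['total_after']} installed; "
          f"{len(delta['dropped'])} dropped")
```

Run against the lockfile committed before and after a change, the "new" list is the asynchronous scan queue the question describes, and its size relative to "total_after" shows how much churn a small application change actually produces.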

From: uk-wg@... <uk-wg@...> On Behalf Of Shane Coughlan
Sent: 07 March 2022 10:41
To: OpenChain Main <main@...>
Cc: OpenChain UK <uk-wg@...>; OpenChain India <india-wg@...>; OpenChain Germany <germany-wg@...>
Subject: [uk-wg] OpenChain Webinar Today: Software and Network Security Special 06:00 PST / 14:00 UTC / 15:00 CET / 19:30 IST / 22:00 CST / 23:00 KST + JST

Join us for a discussion around the software and network security topics you should keep front of mind during these unusual times. All welcome:

06:00 PST / 14:00 UTC / 15:00 CET / 19:30 IST / 22:00 CST / 23:00 KST + JST

Shane Coughlan

OpenChain General Manager

+818040358083
