So, welcome everybody to our CheckTalk series, another session. Today I'm really glad to welcome here Maya Costantini and Fridolin Pokorný from the Artificial Intelligence Center of Excellence group. They will be talking about Project Thoth. And if you have any questions, you can write them in the chat or you can use the Q&A section. There will be time for your questions and the answers, so don't hesitate to ask anytime. And if you want to check the links in the slides and everything, then you can go to the meeting details here in the Google Meet and there is a link to the slides. That's all from me. Maya, over to you. Thank you.

No problem. Thank you. Okay, so now we're going to present exactly what we do. So, next slide please. So, who are we? We are Project Thoth, also called the AI DevSecOps team. So, the project started in 2018 as a research project within the AI Center of Excellence at Red Hat, which is part of the Office of the CTO organization. So, you can find more about us on our website, which is thoth-station.ninja. And you can also follow us on YouTube, we have a YouTube channel called Thoth Station, and also on Twitter. So, you have here a list of our current team members. So, what is our mission? So, our main purpose is to help Python developers develop healthy Python applications and also to help people with an interest in Python in the data science and artificial intelligence fields. So, our project has multiple parts. So, you can see a few of them in the slides. So, for example, we have the AICoE CI, which is a CI that builds container images. And we have different tools like Dependency Monkey and jupyterlab-requirements. It's also about a Python index called Pulp, and we also provide analysis for container images. So, you can find all the details about those project parts in the links which are in the slides. But today we are going to introduce you in particular to our Python cloud resolver. So, the agenda of the meeting is the following.
So, first we will introduce you to our resolver. And then we will tell you about the benefits of solving your dependencies in the cloud, to know your entire environment and your Python dependencies. And then we are going to talk to you about Thamos, which is our CLI tool to use the Python cloud-based resolver. And then we will conclude this presentation with a short demo on how to use Thamos to manage vulnerabilities in your Python software stack. So, now I'm going to let Frido introduce you to how the cloud Python resolver works.

Thanks, Maya. So, in the upcoming slides you will see the underlying pieces, how the resolver works and what it can offer to you. At the end, as Maya said, we will have a short demo. So, prepare your Linux terminal with a Python interpreter ready and we will go together through the demo. So, the Python resolver is very similar to Pipenv or Poetry. So, it resolves dependencies and produces a lock file for you. The difference is that it's not just a resolver, but it's a recommendation engine for Python applications and Python libraries. So, when you use it, you get information about the libraries that you use and also recommendations on how these libraries work, also information about communities and things like that. The resolver is implemented using gradient-free reinforcement learning methods. So, we run temporal difference learning in production. If you are interested in technical details, feel free to follow our documentation, which will walk you through all the parts of the resolver and the design decisions that we've made. The resolver itself runs in an OpenShift cluster and we expose an API that is available to users, and we provide a client tool that is called Thamos that can talk to this API, can talk to the cloud resolver and manage your dependencies and your project on your local machine. The tool is called Thamos and it provides you commands to interact with Thoth.
If you take a look at what is sent to Thoth, the cloud resolver accepts the requirements of your application together with optional constraints on your dependencies, and then information about your runtime environment such as the operating system that you use, the Python version and other information such as the base container image that you use, or eventually CUDA if you do GPU computation. This is on the software layer, but the resolver itself also accepts information on the hardware layer, so you can provide information about the CPU that you use and also the GPU, and in that case the resolver will do the resolution specifically for your hardware. Besides that, the resolver also accepts static source code analysis, so it can behave differently based on the parts of libraries that you use. The last input is called the recommendation type and that states basically your intention with the application. The resolver can resolve application dependencies to the latest possible versions following the version range specifications in the dependency graph, but you can ask the resolver to resolve, let's say, a performant set of dependencies, or a stable set of dependencies, or a secure set of dependencies. The last one we will see in the demo. So these are the inputs and, as stated, the resolver gives you back a lock file, meaning all dependencies locked down to a specific version, together with a justification, and that's something that tells you why these dependencies should be used and why they were recommended to you. Okay, so this was more like the resolver's input and output. The resolver itself is designed in a pluggable way so people can plug their knowledge into the resolver and can change how the resolver will behave in certain situations. This pluggable interface is called prescriptions and it provides a declarative interface to the cloud resolver.
In fact these prescriptions are just YAML files that are automatically consumed by the resolver's main deployment, and these YAML files are available on GitHub, so we host them under the thoth-station/prescriptions repository. Anyone can contribute to this repository and provide their knowledge about Python dependencies or the runtime environments they use, and then the resolver automatically takes these prescriptions and resolves application dependencies to the best known application dependencies. So these prescriptions state how the desired dependency resolution should look. If you are more interested in this concept, feel free to check our documentation, which is also linked from the prescriptions repository. Let's have a look at an example. So imagine that your application uses pillow and numpy. It is known that pillow in version 8.3.0 does not work with numpy, so if users install these two libraries together they get a runtime error that can be seen on the slides. This can take some time to debug, so people need to find out how to avoid such an issue, and if the resolver directly provides dependencies that do not suffer from this issue, then developers can focus more on delivering applications. So on the slide you can see an example prescription that states, in a machine-readable form, that if pillow in version 8.3.0 is going to be resolved together with numpy, then the resolver marks that step in the resolution process as not acceptable and will try to find another resolution path, so that people do not have this issue in their application dependencies. This was an example on the Python layer. The resolver can act differently based on, for example, the RPM packages that you have on your system, can act differently based on the Python interpreter version or ABI that is available in the runtime, or on other libraries such as CUDA or MKL. These prescriptions provide a central place to state how the resolution process should look, and this is something that is in the cloud.
When it comes to users, they provide requirements, as stated before, and all the inputs that were mentioned in one of the previous slides, so information about the runtime environment, in a configuration file called .thoth.yaml. These additional options to the resolution process provide additional inputs, and if you do not provide them, the resolution process can still be generic and very similar to the resolution process done by pip or Pipenv. So now I will hand it over back to Maya.

As stated before, we also provide security guidance for your Python applications, so you can visit the docs present in the link in the presentation for more information, but basically, for example, we provide guidance based on static source code analysis, so for example by generating abstract syntax trees of source code to generalize it, and we also use knowledge such as the vulnerabilities present in the Python Packaging Authority (PyPA) advisory database, which is a database of known vulnerabilities for Python in particular, and we also use security scorecards generated by the Open Source Security Foundation, as well as other tools which are not directly related to security but can help assess the quality of your software. So now we will do a short demo of Thamos and we will show you with a simple example how Thamos can help you manage vulnerabilities in your Python applications. So I'm going to share my screen. So I shared the link to the tutorial and let's have a look at it. Okay, can everyone see it? Yes. Okay, thank you. So what we're going to do now is see how Thamos can help you see a vulnerability in a simple application that we implemented, which is a simple version of Conway's Game of Life, if you know the game. So you can have an overview of what Thamos can do with thamos help, and you should see here the different commands that are available.
So we have a configuration file which is called .thoth.yaml, where it states for example your operating system version and your Python version and the recommendation type you would like to have. So the default recommendation type is latest, so it means the latest versions of dependencies are chosen for your application stack. So what we're going to do now is ask Thamos for advice on our software stack application, so I will do thamos advise. So okay, here you can see several things. So apart from the warnings, you can see a table which is the application stack guidance, which has different types of information and warnings with a message that can give you some advice. So for example on what predictable stack we have available for you, and different things, just to see more information about this message, and you can also see the recommended stack report. So for each dependency name you have different information and warnings about, for example, some vulnerabilities or issues that you could have on these dependencies. Okay, so now we're going to install the dependencies with thamos install. So here you can see the file. Okay, so as you can see we have different dependencies like click, pillow and pygame. So now what we can do is run the game just to see how it works, so we'll do thamos run game of life. Okay, so now we can see, I hope, the game interface. So the Game of Life, I don't know if you're familiar with it, but it's just selecting a few first individuals and then letting them reproduce over several generations according to some rules. So here you have an example; now we'll show you later how you can detect vulnerabilities in the dependencies of this game. So you can also have an overview of what Thamos has done by typing thamos log, which will show the logs of the resolution process.
Okay, so now the part where we introduce a vulnerability to see if Thamos will detect it. So what we'll do is pin pillow to a version that has a known vulnerability, which is 8.0.0, so we add this to our dependencies. So you can see it has been added here, and now we'll ask Thamos for advice, so I will do thamos advise, and now it shows the recommendation type security, because it was set to latest as a default. So now it's doing the resolution. Okay, so now what you can see at the bottom of the terminal is that pillow could not be resolved because you asked for a secure software stack and the dependency version you wanted has a known vulnerability. As you can see here, it was found with the PyPA advisory database, and so now you can't resolve your application software stack. So what you can do now to play the game is revert to a version that does not have any known vulnerability, so I think this is the latest version of pillow, which is 9.0.0. Okay, so now it just changed back to a correct version, and now you can do thamos run game of life and you can see that you can play the game again; now it's working properly.

One note in relation to that: so you saw that pillow was pinned to a specific version that had a vulnerability. If Maya had not pinned that specific version, the resolver itself would find a vulnerability-free version of pillow, if that would be possible based on the dependency graph of the application.

Okay, so I think that was it from the demo. Do you have any questions?

Okay, thank you Maya, thank you Frido. I don't see any questions in the chat nor in the Q&A. Anybody can ask now. The thing I would like to know is how many prescriptions do you have and in what area are the most?
So the prescriptions repository itself has more than 62 000 prescriptions. They come from different sources, so you can find information that was aggregated from PyPI, for example information about maintainers. You can also find information that is calculated based on open source security scorecards, but you can also find prescriptions that are specific to packages. I think the most prescriptions can be found for the package tensorflow, where there are prescriptions to fix tensorflow issues or resolve tensorflow specifically for CUDA environments and things like that.

Okay, thank you. So we have a question from Jiří Podivín: what kind of gradient-free algorithm are you using?

It's temporal difference learning.

Can you write it in the chat please? Thank you. Okay, another question from me: I'm curious how many contributors you have. I think anybody can put in a prescription, so do you have the number?

The number of contributors to prescriptions, we can check it. So we have 10 contributors, but one is a bot, I don't know if that counts.

Yeah, you can count everybody. Okay, another question from me: what kind of research projects are we working on for artificial intelligence, can you give some examples?

So this project was a research project, and as for other projects, I think there is a group that is trying to optimize network interface cards and the power consumption of these network interface cards, I think Sanjay works on that. Then we had AIOps, and still have, so people that are analyzing logs of OpenShift clusters. And another, let's say, research project that was in the AI Center of Excellence was Data Hub. So these are, I would say, the largest ones, maybe, at least that I'm aware of.
Interesting, thank you. Some other questions? You can also raise your hand and ask directly if you want. Okay, sounds like that's all. Thank you again, both of you, it was a very interesting presentation. Thank you everybody for joining. The last thing I have for you is, if you can find a few minutes of time to give us some feedback on this series, I will give you the link in a few seconds. Hopefully here is the form. Thank you again everybody, enjoy the weekend and see you at the next session of the CheckTalk series. Thank you. Thank you.