Software composition and dependency management

Developing an open source license compliance project : our trials, tribulations and achievements

D.dependency
Pierre Marty
This talk aims at presenting our trials and tribulations, as well as our achievements, in designing a compliance software project for open source licenses.

"Are all module licenses in our software project compliant with each other?" Many of our customers have asked us this question even though they already had a plethora of software solutions (not always FOSS software) dealing with this topic. This surprised us and led us to seek out the cause of their uncertainty. We then discovered that many solutions only look for potential risks and provide reports that are both too detailed, from the legal point of view, for practical use by an engineer, and too technical for practical use by a lawyer.

As engineers are bound to do, we thought there might be a technical solution to this and launched a project. As engineers launching a project are bound to do, we encountered a few hitches and made some discoveries along the way.

Today, here we are to show off the problems we encountered and how we overcame them, but also to mention that we are open to your contributions (on technical matters or just suggestions).
The features of the project are mainly conditioned by our clients:
- the ability to process a variety of unstructured inputs (zip archives containing code, GitHub or GitLab repositories, dependency manager package lists, and various hypertext links to libraries);
- the requirement of preserving corporate code confidentiality, whether in SaaS or on-premise;
- outputting a very structured and human-readable report listing actual non-compliances and potential ways to solve them;
- designing the strategy for integrating our open source software compliance project with CI/CD processes;
- and one feature not conditioned by clients: our product owner decreed that there could be no false negatives in non-compliance detection.

After a first PoC based on pre-existing code analysis tools (OSS Review Toolkit, licensee, ScanCode...), we understood that some roadblocks would remain if no improvements were made. It is not about reinventing the wheel, but moving from wood to rubber. So we made a new PoC including machine learning, and the results are much more promising. We will release it very soon under the AGPL v3 license.

Additional information

Type: devroom

More sessions

2/6/22 - Software composition and dependency management - D.dependency

Devroom organization team
The devroom intro by the devroom organization team!

Philippe Ombredanne
Package URLs are a compact way to identify software packages across multiple ecosystems. Together with the new "vers" Version Range Specifier, these two mini specs will offer a new way to create new, mostly universal dependency resolvers and installers, working across ecosystems.

Ana Jimenez Santamaria
Legal Risk Mitigation is one of the three main functions of an OSPO (https://github.com/todogroup/ospodefinition.org), a designated place where open source is supported, nurtured, shared, explained, and grown inside an organization. OSPOs often oversee aspects of a company's open source license compliance process and supply chain as one of their first activities. The responsibilities include:
- Maintaining open source license compliance reviews and oversight
...

Kouki Hama
The management of SBoM (software bill of materials) is very important for companies to comply with the OpenChain specification. The latest features of SW360 support the management of license obligations and the management of SBOMs in SPDX format. In this presentation, I will introduce and demonstrate the features of SW360.

Maximilian Huber
Granted that software composition and dependency processing are very relevant for software engineering, the presentations have pointed out how such processing is embedded into the activities of an organization. We would like to gather feedback about what the current status of adoption and integration looks like.

break

Marta Rybczynska
A Linux distribution is a great playing field for testing tools for vulnerability scanning. It is an even better playing field if it includes more operating system kernels, like the Eclipse Oniro project does. Eclipse Oniro targets the Internet of Things (IoT) domain, where fixing security issues is critical.

In this talk, Marta is going to present a return on experience of scanning for known vulnerabilities (CVEs) in the Eclipse Oniro project. The presentation is going to start with an ...