Software Composition

Eclipse SW360

Web application for managing software Bill-Of-Material
SW360 is a Web application for managing the software bill-of-materials ("SBOM") of software projects and products. It is an Eclipse project licensed under the EPL-2.0 and is thus available to everybody as Open Source Software. The application has a Web UI and REST endpoints for entering or importing the SBOM from dependency or package management systems. In addition, the import of SBOM files in the SPDX format is supported. Based on the imported SBOM or on a software project, a range of functionality becomes available, such as management of vulnerabilities, license and trade compliance, or statistics about component usage. The submitted talk introduces and presents SW360.
SW360 is an open source software project licensed under the EPL-2.0 that provides both a web application and a REST API to collect, organize and make available information about software components. It establishes a central hub for software components in an organization. SW360 allows for tracking the components used by a project or product, assessing security vulnerabilities, maintaining license obligations, enforcing policies, and maintaining statistics. For example, SW360 can trigger a license scan process in the open source compliance tool FOSSology and import the resulting clearing report. Data is either stored in SW360's database or imported on the fly from external sources. In the future we plan to have federations of SW360 instances that share selected information. Besides its web-based UI, all functionality of SW360 is available through an API that allows integration into existing DevOps tools.

Additional information

Type: devroom

More sessions

2/7/21 - Software Composition - D.composition
Welcome to the Software Composition Analysis Devroom

2/7/21 - Software Composition - Thomas Steenbergen - D.composition
In this session we will provide an update on OSS Review Toolkit (ORT): which features have recently been added and what the ORT team is currently working on.

2/7/21 - Software Composition - Philippe Ombredanne - D.composition
This is a presentation of the latest features and updates in ScanCode toolkit and its companion projects.

2/7/21 - Software Composition - D.composition
FOSSology focuses on license compliance analyses. Recently, a number of new features have been published by the community to integrate better with software composition analysis. The presentation gives an introduction to the main relevant developments in this area.

2/7/21 - Software Composition - Alan Facey - D.composition
Software Composition Analysis (SCA) tools perform source-code analysis, comparison and identification of Open Source components. Sadly, none of the SCA vendors have embraced Open Source themselves: most of their tooling consists of proprietary code, and their OSS knowledge bases are also closed.

2/7/21 - Software Composition - Rose Judge - D.composition
Container and VM images contain many packages and are quite a challenge for composition analysis.

2/7/21 - Software Composition - D.composition
This very short slot is a placeholder between presentation groups, for questions to be asked and answered or simply to take a break.