Software Composition

Tern and the State of Cloud Native Compliance

D.composition
Rose Judge
Container and VM images contain many packages and are quite a challenge for composition analysis.
Linux root filesystems, virtual machine disk and container images routinely contain thousands of system packages, application packages and other custom software components. Each of these components may have a different provenance, and may be modified or vulnerable. Such a large number of packages creates fertile ground for bugs, security and license issues to go unnoticed. Join me to discover approaches and FOSS tools to perform static composition analysis of a root filesystem, with specific techniques for container and Docker images or virtual machines, to uncover all the known and unknown third-party code they are composed of. With this knowledge, we can validate whether an image has been modified or tampered with, whether packages are subject to known vulnerabilities and what their licenses are: these are essential items to proactively vet and safely reuse these images and to safely build larger systems using them as a base.

Additional information

Type devroom

More sessions

2/7/21
Software Composition
D.composition
Welcome to the Software Composition Analysis Devroom
2/7/21
Software Composition
Thomas Steenbergen
D.composition
In this session we will provide an update on OSS Review Toolkit (ORT) - which features have been recently added and what the ORT team is currently working on.
2/7/21
Software Composition
Philippe Ombredanne
D.composition
This is a presentation of the latest features and updates in ScanCode toolkit and its companion projects.
2/7/21
Software Composition
D.composition
FOSSology focusses on license compliance analyses. Recently, a number of new features have been published by the community to integrate better with software composition analysis. The presentation shows an introduction of the main and relevant development here.
2/7/21
Software Composition
Alan Facey
D.composition
Software Composition Analysis (SCA) tools perform source-code analysis, comparison and identification of Open Source components. Sadly, none of the SCA vendors have embraced Open Source themselves, most of their tooling consists of proprietary code and their OSS Knowledge Bases are also closed.
2/7/21
Software Composition
D.composition
This very short slot is a placeholder between presentation groups, to allow questions to be asked and answered or simply to have a break.
2/7/21
Software Composition
Kate Stewart
D.composition
What is a software bill of materials, and why is there all the interest about it? In this session, a quick overview of the minimum viable fields to represent an SBOM, and efforts to help with automation of them.