Software composition and dependency management

How to manage OSS license obligations and SBoM by SW360's new features

D.dependency
Kouki Hama
<p>The management of SBoM (software bill of material) is very important for companies to comply with the OpenChain specification.The latest features of SW360 support the management of license obligations and the management of SBOMs in SPDX format. In this presentation, I will introduce and demonstrate the features of SW360.</p>
OpenChain ISO/IEC 5230 is the International Standard for open source license compliance. In the OpenChain specification, there are descriptions of SBoM management and OSS license obligations, and SW360 has features to help with both of these. SPDX is an open standard for communicating software bill of material information, including components, licenses, copyrights, and security references. This is also ISO standard (ISO/IEC 5962:2021). A new feature in SW360 is the ability to register, import, and export software component information according to the SPDX format, making it easier to integrate with other tools and manage information received from other companies. For managing OSS licenses in SW360, the information about license obligations can be imported from the OSADL (Open Source Automation Development Lab) web site. This OSDAL's web site provides a machine-readble summary of the main points of the OSS license in a form that anyone can get. (Licensed by CC-BY-4.0). New features in SW360 allows you to quickly import this OSDAL license obigation information into your company's SW360. The features introduced presentation may include some that are still under development.

Additional information

Type devroom

More sessions

2/6/22
Software composition and dependency management
D.dependency
<p>The devroom intro by devroom organization team!</p>
2/6/22
Software composition and dependency management
Philippe Ombredanne
D.dependency
<p>Package URLs are a compact way to identify software packages across multiple ecosystems. Together with the new "vers" Version Range Specifier, these two mini specs will offer a new way to create new, mostly universal dependency resolvers and installers, working across ecosystems.</p>
2/6/22
Software composition and dependency management
Ana Jimenez Santamaria
D.dependency
<p>Legal Risk Mitigation is one of the three main functions of an <a href="https://github.com/todogroup/ospodefinition.org">OSPO</a> (designated places where open source is supported, nurtured, shared, explained, and grown inside an organization). OSPOs often oversee aspects of a company’s open source license compliance process and supply chain as one of the first activities. The responsibilities include:</p> <ul> <li>Maintaining open source license compliance reviews and oversight</li> ...
2/6/22
Software composition and dependency management
Pierre Marty
D.dependency
<p>This talk aims at presenting our trials and tribulations as well as our achievements in designing a compliance software project for open source licenses.</p> <p><em>"Are all module licenses in our software project compliant with each other ?"</em> Many of our customers have asked us this question even though they already had a plethora of software solutions (not always FOSS software) dealing with this topic. This surprised us, and led us to seek out the cause of their uncertainty. We then ...
2/6/22
Software composition and dependency management
Maximilian Huber
D.dependency
<p>Granted that software composition and dependency processing are very relevant for software engineering. The presentations have pointed out how such processing is embedded into activities of an organization. We would like to gather feedback about how the current status of adoption and integration looks like.</p>
2/6/22
Software composition and dependency management
D.dependency
<p>break</p>
2/6/22
Software composition and dependency management
Marta Rybczynska
D.dependency
<p>A Linux distribution is a great playing field for testing tools for vulnerability scanning. It is even a better playing field if it includes more operating system kernels, like the Eclipse Oniro project does. Eclipse Oniro targets the Internet of Things (IOT) domain, where fixing security issues is critical.</p> <p>In this talk, Marta is going to present a return on experience of scanning for known vulerabilities (CVEs) in the Eclipse Oniro project. The presentation is going to start with an ...