4. INTERNAL
We transform automotive mobility
Why open source compliance tooling?
â· Because open source for open source: This is the way!
â Dogfooding
â· Free as in beer and freedom of course
â Code of course, but do not forget the data!
â· Key to enable right-sized automation for your open chain
â· Best-in-class tools in several areas
5. INTERNAL
We transform automotive mobility
Trends â The next(x) next ⊠next wave
â· Another wave of Compliance tooling creation and adoption underway
â 1st wave was inner source necessity
â 2nd wave was commercial applications
â 3rd wave was centered on license compliance and legal
â Next wave will be centered on developers and appsec
â Eventually balanced and holistic FOSS solutions
6. INTERNAL
We transform automotive mobility
Trends
â· Security is top of mind
â SBOMs are everywhere, but for what? Few can process them
â· And license compliance is not yet solved
â Still a lot of work left for automation
â Emerging scripting platforms to capture your pipelines
â Orchestrate many tools
â· Open data and data sharing will happen
â Everybody wants it, but also everyone wants to control it
â Centralized or decentralized?
7. INTERNAL
We transform automotive mobility
Trends
â· Software health, quality, sustainability are not yet on the radar
â· FOSS GUI/Web apps are still badly missing
â· Slowly the analysis of builds and binaries will displace source-only
scans
â· Dependency tracking is not yet solved at scale
8. INTERNAL
We transform automotive mobility
Trends - Best tools are FOSS
â· The leading tools are mostly FOSS first
â License detection
â Container analysis
â Package detection
â Dependency tracking and resolution
â· But BEWARE
â Lots of tools are shallow and look only skin deep
â Barely suitable for serious license or security work
â Do your homework and try the tools: they are open after all
9. INTERNAL
We transform automotive mobility
â· Vulnerability and package databases are the new rush
â Open or commercial vulnerability databases with supposedly
"premium" content
â But BEWARE of the data quality. Size DOES NOT matter.
â Made up packages, made up versions
â Not worth their price: Compare and include open solutions!
â· Every commercial tool now includes license data
â License data derived from package manifest is NOT ENOUGH
â Built-in policies are impractical: is GPL always bad??
Trends - Poor data quality
10. INTERNAL
We transform automotive mobility
PURL is emerging as the glue to avoid lock-in!
â Started to support package ids in ScanCode and VulnerableCode, now everywhere
â CycloneDX
â SPDX including just released GitHub SPDX SBOMs features
â Google OSV
â Sonatype OSSIndex
â New PurlDB, MatchCode
â Most FOSS tools such as ORT, Fosslight, DependencyTrack, Anchore, Tern and most of
the open (and proprietary) SCA and Infosec/Appsec tools
â Coming to the NVD in version 5.1!!
â Key vector for interop: if two tools speak PURL, integration is made easier
â Demand its adoption by your vendors and projects
Trends - PURL is the essential glue
11. INTERNAL
We transform automotive mobility
As PURL become visible, thereâs a new direct similar need
â As same way we did started classifications like CVE numbers, PURL package/component id
â Companies have projects that refers several metadata
â BOMâs files goes beyond Software
â Lack of tracking the entire project in a singular identification
â Demand appeared when the first modern BOMâs appeared on the sun
â No formal proposal exists
Trends â Single Project? Unique Identifier
12. INTERNAL
We transform automotive mobility
Insights - Share the data!
"I would like to have automation to avoid repeat work when re-running tools"
"Let's avoid re-running scans, share them and reuse them instead"
â Everyone wants to share and reuse data from scans, and origin and license data
â Speed up origin and license review
â Avoid redoing the scans and the same review either inside my org or across orgs
â But "It is hard to overcome lawyersâ objections to sharing data such as license conclusions
and curations"
â And how to trust the scans and curations? And deal with different policies and standards for
conclusions and curations? (specifically about licensing)
â What is the motivation and ease for public data sharing?
13. INTERNAL
We transform automotive mobility
Insights - Open the data!
â Open data (e.g., as in free and open licensed data on FOSS) are emerging
â The too big to share argument will not hold
â Eventually open, community curated FOSS package "knowledge bases" will become the
norm and supplant proprietary, closed source alternatives
â We should share raw scanners/tools outputs first
â We should fix upstream licensing issues, upstream
â The centralized approach does not work well
â Too big to share
â Out of date
â Lack of trust in centralized control
14. INTERNAL
We transform automotive mobility
Insights â Normalize the Data !
â Data should be centralized but not with the penalty of tool complexity
â Data need to follow some standards
â Logical data should be common but agnostic
â We decentralize the data as a single source of truth
â Decentralizing the data with a single gateway to every tool
â Give liberty of any developer how to use the data
â Give liberty of the owner of the data on how data is manipulated
15. INTERNAL
We transform automotive mobility
License and Vulnerability are like oil and vinegar
â Even if core process is code origin determination, constituents are not the same (yet)
â License folks care less about Vulnerabilities
â Security folks care less about Licenses
â FOSS projects that cater to both should provide differentiated documentation for each
audience
â Some core tools are the same, but users are different
â Expect a convergence of the two aspects in the future
â Until then, advice to OSPOs:
â Handle both domains
â But adapt your language to each constituent/persona
Insights - Licensing != Security?
16. INTERNAL
We transform automotive mobility
Multiple FOSS projects try to solve license compatibility
â FLICT, OSADL, Hermine Oniro
â Automating license conflicts/compatibility checks is a real problem at scale
â Projects may work together and eventually some conventions will emerge
â Key domains
â Help legal understand/zoom in on key license concerns
â What is the effect of multiple licenses?
â How to surface license compatibility issues
â Effective/resulting license inference and compatibility is a policy issue
â But tooling can automate the grunt work
Insights - License Compatibility
17. INTERNAL
We transform automotive mobility
â Does copying a snippet of code really matter?
â Have you looked at the big rocks first? e.g., whole libraries
â Are you ready to pay the price in time and/or cash?
Image credits: https://www.integrativenutrition.com/
Insights - Snippets and matching?
18. INTERNAL
We transform automotive mobility
â Domain has been abandoned by commercial vendors
â Snyk has spun off FOSSID
â Synopsys mostly abandoned Protex
â One new entrant with open source code but proprietary data: SCANOSS
â Snippets may not matter (too much)
â But AI/ML-generated code snippets anyone?
â Artificial general intelligence (AGI) will make snippets both more relevant and useless
at the same time when everyone can generate the same boilerplate derived from
everyone's code
â Yet code matching can speed up the analysis when done right (find big rocks first)
â Reuse previous analysis based on matching code: WIP with tools like MatchCode
Insights Snippets and matching?
19. INTERNAL
We transform automotive mobility
â SBOMs are everywhere
â GitHub can even create these directly from a repo
â But what about data quality (depth and breadth)?
â But what about using proper machine readable identifiers (license, PURL)?
â Hi-Fi or Lo-Fi SBOMs?
â Every tool creates SBOMs but then what?
â 2 out of 50+ folks were effectively consuming SBOMs
â Big gaps in tool-to-tool integration
â Too much over engineering, and under-specification
â Advice: Ignore the SPDX vs. CycloneDX feud and embrace both, with PURL
â Feel free to ignore SWID
â SBOM is just a reporting format
Insights â SBOM ?
20. INTERNAL
We transform automotive mobility
â Collaborate: License conflict/compatibility checking FOSS projects on data and
standards (Flict/OSADL/Hermine)
â Create: A live inventory of all FOSS tools and their capabilities
â Share: Approaches to dependency detection/resolution/processing
â Define: Evolve a standard/schema for tool-to-tool technical scan data sharing
â DATA: Exchange and curate data!
Follow up on collaboration opportunities?
21. INTERNAL
â· Special thanks for Phillipe Ombredanne for
providing the original content and the
mastermind of this talk.
â· The content as the spirit of OpenChain
project is licensed under CC-BY-SA-4.0
â· SST (Single Source of Truth) whitepaper:
https://heliocastro.info/draft/sst.html
CREDITS / REFERENCES