SlideShare une entreprise Scribd logo
1  sur  18
Télécharger pour lire hors ligne
Copyright © nexB Inc. License: CC-BY-SA-4.0
“State of the Tooling”
in Open Source Automation
OpenChain German work group
Philippe Ombredanne, AboutCode.org nexB Inc.
Copyright © nexB Inc. License: CC-BY-SA-4.0
Philippe Ombredanne
► Project lead and maintainer for VulnerableCode, ScanCode and AboutCode
► Creator of Package URL, co-founder of SPDX & ClearlyDefined
► FOSS veteran, long time Google Summer of Code mentor
► Co-founder and CTO of nexB Inc., makers of DejaCode
► Weird facts and claims to fame
● Signed off on the largest deletion of lines of code in the Linux kernel
(but these were only comments)
● Unrepentant code hoarder. Had 60,000+ GH forks
now down only to 20K forks
► pombredanne@nexb.com irc:pombreda
Copyright © nexB Inc. License: CC-BY-SA-4.0
Why open source compliance tooling?
▷ Because open source for open source: This is the way!
● Dogfooding
▷ Free as in beer and freedom of course
● Code of course, but do not forget the data!
▷ Key to enable right-sized automation for your open chain
▷ Best-in-class tools in several areas
Copyright © nexB Inc. License: CC-BY-SA-4.0
Key trends (1) Time to retool?
▷ 3rd wave of Compliance tooling creation and adoption underway
● 1st wave was commercial
● 2nd wave was centered on license compliance and legal
● 3rd wave will be centered on developers and appsec
■ Eventually balanced and holistic FOSS solutions
▷ TODO: Review your existing approach and retool
Copyright © nexB Inc. License: CC-BY-SA-4.0
Key trends (2)
▷ Security is top of mind
● SBOMs are everywhere, but for what? Few can process them
▷ And license compliance is not yet solved
● Still a lot of work left for automation
● Emerging scripting platforms to capture your pipelines
■ Orchestrate many tools
▷ Open data and data sharing will happen
● Everybody wants it, but also everyone wants to control it
● Centralized or decentralized?
Copyright © nexB Inc. License: CC-BY-SA-4.0
Key trends (3)
▷ Software health, quality, sustainability are not yet on the radar
▷ FOSS GUI/Web apps are still badly missing
▷ Slowly the analysis of builds and binaries will displace source-only
scans
▷ Dependency tracking is not yet solved at scale
Copyright © nexB Inc. License: CC-BY-SA-4.0
Key trends (4) Best tools are FOSS
▷ The leading tools are mostly FOSS first
● License detection
● Container analysis
● Package detection
● Dependency tracking and resolution
▷ But BEWARE
● Lots of tools are shallow and look only skin deep
■ Barely suitable for serious license or security work
● Do your homework and try the tools: they are open after all
Copyright © nexB Inc. License: CC-BY-SA-4.0
▷ Vulnerability and package databases are the new rush
● Open or commercial vulnerability databases with supposedly
"premium" content
● But BEWARE of the data quality. Size DOES NOT matter.
■ Made up packages, made up versions
■ Not worth their price: Compare and include open solutions!
▷ Every commercial tool now includes license data
● License data derived from package manifest is NOT ENOUGH
● Built-in policies are impractical: is GPL always bad??
Key trends (5) Poor data quality
Copyright © nexB Inc. License: CC-BY-SA-4.0
PURL is emerging as the glue to avoid lock-in!
● Started to support package ids in ScanCode and VulnerableCode, now everywhere
○ CycloneDX
○ SPDX including just released GitHub SPDX SBOMs features
○ Google OSV
○ Sonatype OSSIndex
○ New PurlDB, MatchCode
○ Most FOSS tools such as ORT, Fosslight, DependencyTrack, Anchore, Tern and
most of the open (and prioprietary) SCA and Infosec/Appsec tools
● Coming to the NVD in version 5.1!!
● Key vector for interop: if two tools speak PURL, integration is made easier
● Demand its adoption by your vendors and projects
Key trends (6) PURL is the essential glue
Copyright © nexB Inc. License: CC-BY-SA-4.0
Key insights (1): Share the data!
"I would like to have automation to avoid repeat work when re-running tools"
"Let's avoid re-running scans, share them and reuse them instead"
● Everyone wants to share and reuse data from scans, and origin and license data
○ Speed up origin and license review
○ Avoid redoing the scans and the same review either inside my org or across orgs
● But "It is hard to overcome lawyers’ objections to sharing data such as license conclusions
and curations"
● And how to trust the scans and curations? And deal with different policies and
standards for conclusions and curations? (specifically about licensing)
● What is the motivation and ease for public data sharing?
Copyright © nexB Inc. License: CC-BY-SA-4.0
Key insights (2): Open the data!
● Open data (e.g., as in free and open licensed data on FOSS) are emerging
○ The too big to share argument will not hold
● Eventually open, community curated FOSS package "knowledge bases" will become
the norm and supplant proprietary, closed source alternatives
● We should share raw scanners/tools outputs first
● We should fix upstream licensing issues, upstream
● The centralized approach does not work well
○ Too big to share
○ Out of date
○ Lack of trust in centralized control
Copyright © nexB Inc. License: CC-BY-SA-4.0
License and Vulnerability are like oil and vinegar
● Even if core process is code origin determination, constituents are not the same (yet)
○ License folks care less about Vulnerabilities
○ Security folks care less about Licenses
● FOSS projects that cater to both should provide differentiated documentation for
each audience
● Some core tools are the same, but users are different
● Expect a convergence of the two aspects in the future
● Until then, advice to OSPOs:
○ Handle both domains
○ But adapt your language to each constituent/persona
Key insights (3) Licensing != Security?
Copyright © nexB Inc. License: CC-BY-SA-4.0
Multiple FOSS projects try to solve license compatibility
● FLICT, OSADL, Hermine Oniro
● Automating license conflicts/compatibility checks is a real problem at scale
● Projects may work together and eventually some conventions will emerge
● Key domains
○ Help legal understand/zoom in on key license concerns
○ What is the effect of multiple licenses?
○ How to surface license compatibility issues
● Effective/resulting license inference and compatibility is a policy issue
○ But tooling can automate the grunt work
Key insights (4) License Compatibility
Copyright © nexB Inc. License: CC-BY-SA-4.0
● Does copying a snippet of code really matter?
○ Have you looked at the big rocks first? e.g., whole libraries
○ Are you ready to pay the price in time and/or cash?
Image credits: https://www.integrativenutrition.com/
Key insights (5) Snippets and matching?
Copyright © nexB Inc. License: CC-BY-SA-4.0
● Domain has been abandoned by commercial vendors
○ Snyk has spun off FOSSID
○ Synopsys mostly abandoned Protex
● One new entrant with open source code but proprietary data: SCANOSS
● Snippets may not matter (too much)
● But AI/ML-generated code snippets anyone?
○ Will Artificial general intelligence (AGI) make snippets both more relevant and
useless at the same time when everyone can generate the same boilerplate
derived from everyone's code
● Yet code matching can speed up the analysis when done right (find big rocks first)
○ Reuse previous analysis based on matching code: WIP with MatchCode
Key insights (5) Snippets and matching?
Copyright © nexB Inc. License: CC-BY-SA-4.0
● SBOMs are everywhere
○ GitHub can even create these directly from a repo
○ But what about data quality (depth and breadth)?
○ But what about using proper machine readable identifiers (license, PURL)?
● Hi-Fi or Lo-Fi SBOMs?
● Every tool creates SBOMs but then what?
○ 2 out of 50+ folks were effectively consuming SBOMs
● Big gaps in tool-to-tool integration
● Too much over engineering, and under-specification
● Advice: Ignore the SPDX vs. CycloneDX feud and embrace both, with PURL
○ Feel free to ignore SWID
○ SBOM is just a reporting format
Key insights (6) SBOM, mehBOM?
Copyright © nexB Inc. License: CC-BY-SA-4.0
● Collaborate: License conflict/compatibility checking FOSS projects on data
and standards (FLIct/OSADl/Hermie)
● Create: A live inventory of all FOSS tools and their capabilities
● Share: Approaches to dependency detection/resolution/processing
● Define: Evolve a standard/schema for tool-to-tool technical scan data sharing
● DATA: Exchange data!
Follow up on collaboration opportunities?
Copyright © nexB Inc. License: CC-BY-SA-4.0
Credits
▷ Presentation template by SlidesCarnival licensed under CC-BY-4.0
▷ Photograph by Unsplash licensed under Unsplash License
▷ Other content licensed under CC-BY-SA-4.0
18

Contenu connexe

Similaire à “State of the Tooling” in Open Source Automation

Best practices for using open source software in the enterprise
Best practices for using open source software in the enterpriseBest practices for using open source software in the enterprise
Best practices for using open source software in the enterpriseMarcel de Vries
 
Conversation on Open Source - CU Boulder - Feb 2017
Conversation on Open Source - CU Boulder - Feb 2017Conversation on Open Source - CU Boulder - Feb 2017
Conversation on Open Source - CU Boulder - Feb 2017Jason Carolan
 
On making standards organizations & open source communities work hand in hand
On making standards organizations & open source communities work hand in handOn making standards organizations & open source communities work hand in hand
On making standards organizations & open source communities work hand in handBenjamin Cabé
 
Managing Open Source Software Supply Chains
Managing Open Source Software Supply ChainsManaging Open Source Software Supply Chains
Managing Open Source Software Supply ChainsnexB Inc.
 
[Workshop] Building an Integration Agile Digital Enterprise with Open Source ...
[Workshop] Building an Integration Agile Digital Enterprise with Open Source ...[Workshop] Building an Integration Agile Digital Enterprise with Open Source ...
[Workshop] Building an Integration Agile Digital Enterprise with Open Source ...WSO2
 
Leaping the chasm from proprietary to open: A survivor's guide
Leaping the chasm from proprietary to open: A survivor's guideLeaping the chasm from proprietary to open: A survivor's guide
Leaping the chasm from proprietary to open: A survivor's guidebcantrill
 
Scanning Docker Images with ScanCode.io
Scanning Docker Images with ScanCode.ioScanning Docker Images with ScanCode.io
Scanning Docker Images with ScanCode.ioMichael Herzog
 
SFScon19 - Alexios Zavras - Free Software in the industry a view from the lar...
SFScon19 - Alexios Zavras - Free Software in the industry a view from the lar...SFScon19 - Alexios Zavras - Free Software in the industry a view from the lar...
SFScon19 - Alexios Zavras - Free Software in the industry a view from the lar...South Tyrol Free Software Conference
 
Choisir le bon business model et la bonne licence pour la survie de son proje...
Choisir le bon business model et la bonne licence pour la survie de son proje...Choisir le bon business model et la bonne licence pour la survie de son proje...
Choisir le bon business model et la bonne licence pour la survie de son proje...Open Source Experience
 
Managing the Software Supply Chain: Policies that Promote Innovation While Op...
Managing the Software Supply Chain: Policies that Promote Innovation While Op...Managing the Software Supply Chain: Policies that Promote Innovation While Op...
Managing the Software Supply Chain: Policies that Promote Innovation While Op...FINOS
 
Benefits of Opensource Products
Benefits of Opensource ProductsBenefits of Opensource Products
Benefits of Opensource ProductsAnju Merin
 
Open Source Software Concepts
Open Source Software ConceptsOpen Source Software Concepts
Open Source Software ConceptsJITENDRA LENKA
 
Open soucre(cut shrt)
Open soucre(cut shrt)Open soucre(cut shrt)
Open soucre(cut shrt)Shivani Rai
 
The adoption of FOSS workfows in commercial software development: the case of...
The adoption of FOSS workfows in commercial software development: the case of...The adoption of FOSS workfows in commercial software development: the case of...
The adoption of FOSS workfows in commercial software development: the case of...dmgerman
 
Open Source Governance at HP
Open Source Governance at HPOpen Source Governance at HP
Open Source Governance at HPBruno Cornec
 
open source technology
open source technologyopen source technology
open source technologyLila Ram Yadav
 

Similaire à “State of the Tooling” in Open Source Automation (20)

Best practices for using open source software in the enterprise
Best practices for using open source software in the enterpriseBest practices for using open source software in the enterprise
Best practices for using open source software in the enterprise
 
Conversation on Open Source - CU Boulder - Feb 2017
Conversation on Open Source - CU Boulder - Feb 2017Conversation on Open Source - CU Boulder - Feb 2017
Conversation on Open Source - CU Boulder - Feb 2017
 
On making standards organizations & open source communities work hand in hand
On making standards organizations & open source communities work hand in handOn making standards organizations & open source communities work hand in hand
On making standards organizations & open source communities work hand in hand
 
Managing Open Source Software Supply Chains
Managing Open Source Software Supply ChainsManaging Open Source Software Supply Chains
Managing Open Source Software Supply Chains
 
[Workshop] Building an Integration Agile Digital Enterprise with Open Source ...
[Workshop] Building an Integration Agile Digital Enterprise with Open Source ...[Workshop] Building an Integration Agile Digital Enterprise with Open Source ...
[Workshop] Building an Integration Agile Digital Enterprise with Open Source ...
 
Leaping the chasm from proprietary to open: A survivor's guide
Leaping the chasm from proprietary to open: A survivor's guideLeaping the chasm from proprietary to open: A survivor's guide
Leaping the chasm from proprietary to open: A survivor's guide
 
Scanning Docker Images with ScanCode.io
Scanning Docker Images with ScanCode.ioScanning Docker Images with ScanCode.io
Scanning Docker Images with ScanCode.io
 
SFScon19 - Alexios Zavras - Free Software in the industry a view from the lar...
SFScon19 - Alexios Zavras - Free Software in the industry a view from the lar...SFScon19 - Alexios Zavras - Free Software in the industry a view from the lar...
SFScon19 - Alexios Zavras - Free Software in the industry a view from the lar...
 
FLOSS development
FLOSS developmentFLOSS development
FLOSS development
 
Open Source Licenses
Open Source LicensesOpen Source Licenses
Open Source Licenses
 
Choisir le bon business model et la bonne licence pour la survie de son proje...
Choisir le bon business model et la bonne licence pour la survie de son proje...Choisir le bon business model et la bonne licence pour la survie de son proje...
Choisir le bon business model et la bonne licence pour la survie de son proje...
 
Managing the Software Supply Chain: Policies that Promote Innovation While Op...
Managing the Software Supply Chain: Policies that Promote Innovation While Op...Managing the Software Supply Chain: Policies that Promote Innovation While Op...
Managing the Software Supply Chain: Policies that Promote Innovation While Op...
 
Benefits of Opensource Products
Benefits of Opensource ProductsBenefits of Opensource Products
Benefits of Opensource Products
 
Social Code Scanning
Social Code ScanningSocial Code Scanning
Social Code Scanning
 
Open Source Software Concepts
Open Source Software ConceptsOpen Source Software Concepts
Open Source Software Concepts
 
Open soucre(cut shrt)
Open soucre(cut shrt)Open soucre(cut shrt)
Open soucre(cut shrt)
 
Opensource wildey
Opensource wildeyOpensource wildey
Opensource wildey
 
The adoption of FOSS workfows in commercial software development: the case of...
The adoption of FOSS workfows in commercial software development: the case of...The adoption of FOSS workfows in commercial software development: the case of...
The adoption of FOSS workfows in commercial software development: the case of...
 
Open Source Governance at HP
Open Source Governance at HPOpen Source Governance at HP
Open Source Governance at HP
 
open source technology
open source technologyopen source technology
open source technology
 

Plus de Shane Coughlan

OpenChain @ LF Japan Executive Briefing - May 2024
OpenChain @ LF Japan Executive Briefing - May 2024OpenChain @ LF Japan Executive Briefing - May 2024
OpenChain @ LF Japan Executive Briefing - May 2024Shane Coughlan
 
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...Shane Coughlan
 
OpenChain Education Work Group Monthly Meeting - 2024-04-10 - Full Recording
OpenChain Education Work Group Monthly Meeting - 2024-04-10 - Full RecordingOpenChain Education Work Group Monthly Meeting - 2024-04-10 - Full Recording
OpenChain Education Work Group Monthly Meeting - 2024-04-10 - Full RecordingShane Coughlan
 
OpenChain AI Study Group - Europe and Asia Recap - 2024-04-11 - Full Recording
OpenChain AI Study Group - Europe and Asia Recap - 2024-04-11 - Full RecordingOpenChain AI Study Group - Europe and Asia Recap - 2024-04-11 - Full Recording
OpenChain AI Study Group - Europe and Asia Recap - 2024-04-11 - Full RecordingShane Coughlan
 
OpenChain Monthly Meeting North America and Asia - 2024-03-19
OpenChain Monthly Meeting North America and Asia - 2024-03-19OpenChain Monthly Meeting North America and Asia - 2024-03-19
OpenChain Monthly Meeting North America and Asia - 2024-03-19Shane Coughlan
 
OpenChain Webinar: Universal CVSS Calculator
OpenChain Webinar: Universal CVSS CalculatorOpenChain Webinar: Universal CVSS Calculator
OpenChain Webinar: Universal CVSS CalculatorShane Coughlan
 
openEuler Community Overview - a presentation showing the current scale
openEuler Community Overview - a presentation showing the current scaleopenEuler Community Overview - a presentation showing the current scale
openEuler Community Overview - a presentation showing the current scaleShane Coughlan
 
OpenChain AI Study Group - North America and Europe - 2024-02-20
OpenChain AI Study Group - North America and Europe - 2024-02-20OpenChain AI Study Group - North America and Europe - 2024-02-20
OpenChain AI Study Group - North America and Europe - 2024-02-20Shane Coughlan
 
AI Study Group North America - Europe 2024-02-06
AI Study Group North America - Europe 2024-02-06AI Study Group North America - Europe 2024-02-06
AI Study Group North America - Europe 2024-02-06Shane Coughlan
 
OpenChain Monthly North America / Europe Call - 2024-02-06
OpenChain Monthly North America / Europe Call - 2024-02-06OpenChain Monthly North America / Europe Call - 2024-02-06
OpenChain Monthly North America / Europe Call - 2024-02-06Shane Coughlan
 
OpenChain Export Control Work Group 2024-01-09
OpenChain Export Control Work Group 2024-01-09OpenChain Export Control Work Group 2024-01-09
OpenChain Export Control Work Group 2024-01-09Shane Coughlan
 
OpenChain Legal Work Group - 2024-01-17
OpenChain Legal Work Group -  2024-01-17OpenChain Legal Work Group -  2024-01-17
OpenChain Legal Work Group - 2024-01-17Shane Coughlan
 
Openchain AI Study Group 2024-01-23.pptx
Openchain AI Study Group 2024-01-23.pptxOpenchain AI Study Group 2024-01-23.pptx
Openchain AI Study Group 2024-01-23.pptxShane Coughlan
 
OpenChain Webinar #58 - FOSS License Management through aliens4friends in Ecl...
OpenChain Webinar #58 - FOSS License Management through aliens4friends in Ecl...OpenChain Webinar #58 - FOSS License Management through aliens4friends in Ecl...
OpenChain Webinar #58 - FOSS License Management through aliens4friends in Ecl...Shane Coughlan
 
Maturity Models - Open Compliance Summit 2023
Maturity Models - Open Compliance Summit 2023Maturity Models - Open Compliance Summit 2023
Maturity Models - Open Compliance Summit 2023Shane Coughlan
 
OpenChain Annual Report 2023 - Key Metrics Slides
OpenChain Annual Report 2023 - Key Metrics SlidesOpenChain Annual Report 2023 - Key Metrics Slides
OpenChain Annual Report 2023 - Key Metrics SlidesShane Coughlan
 
OpenChain Webinar 57 - The Open Source Initiative - 2023-11-27
OpenChain Webinar 57 - The Open Source Initiative - 2023-11-27OpenChain Webinar 57 - The Open Source Initiative - 2023-11-27
OpenChain Webinar 57 - The Open Source Initiative - 2023-11-27Shane Coughlan
 
FOSSLight Community Day 2023-11-30
FOSSLight Community Day 2023-11-30FOSSLight Community Day 2023-11-30
FOSSLight Community Day 2023-11-30Shane Coughlan
 
OpenChain Webinar #56: Generative AI and Your Code
OpenChain Webinar #56: Generative AI and Your CodeOpenChain Webinar #56: Generative AI and Your Code
OpenChain Webinar #56: Generative AI and Your CodeShane Coughlan
 
From One Standard to a Family - Taiwan Work Group - 2023-08-15.pptx
From One Standard to a Family - Taiwan Work Group - 2023-08-15.pptxFrom One Standard to a Family - Taiwan Work Group - 2023-08-15.pptx
From One Standard to a Family - Taiwan Work Group - 2023-08-15.pptxShane Coughlan
 

Plus de Shane Coughlan (20)

OpenChain @ LF Japan Executive Briefing - May 2024
OpenChain @ LF Japan Executive Briefing - May 2024OpenChain @ LF Japan Executive Briefing - May 2024
OpenChain @ LF Japan Executive Briefing - May 2024
 
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
 
OpenChain Education Work Group Monthly Meeting - 2024-04-10 - Full Recording
OpenChain Education Work Group Monthly Meeting - 2024-04-10 - Full RecordingOpenChain Education Work Group Monthly Meeting - 2024-04-10 - Full Recording
OpenChain Education Work Group Monthly Meeting - 2024-04-10 - Full Recording
 
OpenChain AI Study Group - Europe and Asia Recap - 2024-04-11 - Full Recording
OpenChain AI Study Group - Europe and Asia Recap - 2024-04-11 - Full RecordingOpenChain AI Study Group - Europe and Asia Recap - 2024-04-11 - Full Recording
OpenChain AI Study Group - Europe and Asia Recap - 2024-04-11 - Full Recording
 
OpenChain Monthly Meeting North America and Asia - 2024-03-19
OpenChain Monthly Meeting North America and Asia - 2024-03-19OpenChain Monthly Meeting North America and Asia - 2024-03-19
OpenChain Monthly Meeting North America and Asia - 2024-03-19
 
OpenChain Webinar: Universal CVSS Calculator
OpenChain Webinar: Universal CVSS CalculatorOpenChain Webinar: Universal CVSS Calculator
OpenChain Webinar: Universal CVSS Calculator
 
openEuler Community Overview - a presentation showing the current scale
openEuler Community Overview - a presentation showing the current scaleopenEuler Community Overview - a presentation showing the current scale
openEuler Community Overview - a presentation showing the current scale
 
OpenChain AI Study Group - North America and Europe - 2024-02-20
OpenChain AI Study Group - North America and Europe - 2024-02-20OpenChain AI Study Group - North America and Europe - 2024-02-20
OpenChain AI Study Group - North America and Europe - 2024-02-20
 
AI Study Group North America - Europe 2024-02-06
AI Study Group North America - Europe 2024-02-06AI Study Group North America - Europe 2024-02-06
AI Study Group North America - Europe 2024-02-06
 
OpenChain Monthly North America / Europe Call - 2024-02-06
OpenChain Monthly North America / Europe Call - 2024-02-06OpenChain Monthly North America / Europe Call - 2024-02-06
OpenChain Monthly North America / Europe Call - 2024-02-06
 
OpenChain Export Control Work Group 2024-01-09
OpenChain Export Control Work Group 2024-01-09OpenChain Export Control Work Group 2024-01-09
OpenChain Export Control Work Group 2024-01-09
 
OpenChain Legal Work Group - 2024-01-17
OpenChain Legal Work Group -  2024-01-17OpenChain Legal Work Group -  2024-01-17
OpenChain Legal Work Group - 2024-01-17
 
Openchain AI Study Group 2024-01-23.pptx
Openchain AI Study Group 2024-01-23.pptxOpenchain AI Study Group 2024-01-23.pptx
Openchain AI Study Group 2024-01-23.pptx
 
OpenChain Webinar #58 - FOSS License Management through aliens4friends in Ecl...
OpenChain Webinar #58 - FOSS License Management through aliens4friends in Ecl...OpenChain Webinar #58 - FOSS License Management through aliens4friends in Ecl...
OpenChain Webinar #58 - FOSS License Management through aliens4friends in Ecl...
 
Maturity Models - Open Compliance Summit 2023
Maturity Models - Open Compliance Summit 2023Maturity Models - Open Compliance Summit 2023
Maturity Models - Open Compliance Summit 2023
 
OpenChain Annual Report 2023 - Key Metrics Slides
OpenChain Annual Report 2023 - Key Metrics SlidesOpenChain Annual Report 2023 - Key Metrics Slides
OpenChain Annual Report 2023 - Key Metrics Slides
 
OpenChain Webinar 57 - The Open Source Initiative - 2023-11-27
OpenChain Webinar 57 - The Open Source Initiative - 2023-11-27OpenChain Webinar 57 - The Open Source Initiative - 2023-11-27
OpenChain Webinar 57 - The Open Source Initiative - 2023-11-27
 
FOSSLight Community Day 2023-11-30
FOSSLight Community Day 2023-11-30FOSSLight Community Day 2023-11-30
FOSSLight Community Day 2023-11-30
 
OpenChain Webinar #56: Generative AI and Your Code
OpenChain Webinar #56: Generative AI and Your CodeOpenChain Webinar #56: Generative AI and Your Code
OpenChain Webinar #56: Generative AI and Your Code
 
From One Standard to a Family - Taiwan Work Group - 2023-08-15.pptx
From One Standard to a Family - Taiwan Work Group - 2023-08-15.pptxFrom One Standard to a Family - Taiwan Work Group - 2023-08-15.pptx
From One Standard to a Family - Taiwan Work Group - 2023-08-15.pptx
 

Dernier

What is a Recruitment Management Software?
What is a Recruitment Management Software?What is a Recruitment Management Software?
What is a Recruitment Management Software?NYGGS Automation Suite
 
Evolving Data Governance for the Real-time Streaming and AI Era
Evolving Data Governance for the Real-time Streaming and AI EraEvolving Data Governance for the Real-time Streaming and AI Era
Evolving Data Governance for the Real-time Streaming and AI Eraconfluent
 
Jax, FL Admin Community Group 05.14.2024 Combined Deck
Jax, FL Admin Community Group 05.14.2024 Combined DeckJax, FL Admin Community Group 05.14.2024 Combined Deck
Jax, FL Admin Community Group 05.14.2024 Combined DeckMarc Lester
 
Weeding your micro service landscape.pdf
Weeding your micro service landscape.pdfWeeding your micro service landscape.pdf
Weeding your micro service landscape.pdftimtebeek1
 
A Deep Dive into Secure Product Development Frameworks.pdf
A Deep Dive into Secure Product Development Frameworks.pdfA Deep Dive into Secure Product Development Frameworks.pdf
A Deep Dive into Secure Product Development Frameworks.pdfICS
 
^Clinic ^%[+27788225528*Abortion Pills For Sale In harare
^Clinic ^%[+27788225528*Abortion Pills For Sale In harare^Clinic ^%[+27788225528*Abortion Pills For Sale In harare
^Clinic ^%[+27788225528*Abortion Pills For Sale In hararekasambamuno
 
Alluxio Monthly Webinar | Simplify Data Access for AI in Multi-Cloud
Alluxio Monthly Webinar | Simplify Data Access for AI in Multi-CloudAlluxio Monthly Webinar | Simplify Data Access for AI in Multi-Cloud
Alluxio Monthly Webinar | Simplify Data Access for AI in Multi-CloudAlluxio, Inc.
 
Workshop: Enabling GenAI Breakthroughs with Knowledge Graphs - GraphSummit Milan
Workshop: Enabling GenAI Breakthroughs with Knowledge Graphs - GraphSummit MilanWorkshop: Enabling GenAI Breakthroughs with Knowledge Graphs - GraphSummit Milan
Workshop: Enabling GenAI Breakthroughs with Knowledge Graphs - GraphSummit MilanNeo4j
 
Sinoville Clinic ](+27832195400*)[🏥Abortion Pill Prices Sinoville ● Women's A...
Sinoville Clinic ](+27832195400*)[🏥Abortion Pill Prices Sinoville ● Women's A...Sinoville Clinic ](+27832195400*)[🏥Abortion Pill Prices Sinoville ● Women's A...
Sinoville Clinic ](+27832195400*)[🏥Abortion Pill Prices Sinoville ● Women's A...Abortion Clinic
 
Modern binary build systems - PyCon 2024
Modern binary build systems - PyCon 2024Modern binary build systems - PyCon 2024
Modern binary build systems - PyCon 2024Henry Schreiner
 
Team Transformation Tactics for Holistic Testing and Quality (NewCrafts Paris...
Team Transformation Tactics for Holistic Testing and Quality (NewCrafts Paris...Team Transformation Tactics for Holistic Testing and Quality (NewCrafts Paris...
Team Transformation Tactics for Holistic Testing and Quality (NewCrafts Paris...Lisi Hocke
 
how-to-download-files-safely-from-the-internet.pdf
how-to-download-files-safely-from-the-internet.pdfhow-to-download-files-safely-from-the-internet.pdf
how-to-download-files-safely-from-the-internet.pdfMehmet Akar
 
Food Delivery Business App Development Guide 2024
Food Delivery Business App Development Guide 2024Food Delivery Business App Development Guide 2024
Food Delivery Business App Development Guide 2024Chirag Panchal
 
^Clinic ^%[+27788225528*Abortion Pills For Sale In birch acres
^Clinic ^%[+27788225528*Abortion Pills For Sale In birch acres^Clinic ^%[+27788225528*Abortion Pills For Sale In birch acres
^Clinic ^%[+27788225528*Abortion Pills For Sale In birch acreskasambamuno
 
BusinessGPT - Security and Governance for Generative AI
BusinessGPT  - Security and Governance for Generative AIBusinessGPT  - Security and Governance for Generative AI
BusinessGPT - Security and Governance for Generative AIAGATSoftware
 
Microsoft365_Dev_Security_2024_05_16.pdf
Microsoft365_Dev_Security_2024_05_16.pdfMicrosoft365_Dev_Security_2024_05_16.pdf
Microsoft365_Dev_Security_2024_05_16.pdfMarkus Moeller
 
The mythical technical debt. (Brooke, please, forgive me)
The mythical technical debt. (Brooke, please, forgive me)The mythical technical debt. (Brooke, please, forgive me)
The mythical technical debt. (Brooke, please, forgive me)Roberto Bettazzoni
 
Software Engineering - Introduction + Process Models + Requirements Engineering
Software Engineering - Introduction + Process Models + Requirements EngineeringSoftware Engineering - Introduction + Process Models + Requirements Engineering
Software Engineering - Introduction + Process Models + Requirements EngineeringPrakhyath Rai
 

Dernier (20)

What is a Recruitment Management Software?
What is a Recruitment Management Software?What is a Recruitment Management Software?
What is a Recruitment Management Software?
 
Evolving Data Governance for the Real-time Streaming and AI Era
Evolving Data Governance for the Real-time Streaming and AI EraEvolving Data Governance for the Real-time Streaming and AI Era
Evolving Data Governance for the Real-time Streaming and AI Era
 
Jax, FL Admin Community Group 05.14.2024 Combined Deck
Jax, FL Admin Community Group 05.14.2024 Combined DeckJax, FL Admin Community Group 05.14.2024 Combined Deck
Jax, FL Admin Community Group 05.14.2024 Combined Deck
 
Weeding your micro service landscape.pdf
Weeding your micro service landscape.pdfWeeding your micro service landscape.pdf
Weeding your micro service landscape.pdf
 
A Deep Dive into Secure Product Development Frameworks.pdf
A Deep Dive into Secure Product Development Frameworks.pdfA Deep Dive into Secure Product Development Frameworks.pdf
A Deep Dive into Secure Product Development Frameworks.pdf
 
^Clinic ^%[+27788225528*Abortion Pills For Sale In harare
^Clinic ^%[+27788225528*Abortion Pills For Sale In harare^Clinic ^%[+27788225528*Abortion Pills For Sale In harare
^Clinic ^%[+27788225528*Abortion Pills For Sale In harare
 
Alluxio Monthly Webinar | Simplify Data Access for AI in Multi-Cloud
Alluxio Monthly Webinar | Simplify Data Access for AI in Multi-CloudAlluxio Monthly Webinar | Simplify Data Access for AI in Multi-Cloud
Alluxio Monthly Webinar | Simplify Data Access for AI in Multi-Cloud
 
Workshop: Enabling GenAI Breakthroughs with Knowledge Graphs - GraphSummit Milan
Workshop: Enabling GenAI Breakthroughs with Knowledge Graphs - GraphSummit MilanWorkshop: Enabling GenAI Breakthroughs with Knowledge Graphs - GraphSummit Milan
Workshop: Enabling GenAI Breakthroughs with Knowledge Graphs - GraphSummit Milan
 
Sinoville Clinic ](+27832195400*)[🏥Abortion Pill Prices Sinoville ● Women's A...
Sinoville Clinic ](+27832195400*)[🏥Abortion Pill Prices Sinoville ● Women's A...Sinoville Clinic ](+27832195400*)[🏥Abortion Pill Prices Sinoville ● Women's A...
Sinoville Clinic ](+27832195400*)[🏥Abortion Pill Prices Sinoville ● Women's A...
 
Abortion Clinic In Polokwane ](+27832195400*)[ 🏥 Safe Abortion Pills in Polok...
Abortion Clinic In Polokwane ](+27832195400*)[ 🏥 Safe Abortion Pills in Polok...Abortion Clinic In Polokwane ](+27832195400*)[ 🏥 Safe Abortion Pills in Polok...
Abortion Clinic In Polokwane ](+27832195400*)[ 🏥 Safe Abortion Pills in Polok...
 
Modern binary build systems - PyCon 2024
Modern binary build systems - PyCon 2024Modern binary build systems - PyCon 2024
Modern binary build systems - PyCon 2024
 
Abortion Clinic Pretoria ](+27832195400*)[ Abortion Clinic Near Me ● Abortion...
Abortion Clinic Pretoria ](+27832195400*)[ Abortion Clinic Near Me ● Abortion...Abortion Clinic Pretoria ](+27832195400*)[ Abortion Clinic Near Me ● Abortion...
Abortion Clinic Pretoria ](+27832195400*)[ Abortion Clinic Near Me ● Abortion...
 
Team Transformation Tactics for Holistic Testing and Quality (NewCrafts Paris...
Team Transformation Tactics for Holistic Testing and Quality (NewCrafts Paris...Team Transformation Tactics for Holistic Testing and Quality (NewCrafts Paris...
Team Transformation Tactics for Holistic Testing and Quality (NewCrafts Paris...
 
how-to-download-files-safely-from-the-internet.pdf
how-to-download-files-safely-from-the-internet.pdfhow-to-download-files-safely-from-the-internet.pdf
how-to-download-files-safely-from-the-internet.pdf
 
Food Delivery Business App Development Guide 2024
Food Delivery Business App Development Guide 2024Food Delivery Business App Development Guide 2024
Food Delivery Business App Development Guide 2024
 
^Clinic ^%[+27788225528*Abortion Pills For Sale In birch acres
^Clinic ^%[+27788225528*Abortion Pills For Sale In birch acres^Clinic ^%[+27788225528*Abortion Pills For Sale In birch acres
^Clinic ^%[+27788225528*Abortion Pills For Sale In birch acres
 
BusinessGPT - Security and Governance for Generative AI
BusinessGPT  - Security and Governance for Generative AIBusinessGPT  - Security and Governance for Generative AI
BusinessGPT - Security and Governance for Generative AI
 
Microsoft365_Dev_Security_2024_05_16.pdf
Microsoft365_Dev_Security_2024_05_16.pdfMicrosoft365_Dev_Security_2024_05_16.pdf
Microsoft365_Dev_Security_2024_05_16.pdf
 
The mythical technical debt. (Brooke, please, forgive me)
The mythical technical debt. (Brooke, please, forgive me)The mythical technical debt. (Brooke, please, forgive me)
The mythical technical debt. (Brooke, please, forgive me)
 
Software Engineering - Introduction + Process Models + Requirements Engineering
Software Engineering - Introduction + Process Models + Requirements EngineeringSoftware Engineering - Introduction + Process Models + Requirements Engineering
Software Engineering - Introduction + Process Models + Requirements Engineering
 

“State of the Tooling” in Open Source Automation

  • 1. Copyright © nexB Inc. License: CC-BY-SA-4.0 “State of the Tooling” in Open Source Automation OpenChain German work group Philippe Ombredanne, AboutCode.org nexB Inc.
  • 2. Copyright © nexB Inc. License: CC-BY-SA-4.0 Philippe Ombredanne ► Project lead and maintainer for VulnerableCode, ScanCode and AboutCode ► Creator of Package URL, co-founder of SPDX & ClearlyDefined ► FOSS veteran, long time Google Summer of Code mentor ► Co-founder and CTO of nexB Inc., makers of DejaCode ► Weird facts and claims to fame ● Signed off on the largest deletion of lines of code in the Linux kernel (but these were only comments) ● Unrepentant code hoarder. Had 60,000+ GH forks now down only to 20K forks ► pombredanne@nexb.com irc:pombreda
  • 3. Copyright © nexB Inc. License: CC-BY-SA-4.0 Why open source compliance tooling? ▷ Because open source for open source: This is the way! ● Dogfooding ▷ Free as in beer and freedom of course ● Code of course, but do not forget the data! ▷ Key to enable right-sized automation for your open chain ▷ Best-in-class tools in several areas
  • 4. Copyright © nexB Inc. License: CC-BY-SA-4.0 Key trends (1) Time to retool? ▷ 3rd wave of Compliance tooling creation and adoption underway ● 1st wave was commercial ● 2nd wave was centered on license compliance and legal ● 3rd wave will be centered on developers and appsec ■ Eventually balanced and holistic FOSS solutions ▷ TODO: Review your existing approach and retool
  • 5. Copyright © nexB Inc. License: CC-BY-SA-4.0 Key trends (2) ▷ Security is top of mind ● SBOMs are everywhere, but for what? Few can process them ▷ And license compliance is not yet solved ● Still a lot of work left for automation ● Emerging scripting platforms to capture your pipelines ■ Orchestrate many tools ▷ Open data and data sharing will happen ● Everybody wants it, but also everyone wants to control it ● Centralized or decentralized?
  • 6. Copyright © nexB Inc. License: CC-BY-SA-4.0 Key trends (3) ▷ Software health, quality, sustainability are not yet on the radar ▷ FOSS GUI/Web apps are still badly missing ▷ Slowly the analysis of builds and binaries will displace source-only scans ▷ Dependency tracking is not yet solved at scale
  • 7. Copyright © nexB Inc. License: CC-BY-SA-4.0 Key trends (4) Best tools are FOSS ▷ The leading tools are mostly FOSS first ● License detection ● Container analysis ● Package detection ● Dependency tracking and resolution ▷ But BEWARE ● Lots of tools are shallow and look only skin deep ■ Barely suitable for serious license or security work ● Do your homework and try the tools: they are open after all
  • 8. Copyright © nexB Inc. License: CC-BY-SA-4.0 ▷ Vulnerability and package databases are the new rush ● Open or commercial vulnerability databases with supposedly "premium" content ● But BEWARE of the data quality. Size DOES NOT matter. ■ Made up packages, made up versions ■ Not worth their price: Compare and include open solutions! ▷ Every commercial tool now includes license data ● License data derived from package manifest is NOT ENOUGH ● Built-in policies are impractical: is GPL always bad?? Key trends (5) Poor data quality
  • 9. Copyright © nexB Inc. License: CC-BY-SA-4.0 PURL is emerging as the glue to avoid lock-in! ● Started to support package ids in ScanCode and VulnerableCode, now everywhere ○ CycloneDX ○ SPDX including just released GitHub SPDX SBOMs features ○ Google OSV ○ Sonatype OSSIndex ○ New PurlDB, MatchCode ○ Most FOSS tools such as ORT, Fosslight, DependencyTrack, Anchore, Tern and most of the open (and prioprietary) SCA and Infosec/Appsec tools ● Coming to the NVD in version 5.1!! ● Key vector for interop: if two tools speak PURL, integration is made easier ● Demand its adoption by your vendors and projects Key trends (6) PURL is the essential glue
  • 10. Copyright © nexB Inc. License: CC-BY-SA-4.0 Key insights (1): Share the data! "I would like to have automation to avoid repeat work when re-running tools" "Let's avoid re-running scans, share them and reuse them instead" ● Everyone wants to share and reuse data from scans, and origin and license data ○ Speed up origin and license review ○ Avoid redoing the scans and the same review either inside my org or across orgs ● But "It is hard to overcome lawyers’ objections to sharing data such as license conclusions and curations" ● And how to trust the scans and curations? And deal with different policies and standards for conclusions and curations? (specifically about licensing) ● What is the motivation and ease for public data sharing?
  • 11. Copyright © nexB Inc. License: CC-BY-SA-4.0 Key insights (2): Open the data! ● Open data (e.g., as in free and open licensed data on FOSS) are emerging ○ The too big to share argument will not hold ● Eventually open, community curated FOSS package "knowledge bases" will become the norm and supplant proprietary, closed source alternatives ● We should share raw scanners/tools outputs first ● We should fix upstream licensing issues, upstream ● The centralized approach does not work well ○ Too big to share ○ Out of date ○ Lack of trust in centralized control
  • 12. Copyright © nexB Inc. License: CC-BY-SA-4.0 License and Vulnerability are like oil and vinegar ● Even if core process is code origin determination, constituents are not the same (yet) ○ License folks care less about Vulnerabilities ○ Security folks care less about Licenses ● FOSS projects that cater to both should provide differentiated documentation for each audience ● Some core tools are the same, but users are different ● Expect a convergence of the two aspects in the future ● Until then, advice to OSPOs: ○ Handle both domains ○ But adapt your language to each constituent/persona Key insights (3) Licensing != Security?
  • 13. Copyright © nexB Inc. License: CC-BY-SA-4.0 Multiple FOSS projects try to solve license compatibility ● FLICT, OSADL, Hermine Oniro ● Automating license conflicts/compatibility checks is a real problem at scale ● Projects may work together and eventually some conventions will emerge ● Key domains ○ Help legal understand/zoom in on key license concerns ○ What is the effect of multiple licenses? ○ How to surface license compatibility issues ● Effective/resulting license inference and compatibility is a policy issue ○ But tooling can automate the grunt work Key insights (4) License Compatibility
  • 14. Copyright © nexB Inc. License: CC-BY-SA-4.0 ● Does copying a snippet of code really matter? ○ Have you looked at the big rocks first? e.g., whole libraries ○ Are you ready to pay the price in time and/or cash? Image credits: https://www.integrativenutrition.com/ Key insights (5) Snippets and matching?
  • 15. Copyright © nexB Inc. License: CC-BY-SA-4.0 ● Domain has been abandoned by commercial vendors ○ Snyk has spun off FOSSID ○ Synopsys mostly abandoned Protex ● One new entrant with open source code but proprietary data: SCANOSS ● Snippets may not matter (too much) ● But AI/ML-generated code snippets anyone? ○ Will Artificial general intelligence (AGI) make snippets both more relevant and useless at the same time when everyone can generate the same boilerplate derived from everyone's code ● Yet code matching can speed up the analysis when done right (find big rocks first) ○ Reuse previous analysis based on matching code: WIP with MatchCode Key insights (5) Snippets and matching?
  • 16. Copyright © nexB Inc. License: CC-BY-SA-4.0 ● SBOMs are everywhere ○ GitHub can even create these directly from a repo ○ But what about data quality (depth and breadth)? ○ But what about using proper machine readable identifiers (license, PURL)? ● Hi-Fi or Lo-Fi SBOMs? ● Every tool creates SBOMs but then what? ○ 2 out of 50+ folks were effectively consuming SBOMs ● Big gaps in tool-to-tool integration ● Too much over engineering, and under-specification ● Advice: Ignore the SPDX vs. CycloneDX feud and embrace both, with PURL ○ Feel free to ignore SWID ○ SBOM is just a reporting format Key insights (6) SBOM, mehBOM?
  • 17. Copyright © nexB Inc. License: CC-BY-SA-4.0 ● Collaborate: License conflict/compatibility checking FOSS projects on data and standards (FLIct/OSADl/Hermie) ● Create: A live inventory of all FOSS tools and their capabilities ● Share: Approaches to dependency detection/resolution/processing ● Define: Evolve a standard/schema for tool-to-tool technical scan data sharing ● DATA: Exchange data! Follow up on collaboration opportunities?
  • 18. Copyright © nexB Inc. License: CC-BY-SA-4.0 Credits ▷ Presentation template by SlidesCarnival licensed under CC-BY-4.0 ▷ Photograph by Unsplash licensed under Unsplash License ▷ Other content licensed under CC-BY-SA-4.0 18