Using open source is a no-brainer today, as basically every software product makes use of existing open source software. Unfortunately, managing the usage of open source software is not as easy as it sounds at first. Copyright law, open source licenses and their obligations, and simply identifying which software is used transitively and which licenses and copyrights apply to it are real obstacles, and companies still struggle to set up a proper infrastructure to deal with them.
With OpenChain and its subgroup, the Open Compliance Reference Toolchain, there is a movement towards standardization and automation of the process that eases the management of the open source software in use. In this talk, I will give an insight into the methodology and show in a live demo how open technologies like Eclipse SW360 and Eclipse SW360antenna, together with other open bits and pieces, support this endeavor and reduce the necessary effort in your organization.
The basic principle is the introduction of the necessary steps into your CI/CD pipeline, providing you with current information on the software in use and the knowledge the company already has about it. Rules are applied to check for a consistent set of open source software and corresponding licenses. Open issues are resolved by a back office which analyses each incoming component once for license and copyright information and provides that data to all projects using the software, now and later on. Furthermore, up-to-date vulnerability information is fed into the CI/CD workflow, allowing a project to react immediately to freshly identified security issues.
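As an added illustration of the pipeline step described above (this is example code written for this page, not part of Eclipse SW360, SW360antenna or the OpenChain toolchain), the following Python gate evaluates a project's resolved components against three inputs: a license policy, a back-office clearing database whose cleared license overrides whatever the package declares, and a vulnerability feed. Component names, versions, advisory ids and the database contents are all constructed placeholders.

```python
"""Minimal CI compliance gate: license policy + back-office clearing data
+ vulnerability feed over a list of resolved components.
Illustrative example for this page; all data below is constructed."""
from dataclasses import dataclass
from typing import List, Optional

# Constructed policy: licenses the organisation has approved for shipping,
# and licenses that are allowed but always need a back-office decision.
ALLOWED_LICENSES = {"Apache-2.0", "MIT", "BSD-3-Clause", "EPL-2.0"}
REVIEW_LICENSES = {"GPL-2.0-only", "GPL-3.0-only", "AGPL-3.0-only"}

# Constructed back-office knowledge base keyed by (name, version).
# The cleared license may differ from what the package itself declares;
# the clearing result wins, and is reused by every project later on.
CLEARING_DB = {
    ("libfoo", "1.2.0"): {"license": "Apache-2.0", "copyright": "Foo Authors"},
    ("bar-utils", "3.4.1"): {"license": "GPL-2.0-only", "copyright": "Bar Project"},
}

# Constructed vulnerability feed: (name, version) -> advisory ids.
VULN_FEED = {
    ("libfoo", "1.2.0"): ["ADVISORY-EXAMPLE-0001"],
}

# Finding kinds that must stop the build; the others are reported only.
BLOCKING_KINDS = {"denied-license", "unknown-license", "vulnerability"}


@dataclass
class Component:
    name: str
    version: str
    declared_license: Optional[str] = None  # as stated in package metadata


@dataclass
class Finding:
    component: str
    kind: str
    detail: str


def evaluate(components: List[Component]) -> List[Finding]:
    """Apply policy, clearing data and vulnerability feed to each component."""
    findings: List[Finding] = []
    for c in components:
        key = (c.name, c.version)
        label = f"{c.name}@{c.version}"
        cleared = CLEARING_DB.get(key)
        # Prefer the back office's cleared license over the declared one.
        license_id = cleared["license"] if cleared else c.declared_license

        if cleared is None:
            findings.append(Finding(label, "unclear",
                                    "not yet cleared by back office; queue for analysis"))
        if license_id is None:
            findings.append(Finding(label, "unknown-license",
                                    "no declared or cleared license"))
        elif license_id in REVIEW_LICENSES:
            findings.append(Finding(label, "review-license",
                                    f"{license_id} requires a compliance decision"))
        elif license_id not in ALLOWED_LICENSES:
            findings.append(Finding(label, "denied-license",
                                    f"{license_id} is not on the approved list"))

        for advisory in VULN_FEED.get(key, []):
            findings.append(Finding(label, "vulnerability", advisory))
    return findings


def gate_passes(findings: List[Finding]) -> bool:
    """True if nothing blocking was found; a CI job would fail otherwise."""
    return not any(f.kind in BLOCKING_KINDS for f in findings)


def demo_components() -> List[Component]:
    """Constructed dependency list as a build would resolve it."""
    return [
        Component("libfoo", "1.2.0", "MIT"),          # cleared as Apache-2.0, has advisory
        Component("bar-utils", "3.4.1", "GPL-2.0-only"),  # needs review
        Component("baz", "0.1.0", None),              # unknown to back office, no license
        Component("qux", "2.0.0", "MIT"),             # not yet cleared, license fine
    ]


if __name__ == "__main__":
    results = evaluate(demo_components())
    for f in results:
        print(f"{f.kind:16} {f.component:18} {f.detail}")
    print("gate:", "PASS" if gate_passes(results) else "FAIL")
```

The split between blocking and report-only findings is the policy knob: a project should not ship with a denied license or an open advisory, whereas "unclear" components are handed to the back office rather than failing every build that introduces a new dependency.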
Overall, this enables projects to have a concise view of the software they use and of the relevant information concerning open source compliance as well as security issues. The company as a whole gains a consistent management process that monitors the flow of open source software throughout the entire value chain.