Ensuring Open Source compliance is a necessary step for organizations building software-based products today. The use of third-party components needs to be identified, and metadata has to be retrieved in order to fulfill license obligations. Eclipse SW360 and SW360antenna allow this process to be automated, reducing the effort project teams must spend to ensure license compliance for the product they build.
Typical activities to achieve compliance are the identification of all transitive third-party dependencies used, the gathering of additional metadata such as the licenses and copyrights involved, the execution of policy checks on the assembled set of components and licenses, and the generation of reports and of the "compliance bundle" used to fulfill many of the typical license obligations.
To automate this process, SW360 and SW360antenna can be integrated into a toolchain. The role of SW360antenna is to execute workflows within the project's software build in order to carry out steps such as identification, metadata gathering and document generation. Third-party component metadata is retrieved from SW360, which serves as the backbone. Trace information on the usage of components in projects is stored in SW360 for later use. Open Source offices can monitor the data in SW360 to trigger clearing activities whenever new components or versions are entered into the database. This way, project teams are relieved of difficult tasks such as the analysis of newly found licenses or the extraction of license and copyright information from the codebase of an Open Source project. The work is transferred to specialists in the back office, who efficiently take care of the necessary activities.
In this talk, we show how these technologies are integrated into an industry-scale toolchain used within Bosch for automated OSS compliance management.