1. AN UPDATE ON OUR ACTIVITIES IN AUTOMATING OSS COMPLIANCE: A WORKING SHOWCASE
Sebastian Schuberth
Senior Expert Open Source Services
Bosch Software Innovations GmbH
OpenChain Automotive Workshop
October 29, 2019
2. Bosch Software Innovations GmbH | INST-CSS/BSV-OS | 10/29/2019
© Bosch Software Innovations GmbH 2017. All rights reserved, also regarding any disposal, exploitation, reproduction, editing, distribution as well as in the event of applications for industrial property rights.
Recap
Introduction
Year 2017: The Idea
Year 2018: A Working Community
Year 2019: A Working Showcase
3. Introduction
Example enterprise process
[Figure: Example of Compliance Management End-to-End Process]
Inputs queued for process: Own Proprietary Software, 3rd Party Software, FOSS
Compliance Process stages:
Identification: Identify FOSS components for review
Audit: Scan or audit source code, and confirm origin and license of source code
Resolve Issues: Resolve any audit issues in line with company FOSS policies
Reviews and Approvals: Review & approve compliance record of FOSS software components
Registration: Record approved software/version in inventory per product and per release
Notices: Compile notices for publication
Verifications: Verify source code packages for distribution, and verify appropriate notices are provided
Distribution: Publish source code, notices and provide written offer
Verifications: Post publication verifications
Outputs: Outgoing Software, Notices & Attributions, Written Offer
5. Automating Open Source Compliance
Why an Open Source Solution?
End-to-end open source management in enterprises is crucial for compliant usage of OSS.
Avoid vendor lock-in.
Ownership of data is crucial to prevent expensive corner cases.
Free and open data ("sharing creates value").
Long-term solution independent of any single supplier.
Successful open source means a defined state of the art.
6. Automating Open Source Management
Tooling Landscape (License: CC0-1.0)
[Figure: tooling landscape. Components are connected through an integration layer (API/Data):]
CI / CD Infrastructure: Build Tools, Continuous Integration, Artifact Repository, Source Code Repo
Inbound: inbound software, contributions
Outbound: outbound software & compliance artifacts
Resolvers and analyzers: Dependency resolver, Binary analyzer, Container content resolver, Source package downloader
Component & application metadata repository
License & Copyright Scanner (ScanCode, License Classifier); Bang
FOSS Compliance Bundle generator
License metadata repository
Public compliance artifact repos
Issue Tracker
Forensic Code Analysis Service
Compliance artifact consistency
7. Automating Open Source Management
The Toolchain
[Figure: toolchain diagram]
Compliance Workflow stages: Collecting Data, Identification, Metadata Completion, BOM Management, Policy Check, License Obligation Fulfillment
Connected systems: Build System, Software Heritage, Commercial Data Provider
Local
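The Policy Check stage above is where automation actually blocks a release. As an added example (not code from the presentation, from Bosch, or from any of the tools named in the deck), here is a small policy evaluator run over a constructed BOM. The package names, versions and findings are made up for the example; the license identifiers are real SPDX ids, but the policy rules (strong copyleft forbidden in distributed proprietary binaries, weak copyleft allowed only when dynamically linked, declared-vs-detected mismatch flagged) are assumptions about what a company FOSS policy might say.

```python
"""Policy check over a bill of materials (BOM) -- added example, not the
deck's toolchain. Evaluates the output of the earlier stages (dependency
resolution plus license/copyright scanning) against an assumed company
FOSS policy. All components, versions and findings below are constructed."""
from dataclasses import dataclass
from typing import List, Optional, Set

# Assumed policy buckets (SPDX identifiers). Anything not listed needs manual review.
STRONG_COPYLEFT = {"GPL-2.0-only", "GPL-2.0-or-later", "GPL-3.0-only",
                   "GPL-3.0-or-later", "AGPL-3.0-only", "AGPL-3.0-or-later"}
WEAK_COPYLEFT = {"LGPL-2.1-only", "LGPL-2.1-or-later", "LGPL-3.0-only",
                 "LGPL-3.0-or-later", "MPL-2.0", "EPL-2.0"}
PERMISSIVE = {"MIT", "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause", "ISC"}


@dataclass
class Component:
    name: str
    version: str
    declared_license: Optional[str]   # from package metadata; may be absent
    detected_licenses: Set[str]       # from a file-level license scanner
    linkage: str                      # "static", "dynamic" or "separate-process"


@dataclass
class Violation:
    component: str
    severity: str                     # "error" blocks the release, "warning" does not
    rule: str
    message: str


def choose_from_expression(expr: str) -> str:
    """Resolve a simple SPDX 'A OR B' choice by taking the least restrictive option."""
    options = [o.strip() for o in expr.split(" OR ")]
    for bucket in (PERMISSIVE, WEAK_COPYLEFT, STRONG_COPYLEFT):
        for opt in options:
            if opt in bucket:
                return opt
    return options[0]


def check_component(c: Component, distributed: bool = True) -> List[Violation]:
    """Apply the assumed policy to one component; 'distributed' means the product ships to third parties."""
    cid = f"{c.name}@{c.version}"
    found: List[Violation] = []
    declared = choose_from_expression(c.declared_license) if c.declared_license else None
    detected = {choose_from_expression(lic) for lic in c.detected_licenses}
    licenses = set(detected) | ({declared} if declared else set())
    if not licenses:
        # Identification never completed: no metadata and nothing found by the scanner.
        found.append(Violation(cid, "error", "unknown-license",
                               "no declared or detected license; identification incomplete"))
        return found
    if declared and detected and declared not in detected:
        # Classic finding: metadata says one thing, the files say another.
        found.append(Violation(cid, "warning", "license-mismatch",
                               f"declared {declared} but scanner found {sorted(detected)}"))
    for lic in sorted(licenses):
        if lic in STRONG_COPYLEFT:
            if distributed:
                found.append(Violation(cid, "error", "strong-copyleft",
                                       f"{lic} not allowed in a distributed proprietary product"))
        elif lic in WEAK_COPYLEFT:
            if distributed and c.linkage == "static":
                found.append(Violation(cid, "error", "weak-copyleft-static-link",
                                       f"{lic} is statically linked; relink dynamically or replace"))
            elif distributed:
                found.append(Violation(cid, "warning", "source-offer-required",
                                       f"{lic}: ship notices and a written offer for the library source"))
        elif lic not in PERMISSIVE:
            found.append(Violation(cid, "warning", "unclassified-license",
                                   f"{lic} is not covered by policy; needs manual review"))
    return found


def check_bom(bom: List[Component], distributed: bool = True) -> List[Violation]:
    return [v for c in bom for v in check_component(c, distributed)]


def has_blocking_violations(violations: List[Violation]) -> bool:
    return any(v.severity == "error" for v in violations)


# Constructed BOM: names, versions and findings are invented for this example.
SAMPLE_BOM = [
    Component("libfoo", "1.2.0", "MIT", {"MIT"}, "static"),
    Component("libbar", "0.9.1", "MIT", {"GPL-3.0-only"}, "static"),          # metadata is wrong
    Component("libqux", "2.0.0", "LGPL-2.1-or-later", {"LGPL-2.1-or-later"}, "dynamic"),
    Component("libmeta", "3.1.4", None, set(), "dynamic"),                     # nothing identified
    Component("dualcrypt", "1.0.0", "MIT OR GPL-2.0-only", {"MIT OR GPL-2.0-only"}, "static"),
    Component("oddlib", "0.1.0", "CC-BY-4.0", {"CC-BY-4.0"}, "separate-process"),
]

if __name__ == "__main__":
    results = check_bom(SAMPLE_BOM)
    for v in results:
        print(f"[{v.severity}] {v.component}: {v.rule}: {v.message}")
    raise SystemExit(1 if has_blocking_violations(results) else 0)
```

Wired into CI at the BOM Management / Policy Check boundary, a non-zero exit code from a run like this is what turns the written policy into a gate; the warnings feed the issue tracker and the License Obligation Fulfillment stage (notices, written offer) rather than blocking the build.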