How to manage OSS licenses for CI/CD
development
Takuma Ueba
Fujitsu Computer Technologies Limited
1553ka1 CC BY-SA 4.0
whoami
Copyright 2019 FUJITSU COMPUTER TECHNOLOGIES LIMITED
I have contributed to the following communities
Linux kernel
U-Boot
Yocto Project
Developer of In-house Embedded Linux Distribution for Fujitsu
Our distribution is built with the Yocto Project
My team members are the maintainers of meta-spdxscanner (Lei Maohui)
and dnf-plugin-tui (Zheng Ruoqin)
Our distribution is used in 80+ products
IVI
Server System Controller
Storage System
Network equipment, etc.
Mainly platform community
Agenda
Why SPDX is needed?
Simple introduction of “meta-spdxscanner”
Case Study (CI/CD development)
Future Work (Current effort)
Finally
The names of products are the product names, trademarks or registered trademarks of the respective companies.
Trademark notices ((R),TM) are not necessarily displayed on system names and product names in this material.
Why SPDX is needed?
Difficult to manage OSS information in various formats
[Figure: suppliers (Company A, Company B, Company C) deliver software A, B and C to the product vendor; the OSS package information arrives as a plain list, as SPDX, or with a lack of information]
Missing OSS License Information!?
Why SPDX is needed?
Extracting all license and copyright information
Centralized format of package information for easier management
[Figure: Company A, Company B and Company C deliver software A, B and C to the product vendor, each with its OSS package information in SPDX]
Software Package Data eXchange (SPDX®)
Standard format for communicating licenses, copyrights, etc. concerning software packages
SPDX is an efficient method to comply with OpenChain.
Simple introduction of “meta-spdxscanner”
[Figure: OSS source code and patches from 3rd parties enter the Yocto Project layers (openembedded-core, meta-oe, meta-……); meta-spdxscanner produces the SPDX files]
・default output: SPDX files (considering OpenChain)
・currently uses FOSSology as the license scanner (but considering a change to scancode-toolkit)
・support for the SPDX “Modification” field
Yocto Project is an embedded Linux distribution build environment and the de facto standard worldwide.
(e.g. Automotive Grade Linux (AGL) and SoC vendor BSPs are built with YP)
Yocto build process: do_fetch, do_unpack, do_spdx, do_package, ・・・
Case Study (CI/CD development)
When integration (CI) is performed, new OSS and new licenses are
added, so the licenses to be delivered must be clarified.
In CI/CD development, reducing scan time is a key theme.
e.g. in a weekly deploy environment, if a scan takes several hours,
it does not fit the development cycle.
[Figure: timeline of repeated integration, scan and delivery; the scan time between each integration and its delivery is what has to shrink]
Case Study (CI/CD development)
“meta-spdxscanner” improved performance by reusing
previous scan results.
[Chart: spend time (seconds), y-axis 0 to 250, per OSS package (ntp, busybox, openssl, openssh); series: first scan vs reuse of previous results]
Future work (current effort)
Automatically import SPDX files from the Yocto build process into
SW360 (OSS management tool).
[Figure: meta-spdxscanner with its license scanner]
Scan only files with differences.
(Currently, if there are differences in the source file, the entire file is rescanned.)
Output only differences to SPDX
Automation
Easier license-clearing!
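The reuse of previous scan results from the case study and the per-file rescan planned as future work, as an added Python example (not meta-spdxscanner's own code): per-file results are cached by content hash, so an integration that patches one file rescans only that file and reuses the rest. The license detector here is a stand-in that reads SPDX-License-Identifier tags (a real layer would call FOSSology or scancode-toolkit), and the sample source trees are constructed.

```python
import hashlib
import re

# Constructed sample tree: path -> source text (stands in for unpacked OSS sources)
SOURCES_V1 = {
    "src/main.c": "// SPDX-License-Identifier: GPL-2.0-only\nint main(void){return 0;}\n",
    "src/util.c": "/* SPDX-License-Identifier: MIT */\nint helper(void){return 1;}\n",
    "README": "No license tag here.\n",
}
# Next integration: one file is patched (and relicensed), the others are unchanged
SOURCES_V2 = dict(SOURCES_V1, **{
    "src/util.c": "/* SPDX-License-Identifier: BSD-2-Clause */\nint helper(void){return 2;}\n",
})

_TAG = re.compile(r"SPDX-License-Identifier:\s*([A-Za-z0-9.+\-]+)")

def sha1(text: str) -> str:
    """SHA1 is the checksum algorithm SPDX requires for FileChecksum."""
    return hashlib.sha1(text.encode()).hexdigest()

def scan_file(text: str) -> str:
    """Stand-in license detector: read the SPDX-License-Identifier header tag.
    Files without a tag get NOASSERTION, as an SPDX consumer would expect."""
    m = _TAG.search(text)
    return m.group(1) if m else "NOASSERTION"

def incremental_scan(sources: dict, cache: dict) -> tuple:
    """Rescan only files whose content hash is not in the cache; reuse the rest.
    Returns SPDX file entries (tag:value lines) and the number of files actually scanned."""
    scanned = 0
    entries = []
    for path, text in sorted(sources.items()):
        digest = sha1(text)
        if digest not in cache:          # content changed (or never seen): scan it
            cache[digest] = scan_file(text)
            scanned += 1
        entries.append(f"FileName: ./{path}\n"
                       f"FileChecksum: SHA1: {digest}\n"
                       f"LicenseInfoInFile: {cache[digest]}\n")
    return entries, scanned

def demo():
    """First run scans every file; the second run scans only the patched one."""
    cache = {}
    _, n_first = incremental_scan(SOURCES_V1, cache)
    second, n_second = incremental_scan(SOURCES_V2, cache)
    return n_first, n_second, [e.splitlines()[2] for e in second]
```

Keying the cache on content rather than path also lets an identical file that moved between releases reuse its result, which is the same shortcut a scanner-backed cache in the build can take.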
Finally
I'd appreciate it if you could give me feedback after using meta-spdxscanner.
GitHub URL: https://github.com/dl9pf/meta-spdxscanner
If you want to know more about meta-spdxscanner, please ask me.