SW360 Project CC-BY-SA 4.0
FASTEN Project Workshop 2021
SW360 Introduction
Eclipse SW360 – Managing Software Bill-of-Material
Handling of Software Components
IT today talks about components
Involving different systems
Systems shown: Code Quality Checker, Source Code Scanner, Artefact Repository, License Scanner, Project BOM Management
Problem: not 1-to-1 but many-to-many
Mapping effort for all component managing systems
Will multiply for new systems
Systems shown: Code Quality Checker, Source Code Scanner, Artefact Repository, License Scanner, Project BOM Management
Solution: Phonebook for Components
Central database for names for software components
Connect systems to talk to each other
Like person directory for IT systems in company already
Systems shown: Code Quality Checker, Source Code Scanner, Artefact Repository, License Scanner, Project BOM Management
[Diagram: Product A, Product B, Project 1]
SW360 is a 3rd party software component catalogue
Assigns 3rd party components to products or projects
Basic Case
Goals and Benefits
• Reuse information about components
• Coordinate product documentation process
• Support software clearing
[Diagram: component boxes A, B, C, H; C, H, I, J, E; and A, B, C, D, E, F, G, H, I, J, …]
Main Use Case 1: Component Inventory Database
∙ It is about Components in use: for all others, Internet can do better
∙ OSS Licensing: collect analysed licensing information (and reuse analyses)
∙ Not OSS only: internal components, commercial, freeware
Collect Information about Components
Main Use Case 2: Software Bill of Material (SBOM)
∙ Scanning for Licenses: other tools can do this better
∙ Collecting Vulnerabilities: Sourcing vulnerabilities: already done by tools as well
∙ Analyse Dependencies: good tools available to analyse packages, dependencies, third party software etc.
SW360: Only Bill of Material, not
[Diagram labels: Antenna; O.R.T.; Your own scripts; FOSSology; CVE search; More analysis tools; sw360 REST API]
SW360 Today
Example of SW360 Running in Production
• About 40.000 releases
• About 8000 products and projects
• About 8k users who have logged in at least once, about 200 users every day
Deployment
• 32GB of RAM, 2TB file system
• IT security conformant hosting according to IT security classification:
● DMZs, certificate-based login
● What would be a data security classification in your organisation?
How to Run?
Deployment
• Vagrant-based setup at https://github.com/sw360/sw360vagrant
• Docker-based under testing at https://github.com/sw360/sw360chores
• Deployment info at: https://github.com/eclipse/sw360/wiki
Documentation
• Markdown-based
• REST API Docs
• Documents linked in the footer of every page
SW360 History
Release History (selection)
○ September 2015: Initial release under github.com/sw360/sw360portal
○ November 2018: SW360 3.3: first release under Eclipse project space
○ 6.0: New FOSSology integration (REST instead of SSH)
○ 7.0: Relicensing to EPL-2.0
○ 9.0: Changelog for records, custom fields
○ 11.0: Java 11, Liferay 7.3
○ 12.1: improved obligations
○ 13.1: SW360 client
New Since Last Year
New features since our last presentation here
• SPDX import for Bill-of-Material (very basic, but working)
• FOSSology scans can be triggered via SW360 REST API
• SW360 in Japanese and Vietnamese!
• We mentioned the change log: very important for a collaborative group
• A lot of new REST endpoints including search, attachment handling
• Documents linked in the footer of every page
• Improving custom fields and external IDs
• sw360 Client Library in Java
• Work-in-progress: integration with Open Source Review Toolkit
Thank you for your attention!
CC-BY-SA 4.0
https://creativecommons.org/licenses/by-sa/4.0/
Internet
https://www.eclipse.org/sw360/
GitHub
https://github.com/eclipse/sw360
https://github.com/sw360/sw360slides
Further Links
https://www.spdx.org
https://www.fossology.org
Title picture released by Kai Stachowiak under CC0-1.0 at
https://publicdomainpictures.net/en/view-image.php?image=312825&picture=networking


Eclipse sw360 Web Application for managing software Bill-Of-Material, FASTEN Virtual Workshop, April 8, 2021
