© 2019 Toshiba Corporation
Open Source Summit Japan
Using SW360 for OSS Compliance
Management Process
Thursday July 18, 2019 16:50 - 17:30 16:00 - 16:40
Hall B (4)
Kouki Hama kouki1.hama@toshiba.co.jp
Software Engineering & technology center
Open Source Technology Department
Thursday July 18, 2019 16:50 - 17:30
Hall B (4)
Open Source Leadership
Experience Level Beginner
https://events.linuxfoundation.jp/events/open-source-summit-japan-2019/program/schedule/
Summary
SW360 is an OSS tool for centrally managing software component information, license information, vulnerability information, etc. It also allows you to associate project information with many software components.
Toshiba has begun centralizing its open source software information management with SW360. This made it possible to share open source information across departmental barriers. On the other hand, feedback from users has raised various issues.
Kouki will explain how Toshiba has promoted the use of open source with SW360 and how to approach these issues. They include issues that originate from Japanese domestic requirements and issues that need to be solved beyond the boundaries of a single company. Moreover, Kouki will report on what kind of open source compliance management system Toshiba aims for.
Who am I ?
Kouki Hama (濵 功樹)
• Toshiba Corporation (2016~now)
• Research and Development OSS Compliance / Management Tool
• SW360, Fossology, GitLab, spdx tool, …
• Hobby
• Playing with my cats
• Mathematics (Research Nonlinear Optimization Algorithm)
• Pokémon Go
Hi I am Hama
Today’s presentation consists of 5 points
• Difficulty of Open Source Software compliance management
• How to manage OSS with SW360 property ?
• OSS SW360 Ecosystem
• Live demonstration
• Q & A
Difficulty of Open Source Software
compliance management
Need to confirm a lot of OSS information before using OSS
I use OSS_A
OSS_A
• Version
• License
• Vulnerability
• ECCN
• User history
• Author
• etc.
OSS spreading like mushrooms around the world
[Figure: many copies of OSS_A, each with its own Vulnerability, License, ECCN, Version, History and Author information]
OSS_A
• Version
• License
• Vulnerability
• ECCN
• User History
• Author
• etc.
And we need to clarify a lot of OSS related information
I check OSS_A, OSS_B, ...
[Figure: many copies of OSS_A, each with its own Vulnerability, License, ECCN, Version, History and Author information]
• Version
• License
• Vulnerability
• ECCN
• User History
• Author
• etc.
In addition, we need to prepare a lot of OSS related documents
I make documents about OSS_A, OSS_B, ...
[Figure: many copies of OSS_A, each with its own Vulnerability, License, ECCN, Version, History and Author information]
Occasionally, reusing another department's or product's OSS related documentation looks like a good idea
My Product
Other Product
💡
However, reusing other product/project OSS information is challenging
WHY?
[Figure: OSS information databases of Product A, Product B and Product C]
Answer 1.
Finding property information from a lot of other products is tedious
Where is OSS_A information?
[Figure: many products, each with its own list of OSS components (OSS_A, OSS_B, ..., OSS_Z); OSS_A appears in several of them]
Answer 2.
Different products have their own respective OSS information
Where is OSS_A license information?
[Figure: three products that each contain OSS_A (with OSS_B and OSS_C; with OSS_P and OSS_Q; with OSS_L and OSS_Z). The recorded information sets differ: Vulnerability, License, ECCN, Version, History and Author in one; Vulnerability, ECCN and Version in another; ECCN, License and Version in the third]
Answer 3.
Different products have unique OSS version information.
Where is OSS_A Ver1 license information?
[Figure: timeline of releases (r1, r2, r3, r4) for OSS_A, OSS_B, OSS_C and for Proj 1, Proj 2, ..., Proj N, each with a different number of releases over time]
Moreover, software dependency is a significant factor, but it can be complex.
Can I use OSS_A Ver1 for my project?
[Figure: Commercial Source Code, GPL License OSS and My Source Code connected by static links]
We need to put together OSS information
• OSS review requires a certain amount of time
• Avoid checking the same OSS information numerous times
[Figure: information sources to bring together: Security Information; OSS License Scanner (commercial); License Scanner; Bill of Materials management (Source Code repository); ECC information; License information; Other Department OSS management System]
The best approach is to utilize an OSS compliance tool.
https://github.com/eclipse/sw360
What is SW360?
https://github.com/eclipse/sw360
A software component catalogue application – designed to work with FOSSology.
SW360 manages and associates project information with OSS related components
Project register snapshot: Name, Version, Project visibility, Project type, Group, Project owner, etc.
Component register snapshot (OSS information): Name, Vendor, Version, Programming Languages, Operating System, Contributors, Download URL, License, CPE ID, etc.
Projects and components are linked to each other.
You can also say that SW360 is the “Bill of Material” Management Tool
SW360 integrates all “Bill of Materials” in your company
[Figure: SW360 manages the BoM: Project XYZ, Project PQR and Project ABC are linked to components (OSS, commercial software, inner code); each component has Version 1, Version 2 and Version 3, and each version carries License, Vulnerability, ECCN, User History and Author information]
How to manage OSS with
SW360 property ?
Make it possible with
OSS Management Process
Example of Compliance Management End-to-End Process
(Ref) https://www.openchainproject.org/resources
Example Enterprise Process
Queued for Process: Own Proprietary Software, 3rd Party Software, Open Source
• Identification: Identify Open Source components for review
• Audit: Scan or audit source code – and – Confirm origin and license of source code
• Resolve Issues: Resolve any audit issues in line with company Open Source policies
• Reviews, Approvals: Review and approve compliance record of Open Source software components
• Registration: Record approved software/version in inventory per product and per release
• Notices: Compile notices for publication
• Verifications: Verify source code packages for distribution – and – Verify appropriate notices are provided
• Distribution: Publish source code, notices and provide written offer
• Verifications: Post publication verifications
Outgoing Software, Notices & Attributions, Written Offer
SW360 assists OSS management
Identification, Audit, Resolve Issue, Review, Approval, Registration, Notice, Verification, Distribution, Verification
Identification
Identify Open Source components for review
SW360 supports:
• Register to use OSS
• Search the usage history of each OSS component
Audit
Scan or audit source code – and – Confirm origin and license of source code
SW360 supports:
• Register OSS source code (with version)
• License scan (license information from FOSSology)
• Register CPE ID (for detecting vulnerabilities)
• Register ECC (Export Control) information
Registration
SW360 supports:
• Check OSS (Name, Version, Person in charge, etc.) and Projects (Name, Project Version, etc.)
Notice
SW360 supports:
• Create user-friendly copyright and license list
• Register the format of the product attachment to be displayed on the document.
TOSHIBA OSS Management System Goal!
[Figure labels: Project Start; Survey internal user history; Vulnerability; Export Control & Customs; License; Develop; OSS Source Code; License Documents; OSS Management Process; Customers; OSS Community; tools: SW360, GitLab, FOSSology, CVE-Search ..]
Changing perspectives
Why do OSS related companies such as Toshiba need to utilize the OSS management system?
One company's improper use of OSS resonates throughout the entire supply chain.
[Figure: an issue at one company propagating along the supply chain]
OSS SW360 Ecosystem
• OpenChain Japan WG:
https://wiki.linuxfoundation.org/openchain/openchain-japanese-working-group
• OpenChain Tooling Work Group / Sharing creates value:
https://github.com/Open-Source-Compliance/Sharing-creates-value
Many members have public access to discussions related to SW360.
OpenChain Japan Work Group
Interpret in the Japanese language while sharing information with all OSS related connections in the world.
• OpenChain Japan has a Tooling Sub Group
• Try to discuss how to improve SW360's interface for non-English speakers / Japanese users.
• Apply for Japanese vulnerability information
• JVN = Japan Vulnerability Notes
• Translate to Japanese language
• Not only Japanese but also others
• etc.
In conclusion
• OSS management can be daunting
• Centralizing OSS information with SW360 is viable
• SW360 assists by complying with the OpenChain Process
• More people are showing interest in SW360
Try SW360
I'm going to give a live demonstration on how to use SW360 to create project information which includes component information
CC-BY-SA4.0 © 2019 Toshiba Corporation / Open Chain Project
Create Software Component
[Components]-[Add Component]
Register Component Release Information
Register Version etc…
[Components]-[Edit]-[Add Release]
Register project Information
Create Project Information which includes Component information
[Projects]-[Add Project]
Create License Document
[Projects]-[Linked Releases And Projects]-[Generate License Info]
Confirm Vulnerabilities
Check OSS Vulnerabilities
[Components]-[Vulnerabilities]
Q & A
kouki1.hama@toshiba.co.jp
Thank You

Using SW360 for OSS Compliance Management Process - A Toshiba Case Study for OpenChain Japan Work Group

  • 1. © 2019 Toshiba Corporation Open Source Summit Japan Using SW360 for OSS Compliance Management Process Thursday July 18, 2019 16:50 - 17:30 16:00 - 16:40 Hall B (4) Kouki Hama kouki1.hama@toshiba.co.jp Software Engineering & technology center Open Source Technology Department
  • 2. Thursday July 18, 2019 16:50 - 17:30 Hall B (4) Open Source Leadership Experience Level Beginner https://events.linuxfoundation.jp/events/open-source-summit-japan-2019/program/schedule/
  • 3. Summary: SW360 is an OSS tool used for centrally managing software component information, license information, vulnerability information, etc. This tool also allows you to associate project information with many software components. Toshiba has begun centralizing information management of open source software with SW360. This made it possible to share open source information across departmental barriers. On the other hand, feedback from users raised various issues. Kouki will explain how Toshiba has promoted the use of open source with SW360 and how to approach these issues. These include issues that originate from Japanese domestic requirements and issues that need to be solved beyond the boundaries of a company. Moreover, Kouki will report on what kind of open source compliance management system Toshiba aims for.
  • 4. Who am I? Kouki Hama (濵 功樹) • Toshiba Corporation (2016~now) • Research and Development OSS Compliance / Management Tool • SW360, Fossology, GitLab, spdx tool, … • Hobby • Playing with my cats • Mathematics (Research Nonlinear Optimization Algorithm) • Pokémon Go Hi I am Hama
  • 5. Today’s presentation consists of 5 points • Difficulty of Open Source Software compliance management • How to manage OSS with SW360 property? • OSS SW360 Ecosystem • Live demonstration • Q & A
  • 6. Difficulty of Open Source Software compliance management
  • 7. Need to confirm a lot of OSS information before using OSS. [Figure: "I use OSS_A"; OSS_A: • Version • License • Vulnerability • ECCN • User history • Author • etc]
  • 8. OSS spreading like mushrooms around the world. [Figure: many copies of OSS_A, each with its own • Vulnerability • License • ECCN • Version • History • Author; OSS_A: • Version • License • Vulnerability • ECCN • User History • Author • etc]
  • 9. And we need to clarify a lot of OSS related information. [Figure: "I check OSS_A, OSS_B, ... ??"; the same copies of OSS_A and property lists as on slide 8]
  • 10. In addition we need to prepare a lot of OSS related documents. [Figure: "I make document about OSS_A, OSS_B, ... ? ?"; the same copies of OSS_A and property lists as on slide 8]
  • 11. Occasionally, reusing other department/product’s OSS related documentation should look good. [Figure: My Product, Other Product 💡]
  • 12. However, reusing other product/project OSS information is challenging. WHY? [Figure: OSS information databases of Product A, Product B, Product C]
  • 13. Where is OSS_A Information? Answer 1. Finding property information from a lot of other products is tedious. [Figure: lists of OSS components (OSS_A to OSS_Z) for many products; OSS_A appears in several of them]
  • 14. Where is OSS_A License Information? Answer 2. Different products have their own respective OSS information. [Figure: component lists (OSS_A, OSS_B, OSS_C), (OSS_P, OSS_Q, OSS_A), (OSS_A, OSS_L, OSS_Z) with differing recorded properties: • Vulnerability • License • ECCN • Version • History • Author; • Vulnerability • ECCN • Version; • ECCN • License • Version]
  • 15. Answer 3. Different products have unique OSS version information. Where is OSS_A Ver1 License Information? [Figure: releases (r1, r2, r3, r4) of OSS_A, OSS_B, OSS_C over time, used by Proj 1, Proj 2, ... Proj N]
  • 16. Moreover, software dependency is a significant factor, but it can be complex. Can I use OSS_A Ver1 for my project? [Figure: My Source Code, Commercial Source Code, GPL License OSS, Static link]
  • 17. We need to put together OSS information • OSS review requires a certain amount of time • Avoid checking the same OSS information numerous times [Figure: Security Information; OSS License Scanner (commercial); License Scanner; Bill of Materials management (Source Code repository); ECC information; License information; Other Department OSS management System]
  • 18. The best approach is utilizing the OSS compliance tool. https://github.com/eclipse/sw360
  • 19. What is SW360? https://github.com/eclipse/sw360 A software component catalogue application – designed to work with FOSSology.
  • 20. SW360: Manage and Associate Project Information With OSS Related Components. Project register snapshot: Name, Version, Project visibility, Project type, Group, Project owner, etc. Component register snapshot (OSS Information): Name, Vendor, Version, Programming Languages, Operating System, Contributors, Download URL, License, CPE ID, etc. The two are linked to each other.
  • 21. You can also say that SW360 is the “Bill of Material” Management Tool. SW360 integrates all “Bill of Materials” in your company. Manage BoM. [Figure: Project XYZ, Project PQR, Project ABC linked to Component (OSS), Component (Commercial Soft), Component (Inner Code), Component (OSS); each component has Version 1, Version 2, Version 3, each version with • License • Vulnerability • ECCN • User History • Author]
  • 22. How to manage OSS with SW360 property? Make it possible with OSS Management Process
  • 23. Example of Compliance Management End-to-End Process. Example Enterprise Process. Stages: Identification, Audit, Resolve Issues, Reviews, Approvals, Registration, Notices, Verifications, Distribution, Verifications. Diagram labels: Queued for Process; Own Proprietary Software, 3rd Party Software, Open Source; Outgoing Software, Notices & Attributions, Written Offer. Stage descriptions: • Identify Open Source components for review • Scan or audit source code – and – Confirm origin and license of source code • Resolve any audit issues in line with company Open Source policies • Review and approve compliance record of Open Source software components • Record approved software/version in inventory per product and per release • Compile notices for publication • Verify source code packages for distribution – and – Verify appropriate notices are provided • Publish source code, notices and provide written offer • Post publication verifications. (Ref) https://www.openchainproject.org/resources
  • 24. SW360 assists OSS management. [Process bar: Identification, Audit, Resolve Issue, Review, Approval, Registration, Notice, Verification, Distribution, Verification]
  • 25. Identification: Identify Open Source components for review. SW360 supports: • Register to use OSS • Search used history of each OSS component
  • 26. Audit: Scan or audit source code – and – Confirm origin and license of source code. SW360 supports: • Register OSS source code (with version) • License scan (License information from Fossology) • Register CPE ID (for detecting vulnerability) • Register ECC (Export Control) information
  • 27. Registration. SW360 supports: • Check OSS (Name, Version, Person in charge, etc.) and Projects (Name, Project Version, etc.)
  • 28. Notice. SW360 supports: • Create user-friendly copyright and license list • Register the format of the product attachment to be displayed on the document.
  • 29. TOSHIBA OSS Management System Goal! [Figure: SW360, GitLab, FOSSology, CVE-Search ..; Customers; OSS Management Process; OSS Community; Survey internal User history, Vulnerability, Export Control & Customs, License; Develop; OSS Source Code, License Documents; Project Start]
  • 30. Changing perspectives: Why do OSS related companies such as Toshiba need to utilize the OSS management system?
  • 31. One company's improper use of the OSS resonates throughout all the supply chain. [Figure label: issue]
  • 32. OSS SW360 Ecosystem
  • 33. • Open Chain Japan WG: https://wiki.linuxfoundation.org/openchain/openchain-japanese-working-group • OpenChain Tooling Work Group / Sharing creates value: https://github.com/Open-Source-Compliance/Sharing-creates-value A lot of members will have access to discussions related to SW360 publicly.
  • 34. Open Chain Japan Work Group: Interpret in the Japanese language while sharing information with all OSS related connections in the world. • OpenChainJapan has Tooling Sub Group • Try to discuss how to improve sw360’s interface for non-English speakers / Japanese users. • Apply for Japanese vulnerability information • JVN = Japan Vulnerability Notes • Translate to Japanese language • Not only Japanese but also others • etc
  • 35. In conclusion • OSS management can be daunting • Centralizing OSS information with SW360 is viable • SW360 assists by complying with the OpenChain Process • More people are showing interest in SW360
  • 36. Try SW360. I'm going to give a live demonstration on how to use SW360: Create Project information which includes component information
  • 37. CC-BY-SA4.0 © 2019 Toshiba Corporation / Open Chain Project. Create Software Component: [Components]-[Add Component]
  • 38. Register Component Release Information. Register Version etc…: [Components]-[Edit]-[Add Release]
  • 39. Register Project Information. Create Project Information which includes Component information: [Projects]-[Add Project]
  • 40. Create License Document: [Projects]-[Linked Releases And Projects]-[Generate License Info]
  • 41. Confirm Vulnerabilities. Check OSS Vulnerabilities: [Components]-[Vulnerabilities]
  • 42. Q & A kouki1.hama@toshiba.co.jp
  • 43. Thank You