Open Source Compliance Tool Chain Meeting May 6th 2019: Open Chain siemens.tld/keyword Restricted © Siemens AG 2019


  • 2019 Unrestricted Oliver Fendt

    OSS Compliance Tool Chain

    1. General description
    2. Big Picture
    3. Specific Elements
    4. Resources


  • OSS Compliance Tool Chain: why the OSS way

    a. Compliance is required by law
    b. We have a huge network of suppliers; their deliverables must be license compliant
    c. The compliance workflow / process needs to be part of the development / CI/CD process
    d. The tools need to be “orchestrable” as needed as well as adaptable as needed
    e. Budget constraints for license compliance work are given at all companies
    f. Installed legacy

    The only approach which copes with all constraints is an OSS based compliance toolchain

  • The Project “Sharing Creates Value”

    a. “This repo realizes the idea that Open Source Software (OSS) compliance activities will be less expensive by applying OSS principles”
    b. Sharing OSS compliance artifacts
    c. “Combining the existing tools to an integrated OSS Compliance Tool Chain”

    https://github.com/Open-Source-Compliance/Sharing-creates-value

  • Big Picture – Integrated Compliance Toolchain

    [Diagram: the following components, connected through an Integration layer (API/Data)]

    CI / CD Infrastructure: Build Tools; Continuous Integration; Artifact Repository; Source Code Repo

    License & Copyright Scanner; Component Analysis Service; Compliance artifact consistency; Component inventory (Metadata Repository); Dependency resolver; Source package downloader; Container content resolver; License Obligations Database; Policy checker (Compliance Checker); Obligation fulfillment; FOSS Compliance Bundle generator; Binary analyser

    Inbound software; outbound software & compliance artifacts; Public compliance artifact repos; contributions

    License: CC-BY-SA-4.0

  • Big Picture – Integrated Compliance Toolchain Instance

    [Diagram: the following components, connected through an Integration layer (API/Data)]

    CI / CD Infrastructure: Build Tools; Continuous Integration; Artifact Repository; Source Code Repo

    Component Analysis Service; Compliance artifact consistency; Container content resolver; Binary analyser

    Inbound software; outbound software & compliance artifacts; Public compliance artifact repos; contributions

    License: CC-BY-SA-4.0

  • Conclusion and Plans

    Let's build an OSS compliance tool chain together, this is no differentiating business element – it is simply required by law

    a. Define and describe most relevant use cases
    b. Define a suited data model for implementing the use cases
    c. Define the interfaces to implement the use cases
    d. Implement use cases