The Eclipse Apoapsis project provides a process and a reference implementation for large-scale software composition analysis (SCA). The ORT Server reference implementation is based on the OSS Review Toolkit (ORT).
Process Blueprints
Eclipse Apoapsis consolidates the requirements from the tooling side, like fast scan times or configuration as code, with the requirements from the institutionalized operations side in medium to large organizations, like access control or organization-specific structures.
The terminology is based on the capability map created by the OpenChain Automation Workgroup in the context of Open Source Management. It is planned to incrementally work out the API specification bottom-up, starting from the reference implementation. Additionally, it is intended to collect blueprints (e.g. central pipeline, decentralized SBOM generation with centralized metadata analysis, semi-automated analysis with a central metadata database) and use cases (e.g. security vulnerability monitoring, identification of the top 100 components used in the organization) that address the generic problem spaces observed in the community. Interested parties can use these to easily match their own problem space (birds of a feather) and map it to a potential solution concept.
It is planned to incrementally work out additional server setups to support further blueprints in the course of the project.
Reference Implementation
The Eclipse Apoapsis project's ORT Server provides a concrete solution for a blueprint, where a central SCA pipeline is used to cover a large range of project setups. Being based on ORT, the ORT Server provides:
- Recursive dependency analysis for more than 20 package managers
- Integration of several vulnerability databases
- Integration of several license, copyright, and snippet scanners
- Customizable compliance rules
- Lots of report formats, including SPDX and CycloneDX SBOMs
- Flexible configuration
This ORT core functionality is extended with:
- Scalable architecture with Kubernetes integration
- REST API to trigger scans and manage data
- Keycloak integration for authentication and role management
- Central database to enable data analysis across projects
The ORT Server developers are also contributors to ORT and both projects work in close collaboration.
The content of this open source project is received and distributed under the license(s) listed above. Some source code and binaries may be distributed under different terms. Specific license information is provided in file headers and in NOTICE files distributed with the project's binaries.