Eclipse Apoapsis consolidates the requirements from the tooling side (e.g. fast scan times, configuration as code, ...) on the one hand and the requirements of institutionalized operation in medium to large organizations on the other hand (e.g. user access, role concept, organization-specific structures, ...). In its concepts and terminology it is based on the capability map created by the OpenChain Automation Workgroup in the context of Open Source Management (https://github.com/Open-Source-Compliance/Sharing-creates-value/tree/master/Tooling-Landscape/CapabilityMap). It is planned to work out the API specification incrementally and bottom-up in the course of the project, starting from the reference implementation. Additionally, it is intended to collect blueprints (e.g. central pipeline, decentralized SBOM generation with centralized metadata analysis, semi-automated analysis with a central metadata database, ...) and use cases (e.g. security vulnerability monitoring, identification of the top 100 components used in the organization, "as a ... I want to ... so that ...") that address generic problem spaces observed in the community. Interested parties can use these to easily match their own problem space (birds of a feather) and map it to a potential solution concept.
In an initial phase, the Eclipse Apoapsis project's ORT-server provides a concrete solution for one blueprint: central Software Composition Analysis pipelines operated at scale, covering a large range of project setups (e.g. from mobile apps using CocoaPods to cloud services using Java/Maven) with a configurable extent of analysis (e.g. from mere SBOM creation to full dependency analysis including vulnerabilities and copyright/license reports). To achieve this, the ORT-server is based on the OSS Review Toolkit and makes use of its integration APIs for dependency analysis, license scanning, vulnerability databases, the rule engine, and report generation. The Eclipse Apoapsis project itself concentrates on the server functionality, including user and role management and the necessary APIs.
Necessary API harmonizations are worked out indirectly, in close collaboration with the original authors of the respective upstream projects (e.g. ORT's technical steering committee).
The OpenChain Automation Workgroup developed a capability map in the context of Open Source Management (https://github.com/Open-Source-Compliance/Sharing-creates-value/tree/master/Tooling-Landscape/CapabilityMap). Within this workgroup the OSS Review Toolkit provides a reference implementation for Open Source Management automation and will be part of the first blueprint for the server setup.
It is planned to work out additional server setups incrementally in the course of the project to support further blueprints.
The content of this open source project is received and distributed under the license(s) listed above. Some source code and binaries may be distributed under different terms. Specific license information is provided in file headers and in NOTICE files distributed with the project's binaries.