Reviews run for a minimum of one week. The outcome of the review is decided on this date. This is the last day to make comments or ask questions about this review.
Open Source has arrived in day-to-day software development of all kinds of organizations. However, to use Open Source software in legally compliant and save way, various precautions have to be taken and obligations have to be fulfilled. E.g. many open source licenses require to ship the license text with a software or list the copyright holders. Doing that in a manual way is tedious and error prone. Hence, tools like Eclipse SW360 are created.
Today's software development is on a high pace with almost fully automated build pipelines and continuous deployment scenarios. To properly provide software development projects with compliance related artifacts it is required to provide those artifacts in an automated way.
The Eclipse SW360antenna project provides tooling to generate compliance related artifacts (disclosure document, source code bundle, written offer etc) directly within a build process. It relies on data that is provided by different sources such as an SW360 instance.
Eclipse SW360antenna is a tool to automate your open source license compliance processes as much as possible. In the end that is
- collecting all compliance relevant data,
- process that data and warn if there might be any license compliance related issues, and
- generating a set of compliance artifacts (source code bundle, disclosure document, report)
for your project.
To reflect those three different types of tasks SW360antenna is built around a workflow engine, which allows to orchestrate a set of analyzers to gather required information, processors to arrange, adjust and evaluate that data, and a set of generators to produce a set of compliance related artifacts. Since licensing issues can deeply affect the success of your project it is required to be notified about any issues as early as possible in the development process. It is therefore useful to generate that information directly within your build. SW360antenna can directly be integrated into the build process. This is realized with several so called frontends to build systems, which allow to invoke the tool and provide it with necessary configuration.
The SW360antenna project is set up in a way that allows to easily create a custom configuration with a preconfigured set of shipped and custom analyzers, processors and generators to fit the needs of your internal compliance processes. E.g. You might use a commercial tool to analyze your dependencies and do not rely on the results of the maven dependency plugin. In that case you can provide a custom analyzer implementation, provide a custom configuration and bundle that as the tool, which can be used by your development teams to scan their projects.
Creating a project like SW360antenna to supplement Eclipse SW360 is the natural next step. SW360 is capable of collecting component information and making it available at a central place. The natural next step is to provide tooling to actually use that information in a build and by that further automate the compliance processes in organizations.
The initial contribution will be the publicly releasable part of an internal tool (TINA Tool) that is already in productive use for quite a while at Bosch Software Innovations GmbH. It consists of roughly 20 KLOC and is a Maven multi-module project.
The initial contribution is sole property of the Bosch Software Innovations GmbH. It has all rights to publish and distribute the code. The existing code is already prechecked and should not contain any dependencies that conflict with the Eclipse rules.
- provide initial contribution
- legal check of initial contribution
- setup public build infrastructure
- setup project page
- first milestone release
- further feature implementation
- Provide Gradle frontend
- Enhance SW360 connector
- Improve documentation and supporting material
- Present project at conferences (EC France, BITKOM, ...)
- Setup mailing list
- Communicate availability in already established network around Open Source Compliance Tooling