Eclipse SW360 is a software catalogue system that eases the management of software components (whether FOSS, commercial or internal software) in organizations. In detail, the system covers three areas:
- Provide information
  - Provide information about software licenses and their consequences
  - Enable software component management as a community effort, in the sense of identifying useful components against less useful ones
  - Identify experts for open source components in an organization (e.g. committers or contributors in a project) to ease coordination with open source projects
  - Provide component-related information residing in, or generated by, other tools, for informed selection
  - Component identification
- Share knowledge
  - Exchange usage and adoption information about software components
  - Share knowledge about software, such as integration experience or, for example, experience with certifying a software component in a regulatory certification effort
- Support processes
  - Manage software components to facilitate a component clearing process
  - Trigger component clearing workflows involving external systems (e.g. initiating FOSSology scans as described here https://github.com/sw360/sw360portal/wiki/User-Workflows:-sw360-and-FOSSology)
  - Manage security vulnerabilities in open source components used in projects
  - Track vulnerability handling for projects
  - Manage approved licenses and their legal implications
  - Keep software asset management up to date
  - Support managed build processes
The system makes use of standards such as Software Package Data Exchange (SPDX), Common Platform Enumeration (CPE) and Common Vulnerabilities and Exposures (CVE) to ensure consistent identification of licenses, components and vulnerabilities.
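The practical reason for standard identifiers is that a catalogue entry can only be matched against vulnerability data if both sides name the component the same way. The following is an added example (not SW360's own code) that parses CPE 2.3 formatted strings, canonicalizes CVE identifiers, and matches a catalogue component against a few constructed vulnerability records. Function names, the placeholder vendor/product and the CVE-2099-* identifiers are assumptions made for the example; the matching is a simplified subset of the CPE name matching specification (only the `*` wildcard is handled).

```python
import re

# The eleven CPE 2.3 attributes that follow the "cpe:2.3" prefix, in order.
CPE23_ATTRS = ("part", "vendor", "product", "version", "update", "edition",
               "language", "sw_edition", "target_sw", "target_hw", "other")
# CVE ids: CVE-<4-digit year>-<4 or more digits>; accepted case-insensitively.
CVE_RE = re.compile(r"^CVE-(\d{4})-(\d{4,})$", re.IGNORECASE)


def _split_unescaped(s, sep=":"):
    """Split s on sep, keeping backslash-escaped separators inside a field."""
    fields, buf, i = [], [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):   # escaped char: keep both chars
            buf.append(s[i:i + 2])
            i += 2
            continue
        if s[i] == sep:
            fields.append("".join(buf))
            buf = []
        else:
            buf.append(s[i])
        i += 1
    fields.append("".join(buf))
    return fields


def parse_cpe23(s):
    """Parse a CPE 2.3 formatted string into a dict of its 11 attributes.

    Values are lower-cased so that two spellings of the same component
    compare equal later on.
    """
    fields = _split_unescaped(s.strip())
    if len(fields) != 13 or fields[0] != "cpe" or fields[1] != "2.3":
        raise ValueError("not a CPE 2.3 formatted string: %r" % s)
    attrs = dict(zip(CPE23_ATTRS, (f.lower() for f in fields[2:])))
    if attrs["part"] not in ("a", "o", "h", "*", "-"):
        raise ValueError("invalid CPE part %r" % attrs["part"])
    return attrs


def normalize_cve_id(s):
    """Return the canonical upper-case CVE identifier, or raise ValueError."""
    m = CVE_RE.match(s.strip())
    if not m:
        raise ValueError("not a CVE identifier: %r" % s)
    return "CVE-%s-%s" % (m.group(1), m.group(2))


def cpe_matches(component, pattern):
    """True if every attribute of the component is covered by the pattern.

    Simplified matching: '*' (ANY) on either side matches anything; any
    other value must be equal. The full CPE 2.3 matching rules ('-' for
    NA, wildcard prefixes) are deliberately left out of this example.
    """
    return all(pattern[k] == "*" or component[k] == "*" or pattern[k] == component[k]
               for k in CPE23_ATTRS)


# Constructed sample data (placeholders, not real advisories or products).
COMPONENT_CPE = "cpe:2.3:a:example_vendor:widget:1.4.2:*:*:*:*:*:*:*"
VULN_RECORDS = [
    {"id": "cve-2099-0001", "cpe": "cpe:2.3:a:example_vendor:widget:1.4.2:*:*:*:*:*:*:*"},
    {"id": "CVE-2099-0002", "cpe": "cpe:2.3:a:example_vendor:widget:2.0.0:*:*:*:*:*:*:*"},
    {"id": "CVE-2099-0003", "cpe": "cpe:2.3:a:example_vendor:*:*:*:*:*:*:*:*:*"},
]


def affecting_cves(component_cpe, records):
    """Return canonical CVE ids of the records whose CPE covers the component."""
    component = parse_cpe23(component_cpe)
    hits = []
    for rec in records:
        if cpe_matches(component, parse_cpe23(rec["cpe"])):
            hits.append(normalize_cve_id(rec["id"]))
    return hits


if __name__ == "__main__":
    print(affecting_cves(COMPONENT_CPE, VULN_RECORDS))
```

The escape handling matters in practice: a product name containing a literal colon is written as `\:` in a formatted string, and a naive `split(":")` would shift every later attribute by one and silently mis-match the version. Lower-casing and canonical CVE formatting do the same job on the other side of the lookup, so records entered by hand in different cases still collide on the same key.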
Out of scope
1. License scanning: not in scope, because SW360 interacts with and delegates to specialized tools and exchanges data with them. SW360 has an integration with FOSSology, which is a license scanner server.
2. Source code scanning: not in scope, for the same reason. SW360 has code to import projects from specialized tools.
3. Code repository: while SW360 uses CouchDB to store and efficiently manage large amounts of software packages and other files and archives, it is not meant to serve as a version control system such as a git server.