The scale of modern software systems is growing beyond the capability of individuals and teams to keep track of them. This is driven by new software development and deployment technologies, massive use of open source, DevOps automation and increasingly powerful hardware. Traditional Software Composition Analysis (SCA) products struggle to keep up with this new scale and with modern methods like continuous integration, continuous package updates and agile releasing. At the same time we have seen a trend of software-driven enterprises starting to develop their own technology to solve these problems. Instead of relying on vendor solutions, the strategy is often to in-source the strategic integration and operation of SCA while partnering and collaborating on open-sourcing the technologies. sw360, Open Source Review Toolkit (ORT), Quartermaster and ClearlyDefined are examples of such enterprise-driven projects. They provide valuable partial technologies for continuous dependency, vulnerability and license compliance analysis and automation, yet a complete solution to the problem is still missing. The mission of the Oscano project is to solve the problem of scaling SCA to modern needs with an open source approach. It aims to integrate the new building blocks into a complete installable SCA solution and to act as an industry forum to coordinate coherent further development.
The Eclipse Oscano project provides a complete software composition analysis solution, focused on compliance and security, that can be installed in a cloud, local server, or workstation environment.
To achieve this, existing OSS components will be reviewed by the project team for possible integration into the Oscano stack. Capabilities that do not yet exist as OSS will be built and integrated. Oscano project scope:
- Creation of an installable open source software distribution providing a solution for large-scale continuous software composition analysis, for use cases like open source inventory management, license compliance and vulnerability remediation automation
- An architecture integrating existing open source SCA technologies and providing interfaces for legacy and vendor SCA systems
- An industry coordination forum to ensure sufficient and coherent investment in SCA technology projects and to agree on the architecture
- Communication and promotion of the Oscano solution
The Eclipse Oscano project aims to develop and distribute a complete software composition analysis solution installable in a cloud, local server or workstation environment.
The main use cases of Oscano include open source license compliance management, open source inventory management, vulnerability remediation automation and software analysis reporting.
The solution is designed to meet the challenge of the massively increasing scale and the continuous nature of building and releasing modern software systems. It addresses the scaling problem through four principal means:
1. A continuous and fully automated operation cycle from new code commit to analysis, scan and action
2. Maximum engagement of developers in the software analysis and management use cases, for direct and early troubleshooting
3. Risk-based smart analysis of compliance and vulnerability issues
4. Maximum re-use of pre-scanned open source software data
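The following is an added illustration of the third and fourth of these means, not Oscano project code: one analysis step of the kind a commit-triggered pipeline would run. It reads a dependency manifest, answers as much as it can from a cache of previously scanned components so that only unknown components need a fresh scan, and ranks what it finds by risk so that a developer is told what to act on first. The manifest, the cache, the license policy, the vulnerability identifiers (EXAMPLE-VULN-*) and the risk values assigned to license and unscanned findings are all constructed for the example and are assumptions, not a published Oscano design.

```python
"""Risk-ranked, cache-backed dependency analysis step (added example).

Not Oscano project code. All data below is constructed for illustration.
"""
from dataclasses import dataclass

# Constructed dependency manifest, as a CI step might read it after a commit.
MANIFEST = {
    "libalpha": "1.2.0",
    "libbeta": "0.9.1",
    "libgamma": "3.0.0",
    "libdelta": "2.1.0",
}

# Constructed "pre-scanned" cache: scan results shared across builds so that
# components already analysed are not scanned again. Keyed by (name, version).
PRESCANNED = {
    ("libalpha", "1.2.0"): {"license": "MIT", "vulns": []},
    ("libbeta", "0.9.1"): {
        "license": "GPL-3.0-only",
        "vulns": [{"id": "EXAMPLE-VULN-1", "severity": 9.8, "fixed_in": "0.9.2"}],
    },
    ("libgamma", "3.0.0"): {
        "license": "Apache-2.0",
        "vulns": [{"id": "EXAMPLE-VULN-2", "severity": 4.3, "fixed_in": "3.0.1"}],
    },
}

# Constructed policy: licenses acceptable for the product being built.
ALLOWED_LICENSES = {"MIT", "Apache-2.0", "BSD-3-Clause"}

# Assumed risk values for non-vulnerability findings (0..10 scale).
LICENSE_RISK = 7.0
UNSCANNED_RISK = 5.0


@dataclass
class Finding:
    component: str
    version: str
    kind: str        # "vulnerability", "license" or "unscanned"
    risk: float      # 0..10, higher means act sooner
    action: str      # what the developer is asked to do
    detail: str = ""


def analyse(manifest, cache, allowed_licenses):
    """Return (findings sorted by descending risk, components needing a scan)."""
    findings = []
    to_scan = []
    for name, version in manifest.items():
        record = cache.get((name, version))
        if record is None:
            # Cache miss: queue a real scan, but do not silently ignore it.
            to_scan.append((name, version))
            findings.append(Finding(name, version, "unscanned", UNSCANNED_RISK,
                                    "scan", "no cached scan data"))
            continue
        if record["license"] not in allowed_licenses:
            findings.append(Finding(name, version, "license", LICENSE_RISK,
                                    "review", record["license"]))
        for v in record["vulns"]:
            # Prefer a concrete upgrade target when the cache knows one.
            action = f"upgrade to {v['fixed_in']}" if v.get("fixed_in") else "mitigate"
            findings.append(Finding(name, version, "vulnerability",
                                    v["severity"], action, v["id"]))
    # Stable sort: equal-risk findings keep manifest order.
    findings.sort(key=lambda f: f.risk, reverse=True)
    return findings, to_scan


def should_block(findings, threshold=7.0):
    """Gate decision for the pipeline: block on any finding at or above threshold."""
    return any(f.risk >= threshold for f in findings)


def cache_hit_ratio(manifest, cache):
    """Fraction of manifest entries answered from pre-scanned data."""
    if not manifest:
        return 1.0
    return sum(1 for key in manifest.items() if key in cache) / len(manifest)


if __name__ == "__main__":
    found, pending = analyse(MANIFEST, PRESCANNED, ALLOWED_LICENSES)
    for f in found:
        print(f"{f.risk:4.1f} {f.kind:<13} {f.component}@{f.version}: {f.action} ({f.detail})")
    print("needs scan:", pending)
    print("block build:", should_block(found))
    print("cache hit ratio:", cache_hit_ratio(MANIFEST, PRESCANNED))
```

The ordering is the point: the critical vulnerability with a known fix comes first, the license conflict second, and the component with no data is surfaced rather than hidden, so the cache miss becomes a tracked work item instead of a silent gap in coverage.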
In addition to state-of-the-art core SCA functionality, the solution provides the following features:
- Enterprise integrations for authentication and access control, covering both source access and SCA system operation
- Interfaces and data conversion to support external software data sources for component metadata, scan results, compliance and vulnerability data
- An interface to legacy and vendor software for OSS component inventory management
- An open source obligation management solution for automated generation and publishing of obligated materials and for managing the workflow
- We want to position Oscano as a developer-oriented SCA solution. The Eclipse Foundation has traditionally been a strong advocate for the developer community through its many popular tools projects. Oscano also focuses on the developer by integrating its user experience into the developer's existing tools, in the form of CLI tools, Eclipse and other IDE plugins, CI script templates and Slack plugins. We also expect that the Eclipse Foundation can provide the Oscano project with a neutral institutional setting, more credible IP due diligence, a trusted governance framework and an independent distribution source for the project software.
- Modern software technologies lead to big software stacks at a scale that is no longer workable with manual processing of batch scans. Oscano retains control through continuous scanning and fast reaction to high-risk issues.
SECURITY: An automated de-facto code standard leads to secure software and promotes competitive access to vulnerability data
SPEED: Continuous scanning with a developer-facing experience enables immediate action and delegation of fix responsibility to developers
COST: Industry-wide re-use of standard component scan data saves cost and time
COMPLIANCE: A solution that continues to cover compliance in the future
LEADERSHIP: A community of enterprise software leaders
None at the moment.
Oscano is a distribution of open source software assembled from forthcoming and already existing pieces of software. The compilation, as well as all new standalone software developed in the project, will be licensed under the EPL. Existing software is required to be licensed under an OSI-conformant open source license and to integrate with the rest of the Oscano architecture in a compatible and documented way.
The current plan is to hold a constitutional meeting with the contributing parties in September 2018, in parallel with establishing an Eclipse Working Group. In the fourth quarter of 2018, work will start on two fronts:
1. Architecture planning, to agree on which existing open source technologies to use and to plan development of the missing functionality.
2. Distro development, starting from the Codescoop initial contribution and aiming to ship the first version (1.0) of a complete solution within 12 months.
The first use case to be completed is open source license compliance management. The 1.0 version is targeted to ship it together with a basic solution for vulnerability remediation automation. Later releases are planned to ship advanced features of these use cases and support for further enterprise integration interfaces.
After the initial function blocks (compliance and security) have been implemented, and depending on the contributors' votes, additional capabilities may include the following elements: