This proposal has been approved and the Eclipse Oscano project has been created.
Visit the project page for the latest information and development.

Eclipse Oscano

Tuesday, August 14, 2018 - 07:51 by Stefan Just
This proposal is in the Project Proposal Phase (as defined in the Eclipse Development Process) and is written to declare its intent and scope. We solicit additional participation and input from the community.
Proposal State: Created
Background

The scale of modern software systems is growing beyond the capability of individuals and teams to keep track of them. This is caused by new software development and deployment technologies, massive use of open source, DevOps automation and increasingly powerful hardware. Traditional Software Composition Analysis (SCA) products struggle to keep up with this new scale and with modern methods such as continuous integration, continuous package updates and agile releasing. At the same time, we have seen a trend of software-driven enterprises starting to develop their own technology to solve these problems. Instead of relying on vendor solutions, the strategy is often to in-source the strategic integration and operation of SCA and to partner and collaborate on open sourcing the technologies. sw360, Open Source Review Toolkit (ORT), Quartermaster and ClearlyDefined are examples of such enterprise-driven projects. They provide valuable partial technologies for continuous dependency, vulnerability and license compliance analysis and automation, yet a complete solution to the problem is still missing.

The mission of the Oscano project is to solve the problem of scaling SCA to modern needs with an open source approach. It aims to integrate the new building blocks into a complete installable SCA solution and to act as an industry forum to coordinate coherent further development.

Scope

The Eclipse Oscano project provides a complete software composition analysis solution, focused on compliance and security, that can be installed in a cloud, local server, or workstation environment.

To achieve this, existing OSS components will be reviewed by the project team for possible integration into the Oscano stack. Capabilities not existing as OSS will be built and integrated. Oscano project scope:

  • Creation of an installable open source software distribution providing a solution for large-scale continuous software composition analysis for use cases like open source inventory management, license compliance and vulnerability remediation automation

  • An architecture integrating existing open source SCA technologies and providing interfaces for legacy and vendor SCA systems.

  • An industry coordination forum to ensure sufficient and coherent investment into SCA technology projects and to agree on the architecture

  • Communication and promotion of the Oscano solution

Description

The Eclipse Oscano project aims to develop and distribute a complete software composition analysis solution installable in a cloud, local server or workstation environment.

Main use cases of Oscano include Open Source license compliance management, open source inventory management, vulnerability remediation automation and software analysis reporting. 

The solution is designed to meet the challenge of the massively increasing scale and the continuous nature of building and releasing modern software systems. It addresses the scaling problem through four principal means:

  1. Continuous and fully automated operation cycle from new code commit to analysis, scan and action
  2. Maximum engagement of developers in the software analysis and management use cases for direct and early troubleshooting
  3. Risk-based smart analysis of compliance and vulnerability issues
  4. Maximum re-use of pre-scanned open source software data

In addition to state-of-the-art core SCA functionality, the solution provides the following features:

  • Enterprise integrations for authentication and access control for source access and SCA system operation
  • Interfaces and data conversion to support external software data sources for component meta-data, scan results, compliance and vulnerability data
  • Interface for legacy and vendor software for OSS component inventory management
  • Open Source obligation management solution for automated generation and publishing of obligated materials and managing the workflow.

Why Here?

  • We want to position Oscano as a developer-oriented SCA solution. The Eclipse Foundation has traditionally been a strong advocate for the developer community through its many popular tools projects. Oscano also focuses on the developer by integrating its user experience into the developer's existing tools in the form of CLI tools, Eclipse and other IDE plugins, CI script templates and Slack plugins. We also expect that the Eclipse Foundation can provide the Oscano project with a neutral institutional setting, more credible IP due diligence, a trusted governance framework and an independent distribution source for the project software.
  • Modern software technologies lead to Big Software stacks at a scale that is no longer workable with manual processing of batch scans. Oscano retains control with continuous scanning and fast reaction to high-risk issues
    • SECURITY: Automated de-facto code standard leads to secure software and promotes competitive access to vulnerability data

    • SPEED: Continuous scan with developer experience enables immediate action and delegation of fix responsibility to developers

    • COST: Industry-wide re-use of standard component scan data saves cost and time

    • COMPLIANCE: The solution to cover it also in the future

    • LEADERSHIP: Community of enterprise software leaders

Future Work

After the initial function blocks (compliance and security) have been implemented, depending on the contributors' votes, additional capabilities may include the following elements:

Project Scheduling

The current plan is to hold a constitutional meeting with contributing parties in September 2018, in parallel with establishing an Eclipse Working Group. In the fourth quarter of 2018, work will start on two fronts:

  1. Architecture planning, to agree on which existing open source technologies to use and to plan development of the missing functionality.
  2. Distro development, starting from the Codescoop initial contribution and aiming to ship the first version (1.0) of a complete solution within 12 months.

The first use case to be completed is Open Source license compliance management. The 1.0 version aims to ship it together with a basic solution for vulnerability remediation automation. Later releases are planned to ship advanced features of these use cases and support for interfaces for further enterprise integration.

Project Leads
Interested Parties

Disney Company

Siemens AG

Here

ASML

Initial Contribution

The starting point of the Oscano software is a cloud distribution of an initial SCA solution for continuous Open Source license compliance analysis and inventory management. It is assembled out of selected major OSS SCA technologies which exist today, including Open Source Review Toolkit, SW360, ClearlyDefined API, Fossology and ScanCode. In addition to these core components, there is new code to enhance, integrate, configure, build and deploy the distro on public cloud infrastructure with standard Docker and Kubernetes services. This solution distribution is provided by Codescoop as the initial contribution for the Oscano project.
