In most cases, software today is not built from scratch, but rather assembled from various prepackaged third-party software components. As a result, organizations face the following challenges:
- Verifying various aspects of compliance when using third-party software components: license compliance, ECC checks, IP assessments, etc.
- Sharing knowledge about software components and their qualities. For example, which software components should be recommended, which should be phased out based on which criteria?
- Providing a broad overview of the components used: An organization and its supply chain management must have information about which assets are integrated into which products or solutions.
These three main use cases target different roles in an organization: quality managers, software developers, legal counsels, software architects, R&D managers etc. However, all these use cases share a common need for a central hub that manages insights into software components.
SW360 is an open source software project licensed under the EPL-1.0 that provides both a Web application and a repository to collect, organize and make available information about software components. It establishes a central hub for software components in an organization. SW360 allows for
- tracking components used by a project/product,
- assessing security vulnerabilities,
- maintaining license obligations,
- enforcing policies, and
- generating legal documents.
- Integration with other tools and data sources (e.g. license scanner, static code analysis, build infrastructure, etc.)
For example, SW360 can trigger a clearing process in the open source compliance tool FOSSology and import the resulting clearing reporting.
Data is either stored in SW360’s database or on the fly imported from external sources. In future it is planned to have federations of SW360 instances that share selected information. Besides its Web-based UI, all functionality of SW360 is available through an API that allows an integration into existing DevOps tools.
Eclipse SW360 is a software catalogue system to ease the management of software components (no matter whether FOSS, commercial or internal software) in organizations. In detail the system covers three areas:
- Provide information about software licenses and their consequences
- Enable software component management as a community effort in the sense of identifying useful ones against less useful components
- Identify experts for open source components in an organization (e.g. committers or contributors in a project) to ease the coordination with open source projects
- Provide component related information residing in / generated by other tools, for informed selection
- Component identification
- Exchanging (usage and adoption) information about software components
- Share knowledge about software, such as sharing integration experience or for example, experience with certification of a software component in a regulatory certification effort.
- Managing software components for facilitating a component clearing process
- Trigger component clearing workflows involving external systems (e.g. initiating FOSSology scans as described here https://github.com/sw360/sw360portal/wiki/User-Workflows:-sw360-and-FOSSology)
- Managing Security Vulnerabilities in open source components used in projects
- Track vulnerability handling for projects
- Managing of approved licenses and their legal implications
- Up to date software asset management
- Managed build processes
The system makes use of standards, such as Software Package Data Exchange (SPDX), Common Platform Enumeration (CPE) and Common Vulnerability and Exposure (CVE) to ensure consistent identification of licenses, components and vulnerabilities.
Out of scope
1. License scan: not in scope, because SW360 interacts with and delegates to specialzed tools and exchanges data: SW360 has FOSSology integrated which is a license scanner server software
2. Source code scan: not in scope, because SW360 interacts with and delegates to specialzed tools and exchanges data: SW360 has code to import project from specialiazed tools.
3. Code repository: while SW360 uses couchdb to store and efficently manage large amount of software packages and other files and archives, it is not meant to serve as concurrent versioning control system such as a git server.
Eclipse SW360 is a software catalogue application designed to provide a central place for sharing information about software components used by an organization. It is designed to neatly integrate into existing infrastructures related to the management of software artifacts and projects by providing separate backend services for distinct tasks and a set of portlets to access these services. A complete deployment unit exists (vagrant box or docker container) that contains a complete configuration of all services and portlets.
Currently SW360 comprises the following main use case areas:
- Component: Handling of information and processes related to components, e.g. name, vendor
- License: Handling of information regarding licenses, e.g. obligations, license texts etc.
- Project: handling of project information providing a context for the use of components.
- Vulnerability: Collecting Security Vulnerability Management Information and matching them with components stored in the component service.
as well as connectors to interact with external systems such as FOSSology or commercial code scan tools, e.g. to import data or trigger source code scan jobs.
Features at a glance
- Maintain component meta data such as involved licenses, name, project URL, involved contributors in organization, type of software, etc
- Attach all kinds of information including clearing reports, SPDX documents etc to components
- Store and retrieve license data and relate licenses with standardized obligations to ease comprehensibility of licenses for project (and guide projects responsible how to implement license obligations)
- Maintain project metadata and project BOM to put component’s use into context
- Notification if vulnerabilities exist for components
- Trigger clearing jobs for components in FOSSology
- Our vision is that SW360 will be the central hub in an organization to consolidate and share all meta information available about software components to help architects and developers to quickly make informed decisions about software components.
- Meta information of software components comprises legal information (license and copyright), software quality, project characteristics and health, security and project roles such as developers, supports and users.
- Fully integration in state of the art build / delivery infrastructure to realize continuous delivery of high quality software with all required artefacts (BOM, licenses, copyright information, etc)
- Build federations of SW360 instances to share selected information.
Eclipse Foundation provides a legal framework for commercial open source usage. This is one aspect why e.g. Bosch and Siemens consider contributing to open source projects at the Eclipse Foundation. Integral part of commercial use of open source is a proper management of legal information about OSS components.
SW360 can help in that respect and therefore eases the commercial development of open source software for organizations. The legal framework of the Eclipse Foundation and tools like SW360 appear to be a logical fit. Furthermore we expect to improve community building and involving further contributing parties.
Currently, the SW360 frontend is built with portlets that need to be deployed into a portlet container. We deploy the portlets to Liferay Portal Server as portlet container that is LGPL licensed in its community edition. SW360 works with the community edition of Liferay. There is no feature nor any possible / optional dependency on the commercial edition of Liferay. In fact, no developer / contributor of SW360 has used / installed the commercial edition of Liferay for SW360.
However, the involved contributions need Liferay Portal Server as prerequisite to be deployed to. Liferay does not require modification in order to run as prerequisite for the SW360 solution, the Liferay packages are used as original downloads by the user.
We have one transitive dependency to finbugs.annotations which is LGPL licensed. Prior to the initial contribution we will replace this dependency.
Our project schedule has three horizons:
In short-term (end of Q3/2016)
- Wish to prepare the initial contribution to Eclipse Foundation, which comprises adjustments to use Liferay as prerequisite
- Remove transitive dependency to findbugs.annotations
- Improve deployment with Docker
- Improve data model with feedback from already productive usage
- Maintain vulnerability information about involved components
- More overview listings for understand what is involved in a product BOM.
In mid-term (end of Q4/2016)
- Generators for disclosure documents / notice files and source code bundles
- More features for data curation such as component info merge
- CPE ID suggestion support for new components entries
In long-term (2017)
- Integrate functionality to automatically identify components in order to retrieve information for them (binary hashing and other mechanisms called as service)
- Interfaces to state of the art software development/deployment infrastructure
- Interfaces to other tools providing information about components
- Dynamic workflow component
- Federation of SW360 deployments connecting organizations or to implement organizational structures
- Public SW360 instance as SaaS solution
see project scheduling