OSPOlogy Follow-up: How to automate your FOSS policy and processes

[anajsana]

Discuss with the community topics related to the upcoming OSPOlogy meeting:

📅 November, 15th ➡️ How to automate your FOSS policy and processes

• Join Zoom Link

In this open space, people can:

• Ask questions prior to the meeting starts
• Share notes from the conversation
• Make proposals for new initiatives that can help the OSPO Ecosystem
• Add useful links and resources related to the topic
• Connect with mentors involved in OSPOs and/or Open Source Management

📝 OSPOlogy Meeting Slides ➡️ How-to-automate-your-FOSS-policy-and-processes-thomas-steenbergen.pdf

[anajsana]

Question from Q&A:

One of the challenges I see with ORT is to scan C,C++ sources which uses Yocto/Apertis for build. How to acheive good accuracy for such use cases?

[tsteenbe]

ORT currently does not support the build tools for embedded build tools such as Yocto/Apertis - these are complex tools and we currently don't have the needed know-how/bandwidth within the contributors to implement support. Our friends at the Double Open project have if I remember correctly build an Yocto + ORT scanning pipeline for the clients see also https://github.com/doubleopen-project/do-convert.
If you are interested in adding Yocto/Apertis to ORT please reach out to us on ORT Slack or to me personally.

C/C++ community does not have a package manager and common practice we see developers just copy past code from the internet without retaining the original code repository, revision/version.

Ideally you have an engineer standards within your organization in place that outline how to retain copyright,license, code repository and revision for snippet/files/projects copied into your organization code base.

ORT does support using SPDX to describe C/C++ packages (name/version/repository/revision) in your code for spec see base spdx/spdx-spec#439 and for example https://github.com/movetk/movetk/blob/2059d2dfe4fb76d8e8f638c22d177fec5282e369/third_party/GsTL/package.spdx.yml

[juliancoccia]

I can add here that SCANOSS allows detection of code copied from the internet, and allows compliance validation by checking against the existing known list of components (SBOM).

Moreover, ORT integrates natively with SCANOSS, hitting by default the public OSSKB.org API service provided by the Software Transparency Foundation.

The combination of ORT and SCANOSS (detection of declared and undeclared dependencies, respectively) gives you a full view of dependencies and a complete SBOM.

[anajsana]

Question from Q&A

Hi Thomas, One question, currently ORT supports which commercial vendor for snippet scanning ?

[tsteenbe]

Snippet scanning currently requires a commercial vendor and ORT has built-in support for FOSS ID. Porsche OSPO are working on adding BlackDuck Hub support see oss-review-toolkit/ort#4632 and I in early conversation with another commercial provider so ORT user have a choice.

There early support for SCANOSS if you prefer to use an open source tool.

[anajsana]

Question from Q&A

Does it scan containers? Also, can it take an SBOM as an input and enrich with data?

[tsteenbe]

Does it scan containers?

ORT currently does not support scanning of containers, but we had discussion about it in the past - we were thinking of adding support for Tern which is also an ACT project like ORT.

The main issue with containers is that doing proper license compliance or generate SBOMs for them is next to impossible as container by default don't retain any of the info needed to resolve a container to its complete corresponding sources. Existing tools like Trivy or Syft are a best effort approach - don't only take my word for it see also Docker containers: What are the open source licensing considerations? or recent blogpost from Chainguard 1.

In the ORT community we working on building a largely compliance ORT Docker image an dit's easy to build the container but to get the source code for everything included has been keeping us busy. There is great ongoing work in CNCF and elsewhere to make reproducible containers but we are not there yet as a community.

Does it make sense for the ORT project to add container scanning knowing it won't be on the same level as our support for package managers?

If you think the answer is yes and you would like to contribute on this topic within the ORT community feel free to reach out to us on Slack or to my personally.

Also, can it take an SBOM as an input and enrich with data?

Recommend you download 3 SBOM generation tools and run them over the same node project with a package.json you will see that each of the tool produces a different SBOM. Why is this? Neither CycloneDX nor SPDX prescribe exactly how to translate a Java, JavaScript, Golang project into an SBOM - there is no validation test set that one could use as SBOM generator.

This make SBOM consumption not each for a tool like ORT to implement. This is why although we have all the logic in place to consume SBOMs (see my above C/C++ ) answer we currently do not support it via ORT's CLI.

The ORT project does participate in the SBOM bakeoff or SPDX DocFest when possible to create further alignment betweeen SBOM generator but it's till a developing topic.

Hope by the time SPDX 3.0 is released we can revisit the topic -if you want to stay up-to-date I recommend you follow these issues oss-review-toolkit/ort#4505 and oss-review-toolkit/ort#3797

[anajsana]

Question from Q&A

What about integrating Tern for container scanning - that seems to be what OpenChain recommended.?

[tsteenbe]

ORT currently does not support scanning of containers, but we had discussion about it in the past - we were thinking of adding support for Tern which is also an ACT project like ORT - and we know the ACT maintainers well.

that seems to be what OpenChain recommended.?

OpenChain as a specification does not recommend or endorse tools although it working group may highlight open source for example purposes.

[juliancoccia]

I can add here that SCANOSS allows detection of code copied from the internet, and allows compliance validation by checking against the existing known list of components (SBOM). Moreover, ORT integrates natively with SCANOSS, hitting by default the public OSSKB.org API service provided by the Software Transparency Foundation. The combination of ORT and SCANOSS (detection of declared and undeclared dependencies, respectively) gives you a full view of dependencies and a complete SBOM.

…

On 16 Nov 2022, at 12:49, Thomas Steenbergen ***@***.***> wrote: ORT currently does not support the build tools for embedded build tools such as Yocto/Apertis - these are complex tools and we currently don't have the needed know-how/bandwidth within the contributors to implement support. Our friends at the [])(https://www.doubleopen.org/) project have if I remember correctly build an Yocto + ORT scanning pipeline for the clients. If you are interested in adding Yocto/Apertis to ORT please reach out to us on ORT Slack or to me personally. C/C++ community does not have a package manager and common practice we see developers just copy past code from the internet without retaining the original code repository, revision/version. Ideally you have an engineer standards within your organization in place that outline how to retain copyright,license, code repository and revision for snippet/files/projects copied into your organization code base. ORT does support using SPDX to describe C/C++ packages (name/version/repository/revision) in your code for spec see base spdx/spdx-spec#439 <spdx/spdx-spec#439> and for example https://github.com/movetk/movetk/blob/2059d2dfe4fb76d8e8f638c22d177fec5282e369/third_party/GsTL/package.spdx.yml — Reply to this email directly, view it on GitHub <#207 (reply in thread)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AXICFUHVRN2EB46YBACQNPDWITC4NANCNFSM6AAAAAASAG5LSQ>. You are receiving this because you are subscribed to this thread.

[juliancoccia]

Thanks, Thomas. I replied to your previous email before seeing this one :)

…

On 16 Nov 2022, at 12:38, Thomas Steenbergen ***@***.***> wrote: Snippet scanning currently requires a commercial vendor and ORT has built-in support for FOSS ID. Porsche OSPO are working on adding BlackDuck Hub support see oss-review-toolkit/ort#4632 <oss-review-toolkit/ort#4632> and I in early conversation with another commercial provider so ORT user have a choice. There early support for SCANOSS if you prefer to use an open source tool. — Reply to this email directly, view it on GitHub <#207 (reply in thread)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AXICFUAU5BNQLMSPOJRQKCDWITBSVANCNFSM6AAAAAASAG5LSQ>. You are receiving this because you are subscribed to this thread.