The FOSSology Project: 10 Years Of License Scanning

Jaeger, Michael C.; Fendt, Oliver; Gobeille, Robert; Huber, Maximilian; Najjar, Johannes; Stewart, Kate; Weber, Steffen; Würl, Andreas

doi:10.5033/ifosslr.v9i1.123

Cited by 9 publications

(2 citation statements)

References 0 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Once the known ⊍ unknown is identified, computed SWHIDs can be used as unique keys to lookup additional information about scanned artifacts that can then be included in scanning results. Typical example of additional information returned by code scanners for open compliance are: licensing information (already available from SWH itself, detected using FOSSology [17]), software composition analysis [25] decomposition (which would need to be computed separately), software provenance [14] information (that can be tracked at the scale of SWH [28]), and known vulnerability information (available from public CVE databases, but currently lacking an open data CVE↔SWHID mapping). Once these information become available from third-party KBs, extending swh-scanner to look them up and join them with scanning results would be a simple matter of programming.…”

Section: Discussionmentioning

confidence: 99%

“…The tooling landscape 8 conducted by the Open Source Tooling Group and the OpenChain [5] curriculum 9 provide a good overview of existing tools to support automated governance of FOSS supply chains, including tools that adhere to the open compliance principle [8] (see Section 1). State-of-the-art license scanners in the field are FOSSology [17], and ScanCode (discussed in [25] together with other FOSS tools for Software Composition Analysis). Zooming out from license detection per se, several tools are used in the compliance landscape to manage the workflow of vetting open source component before production use, such as Eclipse SW360 10 as component inventory manager and the OSS Review Toolkit (ORT) 11 that provides a customizable pipeline for continuous compliance [26].…”

Section: Related Workmentioning

confidence: 99%

See 1 more Smart Citation

Efficient Prior Publication Identification for Open Source Code

Serafini¹,

Zacchiroli²

2022

Preprint

View full text Add to dashboard Cite

Free/Open Source Software (FOSS) enables large-scale reuse of preexisting software components. The main drawback is increased complexity in software supply chain management. A common approach to tame such complexity is automated open source compliance, which consists in automating the verification of adherence to various open source management best practices about license obligation fulfillment, vulnerability tracking, software composition analysis, and nearby concerns. We consider the problem of auditing a source code base to determine which of its parts have been published before, which is an important building block of automated open source compliance toolchains. Indeed, if source code allegedly developed in house is recognized as having been previously published elsewhere, alerts should be raised to investigate where it comes from and whether this entails that additional obligations shall be fulfilled before product shipment. We propose an efficient approach for prior publication identification that relies on a knowledge base of known source code artifacts linked together in a global Merkle direct acyclic graph and a dedicated discovery protocol. We introduce swh-scanner, a source code scanner that realizes the proposed approach in practice using as knowledge base Software Heritage, the largest public archive of source code artifacts. We validate experimentally the proposed approach, showing its efficiency in both abstract (number of queries) and concrete terms (wall-clock time), performing benchmarks on 16 845 real-world public code bases of various sizes, from small to very large.

show abstract

Section: Discussionmentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

Efficient Prior Publication Identification for Open Source Code

Serafini¹,

Zacchiroli²

2022

Preprint

View full text Add to dashboard Cite

show abstract

Open Source for Open Source License Compliance

Fendt

Jaeger

2019

IFIP Advances in Information and Communication Technology

Self Cite

View full text Add to dashboard Cite

Today, many software systems are of a level of complexity that no single company can implement modern solutions alone. Thus many companies engage in the open source software (OSS) ecosystem to keep the development costs manageable. But the usage of third-party components (both OSS and commercial) also mandates the need of a license compliance process supported by suitable tools. This paper is focused on using open source tools and relevant processes for open source license compliance. OSS license compliance is a very important topic, and requires appropriate processes, culture, and tools. This work is based on extensive practical industrial experience and broad use at Siemens AG. We first describe the process and culture, then a set of tools. We complement this with related work in the community and future directions.

show abstract

Generative AI for Code Generation: Software Reuse Implications

Kapitsaki

2024

Reuse and Software Quality

View full text Add to dashboard Cite

The FOSSology Project: 10 Years Of License Scanning

Cited by 9 publications

References 0 publications

Efficient Prior Publication Identification for Open Source Code

Efficient Prior Publication Identification for Open Source Code

Open Source for Open Source License Compliance

Generative AI for Code Generation: Software Reuse Implications

Contact Info

Product

Resources

About