OSS License compliance within the FASTEN Project
Michele Scarlato
michele.scarlato@endocode.com
OSS 2021, May 2021
Content
● Open Source Software (OSS)
○ Package Management
○ Package Dependency Networks (PDNs)
○ OSS License compliance
○ Issues related to OSS distribution
● The FASTEN Project
○ Main goals
○ Overall Architecture
○ OSS License Detection and Compliance with Fasten
Open Source Software
● Allows code reuse.
● Simultaneously reduces development and maintenance costs.
● Is hosted on centralized
○ repositories, e.g., GitHub, BitBucket, …
○ and forges, e.g., Maven, PyPI, …
OSS development and use, driven by its collaborative nature, gives rise to a software ecosystem populated worldwide.
Package Management Systems
● Package Management Systems are widely used to provision version consistency during package installation or removal.
○ They decide which version of each library is chosen.
Package Dependency Networks (PDNs)
● PDNs are composed of packages and their dependencies.
● Package versions and dependencies increase network size and complexity,
○ generating complex graphs.
OSS License Compliance
● How do I know that I am not violating anyone’s copyrights, or that I am not linking against code with incompatible licenses?
● Accurately selecting open source components implies considering licensing issues, narrowing down your search by examining whether the project’s license is compatible with your business model, mission, or other software you are using (Spinellis, 2019) [3].
● A recent study [1] on license documentation found that fewer than 5% of approximately 5,000 popular free and open source packages contained complete and unambiguous license documentation (Ombredanne, 2020) [2].
Issues related to OSS distribution
Package maintainers often provide their source code for free.
● The impact of code modifications, e.g., deprecating and adding features, cannot be easily assessed.
● Small and large corporations use many OSS packages without paying the maintainers. What would motivate maintainers to keep their code updated?
● How can they spot instances of their code being distributed without permission?
● A few incidents (e.g., Left-pad, Equifax) have shown how removing one library from an ecosystem, or not caring about vulnerabilities in a specific package version, can bring down a considerable part of the network or cause huge financial losses.
The FASTEN Project
● Fine-Grained Analysis of SofTware Ecosystems as Networks
○ Goal: support DevOps teams and help developers track, manage and master dependencies.
● Part of the EU H2020-ICT-2018-2020 Program
● A consortium composed of:
Main goals
● Create an ecosystem-wide Fine-Grained Call Graph (FGCG) at the function level
○ Increasing the robustness of software ecosystems by making package management more intelligent
● Provide fully precise
○ usage analysis:
■ Does this vulnerability affect my code?
■ Am I linking to GPL code?
○ impact analysis:
■ How many clients will I break if I change this?
■ Can I safely update?
The FASTEN Knowledge Base architecture
The FASTEN Knowledge Base Dataflow
OSS License Detection and Compliance within Fasten
(Dataflow diagram; components: License detector, Knowledge Base, LCV, Compliance verifier)
1. “Repository cloned”
2. Start license detection
3. Detected licenses
4. “Licenses detected”
5. Verify compliance
6. Retrieve inbound licenses
7. Compliance verifier
8. Compliance information
OSS License Detection
● This phase builds the project to determine which licenses effectively end up in the package, and collects them.
● As output, this phase augments the Fasten Knowledge Base with the detected licenses.
● One aim is detecting the licenses of the dependencies, which are called inbound licenses.
● Another is identifying the license under which the scanned project is released, which is called the outbound license.
● After retrieving the inbound licenses and the outbound license, the validation phase runs an algorithm that performs a compatibility check, comparing each inbound license against the outbound license.
● These compatibility rules are stored in a Compatibility Matrix.
● The output of this phase is a compatibility assessment that augments the Fasten Knowledge Base.
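The validation step described above (each inbound license checked against the outbound license through a Compatibility Matrix), as an added Python example that is not the FASTEN LCV's own code. The matrix is an illustrative subset of widely known SPDX license rules rather than the project's Compatibility Matrix, the dependency coordinates are made up, and a license the matrix does not cover is reported as unknown instead of being silently accepted.

```python
"""Inbound-vs-outbound license compatibility check driven by a compatibility
matrix. Added example for this page; not the FASTEN LCV's code. The matrix is
a constructed, illustrative subset of well-known SPDX license compatibility
rules, and the dependency list below is constructed sample input."""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Set


class Verdict(str, Enum):
    COMPATIBLE = "compatible"
    INCOMPATIBLE = "incompatible"
    # A license the matrix does not cover is reported, never silently accepted.
    UNKNOWN = "unknown"


# outbound SPDX id -> inbound SPDX ids that may be combined into a work
# released under that outbound license (constructed, illustrative subset).
COMPAT_MATRIX: Dict[str, Set[str]] = {
    "MIT": {"MIT", "BSD-2-Clause", "BSD-3-Clause"},
    "Apache-2.0": {"Apache-2.0", "MIT", "BSD-2-Clause", "BSD-3-Clause"},
    "GPL-2.0-only": {"GPL-2.0-only", "GPL-2.0-or-later",
                     "MIT", "BSD-2-Clause", "BSD-3-Clause"},
    "GPL-3.0-only": {"GPL-3.0-only", "GPL-3.0-or-later", "GPL-2.0-or-later",
                     "Apache-2.0", "MIT", "BSD-2-Clause", "BSD-3-Clause"},
}

# Every id the matrix knows about, to tell "incompatible" from "unknown".
KNOWN_LICENSES: Set[str] = set(COMPAT_MATRIX) | set().union(*COMPAT_MATRIX.values())


def check_inbound(outbound: str, inbound_expr: str) -> Verdict:
    """Compare one inbound license expression against the outbound license.

    Handles the SPDX "A OR B" form (dual licensing): the dependency is
    compatible if any alternative is. If no alternative is compatible and at
    least one is not in the matrix, the result is UNKNOWN rather than a
    confident INCOMPATIBLE.
    """
    allowed = COMPAT_MATRIX.get(outbound)
    if allowed is None:
        return Verdict.UNKNOWN
    saw_unknown = False
    for alternative in (a.strip() for a in inbound_expr.split(" OR ")):
        if alternative in allowed:
            return Verdict.COMPATIBLE
        if alternative not in KNOWN_LICENSES:
            saw_unknown = True
    return Verdict.UNKNOWN if saw_unknown else Verdict.INCOMPATIBLE


@dataclass(frozen=True)
class Finding:
    dependency: str
    inbound: str
    verdict: Verdict


def verify_compliance(outbound: str, inbound: Dict[str, str]) -> List[Finding]:
    """Run the compatibility check for every dependency of a project."""
    return [Finding(dep, lic, check_inbound(outbound, lic))
            for dep, lic in sorted(inbound.items())]


def is_compliant(findings: List[Finding]) -> bool:
    """A project passes only when every inbound license is COMPATIBLE;
    UNKNOWN counts as a failure that needs a human decision."""
    return all(f.verdict is Verdict.COMPATIBLE for f in findings)


# Constructed sample input: a project released under GPL-3.0-only with five
# dependencies (Maven-style coordinates, made up for this example).
SAMPLE_OUTBOUND = "GPL-3.0-only"
SAMPLE_INBOUND = {
    "org.example:util": "MIT",
    "org.example:net": "Apache-2.0",
    "org.example:legacy": "GPL-2.0-only",             # GPLv2-only into GPLv3: incompatible
    "org.example:dual": "GPL-2.0-only OR Apache-2.0",  # dual licensed: the Apache-2.0 arm fits
    "org.example:vendor": "LicenseRef-Proprietary",   # not in the matrix: unknown
}

if __name__ == "__main__":
    findings = verify_compliance(SAMPLE_OUTBOUND, SAMPLE_INBOUND)
    for f in findings:
        print(f"{f.dependency:22} {f.inbound:32} {f.verdict.value}")
    print("compliant:", is_compliant(findings))
```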
OSS License Validation
OSS License Compatibility Graph
OSS License Compliance Verifier (LCV) input/output examples
● Docker execution of the Flask implementation
● API endpoints collection page
● CompatibilitySPDXFlag API endpoint and output
● CompatibilitySPDX API endpoint and output
OSS License Compliance Verifier integration with Maven architecture
LCV in CI/CD with GitHub actions
LCV in CI/CD with Jenkins
LCV in CI/CD with Jenkins/GitHub and Postman API tests using Newman
References
[1] P. Ombredanne and D. Clark, “What is the state of open source license clarity?” ClearlyDefined, Apr. 26, 2019. [Online]. Available: https://github.com/clearlydefined/license-score/blob/master/ClearlyDefined%20-%20ClearlyLicensed%20clarity%20report-2019.pdf
[2] P. Ombredanne, “Free and open source software license compliance: tools for software composition analysis,” IEEE Annals of the History of Computing 53.10 (2020): 105-109.
[3] D. Spinellis, “How to select open source components,” Computer 52.12 (2019): 103-106.
Link to a video of the GitHub actions execution.
Link to the video presentation.

Injustice - Developers Among Us (SciFiDevCon 2024)
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 

FASTEN presentation at OSS2021, by Michele Scarlato, Endocode, May 12, 2021, Online

8. Issues related to OSS distribution
Package maintainers are often providing their source code for free.
● The impact of code modifications, e.g., deprecating and adding features, cannot be easily assessed.
● Small and large corporations use many OSS packages, and they do not pay maintainers. What would motivate them to keep their code updated?
● How can they spot instances of code distributed without permission?
● A few incidents (e.g., Left-pad, Equifax) have shown how removing one library from an ecosystem, or not caring about vulnerabilities in a specific package version, can bring down a network of considerable size or cause a huge financial loss.
9. The FASTEN Project
● Fine-Grained Analysis of SofTware Ecosystems as Networks
○ Goal: support DevOps teams and help developers track, manage and master dependencies.
● Part of the EU H2020-ICT-2018-2020 Program
● A Consortium composed of:
10. Main goals
● Create an ecosystem-wide Fine-Grained Call Graph (FGCG) at the function level
○ Increasing the robustness of software ecosystems by making package management more intelligent
● Provide fully precise
○ usage analysis:
■ Does this vulnerability affect my code?
■ Am I linking to GPL code?
○ impact analysis:
■ How many clients will I break if I change this?
■ Can I safely update?
11. The FASTEN Knowledge Base architecture
12. The FASTEN Knowledge Base Dataflow
13. OSS License Detection and Compliance within Fasten
Sequence diagram involving the License detector, the Knowledge Base, the LCV and the Compliance verifier, with the following numbered steps:
1. “Repository cloned”
2. Start license detection
3. Detected licenses
4. “Licenses detected”
5. Verify compliance
6. Retrieve inbound licenses
7. Compliance verifier
8. Compliance information
14. OSS License Detection
● This phase builds the project to figure out which licenses effectively end up in the package, and collects them.
● As output, this phase augments the Fasten Knowledge Base with the detected licenses.
● One of the aims is the detection of the dependencies' licenses, which are called inbound licenses.
● Another is identifying the license under which the scanned project is released, which is called the outbound license.
15. OSS License Validation
● After retrieving the inbound licenses and the outbound license, the validation phase consists of running an algorithm that performs a compatibility check, comparing each inbound license against the outbound license.
● These compatibility rules are stored in a Compatibility Matrix.
● The output of this phase is a compatibility assessment that augments the Fasten Knowledge Base.
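The validation step of slides 13 to 15 as an added example, not code from the FASTEN project or its LCV: a compatibility matrix keyed by outbound then inbound SPDX identifier, a per-pair check (in the spirit of the CompatibilitySPDX output) and a single overall flag (in the spirit of CompatibilitySPDXFlag). The matrix entries, the function names and the fail-closed treatment of pairs missing from the matrix are assumptions made for this illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, Iterable, Optional

# Constructed, illustrative compatibility matrix (assumption: not FASTEN's own matrix
# and not a legal opinion). COMPATIBILITY[outbound][inbound] is True when a dependency
# released under `inbound` may be combined into a project released under `outbound`.
COMPATIBILITY: Dict[str, Dict[str, bool]] = {
    "MIT":          {"MIT": True, "Apache-2.0": True,  "GPL-2.0-only": False, "GPL-3.0-only": False},
    "Apache-2.0":   {"MIT": True, "Apache-2.0": True,  "GPL-2.0-only": False, "GPL-3.0-only": False},
    "GPL-2.0-only": {"MIT": True, "Apache-2.0": False, "GPL-2.0-only": True,  "GPL-3.0-only": False},
    "GPL-3.0-only": {"MIT": True, "Apache-2.0": True,  "GPL-2.0-only": False, "GPL-3.0-only": True},
}


@dataclass
class ComplianceReport:
    """Per-pair results (CompatibilitySPDX-style) plus one overall flag (CompatibilitySPDXFlag-style)."""
    outbound: str
    results: Dict[str, Optional[bool]] = field(default_factory=dict)  # None = pair not in matrix
    compliant: bool = False


def check_pair(outbound: str, inbound: str) -> Optional[bool]:
    """Look up one inbound/outbound pair; None when the matrix does not cover it."""
    return COMPATIBILITY.get(outbound, {}).get(inbound)


def verify_compliance(outbound: str, inbound_licenses: Iterable[str]) -> ComplianceReport:
    """Compare every inbound (dependency) license against the outbound (project) license."""
    report = ComplianceReport(outbound)
    for lic in sorted(set(inbound_licenses)):  # each distinct inbound license is checked once
        report.results[lic] = check_pair(outbound, lic)
    # Fail closed: a pair the matrix does not cover (None) blocks the overall flag just like
    # an incompatible pair does. A project with no inbound licenses is trivially compliant.
    report.compliant = all(v is True for v in report.results.values())
    return report


def compliance_flag(outbound: str, inbound_licenses: Iterable[str]) -> bool:
    """Single boolean verdict, the shape a flag-only endpoint would return."""
    return verify_compliance(outbound, inbound_licenses).compliant


if __name__ == "__main__":
    # Constructed sample of what the detection phase might have stored for one package.
    detected = {"outbound": "MIT", "inbound": ["MIT", "Apache-2.0", "GPL-3.0-only", "BSD-3-Clause"]}
    rep = verify_compliance(detected["outbound"], detected["inbound"])
    for lic, ok in rep.results.items():
        print(f"{lic:>14}: {'compatible' if ok else 'unknown pair' if ok is None else 'INCOMPATIBLE'}")
    print("compliant:", rep.compliant)
```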
17. OSS License Compliance Verifier (LCV) input/output examples
● Docker execution of the Flask implementation
● API endpoints collection page
18. OSS License Compliance Verifier (LCV) input/output examples
● CompatibilitySPDXFlag API endpoint
● CompatibilitySPDXFlag output
19. OSS License Compliance Verifier (LCV) input/output examples
● CompatibilitySPDX API endpoint
● CompatibilitySPDX output
20. OSS License Compliance Verifier integration with Maven architecture
21. LCV in CI/CD with GitHub Actions
22. LCV in CI/CD with Jenkins
23. LCV in CI/CD with Jenkins/GitHub and Postman API tests, using Newman
24. References
[1] P. Ombredanne and D. Clark, “What is the state of open source license clarity?” ClearlyDefined, Apr. 26, 2019. [Online]. Available: https://github.com/clearlydefined/license-score/blob/master/ClearlyDefined%20-%20ClearlyLicensed%20clarity%20report-2019.pdf
[2] P. Ombredanne, “Free and open source software license compliance: tools for software composition analysis,” IEEE Annals of the History of Computing 53.10 (2020): 105-109.
[3] D. Spinellis, “How to select open source components,” Computer 52.12 (2019): 103-106.
Link to a video of the GitHub Actions execution.
Link to the video presentation.