In recent years, the Software Bill of Materials (SBOM) has emerged as an important practice for managing risk in the software supply chain, and understanding and managing dependencies is an indispensable part of applying an SBOM. In SW360, a software component catalog application, we proposed features last year to manage SBOMs in the Software Package Data Exchange (SPDX) format (https://archive.fosdem.org/2022/schedule/event/howtomanageosslicenseobligationandsbomusingsw360new_features/). Because of the limitations of those features, dependency management remains an urgent problem to be solved. Projects registered in SW360 can only build their dependency graphs dynamically, by searching the components registered in SW360. To apply an SBOM, however, a project must be able to store its own dependency graph. Adding a dependency management function for projects registered in SW360 is therefore important for importing and managing SBOM information, such as SPDX data, in SW360, and it will also help in managing the vulnerabilities of those projects.

To achieve this goal, TOSHIBA proposed and developed a series of features in SW360 that let users manage the dependencies of their projects more conveniently: users can register, view and modify the dependency graphs of their projects flexibly. Combined with the existing SBOM management function in SW360, the new features will make it easier to use SBOMs in practice, and they will also help SW360 collaborate with other tools and explore further possibilities for managing vulnerabilities.

In this presentation, I will first explain the issues related to dependency management in SW360. Then I will introduce and demonstrate these new features of SW360 developed by TOSHIBA. Some of these features may still be under development.
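As an added illustration of the step the abstract is about (turning an imported SPDX SBOM into a dependency graph a project can store, and then using that stored graph for vulnerability impact), here is a small Python example. It is not SW360 code and does not use the SW360 API; it reads the standard SPDX 2.3 JSON fields (`packages[].SPDXID`, `relationships[]` with `DESCRIBES`, `DEPENDS_ON` and `DEPENDENCY_OF`) from a constructed, minimal document, validates that every referenced package exists, and rejects cycles before the graph would be persisted.

```python
"""Build a storable dependency graph from an SPDX 2.3 JSON SBOM.

Added example, not SW360's own code. The SBOM below is constructed for
the example and is not a real project's SBOM.
"""
import json
from collections import defaultdict

# Constructed sample SPDX 2.3 document (not a real SBOM).
SAMPLE_SPDX = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "example-app-sbom",
    "packages": [
        {"SPDXID": "SPDXRef-app", "name": "example-app", "versionInfo": "1.0.0"},
        {"SPDXID": "SPDXRef-libA", "name": "libA", "versionInfo": "2.1.0"},
        {"SPDXID": "SPDXRef-libB", "name": "libB", "versionInfo": "0.9.3"},
        {"SPDXID": "SPDXRef-libC", "name": "libC", "versionInfo": "4.0.0"},
    ],
    "relationships": [
        {"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES",
         "relatedSpdxElement": "SPDXRef-app"},
        {"spdxElementId": "SPDXRef-app", "relationshipType": "DEPENDS_ON",
         "relatedSpdxElement": "SPDXRef-libA"},
        {"spdxElementId": "SPDXRef-app", "relationshipType": "DEPENDS_ON",
         "relatedSpdxElement": "SPDXRef-libB"},
        {"spdxElementId": "SPDXRef-libA", "relationshipType": "DEPENDS_ON",
         "relatedSpdxElement": "SPDXRef-libC"},
        # Inverse form that some generators emit: "libC is a dependency of libB".
        {"spdxElementId": "SPDXRef-libC", "relationshipType": "DEPENDENCY_OF",
         "relatedSpdxElement": "SPDXRef-libB"},
    ],
})


def build_dependency_graph(spdx_json: str):
    """Return (roots, graph).

    roots: SPDXIDs the document DESCRIBES (the project's top-level packages).
    graph: SPDXID -> sorted list of direct dependency SPDXIDs.
    Raises ValueError if a relationship points at a package the SBOM does not
    declare, because a stored graph with dangling nodes silently hides part of
    the tree from later vulnerability matching.
    """
    doc = json.loads(spdx_json)
    known = {p["SPDXID"] for p in doc.get("packages", [])}
    graph = defaultdict(set)
    roots = []
    for rel in doc.get("relationships", []):
        src, typ, dst = rel["spdxElementId"], rel["relationshipType"], rel["relatedSpdxElement"]
        if typ == "DESCRIBES" and src == doc["SPDXID"]:
            roots.append(dst)
        elif typ == "DEPENDS_ON":
            graph[src].add(dst)
        elif typ == "DEPENDENCY_OF":  # normalise the inverse relationship
            graph[dst].add(src)
    referenced = set(graph) | {d for deps in graph.values() for d in deps}
    missing = referenced - known
    if missing:
        raise ValueError(f"relationships reference undeclared packages: {sorted(missing)}")
    return roots, {k: sorted(v) for k, v in graph.items()}


def transitive_dependencies(graph, root):
    """Sorted SPDXIDs reachable from root (root excluded), rejecting cycles."""
    seen, on_stack, order = set(), set(), []

    def visit(node):
        if node in on_stack:
            raise ValueError(f"dependency cycle through {node}")
        if node in seen:
            return
        on_stack.add(node)
        for dep in graph.get(node, []):
            visit(dep)
        on_stack.discard(node)
        seen.add(node)
        order.append(node)

    visit(root)
    order.remove(root)
    return sorted(order)


def projects_affected_by(graph, roots, vulnerable_pkg):
    """Roots whose stored dependency tree contains vulnerable_pkg."""
    return [r for r in roots if vulnerable_pkg in transitive_dependencies(graph, r)]


if __name__ == "__main__":
    roots, graph = build_dependency_graph(SAMPLE_SPDX)
    print("roots:", roots)
    print("graph:", json.dumps(graph, indent=2))
    print("affected by SPDXRef-libC:", projects_affected_by(graph, roots, "SPDXRef-libC"))
```

The graph returned by `build_dependency_graph` is what a project would persist; once it is stored, an advisory against `libC` can be mapped to affected projects with `projects_affected_by` without re-searching the component catalog, which is the difference the abstract draws between dynamically searched and stored dependency graphs.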
Speakers: Kouki Hama