Eclipse SW360

Eclipse SW360

FOSDEM 2021

SW360 is a Web application for managing the software bill-of-material ("SBOM") of software projects and products. It is an Eclipse project licensed under the EPL-2.0 and thus available for everybody as Open Source Software. The application has a Web UI and REST endpoints for entering or importing the SBOM from dependency or package management systems. In addition, the import of SBOM files using the SPDX spec is supported. Based on the imported SBOM or a software project, a number of functionality is possible, ref to management of vulnerabilities, license and trade compliance or statistics about component usage. The submitted talk introduces and presents SW360.

SW360 is an open source software project licensed under the EPL-2.0 that provides both a web application and a REST API to collect, organize and make available information about software components. It establishes a central hub for software components in an organization. SW360 allows for

• tracking components used by a project/product,
• assessing security vulnerabilities,
• maintaining license obligations,
• enforcing policies, and
• maintain statistics. For example, SW360 can trigger a license scan process in the open source compliance tool FOSSology and import the resulting clearing reporting. Data is either stored in SW360’s database or on the fly imported from external sources. In future we plan to have federations of SW360 instances that share selected information. Besides its web-based UI, all functionality of SW360 is available through an API that allows an integration into existing devops tools.

Speakers: Smruti Prakash Sahoo Jaideep Palit Abdul Kapti