The management of SBoM (software bill of material) is very important for companies to comply with the OpenChain specification.The latest features of SW360 support the management of license obligations and the management of SBOMs in SPDX format. In this presentation, I will introduce and demonstrate the features of SW360.
OpenChain ISO/IEC 5230 is the International Standard for open source license compliance. In the OpenChain specification, there are descriptions of SBoM management and OSS license obligations, and SW360 has features to help with both of these.
SPDX is an open standard for communicating software bill of material information, including components, licenses, copyrights, and security references. This is also ISO standard (ISO/IEC 5962:2021). A new feature in SW360 is the ability to register, import, and export software component information according to the SPDX format, making it easier to integrate with other tools and manage information received from other companies.
For managing OSS licenses in SW360, the information about license obligations can be imported from the OSADL (Open Source Automation Development Lab) web site. This OSADL's web site provides a machine-readble summary of the main points of the OSS license in a form that anyone can get. (Licensed by CC-BY-4.0). New features in SW360 allows you to quickly import this OSADL license obigation information into your company's SW360.
The features introduced presentation may include some that are still under development.
Speakers: Kouki Hama