Kate Stewart

Closing down the devroom.

Other people: Alexios Zavras Adolfo García Veytia

An open-for-all session to ask any questions and discuss any topic about SBOMs

Other people: Adolfo García Veytia

Introduction to the topics and the structure of the devroom.

Other people: Alexios Zavras Adolfo García Veytia

This panel discussion will examine best practices for how the energy industry can implement and benefit from open source technology by exploring how traditional or legacy industries including automotive, embedded systems, finance, and networking/telecommunications have been transformed in recent years. Panelists will relay their experience working within these industries to explain how to speed adoption of open source to drive innovation and digital transformation to support the energy transition.

Other people: Ranny Haiby Ferdinanda Ponci Gabriele Columbro

The accurate identification of software elements and their dependency relationships are critical for understand when specific software is exploitable. Different types of dependencies necessary for security use cases will be explored.

Recently identified vulnerabilities found in Log4j has made it clear that we need to be able to track how software is included and used in applications and systems. The first challenge is identifying the software element (be it an application, library, component, file, snippet) accurately when there may be multiple ways to refer to it. The next challenge is clearly articulating the dependencies between these software elements. Once a vulnerability is identified and correlated with a well identified software element, the dependency information can be used to find if any key software elements may be impacted.

This talk will go through the approaches for identifying software via external references, as well as they types of relationships that have proven useful in tools so far to map out dependencies between the elements that tools producing SPDX SBOMs have found useful to date. We will demonstrate a proof of concept utility where an SPDX document with relationship information can be used to query the OSV online vulnerability database.

Other people: Gary O'Neall

The devroom intro by devroom organization team!

Other people: Philippe Ombredanne Antoine Mottier Michael C. Jaeger

If we come to this presentation: A big thank you for all persons who have submitted their presentation and many thanks for all attending.

Other people: Philippe Ombredanne Maximilian Huber Michael C. Jaeger

What is a software bill of materials, and why is there all the interest about it? In this session, a quick overview of the minimum viable fields to represent an SBOM, and efforts to help with automation of them.

Welcome to the Software Composition Analysis Devroom

This presentation introduces the devroom on software composition - an emerging topic on understanding what softare is being made of.

Other people: Philippe Ombredanne Maximilian Huber Michael C. Jaeger

Open source license compliance has become more complex as time progresses. Using open source tools and open standards (SPDX), we should be able to make it easy to comply with the terms of the licenses specified in the code, and not require expensive proprietary technologies. This talk will outline some steps that will help to make license compliance more transparent, and with automation, make it easier to fulfill the obligations.

Using an openly developed standard (SPDX), and open source tooling it is now possible to generate accurate summary information for a project with open source tools, that can be shared with those that use the project. Software development today builds thousand of open source components that developers have shared, tools permit composition of new interfaces from code from many sources, conveying the licensing information hasn't always been a priority for developers, and as a result there's a fair amount of ambiguity out there that needs sophisticated proprietary tooling to decipher the actual licenses in effect. By leveraging automation to generate this information when a project builds, it ensures that the intentions of the authors are accurate and can easily be respected.

This talk will overview the problem scope and then propose some open source tools that can help start the automation part using open standards to improve the transparency of the information.

Other people: Thomas Gleixner

In the current development version (will become 3.1) of FOSSology (www.fossology.org), we're now able to generate DEP5 directly for packages. This gives us a useful tool for validating the manually generated DEP5 files. Would like to discuss with others interested in release, packaging, and legal issues what would be needed to improve the accuracy of the licensing information carried with the packages currently in Debian. How updates should be reported, etc. Basically looking to figure out what actually makes sense to do, and how this new capability can be used to help.