Kouki Hama

In recent years, the Software Bill of Materials (SBOM) has emerged as an important practice to manage the risks in the software supply chain. To achieve this goal, understanding and managing the dependency is an indispensable task when applying the SBOM. In SW360 - a software component catalog application, we proposed features to manage SBOM in Software Package Data Exchange (SPDX) format last year (https://archive.fosdem.org/2022/schedule/event/howtomanageosslicenseobligationandsbomusingsw360new_features/). But because of the limitation of the old features, dependency management is still an urgent problem to be solved. The projects registered in SW360 can only create their dependency graphs by searching the components registered in SW360 dynamically. However, to apply SBOM, it's necessary to enable projects to store dependency graphs for themselves. Therefore, Adding the dependency management function for projects registered in SW360 is important for importing and managing SBOM information such as SPDX information in SW360. This function will also help in managing vulnerabilities of projects registered in SW360. To achieve this goal, TOSHIBA proposed and developed a series of features in SW360 to help users in managing the dependencies of their projects more conveniently. With these user-friendly features, users could register, view and modify the dependency graphs of their projects flexibly. Combined with the existing SBOM management function in SW360, the new features will help users to use SBOM in practice more easily. These features will also help SW360 to collaborate with other tools and explore more possibilities for managing vulnerabilities. In this presentation, I will first explain the issues related to dependency management in SW360. Then I would like to introduce and demonstrate these new features of SW360 developed by TOSHIBA. These features may include some that are still under development.

The management of SBoM　(software bill of material) is very important for companies to comply with the OpenChain specification.The latest features of SW360 support the management of license obligations and the management of SBOMs in SPDX format. In this presentation, I will introduce and demonstrate the features of SW360.

OpenChain ISO/IEC 5230 is the International Standard for open source license compliance. In the OpenChain specification, there are descriptions of SBoM management and OSS license obligations, and SW360 has features to help with both of these.

SPDX is an open standard for communicating software bill of material information, including components, licenses, copyrights, and security references.　This is also ISO standard (ISO/IEC 5962:2021). A new feature in SW360 is the ability to register, import, and export software component information according to the SPDX format, making it easier to integrate with other tools and manage information received from other companies.

For managing OSS licenses in SW360, the information about license obligations can be imported from the OSADL (Open Source Automation Development Lab) web site. This OSADL's web site provides a machine-readble summary of the main points of the OSS license in a form that anyone can get. (Licensed by CC-BY-4.0). New features in SW360 allows you to quickly import this OSADL license obigation information into your company's SW360.

The features introduced presentation may include some that are still under development.