The latest OpenChain Webinar will feature Jeff Shapiro and Gary O’Neall.
At the time of the event you can join us at:
https://zoom-lfx.platform.linuxfoundation.org/meeting/98013366941?password=02a35380-0692-497d-b5a9-05e650965da4
Abstract:
We have been doing source-level license scans for Linux Foundation (LF) projects for a long time, including generating SPDX-formatted files, but what about SBOMs that can meet (and exceed) the government minimum specification? Here at the LF, we are now leveraging our existing scanning capabilities to generate SBOMs for these same critical open source projects.
In the LF spirit, we are using existing open source tools to scan project dependencies to produce an SBOM that meets the minimum spec. We are also producing dependency-level license data to complement our source-level scans. In the near future we will be combining these to produce a grand unified SBOM that will meet a newly defined LF minimum specification for SBOMs.
We will talk about our process to generate these SBOMs, the challenges we faced, our future plans, and share more about how you can make use of these for the projects you care about most.
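The "government minimum specification" the abstract refers to is the NTIA minimum elements for an SBOM (supplier, component name, version, unique identifiers, dependency relationships, SBOM author, timestamp). The script below is an added example, not the LF's tooling or anything from the webinar: it loads an SPDX 2.x JSON document and reports which of those elements are missing. Which SPDX fields it treats as satisfying each element (for instance requiring a purl or CPE external reference as the unique identifier, and treating a DESCRIBES, DEPENDS_ON, CONTAINS or DEPENDENCY_OF relationship as the dependency link) is this example's own reading of the spec, and the embedded SBOM is constructed for illustration.

```python
"""Check an SPDX 2.x JSON SBOM against the NTIA minimum elements.

Added example; the field-to-element mapping below is an assumption made
here, not an official SPDX or NTIA conformance profile.
"""
import json
import sys
from datetime import datetime

# Constructed sample document: one described root package with two
# dependencies, deliberately missing a few minimum elements.
SAMPLE_SPDX_JSON = """
{
  "spdxVersion": "SPDX-2.3",
  "dataLicense": "CC0-1.0",
  "SPDXID": "SPDXRef-DOCUMENT",
  "name": "example-app-sbom",
  "documentNamespace": "https://example.invalid/spdx/example-app-1.0.0",
  "creationInfo": {
    "created": "2022-05-01T12:00:00Z",
    "creators": ["Tool: example-scanner-0.1", "Organization: Example Org"]
  },
  "packages": [
    {"SPDXID": "SPDXRef-Package-example-app", "name": "example-app",
     "versionInfo": "1.0.0", "supplier": "Organization: Example Org",
     "downloadLocation": "NOASSERTION",
     "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                       "referenceType": "purl",
                       "referenceLocator": "pkg:generic/example-app@1.0.0"}]},
    {"SPDXID": "SPDXRef-Package-libfoo", "name": "libfoo",
     "versionInfo": "2.3.1", "supplier": "NOASSERTION",
     "downloadLocation": "NOASSERTION"},
    {"SPDXID": "SPDXRef-Package-libbar", "name": "libbar",
     "supplier": "Person: Jane Doe", "downloadLocation": "NOASSERTION",
     "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                       "referenceType": "purl",
                       "referenceLocator": "pkg:generic/libbar@0.9"}]}
  ],
  "relationships": [
    {"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES",
     "relatedSpdxElement": "SPDXRef-Package-example-app"},
    {"spdxElementId": "SPDXRef-Package-example-app",
     "relationshipType": "DEPENDS_ON",
     "relatedSpdxElement": "SPDXRef-Package-libfoo"}
  ]
}
"""

DEPENDENCY_TYPES = {"DEPENDS_ON", "CONTAINS", "DEPENDENCY_OF"}


def check_minimum_elements(doc: dict) -> list:
    """Return a list of human-readable problems; empty means all elements present."""
    problems = []

    # SBOM author and timestamp live in creationInfo.
    info = doc.get("creationInfo", {})
    if not info.get("creators"):
        problems.append("document: no creator (SBOM author) listed")
    try:
        datetime.strptime(info.get("created", ""), "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        problems.append("document: missing or malformed 'created' timestamp")

    packages = doc.get("packages", [])
    if not packages:
        problems.append("document: no packages")

    ids = set()
    for pkg in packages:
        pid = pkg.get("SPDXID", "<no SPDXID>")
        ids.add(pid)
        if not pkg.get("name"):
            problems.append(f"{pid}: component name missing")
        if not pkg.get("versionInfo"):
            problems.append(f"{pid}: version missing")
        if pkg.get("supplier") in (None, "", "NOASSERTION"):
            problems.append(f"{pid}: supplier missing or NOASSERTION")
        # SPDXID is only document-local; require a purl/CPE style identifier.
        refs = pkg.get("externalRefs", [])
        if not any(r.get("referenceCategory") in ("PACKAGE-MANAGER", "SECURITY")
                   for r in refs):
            problems.append(f"{pid}: no unique identifier (purl/cpe external ref)")

    # Dependency relationships: every package must be the described root or
    # appear in at least one dependency-type relationship.
    rels = doc.get("relationships", [])
    described = {r.get("relatedSpdxElement") for r in rels
                 if r.get("relationshipType") == "DESCRIBES"}
    if not described:
        problems.append("document: no DESCRIBES relationship for the root package")
    related = set()
    for r in rels:
        if r.get("relationshipType") in DEPENDENCY_TYPES:
            related.update((r.get("spdxElementId"), r.get("relatedSpdxElement")))
    for pid in sorted(ids - described - related):
        problems.append(f"{pid}: not in any dependency relationship")
    return problems


def check_sample() -> list:
    """Run the check on the constructed sample document."""
    return check_minimum_elements(json.loads(SAMPLE_SPDX_JSON))


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            findings = check_minimum_elements(json.load(fh))
    else:
        findings = check_sample()
    print("\n".join(findings) if findings else "all NTIA minimum elements present")
```

Run it with a path to an SPDX JSON file, or with no arguments to see the sample's four findings. The check is deliberately conservative: a supplier of NOASSERTION and a package that appears in no relationship both count as failures, since those are exactly the gaps a dependency scan tends to leave behind in a source-level SPDX file.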
Speakers:
Gary O’Neall
Gary is a contributor to the Software Package Data Exchange® (SPDX™), an open standard for communicating software bill of materials information, including components, licenses, copyrights, and security references. Gary has contributed several open source tools. Gary O’Neall is responsible for product development and technology for Source Auditor Inc., a software and service company helping software companies manage the technical and legal risks of open-source software.
Jeff Shapiro
Jeff Shapiro is the Director of License Scanning for The Linux Foundation. He has over 30 years of experience in the software industry, including 10 years in software auditing, open source scanning, and training developers in OSS license compliance.