
Open Source based Supply Chain Management at scale

By | 2026-03-26 | April 1st, 2026 | Featured

In this lecture I came to understand the Open Source Tooling Group’s mission: to simplify and standardize how companies manage open source software compliance throughout their development and supply chains. The core challenge addressed is the difficulty of truly knowing whether the various compliance and security tools are working correctly, integrating smoothly, and consistently producing reliable data such as Software Bills of Materials (SBOMs). Traditional “plugfests” or superficial comparisons often don’t provide the depth of insight needed.

At the heart of the tooling recommended in this lecture is the Open Review Toolkit (ORT). This isn’t a single-purpose tool; it’s designed as a comprehensive “virtual conveyor belt” for open source compliance. ORT can automatically analyze a software project’s dependencies, download their source code, scan it for license and copyright information (often using tools like ScanCode), consult vulnerability databases (like VulnerableCode) for security risks, evaluate all these findings against an organization’s specific policies, and then generate detailed reports, including SBOMs in industry-standard formats like SPDX and CycloneDX. It acts as an orchestrator, integrating various specialized open source tools into a cohesive workflow.

A major advantage, and a key differentiator highlighted by the OpenChain project, is ORT’s robust and readily available testing infrastructure.

ORT Server currently has an OCCTET test instance. This instance allows companies to easily create and run full, end-to-end simulations of their entire software supply chain. The most effective way to test is to take one of the publicly available “dummy repositories” (designed to be more complex than a simple “Hello World” and to contain realistic dependencies) and run that identical repository through various compliance tools. By processing the same dummy repository through ORT’s full pipeline, users can compare the results generated by different tools, verify ORT’s accuracy, and confirm that their entire compliance workflow is functioning as expected. This allows for clear benchmarking, showcasing, and collaborative testing of compliance processes.
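As an added illustration (written for this post, not ORT’s own code, and not calling ORT), the following Python mimics two of the steps described above in miniature: the evaluator stage from the previous paragraph, where findings are checked against an organization’s policy, and the benchmarking use of a shared dummy repository described here, where two tools’ SBOMs for the same inputs are compared side by side. The CycloneDX-style documents, package URLs, vulnerability id and policy thresholds are all constructed placeholders.

```python
"""Policy evaluation and cross-tool comparison of SBOMs for one dummy repository.

Added example for this post; not ORT code. The two CycloneDX-style documents,
their package URLs, the vulnerability id and the policy are constructed.
"""
import json

# Constructed SBOM as a first tool (say, an ORT run) might emit it for the dummy repo.
TOOL_A_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"name": "lib-one", "version": "1.2.0", "purl": "pkg:npm/lib-one@1.2.0",
         "licenses": [{"license": {"id": "MIT"}}]},
        {"name": "lib-two", "version": "3.0.1", "purl": "pkg:npm/lib-two@3.0.1",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"name": "lib-three", "version": "0.4.0", "purl": "pkg:maven/example/lib-three@0.4.0",
         "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
        {"name": "lib-five", "version": "2.0.0", "purl": "pkg:pypi/lib-five@2.0.0"},
    ],
    "vulnerabilities": [
        {"id": "VULN-PLACEHOLDER-0001",  # constructed id, not a real advisory
         "affects": [{"ref": "pkg:npm/lib-two@3.0.1"}],
         "ratings": [{"score": 9.1, "severity": "critical", "method": "CVSSv31"}]},
    ],
})

# Constructed SBOM from a second tool over the same repository: it misses lib-three,
# finds an extra lib-four, and reports a different license for lib-two.
TOOL_B_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"name": "lib-one", "version": "1.2.0", "purl": "pkg:npm/lib-one@1.2.0",
         "licenses": [{"license": {"id": "MIT"}}]},
        {"name": "lib-two", "version": "3.0.1", "purl": "pkg:npm/lib-two@3.0.1",
         "licenses": [{"expression": "Apache-2.0 OR GPL-2.0-only"}]},
        {"name": "lib-four", "version": "0.1.0", "purl": "pkg:npm/lib-four@0.1.0",
         "licenses": [{"license": {"id": "ISC"}}]},
        {"name": "lib-five", "version": "2.0.0", "purl": "pkg:pypi/lib-five@2.0.0"},
    ],
})

# Assumed organizational policy; real thresholds come from the compliance team.
POLICY = {"denied_licenses": {"GPL-3.0-only", "AGPL-3.0-only"},
          "max_cvss": 7.0, "require_license": True}


def index_sbom(sbom_json):
    """Map each component ref (purl, else name@version) to its set of license ids."""
    doc = json.loads(sbom_json)
    index = {}
    for comp in doc.get("components", []):
        ref = comp.get("purl") or f"{comp['name']}@{comp.get('version', '')}"
        licenses = set()
        for entry in comp.get("licenses", []):
            if "expression" in entry:          # SPDX expression, kept as one string (not parsed)
                licenses.add(entry["expression"])
            else:                              # single license object form
                lic = entry.get("license", {})
                licenses.add(lic.get("id") or lic.get("name") or "NOASSERTION")
        index[ref] = licenses
    return index, doc.get("vulnerabilities", [])


def evaluate(sbom_json, policy=POLICY):
    """Evaluator stage: return sorted (rule, component ref, detail) violations."""
    index, vulns = index_sbom(sbom_json)
    violations = []
    for ref, licenses in index.items():
        if policy["require_license"] and not licenses:
            violations.append(("MISSING_LICENSE", ref, "no license declared"))
        for lic in licenses:
            if lic in policy["denied_licenses"]:
                violations.append(("DENIED_LICENSE", ref, lic))
    for vuln in vulns:
        # take the highest rating attached to the record
        score = max((r.get("score", 0.0) for r in vuln.get("ratings", [])), default=0.0)
        if score >= policy["max_cvss"]:
            for affected in vuln.get("affects", []):
                violations.append(("VULNERABILITY", affected["ref"], f"{vuln['id']} cvss={score}"))
    return sorted(violations)


def compare(sbom_a, sbom_b):
    """Benchmark two tools on the same repository: coverage gaps and license disagreements."""
    a, _ = index_sbom(sbom_a)
    b, _ = index_sbom(sbom_b)
    shared = set(a) & set(b)
    mismatched = {ref: (sorted(a[ref]), sorted(b[ref])) for ref in sorted(shared) if a[ref] != b[ref]}
    total = len(set(a) | set(b))
    return {
        "only_in_a": sorted(set(a) - set(b)),
        "only_in_b": sorted(set(b) - set(a)),
        "license_mismatch": mismatched,
        # fraction of all components that both tools found and agree on
        "agreement": round((len(shared) - len(mismatched)) / total, 3) if total else 1.0,
    }


if __name__ == "__main__":
    for violation in evaluate(TOOL_A_SBOM):
        print("VIOLATION", *violation)
    print(json.dumps(compare(TOOL_A_SBOM, TOOL_B_SBOM), indent=2))
```

Run it directly to print the policy violations for the first SBOM and the comparison report. In practice the two inputs would be the CycloneDX reports that ORT and a second tool produced from the same dummy repository, and the policy would be whatever the compliance team has encoded; a disagreement such as the one on lib-two is exactly the kind of discrepancy the shared dummy repository is meant to surface.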

You can also take ORT’s output and display the results in a tool like Grafana, which can be very helpful for management: they can easily see when a red flag appears on their platform.