THE LINUX FOUNDATION PROJECTS
All Posts By

dgochev

Mar 26

CRA tooling for SMEs by the OCCTET project

By Featured

The goals of the OCCTET project are:

  1. Help SMEs understand and apply the CRA: Make it simpler for SMEs(Small and Medium-sized Enterprises) to know what the rules are and how to follow them, which will improve their overall cybersecurity.
  2. Automate handling of Open Source Software (OSS) components: Develop tools that can automatically check open source parts of software for compliance.
  3. Increase visibility and impact: Make these tools widely available and promote a shared approach to data, using open source solutions themselves.

How OCCTET plans to achieve this (the Toolkit):

The project offers a step-by-step process:

  1. Input: SMEs or developers upload their project and its open source parts for analysis.
  2. Eclipse Apoapsis (Security and Compliance Automation Platform): This platform manages the scanning process and collects information from various tools, like ORT (Open-Source Review Toolkit).
  3. OSS Review Toolkit (ORT): This is the core tool that scans software, identifies dependencies, licenses, and vulnerabilities.
  4. OCCTET Tools: Additional tools within OCCTET include a Compliance Checklist, a Conformity Evaluation Tool, and a Reporting Tool.
  5. Output: Finally, a CRA Readiness Report is generated, giving an overview of compliance and suggesting next steps.

Key components and standards discussed:

  • ORT-SERVER: This seems to be a central hub for compliance, connecting to various package management systems (like Java, Node, Python), pulling data on vulnerabilities, community metadata, and different report formats (SPDX, CycloneDX). It also includes an “Evaluator rule engine” and tools like ScanCode for code analysis.
  • Standards are crucial: The presentation emphasized that good data is useless without good standards. They highlighted the use of:
    • PURL (Package-URL) for identifying software packages.
    • SPDX License expressions for licenses.
    • SBOMs (Software Bill of Materials) and VEX (Vulnerability Exploitability eXchange), using formats like CycloneDX and SPDX for SBOMs, and CSAF/CycloneDX for VEX/VDR.
  • OCCTET Curator: This is a web application with AI integration to help manage security vulnerabilities, generate reports (SBOM, VEX/VDR), and support users in managing their open source components.

CRA Self-Assessment and Timeline:

The project includes an OCCTET CRA Self-Assessment Platform (cra.occet.eu), which is a free web tool. It guides users through three questionnaires:

  1. Applicability & Role: “Does CRA apply to me?” – Helps identify if the regulations apply, based on company role (manufacturer, importer, distributor) and product type, and clarifies exclusions.
  2. Classification & Conformity Route: “What level of assurance do I need?” – Helps classify the product (Default, Important, Critical) and determine the required conformity assessment (self-assessment, third-party, or certification).
  3. Readiness & Maturity Checklist: “How prepared am I?” – Evaluates current practices against CRA security requirements, assessing maturity (Basic, Intermediate, Advanced) and providing tailored improvement recommendations. This generates a visual readiness score, highlighting areas needing attention.

Overall, the OCCTET project is a European initiative, co-funded by the EU, aiming to create comprehensive tools and resources to simplify open source compliance and cybersecurity for SMEs, especially in light of upcoming regulations like the CRA. It focuses on practical, automated solutions and clear guidance to help businesses navigate these complex requirements. During the presentation it was also mentioned that OCCTET can be even installed on local machine which definitely can make it popular and more people can decide to try it.

Mar 26

ORT Server at Bosch used in One Pipeline/Service for your Compliance – OCaaS

By Featured, News

Bosch’s OCaaS: The “All-in-One” Solution for Streamlined Open Source Compliance and Security

In today’s software development landscape, Open Source Software (OSS) is an indispensable component, integral to nearly every technological advancement. However, its widespread adoption introduces significant complexities, particularly regarding legal compliance and security. Recent data underscores this challenge: according to Synopsys’s Open Source Security and Risk Analysis Report 2025, 97% of all codebases contain OSS, with 56% presenting license conflicts, 86% harboring at least one known vulnerability, and a staggering 91% including OSS components more than 10 versions behind their latest release. These figures paint a clear picture of the inherent risks and compliance burdens facing organizations.

For companies deeply invested in software development, fundamental questions arise:

  • “What is inside my software?”
  • “Can I legally release my product?”
  • “Is my product secure over time?”

Addressing these critical concerns effectively and efficiently has become paramount. This is precisely where Bosch’s OCaaS (Open Source Compliance as a Service) emerges as a transformative solution. Presented at the “OpenChain and Friends 2026: OS Compliance and OSPO” event, OCaaS stands out by consolidating various compliance and security functionalities into a single, unified platform, significantly easing the burden on its users.

OCaaS: Consolidating Complex Processes Under One Umbrella

The true power of Bosch’s OCaaS lies in its integrated approach. Rather than relying on a disparate collection of tools for different aspects of OSS management, OCaaS brings everything together, offering an end-to-end solution that simplifies intricate processes for its clients. This “one-stop-shop” model is crucial for navigating the complexities of modern software development.

Let’s break down the comprehensive workflow offered by OCaaS:

  1. Analyzer: The initial step involves meticulously identifying all dependencies within the software, creating a clear map of every Open Source component.
  2. Scanner: Following dependency identification, the system scans the source code for potential issues, proactively pinpointing both license and security risks.
  3. Advisor: This component then leverages intelligence to identify known vulnerabilities (CVEs) associated with the discovered OSS components.
  4. Evaluator: OCaaS applies pre-defined compliance and security policies, evaluating whether the software adheres to internal standards and external regulations.
  5. Reporter: Finally, detailed and actionable reports are generated, providing a transparent overview of the software’s compliance and security status.

The extensive capabilities of this  workflow are delivered through over 20 integrated plugins, incorporating industry-leading tools like ScanCode, FOSSID, VulnerableCode. These plugins not only enable deep-dive analysis but also ensure that the output is in standardized formats, facilitating interoperability and communication across the supply chain. Once this comprehensive process is complete, OCaaS can further integrate its findings with platforms like Fossology for enhanced dependency tracking and thorough documentation management.

The Unmatched Value Proposition of OCaaS for Clients

Bosch’s OCaaS offers several distinct advantages that are particularly beneficial for organizations grappling with OSS management:

  • Unparalleled Simplification: This is the core benefit. Instead of forcing clients to procure, integrate, and manage a multitude of individual tools for different aspects of OSS compliance and security, OCaaS delivers a single, cohesive platform. This drastically reduces operational complexity, shortens learning curves, and minimizes the overall cost of ownership.
  • Comprehensive Coverage: OCaaS ensures that no stone is left unturned. From initial component discovery to final report generation and ongoing dependency tracking, it provides a full lifecycle management solution, offering peace of mind that all aspects of OSS are being addressed.
  • Enhanced Automation: By automating a significant portion of the analysis and evaluation process, OCaaS not only speeds up compliance checks but also drastically reduces the potential for human error, leading to more consistent and reliable results.
  • Clarity and Transparency: The detailed reports generated by OCaaS provide crystal-clear insights into the software’s composition, potential risks, and compliance posture. This transparency is invaluable for internal stakeholders, legal teams, and external auditors.
  • A Vision for the Future: Bosch’s commitment to OCaaS extends to continuous improvement. Planned next steps include:
    • Package Manager Independence: Further simplifying usage by making OCaaS compatible regardless of the specific package manager employed.
    • ChatBot Integration and AI Optimization: Leveraging artificial intelligence for more intuitive interactions and enhanced analytical capabilities.
    • A More Attractive Community: Fostering a vibrant community of users and contributors to drive collaborative innovation.
    • Curation UI: Developing an improved user interface for manual data curation, offering greater control and flexibility.

Conclusion

Bosch’s OCaaS represents a significant leap forward in addressing the intricate challenges of Open Source Compliance and Security. By ingeniously combining numerous specialized functionalities and powerful tools under a single, user-friendly platform, it doesn’t just answer the fundamental questions for software development teams; it transforms the entire process. OCaaS simplifies complexity, mitigates risks, and empowers organizations to fully harness the benefits of open source, ensuring their products are not only innovative but also legally compliant and secure.

 

Mar 26

How to distribute containers FOSS compliantly

By Featured

There was a discussion regarding the legal and technical challenges surrounding open-source license compliance when distributing container images. The discussion highlighted the growing importance of understanding the layered structure of containers and the responsibilities associated with their distribution.

The Anatomy of a Container Image

Container images are essentially stacked layers. A typical image starts with a base layer containing fundamental system requirements like a C library, package manager, and shell. Subsequent layers add applications and libraries, and the top layer often involves customizations, including removing or modifying components. While a container’s runtime view might show a consolidated result, all underlying components remain present within it.

The Compliance Conundrum in Containers

The core challenge from a legal compliance standpoint is that it’s often unclear what software is actually distributed within a container. Most containers heavily rely on Free and Open Source Software (FOSS), and with FOSS, come license obligations. These obligations include providing license texts, legal notices, and sometimes even the source code and build instructions. Public container repositories frequently lack this crucial compliance information, yet the responsibility for fulfilling these obligations ultimately rests with the distributor, not necessarily the repository owner.

Who is the Distributor?

A key point emphasized was the legal interpretation of “distributor.” When a recipient executes a Containerfile (a script to assemble a container image), software is downloaded directly. The entity that “controls the distribution” is considered the distributor. This means that merely distributing a Containerfile can be legally equivalent to distributing software, triggering all associated license compliance duties.

OSADL’s Approach to Compliant Base Images

To address these complexities, the presentation introduced the concept of an OSADL Base Image. This is a minimal image built upon a Linux distribution, providing essential GNU tools, shell, C-lib, package manager, and networking functionalities. Crucially, it’s designed with license compliance in mind, including:

  • Source code of all packages
  • License texts and copyright notices
  • Legal notices

OSSelot and FOSSology: Tools for Streamlined Compliance

The presentation highlighted the roles of OSSelot and FOSSology in achieving compliance:

  • OSSelot is a publicly available, trusted database providing curated compliance information for frequently used FOSS components. It significantly reduces the time needed to “clear” a software package by allowing the reuse of pre-vetted licensing and copyright data.
  • FOSSology is used in conjunction with OSSelot. The process involves:
    1. Using the OSSelot REST API to identify available OSSelot data for a container’s source packages.
    2. Uploading the OSSelot versions of packages into FOSSology, which then automatically clears the entire package.
    3. Uploading container source packages into FOSSology, running scanners, and reusing relevant OSSelot uploads to clear remaining files and copyrights.

Immediate vs. Delayed Source Code Disclosure

The OSADL Base Image offers two main approaches for source code disclosure:

  • Immediate disclosure: All source code and legal information are included directly within the image. This approach simplifies access but can significantly increase the image size.
  • Delayed disclosure: Only extracted compliance material, legal notices, and a written offer are included in the image. The full source packages with rebuild instructions are provided separately for later delivery. This method results in smaller container images but requires a separate mechanism for source code provision.

Both approaches ensure that instructions on how the base image is created and how it can be used are consistently provided.

As recommendation it was also mentioned that best practice would be FOSS compliance to be made layer by layer, meaning once you take for example OSADL Base Image then in order to make your own app you need to add few layers so its better to handle FOSS compliance after each layer instead of keep adding them until you reach the final product and handling this huge container with several layers in total in regards to FOSS compliance which would be harder and more time consuming.

 

Mar 26

Navigating the Open Road: An Enterprise Approach to FOSS Compliance and Collaboration

By Featured, News

At a recent discussion focused on open source compliance and management within large organizations, attendees were given a fascinating glimpse into how a prominent global enterprise is seamlessly integrating Free and Open Source Software (FOSS) into its core operations. The insights shared painted a clear picture of a forward-thinking approach, where FOSS is not just tolerated but actively embraced as a strategic advantage.

The overarching sentiment conveyed was that FOSS is no longer an optional add-on but a standard practice, viewed as a smart business investment. Leadership within the enterprise explicitly states that utilizing and contributing to open source not only helps reduce costs but also cultivates a thriving open-source culture and fulfills a crucial social responsibility. The commitment extends to actively contributing to open source, rather than just consuming it, and sharing internally developed code, positioning the organization as a pioneer in the field.

This commitment is codified in a clear “FOSS Manifest,” guiding both the company’s actions and its employees’ behaviors. For the organization, this means supporting and empowering employees to use, contribute to, and create FOSS projects, dedicating time for FOSS activities, and ensuring visibility within Open Source communities. Employees, in turn, are encouraged to seek out Open and Inner Source alternatives, actively participate in these communities, contribute to relevant projects, and act responsibly, ensuring respectful communication and positive engagement.

A key component of this enterprise’s strategy is establishing robust transparency throughout the software supply chain, primarily through the systematic use of FOSS Software Bill of Materials (SBOMs). The process was described as a well-orchestrated flow: software suppliers deliver their FOSS SBOMs to a dedicated Disclosure Portal. These are then reviewed and approved by product owners and technical governance teams. Once approved, this critical information is used to disclose FOSS components in various products, from applications and mobile apps to the actual vehicles, fostering trust with consumers and users. This meticulous process ensures all FOSS components are properly identified, licensed, and disclosed, effectively mitigating compliance risks.

The discussion further detailed a structured approval process for integrating FOSS, whether from internal teams or external suppliers. It begins in the planning phase, where FOSS policy rules are aligned during purchasing and contractual terms are established. The “Build” phase involves developers generating, reviewing, and refining SBOMs as the software is created, with a final check before release. The “Run” phase marks formal approval and release. For compliant releases, regular review functions are in place, with initial approval being crucial and re-approval required after significant changes or defined periods. This ensures continuous adherence to established policies.

The benefits of this comprehensive system extend to various stakeholders. Product owners gain from standardized SBOM exchange in ISO format, automation through REST APIs and Command Line Interfaces for seamless integration into Continuous Integration/Continuous Delivery pipelines, and access to a comprehensive license database for legal guidance. The system incorporates policy rules and quality checks for obligations management, boasts a user-friendly design, and can automatically generate disclosure notices.

Suppliers also find significant advantages. The Disclosure Portal digitizes the submission of SBOMs, moving away from manual template-filling. They can integrate directly with the portal’s API from their build pipelines. This transparency and policy support allow suppliers to align with their customer’s requirements much earlier in the development lifecycle. Interestingly, the Disclosure Portal and its associated tools are themselves open source, encouraging suppliers to adapt them for their own needs and even contribute back to the project, fostering a truly collaborative ecosystem.

In summary, the insights shared showcased a sophisticated and proactive approach to managing Open Source Software. It demonstrated how a major enterprise can not only leverage the numerous benefits of FOSS but also establish a framework that ensures compliance, promotes transparency, and encourages collaboration across its entire software development and supply chain, setting a compelling example for others in the industry.

 

Mar 25

Basics and background: An introduction to Open Source Compliance

By Featured, News

Imagine you’re building a car. It doesn’t make sense to invent the engine from scratch, right? All cars have engines. But maybe your car’s specific design, color, or fancy gadgets are what make it unique.

This lecture explains exactly that concept for software:

1. Don’t Build Everything Yourself!

  • The Idea: Save time and money by not re-doing things that already exist or aren’t your “secret sauce.”
  • The Pyramid Rule:
    • Bottom (The Common Stuff): Everything that’s generic and doesn’t make your product special – like the basic operating system (Windows, Linux), drivers, or fundamental libraries. This is the perfect place to use “Open Source” things or collaborate with others. Why build your own operating system if that’s not your main goal?
    • Top (The Special Stuff): The things that make your product unique and make people choose it over others – like your unique user interface design, your special features, or your secret algorithms. Keep these things proprietary, just for yourself!
  • In Short: Use ready-made “common” parts so you can focus your energy on your “special” ideas.

2. What Does “Open Source” Mean?

  • More Than Just “Free” (as in beer): It’s not enough to just see the code. For software to be “Open Source,” it needs a special Open Source License.
  • What This License Allows You To Do: It gives you the freedom to:
    • Use it however you want.
    • Study it (look at the code).
    • Modify it (change it).
    • Distribute it (give copies to others).
  • Important: The license gives you these rights, but it might have conditions too (e.g., if you change it and give it to others, you might have to mention the original creator).

3. Why Do We Need Licenses? (A Little About Copyright)

  • Software is Like a Book: Copyright law protects “works” – books, music, photos… and software! It’s understood that someone “writes” code, just like an author writes a book.
  • Who is the Author? Always a human.
  • A License is Permission: By default, the law forbids you from copying or changing someone else’s work without their permission. A license is exactly that permission! It tells you: “Okay, you can do X, Y, and Z, but you have to follow these rules.”
  • What If You Don’t Follow the Rules? If you break the license’s rules, you can lose your rights to use the software.
  • Without license the “default” state occurs, which means copyright law applies and any copying or distributing is prohibited.

To put it simply:

Use “open” things for the common parts of your software to save effort. Keep your unique ideas secret. All of this works because “Open Source” licenses give you clear rules about what you can and can’t do with the software.