The Cyber Resiliency Act (CRA) is coming and this European regulation will impact software development worldwide. Organizations (and projects) of all sizes need efficient compliance processes to correctly identify software components and strengthen cybersecurity efforts.
The AboutCode stack of 100% open source tools and open data is engineered to automate compliance, with a practical approach. Tools like ScanCode and DejaCode paired with aggregated open databases like PurlDB and VulnerableCode ensure accurate origin, licensing, vulnerability detection, and comprehensive SBOM management. Newer projects like Massive FOSS Scan, CRAVEX, and AI-Generated Code Search deliver new performance improvements and advanced capabilities to improve the automation of compliance processes.
In this presentation, AboutCode lead maintainer Philippe Ombredanne shared the latest updates on how to use the AboutCode stack for better, faster, and more efficient license and security compliance automation.
More About Our Webinars:
This event is part of the overarching OpenChain Project Webinar Series. Our series highlights knowledge from throughout the global OpenChain eco-system. Participants are discussing approaches, processes and activities from their experience, providing a free service to increase shared knowledge in the supply chain. Our goal, as always, is to increase trust and therefore efficiency. No registration or costs involved. This is user companies producing great informative content for their peers.
Our SBOM Study Group brings all our various activities together and helps answer the question of “how do we use SBOMs in production, large-scale and complex supply chains?”
Our new SBOM Study Group brings all our various activities together and helps answer the question of “how do we use SBOMs in production, large-scale and complex supply chains?” Our original kick-off call has all the details.
👉 Coming later today: OpenChain SBOM Study Group Monthly Call
🕗 2025-01-22 @ 08:00 UTC / 09:00 CET / 16:00 CST / 17:00 KST + JST
Our SBOM Study Group brings all our various activities together and helps answer the question of “how do we use SBOMs in production, large-scale and complex supply chains?”
Software Security Technology (SST) is the latest official OpenChain Project partner. Their engagement with the OpenChain partner program underscores the growing maturity of the Chinese market, and its increasing adoption of ISO/IEC 5230 for open source license compliance, and ISO/IEC 18974 for open source security assurance.
“We believe the world is empowered by software and will be further innovated by hardcore technologies like AI/LLM, Autonomous driving, embodied robot, blockchain, etc; which are not only software-centric but also open source driven,” says Kelfen Yang, Co-founder, Sales VP of SST. “Compliance was never a liability in-terms of technology development, on the contrary, an accelerator; which maximize the overall efficiency and trust relationship. This is also the reason we seek for partnership with OpenChain, together we are hoping to help tech companies globally to build trustworthy, high quality and secure software system through our product, service and experience.”
“We are delighted to welcome Software Security Technology to the OpenChain partner program,” says Shane Coughlan, OpenChain General Manager. “The importance of choice in seeking solutions like commercial tooling is a vital part of helping to make open source compliance and security easier, quicker and more efficient for companies in the supply chain. Throughout 2025, we hope to see our official partners support the development of more automation that addresses legal and regulatory requirements.”
About Software Security Technology
Software Security Technology specializes in the areas of software quality and security testing, providing customers with a one-stop solution to software ecosystem quality and security issues tailored to their specific scenarios. Our core team is composed of experts from leading domestic and international AST companies. Through three years of diligent effort, we have independently developed security testing tools, including SCA, SAST, and FUZZ, and have crafted industry-specific solutions that seamlessly integrate with various business scenarios. Our solutions have gained recognition from leading customers in fields such as automobiles, semiconductors, and communications. With offices in Chengdu, Wuhan, Shanghai, Beijing, and Shenzhen, our company is able to provide timely and professional pre-sales and after-sales services to our clients.
The OpenChain Project has an extensive global community of over 1,000 companies collaborating to make the supply chain quicker, more effective and more efficient. It maintains OpenChain ISO/IEC 5230, the international standard for open source license compliance programs and OpenChain ISO/IEC 18974, the industry standard for open source security assurance programs.
About The Linux Foundation:
The Linux Foundation is the world’s leading home for collaboration on open source software, hardware, standards, and data. Linux Foundation projects are critical to the world’s infrastructure, including Linux, Kubernetes, Node.js, ONAP, PyTorch, RISC-V, SPDX, OpenChain, and more. The Linux Foundation focuses on leveraging best practices and addressing the needs of contributors, users, and solution providers to create sustainable models for open collaboration. For more information, please visit us at linuxfoundation.org.
Korea Financial Telecommunications & Clearings Institute (KFTC), has announced an OpenChain ISO/IEC 5230 Conformant program. KFTC is a leading financial institution that provides essential infrastructure and services for the Korean financial industry.
To meet the requirements of the OpenChain ISO/IEC 5230:2020 standard, KFTC has implemented a comprehensive open source program within the organization. This includes establishing an Open Source Program Office (OSPO), enacting guidelines for open source utilization, and developing an in-house open source management platform. The platform automatically identifies open source components and licenses used in the software development lifecycle, providing guidance to employees.
“In today’s rapidly evolving IT landscape, characterized by AI, big data, and cloud computing technologies, leveraging open source software is not just beneficial—it’s essential,” said Lee Songwon, CIO of KFTC. “Based on our capabilities in open source utilization and management, KFTC will continue to foster a robust open source ecosystem through collaboration with other financial and public sector organizations across Korea.”
About KFTC (Korea Financial Telecommunications & Clearings Institute):
Korea Financial Telecommunications and Clearings Institute (KFTC), jointly founded by the Bank of Korea and commercial banks in 1986, has been a leading institution in developing and operating Korea’s national payment and settlement infrastructure. Over the years, KFTC has introduced various advanced payment systems, including the CD/ATM network and the Real-time Fund Transfer network. In the digital era, KFTC launched the Payment Gateway for e-commerce, Point of Sales (POS) networks for payment card transactions, and mobile payment networks. As the country transitioned to Open Finance, KFTC played a pivotal role in developing Korea’s Open Banking platform, enabling seamless and secure data sharing between financial institutions and fintech companies.
Learn more at https://eng.kftc.or.kr
About the OpenChain Project:
The OpenChain Project has an extensive global community of over 1,000 companies collaborating to make the supply chain quicker, more effective and more efficient. It maintains OpenChain ISO/IEC 5230, the international standard for open source license compliance programs and OpenChain ISO/IEC 18974, the industry standard for open source security assurance programs.
About The Linux Foundation:
The Linux Foundation is the world’s leading home for collaboration on open source software, hardware, standards, and data. Linux Foundation projects are critical to the world’s infrastructure, including Linux, Kubernetes, Node.js, ONAP, PyTorch, RISC-V, SPDX, OpenChain, and more. The Linux Foundation focuses on leveraging best practices and addressing the needs of contributors, users, and solution providers to create sustainable models for open collaboration. For more information, please visit us at linuxfoundation.org.
CRA is coming. And this European regulation will impact software development worldwide. Organizations (and projects) of all sizes need efficient compliance processes to correctly identify software components and strengthen cybersecurity efforts.
The AboutCode stack of 100% open source tools and open data is engineered to automate compliance, with a practical approach. Tools like ScanCode and DejaCode paired with aggregated open databases like PurlDB and VulnerableCode ensure accurate origin, licensing, vulnerability detection, and comprehensive SBOM management. Newer projects like Massive FOSS Scan, CRAVEX, and AI-Generated Code Search deliver new performance improvements and advanced capabilities to improve the automation of compliance processes.
In this presentation, AboutCode lead maintainer Philippe Ombredanne will share the latest updates on how to use the AboutCode stack for better, faster, and more efficient license and security compliance automation.
The end of the comment period for proposed updates to ISO/IEC 5230 and ISO/IEC 18974 (2024-06-19 ~ Ending 2024-12-19) [1]
What happens next in the three-month Freeze Period [2]
What to expect from the Steering Committee meeting to review the Specification Drafts on 2025-02-03 adjacent to the Q1 2025 Governing Board Meeting in Brussels
What is happening with the separate ISO/IEC 5230 periodic review at ISO as it reaches five years of age, and what to expect next
What happens next with the OpenChain Explainer Series – Documents (Release) and Videos (Beta) [3]
The status of the Capability Model and what to expect next [4]
A proposal to consider where we can go with online training for ISO/IEC 5230 (LFC 193 and LFC 194 refresh with LF Training?) and ISO/IEC 18974 (New LFC courses with LF Training?)
A note on the timing of the call, and sustainability:
This call takes place between 01:30 and 02:30 in Japan to allow North American and European participants to collaborate. However, this makes it difficult for the General Manager to attend. There is a request to action one of two things:
Move the meeting to a North America / Asia schedule, complementary with the other OpenChain Monthly Specification and Education Call (Europe / Asia) on 3rd Wednesdays or
A community volunteer to run the meeting on a regular basis
Issue to be discussed further.
Coming Next:
We will be following up on the activities outlined above on the mailing lists, and we will continue our regular series of calls and meetings throughout the year.
We held the first monthly workshop for the OpenChain AI Work Group in 2025. It was a two-hour session to allow topics related to AI compliance to be discussed, explored and defined. The key focus for the Work Group is to develop and finalize a Guide to AI Bill of Material Compliance in the Supply Chain, and there is active drafting going on during each meeting.
You can follow and contribute to the work of the OpenChain AI Work Group through its dedicated mailing list. This is open to everyone regardless of industry vertical or speciality. You will find it here:
The end of the comment period for proposed updates to ISO/IEC 5230 and ISO/IEC 18974 (2024-06-19 ~ Ending 2024-12-19) [1]
What happens next in the three-month Freeze Period [2]
What to expect from the Steering Committee meeting to review the Specification Drafts on 2025-02-03 adjacent to the Q1 2025 Governing Board Meeting in Brussels
What is happening with the separate ISO/IEC 5230 periodic review at ISO as it reaches five years of age, and what to expect next
What happens next with the OpenChain Explainer Series – Documents (Release) and Videos (Beta) [3]
The status of the Capability Model and what to expect next [4]
A proposal to consider where we can go with online training for ISO/IEC 5230 (LFC 193 and LFC 194 refresh with LF Training?) and ISO/IEC 18974 (New LFC courses with LF Training?)
A note on the timing of the call, and sustainability:
This call takes place between 01:30 and 02:30 in Japan to allow North American and European participants to collaborate. However, this makes it difficult for the General Manager to attend. There is a request to action one of two things:
Move the meeting to a North America / Asia schedule, complementary with the other OpenChain Monthly Specification and Education Call (Europe / Asia) on 3rd Wednesdays or
A community volunteer to run the meeting on a regular basis
Issue to be discussed further.
Coming Next:
We will be following up on the activities outlined above on the mailing lists, and we will continue our regular series of calls and meetings throughout the year.
AVL List GmbH has announced an ISO/IEC 5230 conformant program.
About AVL
AVL is a world-leading technology company specialising in development, simulation and testing in the automotive industry and other sectors such as rail, marine and energy. Through extensive research, AVL delivers concepts, technology solutions, methodologies and development tools for sustainable, safe and advanced mobility and beyond.
AVL supports international partners and customers in sustainable and digital transformation, with a focus on electrification, software, AI and automation. AVL also supports companies in energy-intensive sectors on their way to green and efficient energy generation and supply.
The OpenChain Project has an extensive global community of over 1,000 companies collaborating to make the supply chain quicker, more effective and more efficient. It maintains OpenChain ISO/IEC 5230, the international standard for open source license compliance programs and OpenChain ISO/IEC 18974, the industry standard for open source security assurance programs.
About The Linux Foundation
The Linux Foundation is the world’s leading home for collaboration on open source software, hardware, standards, and data. Linux Foundation projects are critical to the world’s infrastructure, including Linux, Kubernetes, Node.js, ONAP, PyTorch, RISC-V, SPDX, OpenChain, and more. The Linux Foundation focuses on leveraging best practices and addressing the needs of contributors, users, and solution providers to create sustainable models for open collaboration. For more information, please visit us at linuxfoundation.org.
