This is an “outcome” webinar from the OpenChain and Friends event in Stuttgart, Germany, in April 2025. Our focus was on recent advances in the open source and open data AboutCode stack for licensing and security compliance. Our speaker was a good friend of the OpenChain Project, and the founder of AboutCode, Philippe Ombredanne.
This event is part of the overarching OpenChain Project Webinar Series. Our series highlights knowledge from throughout the global OpenChain eco-system. Participants are discussing approaches, processes and activities from their experience, providing a free service to increase shared knowledge in the supply chain. Our goal, as always, is to increase trust and therefore efficiency. No registration or costs involved. This is user companies producing great informative content for their peers.
The Cyber Resiliency Act (CRA) is coming and this European regulation will impact software development worldwide. Organizations (and projects) of all sizes need efficient compliance processes to correctly identify software components and strengthen cybersecurity efforts.
The AboutCode stack of 100% open source tools and open data is engineered to automate compliance, with a practical approach. Tools like ScanCode and DejaCode paired with aggregated open databases like PurlDB and VulnerableCode ensure accurate origin, licensing, vulnerability detection, and comprehensive SBOM management. Newer projects like Massive FOSS Scan, CRAVEX, and AI-Generated Code Search deliver new performance improvements and advanced capabilities to improve the automation of compliance processes.
In this presentation, AboutCode lead maintainer Philippe Ombredanne shared the latest updates on how to use the AboutCode stack for better, faster, and more efficient license and security compliance automation.
More About Our Webinars:
This event is part of the overarching OpenChain Project Webinar Series. Our series highlights knowledge from throughout the global OpenChain eco-system. Participants are discussing approaches, processes and activities from their experience, providing a free service to increase shared knowledge in the supply chain. Our goal, as always, is to increase trust and therefore efficiency. No registration or costs involved. This is user companies producing great informative content for their peers.
When walking into a shop, there’s a lot of choice for electronic devices like WiFi routers, IP cameras, and more. Many devices are identical, or nearly so, as they come from the same manufacturer or use the same chip and code from the chipset manufacturer.
CVEs, however, often focus on individual devices rather than classes of similar devices, leaving many vulnerable ones unreported. For example, CVE-2006-2560 and CVE-2006-2561 describe the same vulnerability on devices from different vendors—likely from the same ODM. Many more devices with the same vulnerabilities are overlooked, possibly giving a false sense that only the listed devices are at risk.
Information about device hardware, such as the ODM or chipset used, isn’t easily accessible, as companies rarely disclose this. Fortunately, a wealth of data has been crowd-sourced globally via various wikis. However, this information is hard to reuse outside those specific platforms.
This is where DeviceCode comes in: it unlocks and cleans data from various wikis (as not all users input data correctly or consistently) and integrates it with other sources. This makes it possible to query by chipset, manufacturer, ODM, and even installed software. It helps answer questions like, “Which other devices are similar to a known vulnerable device?” enabling security researchers to identify additional vulnerable devices.
Watch The Webinar
About Our Speaker
Armijn Hemel, MSc, is the owner of Tjaldur Software Governance Solutions, a consultancy specializing in open-source license compliance engineering and provenance research.
More About Our Webinars:
This event is part of the overarching OpenChain Project Webinar Series. Our series highlights knowledge from throughout the global OpenChain eco-system. Participants are discussing approaches, processes and activities from their experience, providing a free service to increase shared knowledge in the supply chain. Our goal, as always, is to increase trust and therefore efficiency. No registration or costs involved. This is user companies producing great informative content for their peers.
We had an insightful session with Dawn Foster on sustaining OSS projects and communities over the long-term. The CHAOSS project has been creating a series of MIT-licensed Practitioner Guides focused on improving the sustainability of our software and communities. The guides are designed to make it easier for people to draw meaningful and actionable insights using community metrics, even when those people do not necessarily have a deep background in data analysis or much experience working within OSS communities.
This talk identified several categories of metrics from the Practitioner Guide Series, including responsiveness, contributor sustainability, organizational participation, and security. It covered not just how to interpret the metrics, but also on providing ideas for improving in areas identified using the metrics. The audience walks away with a better understanding of how to use metrics to proactively improve the long-term sustainability of their OSS projects and communities.
Watch The Recording
About Our Speaker
Dawn leads the data science initiative for the CHAOSS project where she is also a Governing Board member / maintainer. Dawn is an OpenUK board member and co-chair of the CNCF Contributor Strategy Technical Advisory Group.
Dawn has 20+ years of experience working in open source positions at companies like VMware, Intel and Puppet with expertise in managing people, open source strategy, building new communities, and managing existing communities with a particular emphasis on developer and open source communities. She has held a wide range of roles over the years, including UNIX system administrator, researcher, consultant, strategist, director / manager, and more.
Dawn holds a PhD from the University of Greenwich, an MBA from Ashland University, and a BS in Computer Science from Kent State University. Dawn blogs about online communities as the author of the Fast Wonder Blog, and she’s blogged for The New Stack, Linux.com, GigaOM’s WebWorkerDaily, and in various other places.
She has done over a hundred talks at industry events, including many Linux Foundation events, KubeCon, OSCON, SXSW, FOSDEM and more. In her spare time she enjoys reading science fiction, running, and traveling.
More About Our Webinars:
This event is part of the overarching OpenChain Project Webinar Series. Our series highlights knowledge from throughout the global OpenChain eco-system. Participants are discussing approaches, processes and activities from their experience, providing a free service to increase shared knowledge in the supply chain. Our goal, as always, is to increase trust and therefore efficiency. No registration or costs involved. This is user companies producing great informative content for their peers.
Recent computer science graduate Charlotte Gayton shared her journey of implementing the OpenChain standard during her Year in Industry (ISO/IEC 5230) and her dissertation project (ISO/IEC 18974). She discussed the challenges she faced and the solutions she developed to achieve compliance. The session will provide a unique perspective on navigating OpenChain from the viewpoint of someone early in their career. Her work lead to the detailed case study recently published regarding OpenChain ISO/IEC 5230 adoption by endjin.
Watch the Recording:
View the Slides:
More About Our Webinars:
This event is part of the overarching OpenChain Project Webinar Series. Our series highlights knowledge from throughout the global OpenChain eco-system. Participants are discussing approaches, processes and activities from their experience, providing a free service to increase shared knowledge in the supply chain. Our goal, as always, is to increase trust and therefore efficiency. No registration or costs involved. This is user companies producing great informative content for their peers.
This OpenChain Webinar digs into open source tooling with open data for open source compliance.
Full Overview From The Presenters
Ensuring software license and security compliance can be difficult. Managing open source components – especially their licensing, provenance, and vulnerability risk – is a critical part of Software Composition Analysis (SCA), which is now a prerequisite for modern organizations to comply with mandated SBOMs and other regulations.
Expensive, proprietary SCA solutions rely on proprietary data that can be outdated or just wrong. To make using open source easier for everyone, we need FOSS tools and open data for FOSS SCA. Philippe Ombredanne will explain how using 100% open source software and open data, the AboutCode stack offers a new approach for the practical management of open source software for licensing and vulnerability risks for organizations of all sizes.
Philippe will share how modular open source projects like ScanCode, VulnerableCode, and DejaCode fit together to identify components and their license, provenance, and known vulnerabilities, and aggregate this and SBOM data across products, teams, and organizations to address security, legal, and regulatory requirements for software license and security compliance in an integrated solution.
Philippe will also discuss exciting updates on new open source projects for better software supply chain integrity and security like CRAVEX, which delivers modern open source tools for developers to manage, triage, rate, review, and determine exploitability of package vulnerabilities in a package-centric world.
Get The Slides
More About Our Webinars:
This event is part of the overarching OpenChain Project Webinar Series. Our series highlights knowledge from throughout the global OpenChain eco-system. Participants are discussing approaches, processes and activities from their experience, providing a free service to increase shared knowledge in the supply chain. Our goal, as always, is to increase trust and therefore efficiency. No registration or costs involved. This is user companies producing great informative content for their peers.
This webinar is a special briefing lead by Ciarán O’Riordan, Senior Policy Advisor at OpenForum Europe (OFE), on European policy matters that impact open source, business processes and risk management. OFE is a not-for-profit, Brussels-based independent think tank which explains the merits of openness in computing to policy makers and communities across Europe. Originally launched in 2002 to accelerate and broaden the use of Open Source Software (OSS) among businesses, consumers and governments, OFE’s focus has since evolved to also cover issues related to Open standards, Cybersecurity, Digital Government, Public Procurement, Intellectual Property, Cloud Computing and Internet Policy.
More Details
“The proposal for a regulation on cybersecurity requirements for products with digital elements, known as the Cyber Resilience Act, bolsters cybersecurity rules to ensure more secure hardware and software products. Hardware and software products are increasingly subject to successful cyberattacks, leading to an estimated global annual cost of cybercrime of €5.5 trillion by 2021.” https://digital-strategy.ec.europa.eu/en/library/cyber-resilience-act
Our Speaker is Ciarán O’Riordan, Senior Policy Advisor at OpenForum Europe. His background is as a free software / open source software policy and communications expert.
OFE is a not-for-profit, Brussels-based independent think tank which explains the merits of openness in computing to policy makers and communities across Europe. Originally launched in 2002 to accelerate and broaden the use of Open Source Software (OSS) among businesses, consumers and governments, OFE’s focus has since evolved to also cover issues related to Open standards, Cybersecurity, Digital Government, Public Procurement, Intellectual Property, Cloud Computing and Internet Policy. https://openforumeurope.org/
More in the OFE Series
We held three special briefings from OFE for the OpenChain community from May to June 2024.
This event is part of the overarching OpenChain Project Webinar Series. Our series highlights knowledge from throughout the global OpenChain eco-system. Participants are discussing approaches, processes and activities from their experience, providing a free service to increase shared knowledge in the supply chain. Our goal, as always, is to increase trust and therefore efficiency. No registration or costs involved. This is user companies producing great informative content for their peers.
This webinar by Hilary Carter, SVP Research at The Linux Foundation, unpacked LF Management & Best Practices, the digital home where communities of “best practice” converge. Here, you’ll be able to find the standards, reference material, courses, live events and webinars, research, project communities, and the automation tools to help you start your project or organization’s open source journey, and to keep it on track!
More About Our Webinars:
This event is part of the overarching OpenChain Project Webinar Series. Our series highlights knowledge from throughout the global OpenChain eco-system. Participants are discussing approaches, processes and activities from their experience, providing a free service to increase shared knowledge in the supply chain. Our goal, as always, is to increase trust and therefore efficiency. No registration or costs involved. This is user companies producing great informative content for their peers.
This webinar discusses a Universal CVSS Calculator released by {metæffekt} GmbH. The open-source online tool is intended to support the assessment of vulnerabilities with their various CVSS scores from multiple authorities. It was created due to the lack of CVSS calculators which could ingest multiple vectors with different CVSS versions and compare the scores consistently.
Read The Slides
More About Our Webinars:
This event is part of the overarching OpenChain Project Webinar Series. Our series highlights knowledge from throughout the global OpenChain eco-system. Participants are discussing approaches, processes and activities from their experience, providing a free service to increase shared knowledge in the supply chain. Our goal, as always, is to increase trust and therefore efficiency. No registration or costs involved. This is user companies producing great informative content for their peers.
For the second year in row, we welcome Philippe Ombredanne to recap the FOSDEM event for us. This is a great way to catch-up on one of the best events in the world discussing open source development, management and (most importantly for us) legal, licensing and automation.