The official FINOS recording of the overview presentation for the OpenChain Project has been released here:
This OpenChain Webinar digs into open source tooling with open data for open source compliance.
Full Overview From The Presenters
Ensuring software license and security compliance can be difficult. Managing open source components – especially their licensing, provenance, and vulnerability risk – is a critical part of Software Composition Analysis (SCA), which is now a prerequisite for modern organizations to comply with mandated SBOMs and other regulations.
Expensive, proprietary SCA solutions rely on proprietary data that can be outdated or just wrong. To make using open source easier for everyone, we need FOSS tools and open data for FOSS SCA. Philippe Ombredanne will explain how using 100% open source software and open data, the AboutCode stack offers a new approach for the practical management of open source software for licensing and vulnerability risks for organizations of all sizes.
Philippe will share how modular open source projects like ScanCode, VulnerableCode, and DejaCode fit together to identify components and their license, provenance, and known vulnerabilities, and aggregate this and SBOM data across products, teams, and organizations to address security, legal, and regulatory requirements for software license and security compliance in an integrated solution.
Philippe will also discuss exciting updates on new open source projects for better software supply chain integrity and security like CRAVEX, which delivers modern open source tools for developers to manage, triage, rate, review, and determine exploitability of package vulnerabilities in a package-centric world.
Get The Slides
More About Our Webinars:
This event is part of the overarching OpenChain Project Webinar Series. Our series highlights knowledge from throughout the global OpenChain eco-system. Participants are discussing approaches, processes and activities from their experience, providing a free service to increase shared knowledge in the supply chain. Our goal, as always, is to increase trust and therefore efficiency. No registration or costs involved. This is user companies producing great informative content for their peers.
Check Out The Rest Of Our Webinars
This OpenChain Webinar was broadcast on 2024-05-15.
This call focused on recapping the main AI Study Group workshop from the 7th of May. It covered a lot of ground, including new contributions from participants like Fujitsu, and an overview of the latest new about the OSI Open Source AI Definition from their Executive Director.
Track This Work
You can follow and contribute to the work of the OpenChain AI Study Group through its dedicated mailing list. This is open to everyone regardless of industry vertical or speciality. You will find it here:
Attend Future Meetings
You can find and get the dial-in details for all future AI Study Group meetings from our participate page here:
Socionext, a semiconductor and System on a Chip (SOC) company based in
Japan, has completed recertification of OpenChain ISO/IEC 5230:2020 as per
the 18 month cycle required by the specification. This recertification process
helps to review processes and ensure they are current.
“The adoption of OpenChain standards is one important step in managing the
supply chain,” says Shane Coughlan, OpenChain General Manager. “However,
periodic recertification is another critical building block in creating trust. As
companies evolve and markets change, the best companies adapt against clear,
unambiguous measures like OpenChain ISO/IEC 5230:2020, the International
Standard for open source license compliance.”
The OpenChain AI Study Group held its regular monthly workshop on the 7th of May. This workshop covered a lot of ground, including new contributions from participants like Fujitsu, and an overview of the latest new about the OSI Open Source AI Definition from their Executive Director.
Track This Work
You can follow and contribute to the work of the OpenChain AI Study Group through its dedicated mailing list. This is open to everyone regardless of industry vertical or speciality. You will find it here:
Attend Future Meetings
You can find and get the dial-in details for all future AI Study Group meetings from our participate page here:
The OpenChain Specification Work Group held its regular monthly call on the 7th of May. You can review the full recording below.
We were working on the draft next generation security assurance specification:
https://github.com/OpenChain-Project/Security-Assurance-Specification/blob/main/Security-Assurance-Specification/2.0/en/openchain-security-specification-2.0.md
and
The draft next generation licensing compliance specification:
https://github.com/OpenChain-Project/License-Compliance-Specification/blob/master/3.0/en/openchain-license-compliance-3.0.md
For security we were coming to a conclusion on this issue:
[Improvement] Expand definitions section for (1) Secure Software Development to include Secure Programming Techniques and (2) Security Testing to include Static and Dynamic #36https://github.com/OpenChain-Project/Security-Assurance-Specification/issues/36
And for licensing we were coming to a conclusion on this issue:
Verification Material For Training – next iteration #38
https://github.com/OpenChain-Project/License-Compliance-Specification/issues/38
Both issue are read to close pending any objections, and therefore there is a two-week period – before the forthcoming North America / Asia call – to review and add any notes.
We also opened one new issue for review in future calls:
[Improvement] Review Cycle Potentially Needs Adjustment #71https://github.com/OpenChain-Project/License-Compliance-Specification/issues/71
Join Our Work
Everyone is welcome to be part of the Specification Work Group. You can join their mailing list here:
https://lists.openchainproject.org/g/specification/
On 2024-05-15 at 09:00 CEST, an OpenChain Webinar will dig into open source tooling for open source compliance.
As per the authors: “Ensuring software license and security compliance can be difficult. Managing open source components – especially their licensing, provenance, and vulnerability risk – is a critical part of Software Composition Analysis (SCA), which is now a prerequisite for modern organizations to comply with mandated SBOMs and other regulations.
Expensive, proprietary SCA solutions rely on proprietary data that can be outdated or just wrong. To make using open source easier for everyone, we need FOSS tools and open data for FOSS SCA.
Philippe Ombredanne will explain how using 100% open source software and open data, the AboutCode stack offers a new approach for the practical management of open source software for licensing and vulnerability risks for organizations of all sizes. Philippe will share how modular open source projects like ScanCode, VulnerableCode, and DejaCode fit together to identify components and their license, provenance, and known vulnerabilities, and aggregate this and SBOM data across products, teams, and organizations to address security, legal, and regulatory requirements for software license and security compliance in an integrated solution.
Philippe will also discuss exciting updates on new open source projects for better software supply chain integrity and security like CRAVEX, which delivers modern open source tools for developers to manage, triage, rate, review, and determine exploitability of package vulnerabilities in a package-centric world.”
Join the meeting here up to ten minutes before it starts:
The OpenChain Telco Work Group held its regular monthly calls on the 2nd of May. You can review the full recordings below.
Everyone is welcome to be part of the Telco Work Group. You can join their mailing list here:
https://lists.openchainproject.org/g/telco
On the 1st of May we held our regular meeting of the OpenChain Education Work Group. As part of the outreach activities of the OpenChain Project, it focuses on help to make it easier to understand and adopt OpenChain ISO/IEC 5230:2020 for license compliance and OpenChain ISO/IEC 18974:2023 for security assurance. Discussion ranges from handouts to education leaflets to training slides to case studies and guides. Editing is normally done on GitHub. All are welcome.
Be Part Of Next Steps
Join the Education Work Group mailing list to participate in the calls and async editing:
This week we have the following international meetings:
Tuesday 7th May:
– OpenChain AI Study Group – Monthly Workshop for North America and Europe @ 14:00 UTC
– OpenChain Monthly Call – North America / Europe @ 16:00 UTC
Wednesday 8th May:
– OpenChain Automation Work Group Meeting (European Morning) @ 08:00 UTC
Thursday 9th May:
– OpenChain AI Study Group Call – Asia Sync Call @ 08:00 UTC
You can check out all our international meetings and get instructions on adding our calendar to your client here:
