SlideShare a Scribd company logo

How to Manage OSS Licenses in CI/CD Development

Download as PPTX, PDF
Shane Coughlan, profile picture
Shane Coughlan

The document discusses the management of open source software (OSS) licenses in CI/CD development, highlighting the importance of the SPDX format for efficient compliance and information management. It introduces the 'meta-spdxscanner' as a tool to streamline license scanning and improve integration processes by reusing previous scan results. Future developments focus on automating SPDX file imports and optimizing scanning efficiency in the Yocto build process.

Software
Related topics:
Supply Chain Insights
1 of 11
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
How to manage OSS licenses for CI/CD development Takuma Ueba Fujitsu Computer Technologies Limited 1553ka1 CC BY-SA 4.0
whoami Copyright 2019 FUJITSU COMPUTER TECHNOLOGIES LIMITED I have contributed to the following communities  Linux kernel  U-Boot  Yocto Project Developer of In-house Embedded Linux Distribution for Fujitsu Our Distribution is built with Yocto Project My team-member is maintainer of meta-spdxscanner(Lei Maohui) and dnf-plugin-tui(Zheng Ruoqin) Our Distribution is used for 80+ products  IVI  Server System Controller  Storage System  Network equipment etc.. Mainly platform community
Agenda Copyright 2019 FUJITSU COMPUTER TECHNOLOGIES LIMITED Why SPDX is needed? Simple introduction of “meta-spdxscanner” Case Study (CI/CD development) Future Work (Current effort) Finally The names of products are the product names, trademarks or registered trademarks of the respective companies. Trademark notices ((R),TM) are not necessarily displayed on system names and product names in this material.
Why SPDX is needed? Copyright 2019 FUJITSU COMPUTER TECHNOLOGIES LIMITED Difficult to manage OSS information in various formats product vendor SPDX OSS package information lack of information list delivery software A software B software C delivery delivery Company A Company B Company C supplier Missing OSS License Information!?
Why SPDX is needed? Copyright 2019 FUJITSU COMPUTER TECHNOLOGIES LIMITED Extracting all license and copyright information Centralized format of package information for easier management delivery software A software B software C delivery delivery Company A Company B Company C SPDX OSS package information SPDX SPDX Software Package Data eXchange ® Standard format for communicating licenses, copyrights, etc. concerning software packages SPDX is an efficient method to comply with OpenChain.
Simple introduction of “meta-spdxscanner” Copyright 2019 FUJITSU COMPUTER TECHNOLOGIES LIMITED  Patches come from 3rd party Yocto Project meta-spdxscanner SPDX files openembedded-core meta-oe meta-……  OSS source code ・default output: SPDX files (considering OpenChain) ・currently use FOSSology as a license scanner (but considering change to scancode-toolkit.) ・support for SPDX “Modification” field Yocto Project is embedded linux distribution build environment and De facto standard in WW. (e.g. Automotive Grade Linux (AGL), SoC vendor BSP … built with YP) do_fetch do_spdx do_package・・・do_unpack Yocto Build process
Case Study (CI/CD development)  If integration (CI) is performed, new OSS and license will be added, so it is necessary to clarify the license to deliver.  In CI/CD development, reducing scan time is an theme. e.g. In Weekly Deploy environment, If it takes several hours, it does not fit the development cycle. Copyright 2019 FUJITSU COMPUTER TECHNOLOGIES LIMITED scan time delivery delivery scan time delivery delivery scan scan delivery delivery time integration integration scan integration integrationscan integration integration
Case Study (CI/CD development)  “meta-spdxscanner” improved performance by reusing previous scan results. Copyright 2019 FUJITSU COMPUTER TECHNOLOGIES LIMITED 0 50 100 150 200 250 ntp busybox openssl openssh Spendtime(seconds) OSS first reuse
Future work (current effort)  Automatically import spdx files from Yocto build process to SW360 (OSS management tool). Copyright 2019 FUJITSU COMPUTER TECHNOLOGIES LIMITED meta-spdxscanner License scanner  Scan only files with differences. (Currently, If there are differences in the source file, the entire file is rescanned.) Automation Easier license-clearing! Output only differences to spdx
Finally Copyright 2019 FUJITSU COMPUTER TECHNOLOGIES LIMITED I'd appreciate it if you could give me feedback using meta-spdxscanner. github URL: https://github.com/dl9pf/meta-spdxscanner If you want to know more about meta-spdxscanner, please ask me.
Copyright 2019 FUJITSU COMPUTER TECHNOLOGIES LIMITED

More Related Content

PPTX
OpenChain Telco - 2022-02-03
Shane Coughlan
 
PDF
Automotive Processes and Open Source
Shane Coughlan
 
PPT
Ten Elements of Open Source Governance
Rogue Wave Software
 
PPTX
Open Source at Scania
Shane Coughlan
 
PPTX
OpenChain Automotive Work Group Meeting #2 - Lyon
Shane Coughlan
 
PDF
Bosch: AN UPDATE ON OUR ACTIVITIES IN AUTOMATING OSS COMPLIANCE: A WORKING SH...
Shane Coughlan
 
PPTX
OpenChain Japan Work Group Meeting #18 (Virtual Meeting #5) - Keynote Message
Shane Coughlan
 
PPTX
OpenChain Reference Tooling Work Group in 2020
Shane Coughlan
 
OpenChain Telco - 2022-02-03
Shane Coughlan
 
Automotive Processes and Open Source
Shane Coughlan
 
Ten Elements of Open Source Governance
Rogue Wave Software
 
Open Source at Scania
Shane Coughlan
 
OpenChain Automotive Work Group Meeting #2 - Lyon
Shane Coughlan
 
Bosch: AN UPDATE ON OUR ACTIVITIES IN AUTOMATING OSS COMPLIANCE: A WORKING SH...
Shane Coughlan
 
OpenChain Japan Work Group Meeting #18 (Virtual Meeting #5) - Keynote Message
Shane Coughlan
 
OpenChain Reference Tooling Work Group in 2020
Shane Coughlan
 

What's hot (7)

PDF
OpenChain Japan Work Group Meeting #16 - Remote Meeting #3
Shane Coughlan
 
PDF
Open source business models for FOSSASIA 2015
Gilles Gravier
 
PDF
FOSSLight Open Source Project
Shane Coughlan
 
PDF
OpenChain Webinar #5: Software Heritage
Shane Coughlan
 
PDF
FIDO Adoption and Market Trends in Japan
FIDO Alliance
 
PPTX
Free and Open Source Software - Challenges for the Automotive Supply Chain
Shane Coughlan
 
PDF
Software Heritage, a revolutionary infrastructure for software source code, O...
OW2
 
OpenChain Japan Work Group Meeting #16 - Remote Meeting #3
Shane Coughlan
 
Open source business models for FOSSASIA 2015
Gilles Gravier
 
FOSSLight Open Source Project
Shane Coughlan
 
OpenChain Webinar #5: Software Heritage
Shane Coughlan
 
FIDO Adoption and Market Trends in Japan
FIDO Alliance
 
Free and Open Source Software - Challenges for the Automotive Supply Chain
Shane Coughlan
 
Software Heritage, a revolutionary infrastructure for software source code, O...
OW2
 
Ad

Similar to How to Manage OSS Licenses in CI/CD Development (20)

PPTX
OpenChain: How to manage OSS licenses for CI/CD development
Shane Coughlan
 
PPTX
Improvements in meta spdxscanner through FOSSology - Ueba San
Shane Coughlan
 
PPTX
Open Source License Compliance with AGL
Paul Barker
 
PPTX
OpenChain, SPDX and FOSSology
Shane Coughlan
 
PPTX
License compliance in embedded linux with the yocto project
Paul Barker
 
PPTX
Android for the Enterprise and OEMs
Black Duck by Synopsys
 
PDF
Yocto Project - OSCON 7-17-2012
Jeffrey Osier-Mixon
 
PDF
Automating License Identification with SPDX-Tool in Ada
Stephane Carrez
 
PDF
XPDS16: The OpenXT Project in 2016 - Christopher Clark, BAE Systems
The Linux Foundation
 
PPTX
How Teradata uses Stacki
StackIQ
 
PPTX
Eclipse IDE Yocto Plugin
cudma
 
PDF
Strategies for developing and deploying your embedded applications and images
Mender.io
 
PDF
Pwx 90 cdc_guide_for_luw
MiguelAngel De Paz González
 
PDF
Yocto Project Linux as a platform for embedded system design
Alex Gonzalez
 
PDF
Open source software governance with DejaCode
nexB Inc.
 
PPTX
Yocto Project introduction
Yi-Hsiu Hsu
 
PPTX
Software update for embedded systems
SZ Lin
 
PPTX
About SPDX Lite - Japanese Deployment Initiative via OpenChain Japan Work Group
Shane Coughlan
 
KEY
Tycho - Building plug-ins with Maven
Pascal Rapicault
 
PPTX
The Open Source Effect on Dell EMC - Joshua Bernstein - Dell EMC World 2017
{code} by Dell EMC
 
OpenChain: How to manage OSS licenses for CI/CD development
Shane Coughlan
 
Improvements in meta spdxscanner through FOSSology - Ueba San
Shane Coughlan
 
Open Source License Compliance with AGL
Paul Barker
 
OpenChain, SPDX and FOSSology
Shane Coughlan
 
License compliance in embedded linux with the yocto project
Paul Barker
 
Android for the Enterprise and OEMs
Black Duck by Synopsys
 
Yocto Project - OSCON 7-17-2012
Jeffrey Osier-Mixon
 
Automating License Identification with SPDX-Tool in Ada
Stephane Carrez
 
XPDS16: The OpenXT Project in 2016 - Christopher Clark, BAE Systems
The Linux Foundation
 
How Teradata uses Stacki
StackIQ
 
Eclipse IDE Yocto Plugin
cudma
 
Strategies for developing and deploying your embedded applications and images
Mender.io
 
Pwx 90 cdc_guide_for_luw
MiguelAngel De Paz González
 
Yocto Project Linux as a platform for embedded system design
Alex Gonzalez
 
Open source software governance with DejaCode
nexB Inc.
 
Yocto Project introduction
Yi-Hsiu Hsu
 
Software update for embedded systems
SZ Lin
 
About SPDX Lite - Japanese Deployment Initiative via OpenChain Japan Work Group
Shane Coughlan
 
Tycho - Building plug-ins with Maven
Pascal Rapicault
 
The Open Source Effect on Dell EMC - Joshua Bernstein - Dell EMC World 2017
{code} by Dell EMC
 
Ad

More from Shane Coughlan (20)

PPTX
Operations Profile SPDX_Update_20250711_Example_05_03.pptx
Shane Coughlan
 
PDF
The 3rd OSPO Summit - China (Beijing - 2025-06-12)
Shane Coughlan
 
PPTX
OpenChain Korea Work Group Meeting - 2025-06-16
Shane Coughlan
 
PPTX
OpenChain Tooling Work Group - 2025-07-02
Shane Coughlan
 
PPTX
OpenChain @ OSS NA - In From the Cold: Open Source as Part of Mainstream Soft...
Shane Coughlan
 
PPTX
In From the Cold: Open Source as Part of Mainstream Software Asset Management
Shane Coughlan
 
PPTX
Empowering Asian Contributions: The Rise of Regional User Groups in Open Sour...
Shane Coughlan
 
PDF
Open Chain Q2 Steering Committee Meeting - 2025-06-25
Shane Coughlan
 
PDF
OpenChain Webinar - AboutCode - Practical Compliance in One Stack – Licensing...
Shane Coughlan
 
PPTX
OpenChain China Work Group – Regular Meeting 3 – 2024-11-29 @ 14:00 to 17:30
Shane Coughlan
 
PPTX
OpenChain @ InnerSource Summit 2024 - 2024-11-20
Shane Coughlan
 
PPTX
OpenChain Korea Work Group Meeting #24 - 2024-11-26
Shane Coughlan
 
PDF
Compliance and Integrity in the Software Supply Chain with Software Heritage:...
Shane Coughlan
 
PDF
Fujitsu’s OSS standards conformance and AI Management System Standardization ...
Shane Coughlan
 
PPTX
OpenChain China Work Group Presentation @ OSCAR 2024
Shane Coughlan
 
PPTX
OpenChain Japan Community Day - 2024-10-17
Shane Coughlan
 
PPTX
ETRI EOST2024 Seoul Keynote - 2024-10-15
Shane Coughlan
 
PDF
OpenChain Webinar- The Role of Data in the Supply Chain of AI - 2024-10-10
Shane Coughlan
 
PDF
SBOM Implementation Reality - From Crawl to Walk, the SPDX Lite Profile for t...
Shane Coughlan
 
PPTX
OpenChain Webinar - AI Legal Landscape - Slides
Shane Coughlan
 
Operations Profile SPDX_Update_20250711_Example_05_03.pptx
Shane Coughlan
 
The 3rd OSPO Summit - China (Beijing - 2025-06-12)
Shane Coughlan
 
OpenChain Korea Work Group Meeting - 2025-06-16
Shane Coughlan
 
OpenChain Tooling Work Group - 2025-07-02
Shane Coughlan
 
OpenChain @ OSS NA - In From the Cold: Open Source as Part of Mainstream Soft...
Shane Coughlan
 
In From the Cold: Open Source as Part of Mainstream Software Asset Management
Shane Coughlan
 
Empowering Asian Contributions: The Rise of Regional User Groups in Open Sour...
Shane Coughlan
 
Open Chain Q2 Steering Committee Meeting - 2025-06-25
Shane Coughlan
 
OpenChain Webinar - AboutCode - Practical Compliance in One Stack – Licensing...
Shane Coughlan
 
OpenChain China Work Group – Regular Meeting 3 – 2024-11-29 @ 14:00 to 17:30
Shane Coughlan
 
OpenChain @ InnerSource Summit 2024 - 2024-11-20
Shane Coughlan
 
OpenChain Korea Work Group Meeting #24 - 2024-11-26
Shane Coughlan
 
Compliance and Integrity in the Software Supply Chain with Software Heritage:...
Shane Coughlan
 
Fujitsu’s OSS standards conformance and AI Management System Standardization ...
Shane Coughlan
 
OpenChain China Work Group Presentation @ OSCAR 2024
Shane Coughlan
 
OpenChain Japan Community Day - 2024-10-17
Shane Coughlan
 
ETRI EOST2024 Seoul Keynote - 2024-10-15
Shane Coughlan
 
OpenChain Webinar- The Role of Data in the Supply Chain of AI - 2024-10-10
Shane Coughlan
 
SBOM Implementation Reality - From Crawl to Walk, the SPDX Lite Profile for t...
Shane Coughlan
 
OpenChain Webinar - AI Legal Landscape - Slides
Shane Coughlan
 

Recently uploaded (20)

PDF
STL Containers in C++ : Sequence Container : Vector
Mohammed Sikander
 
PDF
MCP Security Tutorial - Beginner to Advanced
Harish Ramadoss
 
PPTX
Weekly report ppt - harsh dattuprasad patel.pptx
bikerslovers123
 
PDF
How to Make Money in the Metaverse_ Top Strategies for Beginners.pdf
Herond Labs
 
PPTX
assetexplorer- product-overview - presentation
nonameist3434
 
PDF
iTop VPN Crack Latest Version Full Key 2025
hashmianya37
 
DOCX
Greta — No-Code AI for Building Full-Stack Web & Mobile Apps
niloyislam1187
 
PDF
EaseUS PDF Editor Pro 6.2.0.2 Crack with License Key 2025
halimaanam8
 
PPTX
Why Generative AI is the Future of Content, Code & Creativity?
Webuters Technologies Pvt. Ltd
 
PPTX
Patient Appointment Booking in Odoo with online payment
AxisTechnolabs
 
DOCX
How to Use SharePoint as an ISO-Compliant Document Management System
Sharepoint Designs
 
PPTX
Log360_SIEM_Solutions Overview PPT_Feb 2020.pptx
nonameist3434
 
PDF
Salesforce Agentforce AI Implementation.pdf
Robert Mark
 
PDF
Top 10 Software Development Trends to Watch in 2025 🚀.pdf
KodekX
 
PPTX
"Secure File Sharing Solutions on AWS".pptx
sudharani74442
 
PDF
Ableton Live Suite for MacOS Crack Full Download (Latest 2025)
hashmi66g66
 
PDF
AI/ML Infra Meetup | Beyond S3's Basics: Architecting for AI-Native Data Access
Alluxio, Inc.
 
PDF
Complete Guide to Website Development in Malaysia for SMEs
Asian Business Services & Technologies
 
PDF
AI/ML Infra Meetup | LLM Agents and Implementation Challenges
Alluxio, Inc.
 
PPTX
Embracing Complexity in Serverless! GOTO Serverless Bengaluru
SheenBrisals
 
STL Containers in C++ : Sequence Container : Vector
Mohammed Sikander
 
MCP Security Tutorial - Beginner to Advanced
Harish Ramadoss
 
Weekly report ppt - harsh dattuprasad patel.pptx
bikerslovers123
 
How to Make Money in the Metaverse_ Top Strategies for Beginners.pdf
Herond Labs
 
assetexplorer- product-overview - presentation
nonameist3434
 
iTop VPN Crack Latest Version Full Key 2025
hashmianya37
 
Greta — No-Code AI for Building Full-Stack Web & Mobile Apps
niloyislam1187
 
EaseUS PDF Editor Pro 6.2.0.2 Crack with License Key 2025
halimaanam8
 
Why Generative AI is the Future of Content, Code & Creativity?
Webuters Technologies Pvt. Ltd
 
Patient Appointment Booking in Odoo with online payment
AxisTechnolabs
 
How to Use SharePoint as an ISO-Compliant Document Management System
Sharepoint Designs
 
Log360_SIEM_Solutions Overview PPT_Feb 2020.pptx
nonameist3434
 
Salesforce Agentforce AI Implementation.pdf
Robert Mark
 
Top 10 Software Development Trends to Watch in 2025 🚀.pdf
KodekX
 
"Secure File Sharing Solutions on AWS".pptx
sudharani74442
 
Ableton Live Suite for MacOS Crack Full Download (Latest 2025)
hashmi66g66
 
AI/ML Infra Meetup | Beyond S3's Basics: Architecting for AI-Native Data Access
Alluxio, Inc.
 
Complete Guide to Website Development in Malaysia for SMEs
Asian Business Services & Technologies
 
AI/ML Infra Meetup | LLM Agents and Implementation Challenges
Alluxio, Inc.
 
Embracing Complexity in Serverless! GOTO Serverless Bengaluru
SheenBrisals
 

How to Manage OSS Licenses in CI/CD Development

  • 1. How to manage OSS licenses for CI/CD development Takuma Ueba Fujitsu Computer Technologies Limited 1553ka1 CC BY-SA 4.0
  • 2. whoami Copyright 2019 FUJITSU COMPUTER TECHNOLOGIES LIMITED I have contributed to the following communities  Linux kernel  U-Boot  Yocto Project Developer of In-house Embedded Linux Distribution for Fujitsu Our Distribution is built with Yocto Project My team-member is maintainer of meta-spdxscanner(Lei Maohui) and dnf-plugin-tui(Zheng Ruoqin) Our Distribution is used for 80+ products  IVI  Server System Controller  Storage System  Network equipment etc.. Mainly platform community
  • 3. Agenda Copyright 2019 FUJITSU COMPUTER TECHNOLOGIES LIMITED Why SPDX is needed? Simple introduction of “meta-spdxscanner” Case Study (CI/CD development) Future Work (Current effort) Finally The names of products are the product names, trademarks or registered trademarks of the respective companies. Trademark notices ((R),TM) are not necessarily displayed on system names and product names in this material.
  • 4. Why SPDX is needed? Copyright 2019 FUJITSU COMPUTER TECHNOLOGIES LIMITED Difficult to manage OSS information in various formats product vendor SPDX OSS package information lack of information list delivery software A software B software C delivery delivery Company A Company B Company C supplier Missing OSS License Information!?
  • 5. Why SPDX is needed? Copyright 2019 FUJITSU COMPUTER TECHNOLOGIES LIMITED Extracting all license and copyright information Centralized format of package information for easier management delivery software A software B software C delivery delivery Company A Company B Company C SPDX OSS package information SPDX SPDX Software Package Data eXchange ® Standard format for communicating licenses, copyrights, etc. concerning software packages SPDX is an efficient method to comply with OpenChain.
  • 6. Simple introduction of “meta-spdxscanner” Copyright 2019 FUJITSU COMPUTER TECHNOLOGIES LIMITED  Patches come from 3rd party Yocto Project meta-spdxscanner SPDX files openembedded-core meta-oe meta-……  OSS source code ・default output: SPDX files (considering OpenChain) ・currently use FOSSology as a license scanner (but considering change to scancode-toolkit.) ・support for SPDX “Modification” field Yocto Project is embedded linux distribution build environment and De facto standard in WW. (e.g. Automotive Grade Linux (AGL), SoC vendor BSP … built with YP) do_fetch do_spdx do_package・・・do_unpack Yocto Build process
  • 7. Case Study (CI/CD development)  If integration (CI) is performed, new OSS and license will be added, so it is necessary to clarify the license to deliver.  In CI/CD development, reducing scan time is an theme. e.g. In Weekly Deploy environment, If it takes several hours, it does not fit the development cycle. Copyright 2019 FUJITSU COMPUTER TECHNOLOGIES LIMITED scan time delivery delivery scan time delivery delivery scan scan delivery delivery time integration integration scan integration integrationscan integration integration
  • 8. Case Study (CI/CD development)  “meta-spdxscanner” improved performance by reusing previous scan results. Copyright 2019 FUJITSU COMPUTER TECHNOLOGIES LIMITED 0 50 100 150 200 250 ntp busybox openssl openssh Spendtime(seconds) OSS first reuse
  • 9. Future work (current effort)  Automatically import spdx files from Yocto build process to SW360 (OSS management tool). Copyright 2019 FUJITSU COMPUTER TECHNOLOGIES LIMITED meta-spdxscanner License scanner  Scan only files with differences. (Currently, If there are differences in the source file, the entire file is rescanned.) Automation Easier license-clearing! Output only differences to spdx
  • 10. Finally Copyright 2019 FUJITSU COMPUTER TECHNOLOGIES LIMITED I'd appreciate it if you could give me feedback using meta-spdxscanner. github URL: https://github.com/dl9pf/meta-spdxscanner If you want to know more about meta-spdxscanner, please ask me.
  • 11. Copyright 2019 FUJITSU COMPUTER TECHNOLOGIES LIMITED

Editor's Notes