Improvements in meta spdxscanner through FOSSology - Ueba San
Download as PPTX, PDF0 likes276 views
The document details improvements made to the meta-spdxscanner by Fujitsu, highlighting its role as a Yocto layer for source code license scanning with SPDX format output. It compares outputs from dosocsv2 and fossology, emphasizing ideal responsibilities of SPDX including proper licensing information. Future work includes enhanced integration with fossology for generating high precision SPDX files and soliciting feedback from users.
Improvements in meta spdxscanner through FOSSology - Ueba San
- 1. Copyright 2018 FUJITSU COMPUTER TECHNOLOGIES LIMITED Improvements in meta-spdxscanner through FOSSology Takuma Ueba Fujitsu Computer Technologies Limited 0 1518ka1
- 2. whoami I have contributed to the following communities • Linux Kernel • U-Boot • Yocto Project Developer of In-house Embedded Linux Distribution for Fujitsu Limited Our Distribution is built with Yocto Project My team-member is maintainer of meta-spdxscanner (Ms. Lei Maohui) Our Distribution is used for 80+ products. • IVI • Server System Controller • Storage System • Network equipment etc Copyright 2018 FUJITSU COMPUTER TECHNOLOGIES LIMITED Mainly platform community 1
- 3. Simple Introduction of meta-spdxscanner Yocto Layer of source code License scanner Default output: SPDX format (is best format) (considering OpenChain Project) Default scanner: DoSOCSv2 Fossology 3.x doesn’t support CUI (at this point), so it could not be used with Yocto Project Copyright 2018 FUJITSU COMPUTER TECHNOLOGIES LIMITED Patches come from 3rd party Yocto Project meta-spdxscanner SPDX files openembedded-core meta-oe meta-…… do_fetch do_unpack …… do_spdx …… OSS source code 2
- 4. Comparing Outputs by DoSOCSv2, FOSSology Copyright 2018 FUJITSU COMPUTER TECHNOLOGIES Ideal SPDX file DoSOCSv2(0.16.1) FOSSology(3.3.0) SPDXVersion: SPDX-2.0 DataLicense: CC0-1.0 FileName: ./LICENSE SPDXID: SPDXRef-file-LICENSE-4919- 7310aaf0 FileType: OTHER FileChecksum: SHA256: 4919cfb14a73cd64fcef67b107613970cf165 9a09aa675dba31314f373bc7204 LicenseConcluded: NOASSERTION LicenseInfoInFile: LicenseRef-BSD-style LicenseComments: <text></text> FileCopyrightText: NOASSERTION FileComment: <text></text> FileNotice: <text></text> :(snip) SPDXVersion: SPDX-2.1 DataLicense: CC0-1.0 FileName: bzip2-1.0.6/LICENSE SPDXID: SPDXRef-item1699540 FileChecksum: SHA1: 1c0c6888759a63c32bca7eb63353af2cd9b d5d9e FileChecksum: MD5: ddeb76cd34e791893c0f539fdab879bb LicenseConcluded: LicenseRef-bzip2-1.0.6 LicenseInfoInFile: LicenseRef-bzip2-1.0.6 FileCopyrightText: <text> copyright (C) 1996-2010 Julian R Seward. All rights reserved. copyright notice, this list of conditions and the following disclaimer. </text> :(snip) LicenseID: LicenseRef-bzip2-1.0.6 LicenseName: bzip2 and libbzip2 License v1.0.6 ExtractedText: <text> This program, "bzip2", the associated library "libbzip2", and all documentation, are copyright (C) 1996-2010 Julian R Seward. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: :(snip) SPDXVersion: SPDX-2.1 DataLicense: CC0-1.0 FileName: bzip2-1.0.6/LICENSE SPDXID: SPDXRef-item1699540 FileChecksum: SHA1: 1c0c6888759a63c32bca7eb63353af 2cd9bd5d9e FileChecksum: MD5: ddeb76cd34e791893c0f539fdab879 bb LicenseConcluded: LicenseRef-bzip2- 1.0.6 LicenseInfoInFile: LicenseRef-bzip2- 1.0.6 FileCopyrightText: <text> copyright (C) 1996-2010 Julian R Seward. All rights reserved. copyright notice, this list of conditions and the following disclaimer. </text> :(snip) LicenseID: LicenseRef-bzip2-1.0.6 LicenseName: bzip2 and libbzip2 License v1.0.6 ExtractedText: <text> This program, "bzip2", the associated library "libbzip2", and all documentation, are copyright (C) 1996-2010 Julian R Seward. All rights reserved. :(snip) insufficient SPDX output By DoSOCSv2 ≒ SPDX 2.0 2.1: Mandatory item ・LicenseConcluded: no output ・LicenseInfoInFile: mistake ・FileCopyrightText: no output Ideal SPDX output By FOSSology 3
- 5. FOSSology available for YP soon! Copyright 2018 FUJITSU COMPUTER TECHNOLOGIES LIMITED We are making available to use fossdriver in meta-spdxscanner So you can soon use FOSSology from Yocto Project fossdriver is intended to enable control of a FOSSology server from Python programs. ※ Quoted from fossdriver’s readme Let’s use improved meta-spdxscanner and SPDX file Please give me feedback on meta-spdxscanner and SPDX topics. You are available to use high precision SPDX file! 4
- 6. Future Work Copyright 2018 FUJITSU COMPUTER TECHNOLOGIES LIMITED The names of products are the product names, trademarks or registered trademarks of the respective companies. Trademark notices ((R),TM) are not necessarily displayed on system names and product names in this material. Let’s improve SPDX file precision together For maintenaince reason, we want send REST API calls FOSSology server to generate SPDX files 5
Editor's Notes
- #2: 0