Welcome to this OSS Review Toolkit project update. My name is Thomas Thimbergen and I'm the Head of Open Source for Here Technologies. We use OSS Review Toolkit or ORT for short for doing all of our FOSS reviews. Besides me being an ORT maintainer, I'm also a contributor to the various projects listed here

as we're trying to build a FOSS solution for doing FOSS reviews. So what has the ORT team been up to? We added an advisor component to add security vulnerability data to your ORT scans. For now, only Nexus IQ is supported as a provider, but more providers will follow soon.

We also improved our reporter component. That's the component that you can use to generate various output formats and so show the results of various output formats. So now we have an ASCII output that we can also use to generate PDFs.

People have been asking us for more options to generate their own third-party notices. So now via Apache Framemaker template, you can create your own highly customized notices. Also for those who are using GitLab, you can now use the new GitLab license model reporter

to display ORT license finding directly into GitLab's UI. Also we added in the web app and in the static HTML so-called how to fix, displaying how to fix information. So this allows you to not only just throw a violation or an error, but instantly show how this can be resolved.

I will demonstrate this later in this presentation. We also added support for SPS manifest. This allows you to basically to manually define software packages. This is especially useful if either OR doesn't support your package manager or if it's a program language that doesn't have a package manager really,

like C or C++. Then to make it easier for you to classify licenses that have an exception, you can now use the with operator. So you can now specify lgpl 2.1 and lgpl 2.1 with classpath exception 2.0. So now you can classify it as two separate licenses. So you can now basically specify license plus exception when you classify licenses.

We now also added the ability to override the declared license for a specific package. So ORT already had the capability to automatically translate the declared license. So it's very Apache to Apache 2.0 that does it automatically. But now you can also override it for specific packages

if you want to have your own mapping from a declared license to an SPS identifier. We also added several new configuration options and improvements to how you can use ORT. For instance proxy support, software 360 storage. I will not go on to that since we don't have the time. We also made some performance improvements to reduce the time that it takes

for ORT to run in your CICD environment. And we also started a partnership with FOSSID. So you can now use ORT inside FOSSID and from ORT you can also call FOSSID. So to give you an overview, I just included this slide.

I don't really have the time to spend everything, but you can see here roughly gives you an idea of how that pipeline works and for people who haven't seen it yet. So it analyzes the package manager, then it downloads the source, the scanner can be used to scan the actual source code,

then you can write policy rules to say OK for licenses that are found and the security advisories that are found. And then the reporter, as I said before, will give you all of it in various output formats. So I thought it was best to just demo what we have

because it's just easier to see features in real life to understand them. So let me start with one of the first features, which is how to fix new text. So here you see an ORT report. So you can see the summary, you can see how many violations, in this case there are 40 violations.

There were 14 declared licenses found and 44 detected. And for people who are not familiar with ORT, you can have the table view with different filters. So we now added also that you can see more options for the information that we have. And then you finally have the tree view where you can see all information basically as a tree.

So one of the features that I wanted to highlight is the how to fix new text. So most tools you have a violation, but how to actually resolve the violation, you have to then click a link and review the documentation. What we now added is a new feature which allows you to define how to fix new text in Markdown.

What it basically adds is, again, you see your violation. Okay, now I'm a developer, this says missing company license. Okay, how do I fix this? What do I need to add? So you can see exactly the steps, specifically for SBT,

how a developer can then add the license, in this case, for this example company. So you can give really precise instruction to the people that read the report, how they can fix the violations that you've thrown. Another feature that I want to show you is SPX package manifest.

So we had this project called move decay, which is a Python project that was using C libraries. But of course, C doesn't have a standard package manager, but we still wanted to show these C packages in our scans. So you now can do this by simply adding an SPX file to the source code repository,

and you're showing the example, and then it will literally show up inside the report. So you see the report of that project being scanned, and you see your SPX document file, and you see exactly the information as we specified it.

It's also possible to specify a SPX file on the root, and then basically describe directories below it. That's also possible. The final feature that I wanted to show was the ORT helper CLI. This feature has been there for quite a bit,

but we never actually showed it in all of our presentations. So if you have ORT compiled, you can go to the helper CLI build install orta-h directory, and if you then type orta-h, it will print the following. ORT helper CLI is basically a helper, as I said, it's a helper CLI.

It allows you to do certain things. So for instance, you can generate .ORT yaml files, you can generate scope exclude, but one of the features I really want to see is list licenses.

So imagine that you have a large amount of scan results that you have to process through. So then we use the helper CLI. I'll show you the output of what it can do. So the list license command has the option to basically show you for each license finding inside the source code,

show you exactly where those license findings are, and exactly show you in a clustered way what those license findings were. So in all of these four locations, this license text was found. In one, this license text was found, and in two, you see this is the full BSL license.

And then this plus here, this indicates whether it was included or excluded by the helper, meaning that it's going into the release artifact, yes or no. So that's all the features that I want to show. So let's go back. So what do we have planned for 2021? So we're going to add support for making license choices.

As the rest of ORT is based on SPDX, again, license choices, we are literally going to allow you to say, like, hey, if you find this SPDX expression, I want you to submit ANDs and ORs, I want you to resolve the ORs like this. So that new feature you will see in the coming months.

Then we're going to add, as I said, additional security providers, such as renderable code, to our advisory component. Then we are also working on, we'll be working on SPDX 3.0. I myself, I'm working on the standard as I'm a maintainer of SPDX.

So you will see SPDX 3.0 in ORT. Further improvements that we're working on is, again, there's performance, we're working on improving the GitLab integration as well, and we'll be working on the documentation. That's it. Thank you for listening, and I'm happy to answer any questions that you may have.