OSS Review Toolkit - project update
Formal Metadata
Title | OSS Review Toolkit - project update
Title of Series | FOSDEM 2021
Part | 160 / 637
Number of Parts | 637
License | CC Attribution 2.0 Belgium: You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Identifiers | 10.5446/52435 (DOI)
Transcript: English(auto-generated)
00:05
Welcome to this OSS Review Toolkit project update. My name is Thomas Steenbergen and I'm the Head of Open Source for HERE Technologies. We use OSS Review Toolkit, or ORT for short, for doing all of our FOSS reviews. Besides me being an ORT maintainer, I'm also a contributor to the various projects listed here,
00:23
as we're trying to build a FOSS solution for doing FOSS reviews. So what has the ORT team been up to? We added an advisor component to add security vulnerability data to your ORT scans. For now, only Nexus IQ is supported as a provider, but more providers will follow soon.
00:44
We also improved our reporter component. That's the component that you can use to generate various output formats and so show the results in various output formats. So now we have an AsciiDoc output that we can also use to generate PDFs.
01:00
People have been asking us for more options to generate their own third-party notices. So now, via Apache FreeMarker templates, you can create your own highly customized notices. Also, for those who are using GitLab, you can now use the new GitLab License Model reporter
01:21
to display ORT license findings directly in GitLab's UI. Also we added in the web app and in the static HTML so-called how-to-fix, displaying how-to-fix information. So this allows you to not only just throw a violation or an error, but instantly show how this can be resolved.
01:42
I will demonstrate this later in this presentation. We also added support for SPDX manifests. This allows you to basically manually define software packages. This is especially useful if either ORT doesn't support your package manager or if it's a programming language that doesn't really have a package manager,
02:01
like C or C++. Then, to make it easier for you to classify licenses that have an exception, you can now use the WITH operator. So you can now specify LGPL-2.1 and LGPL-2.1 WITH Classpath-exception-2.0, and you can classify them as two separate licenses. So you can now basically specify license plus exception when you classify licenses.
02:25
We now also added the ability to override the declared license for a specific package. So ORT already had the capability to automatically translate the declared license, so e.g. "Apache" to "Apache-2.0"; it does that automatically. But now you can also override it for specific packages
02:42
if you want to have your own mapping from a declared license to an SPDX identifier. We also added several new configuration options and improvements to how you can use ORT, for instance proxy support and SW360 storage. I will not go into that since we don't have the time. We also made some performance improvements to reduce the time that it takes
03:03
for ORT to run in your CI/CD environment. And we also started a partnership with FossID. So you can now use ORT inside FossID, and from ORT you can also call FossID. So to give you an overview, I just included this slide.
03:20
I don't really have the time to explain everything, but you can see here roughly, it gives you an idea of how that pipeline works, for people who haven't seen it yet. So it analyzes the package manager, then it downloads the source, the scanner can be used to scan the actual source code,
03:43
then you can write policy rules to say OK for licenses that are found and the security advisories that are found. And then the reporter, as I said before, will give you all of it in various output formats. So I thought it was best to just demo what we have,
04:04
because it's just easier to see features in real life to understand them. So let me start with one of the first features, which is the how-to-fix text. So here you see an ORT report. So you can see the summary, you can see how many violations; in this case there are 40 violations.
04:22
There were 14 declared licenses found and 44 detected. And for people who are not familiar with ORT, you can have the table view with different filters. So we now added also that you can see more options for the information that we have. And then you finally have the tree view, where you can see all information basically as a tree.
04:45
So one of the features that I wanted to highlight is the how-to-fix text. In most tools you have a violation, but to actually resolve the violation you have to then click a link and review the documentation. What we now added is a new feature which allows you to define how-to-fix text in Markdown.
05:07
What it basically adds is, again, you see your violation. Okay, now I'm a developer, this says missing company license. Okay, how do I fix this? What do I need to add? So you can see exactly the steps, specifically for SBT,
05:20
how a developer can then add the license, in this case, for this example company. So you can give really precise instructions to the people that read the report on how they can fix the violations that you've thrown. Another feature that I want to show you is the SPDX package manifest.
05:40
So we had this project called move decay, which is a Python project that was using C libraries. But of course, C doesn't have a standard package manager, but we still wanted to show these C packages in our scans. So you can now do this by simply adding an SPDX file to the source code repository,
06:08
and here I'm showing the example, and then it will literally show up inside the report. So you see the report of that project being scanned, and you see your SPDX document file, and you see exactly the information as we specified it.
06:21
It's also possible to specify an SPDX file at the root, and then basically describe directories below it. That's also possible. The final feature that I wanted to show was the ORT helper CLI. This feature has been there for quite a bit,
06:41
but we never actually showed it in all of our presentations. So if you have ORT compiled, you can go to the helper-cli/build/install/orth directory, and if you then type orth, it will print the following. The ORT helper CLI is basically a helper, as I said, it's a helper CLI.
07:06
It allows you to do certain things. So for instance, you can generate .ort.yml files, you can generate scope excludes, but one of the features I really want to show is list-licenses.
07:21
So imagine that you have a large amount of scan results that you have to process. So then we use the helper CLI. I'll show you the output of what it can do. So the list-licenses command has the option to basically show you, for each license finding inside the source code,
07:40
exactly where those license findings are, and show you in a clustered way what those license findings were. So in all of these four locations, this license text was found. In one, this license text was found, and in two, you see this is the full BSL license.
08:02
And then this plus here indicates whether it was included or excluded by the helper, meaning whether it's going into the release artifact, yes or no. So that's all the features that I wanted to show. So let's go back. So what do we have planned for 2021? So we're going to add support for making license choices.
08:24
As the rest of ORT is based on SPDX, again, for license choices we are literally going to allow you to say, like, hey, if you find this SPDX expression with ANDs and ORs, I want you to resolve the ORs like this. So that new feature you will see in the coming months.
08:43
Then we're going to add, as I said, additional security providers, such as VulnerableCode, to our advisor component. Then we are also working on, we'll be working on SPDX 3.0. I myself, I'm working on the standard as I'm a maintainer of SPDX.
09:02
So you will see SPDX 3.0 in ORT. Further improvements that we're working on are, again, performance; we're working on improving the GitLab integration as well, and we'll be working on the documentation. That's it. Thank you for listening, and I'm happy to answer any questions that you may have.