Open Compliance Reference Tooling
Formal Metadata
Title: Open Compliance Reference Tooling
Title of Series: FOSDEM 2021
Number of Parts: 637 (this is part 302)
License: CC Attribution 2.0 Belgium: You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Identifiers: 10.5446/52781 (DOI)
Transcript: English (auto-generated)
00:07
Hello, welcome to my talk about the Open Compliance Reference Tooling. My name is Marcel Kurzmann. I'm working at Bosch.IO in Germany and I'm also the representative of Bosch in the OpenChain governance board. So I'm part of the OpenChain initiative and
00:27
I'm also a regular participant of the tooling group, but not as a tool developer, but rather, as you will see later on, on the process side. And I'm not a lawyer, so this also has a big disclaimer up front: this is no legal consultancy here.
00:45
I'm talking merely about the tooling, how you could integrate that in your processes, and I also want to focus on this interface between process and tools.
01:01
In the tooling group we had a dream, kind of, and today we also want to give you an overview of more or less the status, what happened here in the Open Compliance Reference Tooling. And our idea from the beginning was to provide open source compliance tooling based on available open source tools.
01:25
Why? Because, well, all over the supply chain we have several participants, and we want to give everyone the availability of the tooling, so that everyone can have that based on open source, and
01:42
on the other hand, as this is based on open source, we have a great opportunity to collaboratively improve our systems all across our organizations. So these are the two effects that we have. And today
02:01
we will also see about the process, not only the tooling. And this term "technical debt" might be very familiar, but today, for this talk, I would like to introduce the term "metadata debt". Why? So if we look at the standard,
02:20
in chapter 3.3.1: a process shall exist for creating and managing a bill of materials that includes each open source component and its identified license from which the supplied software is comprised. And the component information, and specifically its identified licenses, is exactly the metadata we refer to here. And why metadata debt, in this context, is that our observation is that
02:48
the people wait until the last second in order to perform this process, to collect all this information. And, yeah, our good practice is
03:03
to start as early as possible. So the longer you wait, the bigger is this pile of issues that you collect until the end, and at the end this is not fun, you have to work a lot. And you're also not always in the comfortable position that you have this
03:25
ability to set this up from the beginning, because for different reasons, history or legacy, or you just have a distributed development. But even in such cases I would recommend to apply a high feedback rate as soon as possible, to get a picture about your current situation, of your
03:44
supplied software, what it is comprised of, and enable you to manage the remaining issues properly. And today I want to give you a reference how this could look like with the tooling, and
04:01
yeah, if we talk about reference, you can think, okay, this is the overall reference, but with the heterogeneous contexts of all our organizations you may imagine that there will be probably not only one reference. And in order to take this into account here, I wanted to make a short example: two different contexts.
04:22
You might have an organization A on the right side, with in-house development, for example in a continuous integration / continuous deployment setup, that has several releases a week and there's a central pipeline, for example like shown here. On the other side you might have organization B,
04:40
who primarily outsourced its development and is performing multi-project management and so on, but with the complete responsibility for the final deliverable, and perhaps only one or two releases a year. So that spans a range of different contexts, and in order to give you
05:01
a short heads-up: this talk would rather focus on the right side, with the central pipeline, on that organization type. What we plan to do is also to, yeah, enhance this reference or set up a second one in the next months
05:22
to, yeah, provide a better overview, and here, of course, contributions are welcome, also in the tooling group. One learning of the last years that we were already working together is that it's not only about the tool, even if we are the tool group, but
05:43
yeah, it's rather a combination of several tools that are combined then with data management, specific roles in the organizations, and all this needs to be considered. And therefore, to be able to understand the tooling side, I would like to begin with the overall process, as this will give us the opportunity to cover several
06:02
aspects where the tooling may be needed. And in the second part we want to give you a short demo of the running tool, one running tool that can do this reference, and some hints how to set it up on your own. The process representation that I'm presenting here is in BPMN, the business process modeling notation,
06:24
so here are also some details, if you want, in the links. And the special characteristic here in BPMN is that every role is a lane, and not only the human roles, but you may also represent systems or tools with a role, and that's what we did here. And
06:47
here I would switch over to my tool that I used to do this. So here I make it a little bit bigger.
07:02
We start with the five lanes that we have here. So we have the development team, we have the open source office as a role, we have the curation team, and finally here, as I said, the Open Compliance Reference Tooling also as a lane. And here, as I saw, okay, this will not cover everything, I added another lane, compliance reference tooling backend,
07:25
so that everything can be considered in this picture. And about the roles itself, so the composition, potentially depending on your organization, might be that
07:42
several roles would be covered by the same person or the same team in your organization, or potentially you have for each of those roles an extra person or extra team to do this. Okay, so
08:01
to start with this, let's go through this process. So you have those events, this is the start event, and some gateways, activities, and let's assume that we go the happy path. So here we start: the system is well configured, the development team may configure its automation by providing the URL and
08:25
customizing the output, and then here we follow this activity link here down to the Open Compliance Reference Tooling, and here these are now the phases and the work that will be done.
08:41
So the tooling will start with an analyzer creating a bill of materials based on the dependency tree that is analyzed in here. So based on the contents of the direct and transitive dependencies, it will download the sources
09:02
for the specific components and provide them to the scanner. In the scanner, so the bill of materials that was a raw material, a raw list of components, here, as you can see here, BOMs, this is now the BOM.1. So based on the scanner results
09:21
this list is enriched with the metadata. So here, BOM.1, we have really a complete list of components with the metadata, means additional license information, copyrights and everything. And this bill of materials .1 with the metadata will be fed into the evaluator, and here you can see the evaluator
09:43
will be configured by license classifications, potentially also policy rules, that will be used to check this bill of materials. So BOM.1 is the same as BOM.2, because the bill of materials will not be changed in this step, but we will get some policy issues, potentially.
10:03
Let's assume that also here there are no policy issues, as this is the happy path. Then the BOM.2 will be used to create the evaluated BOM here, the BOM.3, an intermediate result for internal reasons, and
10:21
potentially then also, if you have a specific distribution context, generate the so-called FOSS compliance bundle that could differ depending on your distribution context. As a minimum, this would be the disclosure document, and this will be fed back to the development team here, up here in this lane,
10:44
and they can use the FOSS compliance bundle for their release. So that would be the end-to-end workflow in this process, and a happy path. And the real world typically looks different.
11:02
Let's come to this later, because now I want to show you this process in action. So I always talk about "we" because I'm presenting here, but I had the help of my team. So thank you to my team also for providing me with the example and the setup. And
11:22
the process that I just showed, so the BPMN and the PNG and the role description, is available in our GitHub of the Open Compliance Reference Tooling group, and it's planned also to enhance this picture with the mapping to the respective tools, because there are several. And for today's demo I would, yeah, to keep it simple, base it only on the
11:46
OSS Review Toolkit, called ORT, as the orchestrator that will do this setup that I just showed, and in the scan step it will then use ScanCode as a scanner. If you want to repeat the steps that I will show at home, then
12:05
here, just for your presentation and to make it easy for you as well: I just didn't do it in my own company, but I took my private computer, a Windows computer, I created a new user and did exactly those steps and
12:21
found out. So after this installation of ORT you have this command "ort requirements", and that's very, very helpful, because then you can really check, okay, is everything in place. And here you can see you need a Java, or you need a Python, then ScanCode I installed as well,
12:43
Python ScanCode, to keep it more simple, then also for the tooling, and so good for the download. And then this is also where my team was supporting me with the ORT binary, and installed ORT, and the "ort requirements" command
13:03
gives the feedback, and this is the feedback I got. So here the ScanCode, here's a little legend: minus means not found, plus means the tool is there but not the required version or a differing version, and the star is okay, it's there. And here you can see Python is there, Git is there, and ScanCode is there,
13:25
but in another version, but that wasn't a problem. And this is pretty handy if you want to start. And, yeah, I had some troubles, to be honest, with the path settings, but finally managed to have this and then started my
13:41
demo. And here you can see what's in there. This was really a fresh user that I created. I had my downloads here: ScanCode, Python, Git, and here the FOSDEM example folder that I used.
14:01
The example is based on semver4j. Why? Because, you know, you start and saw, okay, cool, it's using a dependency, JUnit, and so, yeah, we found it useful to use this because it had this JUnit
14:23
dependency. And then, in order to make it more interesting for you, I also added some manipulations, mainly on the ORT files that I used within this. So if we go back to the process that we have seen, so here you see that the development team would configure the automation
14:44
by providing a URL. In my case, as I now pretend to be the development team, I have the semver4j folder here in my FOSDEM example folder, and ORT was then
15:02
configuring it in here. So if we go back to the happy path that I just showed, here you can see the different steps. So here I have a batch file, but you could also implement that, yeah, well, you can run each of those commands in the command line interface,
15:20
you can put it in Jenkins or whatever pipeline, whatever you want. And here you can see I start the analyze step here, I provide the URL. This is easy because it's just a subfolder, semver4j, and the output shall be in the output subfolder. Then as a second step
15:42
I start a scan with exactly this analyzer result YAML that was put in this output folder one step before, and the output of the scan will be placed in this output folder again. Then in the third step I would start the evaluation step. You would say, hey, where's the download? The download is directly here in the scan step. So you don't need to
16:06
start it specifically. But in the evaluate step here you can also see I will use the output again, here the scan results from the scanner in the step before, and the results will also go to the output. Only in the last step, the report, I
16:27
also use the output now, here from the evaluation result YAML, but in this case I put it in the subfolder "reports" to make it, yeah, a better overview in this.
16:42
Okay, so let's start. Now let's see how that works. So here you see I start this batch in the PowerShell script, and in this PowerShell now those steps will run through. If you set it up the first time
17:04
you will see it takes a little bit longer, because the scanner takes longer. But now here you see the first step starts with the analyzer, it will analyze the result and write it to the output folder as we have configured. Now the second step here runs, and
17:25
here you will see it already knows a little bit, because it recalls the information from the last run, so therefore this step runs a little bit faster. And here the third step is the evaluate step, and here you see: found zero errors, zero warnings, zero hints.
17:44
That's good, because that shall be our happy path example. And then finally the fourth step will start with the report that generates the subfolders. And now let's check what is,
18:05
what we did here. Sorry for this. So here, this would be our case number one, the happy path. So we would have continuous deployment, this development, and continuous integration with a fast feedback. So
18:21
as you have seen, this is automated, so I could start it again and again and again, and this is exactly the idea. So we have a team that produces new iterations, new increments of their software, and they want to have a fast feedback from the system, ideally then also always a
18:41
continuously updated FOSS compliance bundle that they can use for their release. And now let's go to the next slide. So how does that look like in the interim steps? You could see, okay, we had this raw BOM from the analyzer result that is in the output folder, that was used in the other steps, and
19:04
then we had the scan results, and after that the scan result was used in the evaluator, and here it put the evaluation results. Only the evaluated BOM here is in this subfolder, as I mentioned, the reports. And this is also going back
19:22
to this process overview. You can see the difference between reporter and generator: the reporter, which provides scan reports, where we can have a look at what was in there, and the generator, which might be configured differently
19:40
by the development team, because you might need a different disclosure document, perhaps for embedded devices or apps or whatever. So that could differ here. I didn't configure anything, so I got a NOTICE_DEFAULT with the license texts, copyrights, everything, but, yeah, as a text file, so nothing special.
20:06
But this is also not the goal today. Here, this is the scan report, the evaluated BOM, where you can see all the packages here. It didn't provide some details, because we will see this later in the examples. But important here: rule violation summary, zero errors, zero warnings, zero hints, resolved, perfect.
20:26
So this is very cool for the project, because they have nothing to do. And to be honest, in order to reach that goal we already made some adaptions to this run,
20:41
and now for those cases, to show you the reality, we will turn that back. So here I made a subset of potential real-world cases, and I made those cases so that every part, every lane, every role is considered at least once. There might be many more, as you can imagine, but for me
21:06
it's important to show you what that means in the process and together with the tool. And here let's start with case number two. So this is a very simple one from the process side, because this would be an open source office issue.
21:21
What does that mean? So here in the real world it might be that we have a scan, it runs and it detects a license, and this is an unknown license. So there's a license classification missing. So the solution would be that the open source office needs to evaluate that, classify it and provide an updated license
21:46
classification YAML file in the tooling. And this is how it would look like at the end: so the report here is not green. Here you see three errors, zero warnings, zero hints, but three errors, and
22:02
one of those errors you see here is for one detected license, the EPL-2.0, unhandled license, and this is what I manipulated in here. So in the license classification list I just commented the EPL
22:20
classification out, so I got this second violation here. And now the team would need a solution, because here everything is all right in the beginning, but here they get a policy issue, and therefore they also cannot,
22:41
potentially cannot, use the result file or a disclosure document, because if the license is not classified then potentially also the license text is not available in here, or whatever. And this is what happens. So this issue is taken care of by the open source office. They will check the license, they will classify that license and update this license classification YAML,
23:05
so in the next iteration, when this is running, then those points will be turned to resolved. So here we have exactly this case, as I mentioned. Now let's see how this is working.
23:21
So here I repeat this run. So the steps in the beginning will be the same, perhaps I can just switch to the end and check here the evaluation step. Yeah, that's perfect, I directly got this. And here you see, instead of three errors now
23:44
we only have two errors left, zero warnings, zero hints. So we got that: with this license classification update we had resolved this error, and now only two errors are left
24:04
here in this list. So we did it. So here we had the open source office involved. Now case three is a unique development team issue, and that would be really a real-world issue, because here we have a
24:24
license classified as non-suitable to the specific context. So the only solution in here would be, okay, the development team needs to remove that component and create a new development increment where they remove that component. So for example here, if,
24:42
okay, that's copyleft-limited, but let's assume that would be a harmful or non-suitable component. What can they do? So they, yeah, remove that component, because I had the problem that was shown here in the policy violation feedback, and it's an issue.
25:01
So they get, potentially also they would ask the open source office, is this really an issue? There was, yeah, confirmed: yes, this is an issue, please remove this. And they then remove the component, create a new increment, and with this new increment the policy violation would be gone. And
25:23
this is, as I said, if the root cause is a real hit. But more often it is case four, where we have hits that are not correct. And here we have the same starting situation:
25:41
the license is classified as non-suitable to the context, but we will see that it's a dependency in the test folder, and so it's not really distributed. And in this case we have now another possibility, as the development team can configure that as a false positive, as kind of, yeah, this is not distributed, it's only a test
26:07
folder. So they added this pattern to the .ort.yaml for excluding this from the scan, or at least from the evaluation, and now they fixed it. And now let's see how that looks like.
26:21
So here in the root folder we have to put this .ort.yaml file, and here we added this "excludes" with the scopes pattern "test", so everything that's in the test pattern will be excluded and not used in here. What I did here now is, because this is the same as our happy path in the beginning,
26:46
that's what I said, this was what I was turning back. But to show you here now the steps that are running in ORT, in comparison to the process picture, you can see the analyzer step that runs here.
27:03
You see the different package managers that are supported to create those dependency trees. Then here the download would start, if it hadn't been done already, so to download, and the scan would take a little longer. Now here we're on the scan step, and then the
27:22
scan result is created, this BOM.1, and now the evaluator is starting and creating these policy issues, if there were any. And here you can see zero errors, zero warnings, it's popping up all the time: zero errors, zero warnings, zero hints. So
27:44
with the exclusion in the .ort.yaml we already did it. And then the last step, we had this reporter generating then the report again. So here, as I said, rule violation summary: zero warnings, zero hints.
28:00
That's exactly the way it should be. So we have here only the main component that is used and distributed, semver4j, with the declared license MIT, and this is, yeah, we would have to check this detected license if there's a mismatch, whatever, but this is not part of this presentation.
28:24
Now, who would do this check? And this is in our case five, because you have seen there we have this other lane that's called the curation team. And this would be here the manipulation idea, that says I
28:41
made a manipulation, that I deleted some metadata for one dependency, and the curation team would need to investigate the situation and provide the metadata in the curations YAML file. So how would that look like? So here we still have the real case, a real feedback in a detected license. So here you would have a NOASSERTION, for example, in the detected license,
29:07
but to make it simple, as I said, I just made a manipulation, so I took the scan result YAML from the earlier run and just deleted the license declaration for
29:23
JUnit 4.12. And so here you can see in this summary you have only a detected license. Also here in this package overview there's no declared license anymore, like here in the other cases, only a detected license.
29:46
And therefore, yeah, this is the question: how do you handle this in your organization? But here we need a concluded license, as it's called in here. So the curation team needs to investigate
30:00
which of those detected licenses is the right one, because there are different ones, or is there another declaration. You might have different ways to do this, to come to a conclusion in here, and for the result you also have different ways to do this: even on the global level in the curations YAML, or, if this would be project specific,
30:24
you could also have a curations section in the .ort.yaml in the project repository root folder, if this would be a project-specific curation. But now let's assume we do that with the curation team on the global level. So here
30:41
we have again the situation: our input is okay, the licenses are okay, but somehow we got a problem here in the policy, we got a policy violation. How shall we handle it? The problem in this case is with the metadata of one component coming in, and
31:02
now the curation team gets active, so they have to check this component, investigate by checking the repository, checking the sources, the home page, whatever, and finally come up with real metadata, and they can provide that in the curations YAML.
31:25
Worst case would be, okay, they do not find any metadata, so it's an unlicensed component, or without any license. So then, yeah, you also have to react accordingly. But let's assume here, okay, they found it, they provided it in the curations
31:41
YAML, and in the next run the system would use that curated data, the concluded licenses, and turn those fields to green, as you can see here. There are different ways how you could do this, and if this gets more, yeah,
32:01
challenging, you might also use different tools to do this. And here one tool, for example, would be FOSSology, that supports you in this case if you have a thorough investigation to do in the sources. Here you would see exactly:
32:23
okay, Apache-2.0, EPL-1.0, what we have already seen in the ScanCode output, but here's also CPL, BSD-3-Clause. So this might take some time, and yeah, this is then also why we see the need of an extra role to do this, because the people need to be trained and
32:47
they should know what they do. And here we have also in the community the ClearlyDefined project that
33:00
cares about sharing the metadata, but most important also sharing already the process and how-tos, how to do the curation. And that's very helpful also to exchange with each other: so what should we do, and what should be the quality of the data, so that we can really use it.
33:26
Here's a link to ClearlyDefined. So in case you're really lucky, you can also configure the system that it shall use the curations that are already there in ClearlyDefined, and then potentially save some effort on your own. So how did the
33:42
results from the curation team look like? Here you can see the curations YAML. Here I made the curation, manipulated, so this is what I added here as an additional curation for my JUnit, so I manipulated on the other hand. But in a real case it would look like: okay, you put in the ID
34:02
and a comment, so here for the demo I manipulated that, and here you see then finally the concluded license. Then I entered here EPL-1.0, and now as a result you can see here, okay, violation summary: I put it as green, even if it's an error, because green indicates that now
34:26
there's a concluded license. But it's still an error, because, yeah, it's copyleft-limited in the source. Yeah, this is then another question, how the team would handle this with their open source office.
34:45
And here again in the package overview, here you see now it's not a declared license but a concluded license, EPL-1.0, and here for the detected license, again like in the earlier case, I just didn't care, because I only wanted to show you how curation would look like
35:02
and the workflow. Okay, so that's it. I hope I could give you some insights into the workflow and also an inspiration to use this. I had some slides where you can see, okay, how to set it up and to play around perhaps a little bit.
35:25
And if you want to join us in the open compliance tooling group, then here you have the links again. So we meet in a bi-weekly rhythm, and the invitations are sent on the mailing list. So everyone is welcome. And as you have seen, we still have
35:44
some things to do. We already have a running reference, but yeah, there's still a way to go to cover everything. So thank you very much, and have a nice day. Bye.