TrustSource provides a collection of services required to manage the challenges in Software Security and Compliance, especially handling open source. TrustSource has been designed according to the requirements as outlined by the OpenChain Tooling Workgroup Reference Model.
To cope with the challenge, TrustSource provides a set of services as depicted in the following diagram. Some of the services are available as open source, some are still closed source or implemented only as part of the managed service.
On the left-hand side you will find the Software Composition Analysis (SCA) tools. All of our solutions here are available as open source. You will find SCA tools that can be integrated into build processes for automated dependency resolution, for scanning Docker files, or for scanning repositories. We do not yet provide our own implementation for scanning binaries; here we recommend Armijn Hemel's BANG.
The SCA arena is more complex than it looks at first. The complexity results from the plethora of ecosystems as well as their ongoing evolution, and keeping track of all the changes and developments becomes a challenge. However, we expect the ecosystems to invest in dependency resolution and documentation themselves over time. Already today, Yocto for example is able to produce an SPDX document of the recent build.
Since the actual goal of SCA is to generate an accurate list of ingredients, the Software Bill of Materials (SBOM), we also accept such lists as input, uploaded via the CLI to our service API. The SBOM may be provided in the TrustSource internal format or in the standard JSON formats of CycloneDX v1.2 to v1.6 and SPDX v2.2 and v2.3.
From here, the internal processing begins:
- Identified components are enriched with existing and curated metadata
- Licenses are checked against the project context, and the resulting obligations are determined
- Components are checked against known security vulnerabilities
- Known information on encryption is taken into account
- Findings are collected into a commit-specific "analysis"
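The ingestion and processing steps above, shown as an added, self-contained example rather than TrustSource code: it normalises a CycloneDX or SPDX JSON SBOM into one component list, checks each component's license against a project policy, derives obligations, matches the component's purl and version against a vulnerability table, and collects the findings into a commit-specific analysis. The policy, the vulnerability table (with placeholder ids), the two sample SBOMs and the commit ids are all constructed for this demonstration; TrustSource's real enrichment data and matching logic are not shown here.

```python
import json
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Component:
    name: str
    version: str
    purl: Optional[str]
    licenses: List[str]


def parse_sbom(text: str) -> List[Component]:
    """Normalise a CycloneDX (JSON, 1.2-1.6) or SPDX (JSON, 2.2/2.3) SBOM into Components."""
    doc = json.loads(text)
    comps: List[Component] = []
    if doc.get("bomFormat") == "CycloneDX":
        for c in doc.get("components", []):
            lics = []
            for entry in c.get("licenses", []):
                lic = entry.get("license", {})
                # A CycloneDX license entry carries an SPDX id, a free-text name, or an expression
                lic_id = lic.get("id") or lic.get("name") or entry.get("expression")
                if lic_id:
                    lics.append(lic_id)
            comps.append(Component(c["name"], c.get("version", ""), c.get("purl"), lics))
        return comps
    if str(doc.get("spdxVersion", "")).startswith("SPDX-2."):
        for p in doc.get("packages", []):
            # SPDX carries the purl as an external reference of type "purl"
            purl = next((r.get("referenceLocator") for r in p.get("externalRefs", [])
                         if r.get("referenceType") == "purl"), None)
            lic = p.get("licenseConcluded", "NOASSERTION")
            lics = [] if lic in ("NOASSERTION", "NONE") else [lic]
            comps.append(Component(p["name"], p.get("versionInfo", ""), purl, lics))
        return comps
    raise ValueError("unsupported SBOM format (expected CycloneDX or SPDX JSON)")


# Constructed project policy: accepted SPDX license ids and simplified obligations per license.
POLICY = {
    "allowed": {"MIT", "Apache-2.0", "BSD-3-Clause"},
    "obligations": {
        "MIT": "retain copyright and permission notice",
        "Apache-2.0": "retain NOTICE file and license text; mark modified files",
    },
}

# Constructed vulnerability table keyed by purl without version; the ids are placeholders.
VULN_DB = {
    "pkg:pypi/demo-parser": [
        {"id": "VULN-EXAMPLE-1", "affected": {"0.9.0", "0.9.1"}, "severity": "high"},
    ],
}


def purl_base(purl: Optional[str]) -> Optional[str]:
    """Strip the version from a purl (simplified: ignores qualifiers and subpaths)."""
    return purl.split("@", 1)[0] if purl else None


def analyse(sbom_text: str, commit: str) -> dict:
    """Run license, obligation and vulnerability checks; return a commit-specific analysis."""
    comps = parse_sbom(sbom_text)
    findings = []
    for c in comps:
        if not c.licenses:
            findings.append({"component": c.name, "kind": "license",
                             "detail": "no license declared; needs curation"})
        for lic in c.licenses:
            if lic not in POLICY["allowed"]:
                findings.append({"component": c.name, "kind": "license",
                                 "detail": f"license {lic} not allowed in project context"})
            obligation = POLICY["obligations"].get(lic)
            if obligation:
                findings.append({"component": c.name, "kind": "obligation", "detail": obligation})
        for v in VULN_DB.get(purl_base(c.purl), []):
            if c.version in v["affected"]:
                findings.append({"component": c.name, "kind": "vulnerability",
                                 "detail": f"{v['id']} ({v['severity']}) affects {c.version}"})
    return {"commit": commit, "components": len(comps), "findings": findings}


# Constructed sample SBOMs (component names and versions are invented).
CYCLONEDX_SAMPLE = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
    "components": [
        {"type": "library", "name": "sample-util", "version": "3.1.0",
         "purl": "pkg:npm/sample-util@3.1.0", "licenses": [{"license": {"id": "WTFPL"}}]},
        {"type": "library", "name": "demo-lib", "version": "2.0.1",
         "purl": "pkg:npm/demo-lib@2.0.1", "licenses": [{"license": {"id": "MIT"}}]},
    ],
})
SPDX_SAMPLE = json.dumps({
    "spdxVersion": "SPDX-2.3", "dataLicense": "CC0-1.0", "SPDXID": "SPDXRef-DOCUMENT",
    "name": "demo-solution",
    "packages": [
        {"name": "demo-parser", "SPDXID": "SPDXRef-Package-1", "versionInfo": "0.9.0",
         "licenseConcluded": "Apache-2.0",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                           "referenceLocator": "pkg:pypi/demo-parser@0.9.0"}]},
        {"name": "legacy-crypto", "SPDXID": "SPDXRef-Package-2", "versionInfo": "1.0.0",
         "licenseConcluded": "NOASSERTION"},
    ],
})

if __name__ == "__main__":
    for sbom, commit in ((CYCLONEDX_SAMPLE, "constructed-commit-1"), (SPDX_SAMPLE, "constructed-commit-2")):
        print(json.dumps(analyse(sbom, commit), indent=2))
```

The two formats differ in where they carry the same facts (CycloneDX lists licenses per component and a top-level `purl`; SPDX uses `licenseConcluded` and an external reference of type `purl`), which is why a single normalised component model is the natural first step before any policy or vulnerability logic runs. A package with `NOASSERTION` as its concluded license surfaces as a curation finding rather than silently passing.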
All this happens automatically. The intuitive user interface, with its traffic-light analogy, guides even developers without detailed legal expertise through the identified tasks toward complete and sound documentation. To-Do Navigators support the collection of the data required to produce a sound notice file.
The new "Bulk repository scan" feature allows all identified components to be chained for detailed file-based scanning. You simply request a scan of "a solution" and TrustSource will chain every component in the SBOM, including transitive ones, for a DeepScan. All data is collected and added to the component base where required. You decide the scope: copyright, licenses and/or encryption; DeepScan can assess all of them. It uses the given versions, downloads the sources and assesses them, for all components.
This may take a while, but you will be notified when the results are available.