From where we come:
Quite a while ago we started, in one of our projects, to automate the compliance aspect of open source usage. Although compliance is something that should be at the top of everybody's agenda, it still does not seem to be widely adopted. However, you have probably made your way here because you have accepted that something should be done.
Compliance is a complex topic, and we did not see the complete picture when we started almost 5 years ago. The main idea was to develop an expert system able to automate the determination of obligations. The first version was delivered in early 2016, based on the concepts we developed together with our lawyers from CMS, namely Philippe Heinzke.
Meanwhile the expert system, our legal solver, is only one of the capabilities developed in the sphere of TrustSource:
- Legal Solver
- Component crawlers
- Component repository
- Case data repository
- Logging and Audit Journal
- Identity Management
- DeepScan for effective license determination and copyright scanning
- Package manager integrations
- Compliance artefact generators
- Approval workflows
- COTS and infrastructure components management (for MDR relevant reporting)
At the end of 2017 we added the remains of VersionEye (built by Robert Reiz), which gave us a better understanding of crawling for component data. We are still steadily improving the supply of component metadata, which is one of the most relevant aspects if you plan to automate compliance: the better your data, the easier the decisions.
Unfortunately, declared licenses are only half of the truth; in practice the effective licenses matter more than the declared ones. Thus in 2018 we invented DeepScan, a source scanner for license data that can be handed a repository or file URL and returns a complete list of findings. Also during 2018 we came across the OpenChain project and were pleased to see that the OpenChain approach to open source compliance is identical to ours.
In 2019 we started to dockerize and modernize our complete infrastructure. We moved from AWS EB (Elastic Beanstalk) to Docker-based Fargate services and invested a lot of work in improving DeepScan. It can now be used to identify changes in repositories between scans, opening up a new way to manage and oversee C or C++ based projects.
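The two points made above, that the licenses found in the source tree (effective) can differ from the license declared for the package, and that comparing two scans of the same tree reveals what changed, are illustrated by the following added example. It is not DeepScan code and not part of the original post; the sample project, its file contents, the declared license and the function names are all constructed for this illustration. The scanner only looks for SPDX-License-Identifier tags, which is a simplification of what a full license scanner does.

```python
import re

# Constructed sample project (not a real repository): a declared top-level
# license and two snapshots of the source tree with per-file SPDX tags.
DECLARED_LICENSE = "MIT"

SNAPSHOT_V1 = {
    "README.md": "# demo project\n",
    "src/main.c": "// SPDX-License-Identifier: MIT\nint main(void) { return 0; }\n",
    "src/util.c": "// SPDX-License-Identifier: MIT\n",
    "third_party/inflate.c": "/* SPDX-License-Identifier: Zlib */\n",
}
# Second snapshot: a vendored file was added and the zlib-licensed one removed.
SNAPSHOT_V2 = dict(SNAPSHOT_V1)
SNAPSHOT_V2["vendor/fastmath.c"] = "// SPDX-License-Identifier: GPL-2.0-only\n"
del SNAPSHOT_V2["third_party/inflate.c"]

# Matches an SPDX short identifier or a simple expression such as "MIT OR Apache-2.0".
SPDX_TAG = re.compile(
    r"SPDX-License-Identifier:\s*"
    r"([A-Za-z0-9.+\-]+(?:\s+(?:OR|AND|WITH)\s+[A-Za-z0-9.+\-]+)*)"
)


def scan(files):
    """Return {path: license expression} for every file carrying an SPDX tag."""
    findings = {}
    for path, text in files.items():
        match = SPDX_TAG.search(text)
        if match:
            findings[path] = match.group(1)
    return findings


def untagged(files):
    """Files with no license information at all; these need manual review."""
    tagged = scan(files)
    return sorted(p for p in files if p not in tagged)


def effective_licenses(findings):
    """The distinct license expressions actually present in the tree."""
    return sorted(set(findings.values()))


def undeclared(findings, declared):
    """Findings whose license differs from the declared package license."""
    return {p: lic for p, lic in findings.items() if lic != declared}


def diff_scans(old, new):
    """Compare two scan results: added, removed and changed findings."""
    added = {p: new[p] for p in new if p not in old}
    removed = {p: old[p] for p in old if p not in new}
    changed = {p: (old[p], new[p]) for p in old.keys() & new.keys() if old[p] != new[p]}
    return added, removed, changed


if __name__ == "__main__":
    v1, v2 = scan(SNAPSHOT_V1), scan(SNAPSHOT_V2)
    print("declared:", DECLARED_LICENSE, "effective:", effective_licenses(v2))
    print("not matching declared license:", undeclared(v2, DECLARED_LICENSE))
    print("files without license info:", untagged(SNAPSHOT_V2))
    added, removed, changed = diff_scans(v1, v2)
    print("added:", added, "removed:", removed, "changed:", changed)
```

Running the script shows the compliance-relevant events a scan diff surfaces: the declared license is MIT, but the second snapshot pulls in a GPL-2.0-only file, and a file that was previously under a permissive license has disappeared. Files without any tag (here README.md) are listed separately, since "no finding" is not the same as "no obligation".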
Where do we want to go:
So we joined the OpenChain project, and together with the leads of FOSSology, SW360 and the other ACT tools we are developing the Open Source Tooling Capability Map.
The diagram above shows an interim work result of the working group. All subsequent versions can be found in the Sharing-Creates-Value repository on GitHub.
TrustSource covers most of the capabilities except snippet scanning and binary and container analysis. For those we focus on providing interfaces to other vendors' and open source tools such as BANG, tern (from VMware) or anchore. Thus TrustSource now integrates most capabilities of the tooling chain.
Focus throughout 2020
During Q1 we are working hard towards releasing the Community Edition of TrustSource. The CE will be available on GitHub.
a) Segregating our services further and offering more API-based access, so that our customers can pick the features they want to complete their individual tooling chain.
b) Further improving the quality of vulnerability assignment. In short, we will provide the Vulnerability Lake, a harmonized data lake with a simplified data structure and a comfortable API for researching vulnerabilities. It will be used to assess new components faster for known vulnerabilities, and to unify the different vulnerability data sources willing to provide us with information.
c) Improving the metadata supply. Collecting the right information is always a challenge. Widening the number of repositories and storages being researched and crawled increases the amount of information, but not necessarily its quality. Thus we are investing in a solution that helps to qualify collected data.
d) Improving interchangeability, so that e.g. the event journal of TrustSource could trigger not only a DeepScan but also a FOSSology scan.
The sort order is driven by priority with the most important on top.
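Item b) above describes the idea of a harmonized vulnerability store: records from differently shaped feeds are mapped onto one simple structure so that a component can be checked against all of them with a single query. The following is an added example of that harmonization, not the Vulnerability Lake's own code or schema. Both feed formats are simplified imitations (one CPE-match-based, one package-and-range-based, loosely inspired by the national vulnerability database and ecosystem advisory styles) and every advisory ID, package name, version and score in it is a constructed placeholder.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed feed records (placeholder IDs, not real advisories).
# FEED_A: CPE match criteria plus a numeric score.
FEED_A = [
    {"id": "CVE-0000-00001", "score": 7.5,
     "matches": [{"cpe": "cpe:2.3:a:example:libfoo:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "1.4.2"}]},
]
# FEED_B: package + version ranges, with aliases pointing at other IDs.
FEED_B = [
    {"id": "EX-2020-0001", "aliases": ["CVE-0000-00001"], "severity": "HIGH",
     "affected": [{"package": {"ecosystem": "npm", "name": "libfoo"},
                   "ranges": [{"introduced": "1.0.0", "fixed": "1.4.2"}]}]},
    {"id": "EX-2020-0002", "aliases": [], "severity": "LOW",
     "affected": [{"package": {"ecosystem": "npm", "name": "libbar"},
                   "ranges": [{"introduced": "0", "fixed": "2.0.0"}]}]},
]


@dataclass
class Advisory:
    """The harmonized record every feed is mapped onto (assumed schema)."""
    canonical_id: str
    component: str
    ecosystem: str            # "*" when the feed does not say
    introduced: str
    fixed: Optional[str]      # None = no fixed version known
    severity: str
    sources: set = field(default_factory=set)


def score_to_label(score):
    """Map a numeric score onto the textual scale used by FEED_B."""
    if score >= 9.0:
        return "CRITICAL"
    if score >= 7.0:
        return "HIGH"
    if score >= 4.0:
        return "MEDIUM"
    return "LOW"


def from_feed_a(rec):
    """Normalize a CPE-style record; the product name is the 5th CPE field."""
    for m in rec["matches"]:
        product = m["cpe"].split(":")[4]
        yield Advisory(rec["id"], product, "*", "0", m.get("versionEndExcluding"),
                       score_to_label(rec["score"]), {"feed_a"})


def from_feed_b(rec):
    """Normalize a package/range record; prefer a CVE alias as canonical ID."""
    cves = [a for a in rec["aliases"] if a.startswith("CVE-")]
    canonical = cves[0] if cves else rec["id"]
    for aff in rec["affected"]:
        pkg = aff["package"]
        for r in aff["ranges"]:
            yield Advisory(canonical, pkg["name"], pkg["ecosystem"], r["introduced"],
                           r.get("fixed"), rec["severity"], {"feed_b"})


def build_lake(feed_a, feed_b):
    """Merge all feeds into one dict keyed by (canonical id, component)."""
    lake = {}
    records = [a for r in feed_a for a in from_feed_a(r)]
    records += [a for r in feed_b for a in from_feed_b(r)]
    for adv in records:
        key = (adv.canonical_id, adv.component)
        if key not in lake:
            lake[key] = adv
            continue
        current = lake[key]              # first record wins for the range,
        current.sources |= adv.sources   # later ones add provenance ...
        if current.ecosystem == "*":     # ... and fill in missing ecosystem
            current.ecosystem = adv.ecosystem
    return lake


def parse_version(v):
    """Dotted numeric versions only; real feeds need ecosystem-aware parsing."""
    return tuple(int(p) for p in v.split("."))


def is_affected(adv, version):
    v = parse_version(version)
    if v < parse_version(adv.introduced):
        return False
    return adv.fixed is None or v < parse_version(adv.fixed)


def find(lake, component, version):
    """Canonical IDs of all advisories that apply to component@version."""
    return sorted(a.canonical_id for a in lake.values()
                  if a.component == component and is_affected(a, version))


if __name__ == "__main__":
    lake = build_lake(FEED_A, FEED_B)
    for adv in lake.values():
        print(adv)
    print("libfoo 1.3.0:", find(lake, "libfoo", "1.3.0"))
    print("libfoo 1.4.2:", find(lake, "libfoo", "1.4.2"))
```

The two records describing the same issue collapse into one entry that remembers both sources and picks up the ecosystem only one of them knew, which is the "unification of different vulnerability data sources" the roadmap item aims at. The version comparison is deliberately naive (numeric dotted versions only); a production lake would need semver, PEP 440 or distribution-specific ordering per ecosystem, and that is exactly where the data quality problems mentioned in item c) reappear.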
If you are interested in supporting or contributing, feel free to review the contribution terms, clone a repository, study the docs and contact us for further coordination. We will maintain a Slack channel as well as a mailing list and a Confluence space.