From where we come:
Quite a while ago we started, in one of our projects, to automate the compliance aspect of open source usage. Although compliance should be at the top of everybody's agenda, it still does not seem to be widely adopted. However, you may have made your way here because you accept that something should be done.
Compliance is a complex topic, and we did not see the complete picture when we started almost 5 years ago. The main idea was to develop an expert system that is able to automate the determination of obligations. The first solution for this was provided in early 2016, based on the concepts we developed together with our lawyers from CMS.
Meanwhile the expert system, our legal solver, is only one capability in the set of capabilities we have been developing to cope with the challenges of open source compliance:
- Legal Solver
- Component crawlers
- Component repository
- Situation data repository
- Logging, Audit Journal and Analysis
- Identity Management
- DeepScan for effective license determination
- Package manager integrations
- Compliance artefact generators
- Approval workflows
- COTS and infrastructure components management (for MDD relevant reporting)
At the end of 2017 we added the remains of VersionEye (by Robert Reiz), which gave us a better understanding of crawling for component data. We are still steadily improving the supply of component meta information, which is one of the most relevant aspects if you plan to automate compliance: the better your data, the simpler the decisions.
Unfortunately, declared licenses are only half of the truth. In reality the effective licenses are more relevant than the declared ones. Thus in 2018 we invented DeepScan, a source scanner for license data, which can be given a repository or file URL and returns a complete list of findings.
In 2019 we started to dockerize and modernize our complete infrastructure. We moved from AWS Elastic Beanstalk to Docker-based Fargate services. Meanwhile we found the OpenChain project and were pleased to see that the OpenChain approach to open source compliance is identical to ours.
Where we want to go:
So we joined the OpenChain project, and together with the leads of FOSSOLOGY, SW360 and the other ACT tools we are developing the Open Source Tooling Capability Map.
The above diagram shows an interim work result from the WG. All following versions can be found in the Sharing-Creates-Value repository on GitHub.
TrustSource covers almost all capabilities except snippet scanning and binary and container analysis. Here we focus on providing interfaces to other vendors and open source tools such as BANG or tern (from VMware). TrustSource therefore now integrates most capabilities of the tooling chain.
Throughout 2020 we will focus on:
a) Segregating our services further and offering more API-based access, so that our customers can pick the features they want to complete their individual tooling chain.
b) Further extending the quality of vulnerability assignment. In short, we will provide the Vulnerability Lake, a harmonized data lake offering a simplified data structure and a convenient API for researching vulnerabilities. This will then be used to assess new components for known vulnerabilities faster, and to unify the different vulnerability data sources that are willing to provide us with information.
c) Improving meta-data supply. It is always a challenge to collect the right information. Widening the number of repositories and storages being researched and crawled will increase the amount, but not necessarily the quality, of information. Thus we are investing in a solution that helps to qualify collected data.
d) Improving interchangeability, so that, for example, the event journal of TrustSource can trigger not only a DeepScan but also a FOSSology scan.
The list is sorted by priority, with the most important item on top.
If you are interested in supporting or contributing, feel free to review the contribution terms, clone a repo, study the docs and contact us for further co-ordination. We will maintain a Slack channel as well as a mailing list and a Confluence space.