Where we come from:
Quite a while ago we started to automate the compliance aspect of open source usage in one of our projects. Although compliance should be at the top of everybody's agenda, it still does not seem to be widely adopted. However, you might have made your way here because you accepted the fact that something should be done.
Compliance is a complex topic and we did not see the complete picture when we started almost 5 years ago. The main idea was to develop an expert system that is able to automate the determination of obligations. The first solution for this was provided in early 2016, based on the concepts we were developing together with our lawyers from CMS, namely Philippe Heinzke.
Meanwhile the expert system - our legal solver - is only one of the capabilities developed in the sphere of TrustSource. Currently we cover:
- Legal Solver
- Component crawlers
- Component repository
- Case data repository
- Logging and Audit Journal
- Identity Management
- DeepScan for effective license determination and copyright scanning
- Package manager integrations
- Compliance artefact generators
- Approval workflows
- COTS and infrastructure components management (for MDR relevant reporting)
- Vulnerability Crawlers & Database
At the end of 2017 we added the remains of VersionEye (built by Robert Reiz), which gave us a better understanding of crawling for component data. We are still steadily improving the supply of component meta information, which is one of the most relevant aspects if you plan to automate compliance. The better your data, the easier the decisions.
Unfortunately, declared licenses are just one half of the truth. In reality the effective licenses are more relevant than the declared ones. Thus in 2018 we invented DeepScan, a source scanner for license and copyright data, which can be handed a repo or file URL and returns a complete list of findings. Also during 2018 we met the OpenChain project and loved what we saw. The OpenChain approach to open source compliance was identical to our approach, which made it a natural fit.
In 2019 we started to dockerize and modernize our complete infrastructure. We moved from AWS EB to docker-based Fargate services and invested a lot of work into improvements of DeepScan. Meanwhile it can be used to identify changes in repositories between scans, thus opening up a new way to manage and oversee C or C++ based projects. A free, public version is available at https://deepscan.trustsource.io.
During 2020 we went back to overhaul the individual services and integrated them further. To improve vulnerability management, we bound the CPE and the PURL identifiers together. Now it is possible to add them to the packages.
The integration of our ComponentDB and DeepScan has also been improved. This means that whenever a component version enters the component DB - e.g. via a scan - the background service will automatically download and screen it for copyright and effective licenses if it has not yet been scanned. The processed findings will be available for all companies using the platform.
In addition, DeepScan has been released as an open source CLI tool. This allows you to integrate DeepScan into your BuildChain and even upload results as scans to TrustSource.
Where we want to go:
So we joined the OpenChain project and together with the leads of FOSSOLOGY, SW360 and the other ACT tools we are developing the Open Source Tooling Capability Map. During the first quarter of 2021, the capability map has received some updates and
The above diagram shows an interim work result from the WG. All following versions can be found in the Sharing-Creates-Value repository on GitHub.
TrustSource covers most of the capabilities except snippet scanning, binary and container analysis. To cope with these deficits, we extended our capability to accept uploads using CycloneDX or SPDX (v2.1 and v3.0). To not re-invent the wheel, we use these as interfaces to other vendors / open source tools such as BANG, tern (from VMware) or Anchore. Thus TrustSource meanwhile integrates most capabilities of the tooling chain as shown in the following diagram:
Focus throughout 2021
During Q1 we are working intensively towards releasing v2 of TrustSource. Due to the ongoing addition of features we recognized the need to re-organize the look and feel. Due to our commitment to the OpenChain standard, we structured all features along the inbound / manage / outbound analogy of OpenChain. We expect this to further ease orientation and handling of OSC tasks. Besides this, the following features can be expected:
a) Continuing the segregation of our services. Meanwhile DeepScan and VulnerabilityLake can be used separately. More services can also be used via API, allowing a more individual selection of features to complete your own tooling chain.
b) Extending the quality of vulnerability assignment further. In short, we will provide the Vulnerability Lake, a harmonized data lake providing a simplified data structure and a comfortable API to research vulnerabilities. This will then be used to assess new components faster for known vulnerabilities as well as to unify the different vulnerability data sources willing to provide us with information.
c) Improve meta-data supply. It is always a challenge to collect the right information. But we also want to make it more accessible. We are currently planning a new dependency graph that allows better sourcing decisions.
d) Improve integrations so that e.g. the event journal of TrustSource could not only trigger a DeepScan but also a Fossology Scan.
e) Introducing tags, so that sorting and filtering will be even more effective and pretty simple to arrange.
Last year we already investigated the opportunity to provide an open source community edition. But due to irritations and casualties Covid-19 caused to some of our developers, we did not bring this effort to an end. Parts of TrustSource are already open source, e.g. DeepScan, DeepScan-CLI and the scanners. But our core is not yet. However, while preparing v2.0, many of the missing steps have been completed.