The days of having only a few open source dependencies are over. Projects often have thousands of open source dependencies in their supply chain and companies may have millions. Even worse, risk is viral -- projects inherit and pass on the risks of all their dependencies. At the same time, software is shipping more frequently.

This creates numerous challenges for commercial and open source projects of any size -- how to discover the myriad of components being used across a range of ecosystems and scenarios, where to get high quality data to drive smart decisions, how to capture and evaluate comprehensive policies.

Enabling high-confidence, rapid delivery, requires integrating supply chain management automation deep into the engineering system. Core to this is accurate discovery and identification of dependencies and trustworthy, high-quality compliance and security data about the discovered components.

In this talk we detail the challenges in this space, look at various approaches such as ClearlyDefined, a crowd-sourced, open source project aimed at discovering and curating compliance data about open source components, and relate experiences running high performance, massive scale compliance systems for a wide range of open source and commercial projects.