BEGIN:VCALENDAR
VERSION:2.0
PRODID:-//Pentabarf//Schedule 0.3//EN
CALSCALE:GREGORIAN
METHOD:PUBLISH
X-WR-CALDESC;VALUE=TEXT:Software Composition devroom
X-WR-CALNAME;VALUE=TEXT:Software Composition devroom
X-WR-TIMEZONE;VALUE=TEXT:Europe/Brussels
BEGIN:VEVENT
METHOD:PUBLISH
UID:11617@FOSDEM21@fosdem.org
TZID:Europe-Brussels
DTSTART:20210207T140000
DTEND:20210207T140500
SUMMARY:Software Composition Analysis Devroom Welcome
DESCRIPTION:Welcome to the Software Composition Analysis Devroom
CLASS:PUBLIC
STATUS:CONFIRMED
CATEGORIES:Software Composition
URL:https:/fosdem.org/2021/schedule/2021/schedule/event/sca_weclome/
LOCATION:D.composition
ATTENDEE;ROLE=REQ-PARTICIPANT;CUTYPE=INDIVIDUAL;CN="Kate Stewart":invalid:nomail
ATTENDEE;ROLE=REQ-PARTICIPANT;CUTYPE=INDIVIDUAL;CN="Philippe Ombredanne":invalid:nomail
ATTENDEE;ROLE=REQ-PARTICIPANT;CUTYPE=INDIVIDUAL;CN="Maximilian Huber":invalid:nomail
ATTENDEE;ROLE=REQ-PARTICIPANT;CUTYPE=INDIVIDUAL;CN="Michael C. Jaeger":invalid:nomail
END:VEVENT
BEGIN:VEVENT
METHOD:PUBLISH
UID:11567@FOSDEM21@fosdem.org
TZID:Europe-Brussels
DTSTART:20210207T140500
DTEND:20210207T142000
SUMMARY:OSS Review Toolkit - project update
DESCRIPTION:In this session we will provide an update on OSS Review Toolkit (ORT) - which features have been recently added and what the ORT team is currently working on.
CLASS:PUBLIC
STATUS:CONFIRMED
CATEGORIES:Software Composition
URL:https:/fosdem.org/2021/schedule/2021/schedule/event/sca_update_ort/
LOCATION:D.composition
ATTENDEE;ROLE=REQ-PARTICIPANT;CUTYPE=INDIVIDUAL;CN="Thomas Steenbergen":invalid:nomail
END:VEVENT
BEGIN:VEVENT
METHOD:PUBLISH
UID:11655@FOSDEM21@fosdem.org
TZID:Europe-Brussels
DTSTART:20210207T142000
DTEND:20210207T143500
SUMMARY:ScanCode projects update
DESCRIPTION:This is a presentation of the latest features and updates in ScanCode toolkit and its companion projects.
CLASS:PUBLIC
STATUS:CONFIRMED
CATEGORIES:Software Composition
URL:https:/fosdem.org/2021/schedule/2021/schedule/event/sca_update_scancode/
LOCATION:D.composition
ATTENDEE;ROLE=REQ-PARTICIPANT;CUTYPE=INDIVIDUAL;CN="Philippe Ombredanne":invalid:nomail
END:VEVENT
BEGIN:VEVENT
METHOD:PUBLISH
UID:11631@FOSDEM21@fosdem.org
TZID:Europe-Brussels
DTSTART:20210207T143500
DTEND:20210207T145000
SUMMARY:FOSSology SCA integration
DESCRIPTION:FOSSology focusses on license compliance analyses. Recently, a number of new features have been published by the community to integrate better with software composition analysis. The presentation shows an introduction of the main and relevant development here.
CLASS:PUBLIC
STATUS:CONFIRMED
CATEGORIES:Software Composition
URL:https:/fosdem.org/2021/schedule/2021/schedule/event/sca_update_fossology/
LOCATION:D.composition
ATTENDEE;ROLE=REQ-PARTICIPANT;CUTYPE=INDIVIDUAL;CN="Anupam Ghosh":invalid:nomail
ATTENDEE;ROLE=REQ-PARTICIPANT;CUTYPE=INDIVIDUAL;CN="Gaurav Mishra":invalid:nomail
ATTENDEE;ROLE=REQ-PARTICIPANT;CUTYPE=INDIVIDUAL;CN="shaheemazmalmmd":invalid:nomail
END:VEVENT
BEGIN:VEVENT
METHOD:PUBLISH
UID:11669@FOSDEM21@fosdem.org
TZID:Europe-Brussels
DTSTART:20210207T145000
DTEND:20210207T150500
SUMMARY:SCANOSS: Democratising Open Source Risk Management
DESCRIPTION:Software Composition Analysis (SCA) tools perform source-code analysis, comparison and identification of Open Source components. Sadly, none of the SCA vendors have embraced Open Source themselves, most of their tooling consists of proprietary code and their OSS Knowledge Bases are also closed.
CLASS:PUBLIC
STATUS:CONFIRMED
CATEGORIES:Software Composition
URL:https:/fosdem.org/2021/schedule/2021/schedule/event/sca_update_scanoss/
LOCATION:D.composition
ATTENDEE;ROLE=REQ-PARTICIPANT;CUTYPE=INDIVIDUAL;CN="Alan Facey":invalid:nomail
END:VEVENT
BEGIN:VEVENT
METHOD:PUBLISH
UID:11656@FOSDEM21@fosdem.org
TZID:Europe-Brussels
DTSTART:20210207T150500
DTEND:20210207T152000
SUMMARY:Tern and the State of Cloud Native Compliance
DESCRIPTION:Container and VM images contain many packages and are quite a challenge for composition analysis.
CLASS:PUBLIC
STATUS:CONFIRMED
CATEGORIES:Software Composition
URL:https:/fosdem.org/2021/schedule/2021/schedule/event/sca_docker/
LOCATION:D.composition
ATTENDEE;ROLE=REQ-PARTICIPANT;CUTYPE=INDIVIDUAL;CN="Rose Judge":invalid:nomail
END:VEVENT
BEGIN:VEVENT
METHOD:PUBLISH
UID:11736@FOSDEM21@fosdem.org
TZID:Europe-Brussels
DTSTART:20210207T152000
DTEND:20210207T153000
SUMMARY:OSS Projects Update - Concluding Q&A
DESCRIPTION:The very short time is some placeholder between presentation groups to have questions being asked and answered or just simply to have a break.
CLASS:PUBLIC
STATUS:CONFIRMED
CATEGORIES:Software Composition
URL:https:/fosdem.org/2021/schedule/2021/schedule/event/sca_update_qna/
LOCATION:D.composition
END:VEVENT
BEGIN:VEVENT
METHOD:PUBLISH
UID:11661@FOSDEM21@fosdem.org
TZID:Europe-Brussels
DTSTART:20210207T153000
DTEND:20210207T153500
SUMMARY:Overview Software Bill of Materials (SBOM)
DESCRIPTION:What is a software bill of materials, and why is there all the interest about it? In this session, a quick overview of the minimum viable fields to represent an SBOM, and efforts to help with automation of them.
CLASS:PUBLIC
STATUS:CONFIRMED
CATEGORIES:Software Composition
URL:https:/fosdem.org/2021/schedule/2021/schedule/event/sca_overview/
LOCATION:D.composition
ATTENDEE;ROLE=REQ-PARTICIPANT;CUTYPE=INDIVIDUAL;CN="Kate Stewart":invalid:nomail
END:VEVENT
BEGIN:VEVENT
METHOD:PUBLISH
UID:11521@FOSDEM21@fosdem.org
TZID:Europe-Brussels
DTSTART:20210207T153500
DTEND:20210207T155000
SUMMARY:Automating creation of Software Bills of Materials
DESCRIPTION:A Software Bill of Materials (SBoM) can communicate details about a software package's contents, as well as the inputs and sources that were used to build it. However, SBoMs created by manual processes can often be incomplete, incorrect or out-of-date as a software package evolves. Effective use of SBoMs will typically require creating them during the build process itself using automated tooling. In this talk, I will present a proof-of-concept for generating an SPDX SBoM for CMake-based projects.
CLASS:PUBLIC
STATUS:CONFIRMED
CATEGORIES:Software Composition
URL:https:/fosdem.org/2021/schedule/2021/schedule/event/automating_creation_of_spdx_sbom/
LOCATION:D.composition
ATTENDEE;ROLE=REQ-PARTICIPANT;CUTYPE=INDIVIDUAL;CN="Steve Winslow":invalid:nomail
END:VEVENT
BEGIN:VEVENT
METHOD:PUBLISH
UID:11509@FOSDEM21@fosdem.org
TZID:Europe-Brussels
DTSTART:20210207T155000
DTEND:20210207T160500
SUMMARY:CycloneDX Software Bill of Materials
DESCRIPTION:This presentation will give a quick introduction to CycloneDX. CycloneDX is an open source software bill of materials specification. A software bill of materials provides unique benefits which complement those provided by traditional software composition analysis. This will be discussed along with some of the tooling available to make production and consumption of SBOMs manageable at scale.
CLASS:PUBLIC
STATUS:CONFIRMED
CATEGORIES:Software Composition
URL:https:/fosdem.org/2021/schedule/2021/schedule/event/sca_cyclone_sbom/
LOCATION:D.composition
ATTENDEE;ROLE=REQ-PARTICIPANT;CUTYPE=INDIVIDUAL;CN="Patrick Dwyer":invalid:nomail
END:VEVENT
BEGIN:VEVENT
METHOD:PUBLISH
UID:11353@FOSDEM21@fosdem.org
TZID:Europe-Brussels
DTSTART:20210207T160500
DTEND:20210207T162000
SUMMARY:Double Open: An automated open source compliance pipeline for Yocto built on SPDX
DESCRIPTION:The Double Open project is developing an open solution for automating open source compliance in the Yocto build system, and embedded Linux systems as the wider target. The developed tooling utilizes the SPDX file format as its data storage throughout the pipeline to enable strong modularity and interoperability with other tooling.\nIn this talk we are going to present a general overview of the pipeline.
CLASS:PUBLIC
STATUS:CONFIRMED
CATEGORIES:Software Composition
URL:https:/fosdem.org/2021/schedule/2021/schedule/event/sca_double_open/
LOCATION:D.composition
ATTENDEE;ROLE=REQ-PARTICIPANT;CUTYPE=INDIVIDUAL;CN="Mikko Murto":invalid:nomail
END:VEVENT
BEGIN:VEVENT
METHOD:PUBLISH
UID:11456@FOSDEM21@fosdem.org
TZID:Europe-Brussels
DTSTART:20210207T162000
DTEND:20210207T163500
SUMMARY:Eclipse SW360
DESCRIPTION:SW360 is a Web application for managing the software bill-of-material ("SBOM") of software projects and products. It is an Eclipse project licensed under the EPL-2.0 and thus available for everybody as Open Source Software. The application has a Web UI and REST endpoints for entering or importing the SBOM from dependency or package management systems. In addition, the import of SBOM files using the SPDX spec is supported. Based on the imported SBOM or a software project, a number of functions are possible, ref to management of vulnerabilities, license and trade compliance or statistics about component usage. The submitted talk introduces and presents SW360.
CLASS:PUBLIC
STATUS:CONFIRMED
CATEGORIES:Software Composition
URL:https:/fosdem.org/2021/schedule/2021/schedule/event/sca_update_sw360/
LOCATION:D.composition
ATTENDEE;ROLE=REQ-PARTICIPANT;CUTYPE=INDIVIDUAL;CN="Smruti Prakash Sahoo":invalid:nomail
ATTENDEE;ROLE=REQ-PARTICIPANT;CUTYPE=INDIVIDUAL;CN="Jaideep Palit":invalid:nomail
ATTENDEE;ROLE=REQ-PARTICIPANT;CUTYPE=INDIVIDUAL;CN="Abdul Kapti":invalid:nomail
END:VEVENT
BEGIN:VEVENT
METHOD:PUBLISH
UID:11737@FOSDEM21@fosdem.org
TZID:Europe-Brussels
DTSTART:20210207T163500
DTEND:20210207T164500
SUMMARY:Software Composition and SBOM - Concluding Q&A
DESCRIPTION:The very short time is some placeholder between presentation groups to have questions being asked and answered or just simply to have a break.
CLASS:PUBLIC
STATUS:CONFIRMED
CATEGORIES:Software Composition
URL:https:/fosdem.org/2021/schedule/2021/schedule/event/sca_managing_qna/
LOCATION:D.composition
END:VEVENT
BEGIN:VEVENT
METHOD:PUBLISH
UID:11482@FOSDEM21@fosdem.org
TZID:Europe-Brussels
DTSTART:20210207T164500
DTEND:20210207T170000
SUMMARY:Building the world's first free open source database of FOSS and their vulnerabilities.
DESCRIPTION:VulnerableCode is a free and open source database of vulnerabilities and the FOSS packages they impact. It is made by the FOSS community to improve the security of the open source software ecosystem. Its design solves various pre-existing problems like licensing, data complexity and usability.
CLASS:PUBLIC
STATUS:CONFIRMED
CATEGORIES:Software Composition
URL:https:/fosdem.org/2021/schedule/2021/schedule/event/sca_vulnerable_code/
LOCATION:D.composition
ATTENDEE;ROLE=REQ-PARTICIPANT;CUTYPE=INDIVIDUAL;CN="Shivam Sandbhor":invalid:nomail
END:VEVENT
BEGIN:VEVENT
METHOD:PUBLISH
UID:11540@FOSDEM21@fosdem.org
TZID:Europe-Brussels
DTSTART:20210207T170000
DTEND:20210207T171500
SUMMARY:Evolving vulnerabilities in CycloneDX
DESCRIPTION:CycloneDX is a software bill of materials (SBOM) standard designed for use in application security contexts and supply chain component analysis. It's developed in the open and widely implemented in open source tooling. As well as a quick introduction to CycloneDX, this talk will look in particular at the vulnerability extension.\nModelling vulnerabilities in software is surprisingly complex. In this talk we'll look at some of the current issues in the CycloneDX vulnerability extension, summarise some of the ongoing discussions in this area, and get people's input on proposals for improvements.
CLASS:PUBLIC
STATUS:CONFIRMED
CATEGORIES:Software Composition
URL:https:/fosdem.org/2021/schedule/2021/schedule/event/sca_cyclone_vulnerabilities/
LOCATION:D.composition
ATTENDEE;ROLE=REQ-PARTICIPANT;CUTYPE=INDIVIDUAL;CN="Gareth Rushgrove":invalid:nomail
END:VEVENT
BEGIN:VEVENT
METHOD:PUBLISH
UID:11261@FOSDEM21@fosdem.org
TZID:Europe-Brussels
DTSTART:20210207T171500
DTEND:20210207T173000
SUMMARY:DeepScan - assessing your code for effective licenses
DESCRIPTION:In this talk I want to present the recently open sourced deepscan tooling, which allows the comfortable analysis of repositories for effective licenses, copyrights and known files. I will show how the tool is structured and how it works, how the similarity analysis is used and what the current results are. Also I will demonstrate how the free analysis service can be used and how it may be used to review and re-assess findings.
CLASS:PUBLIC
STATUS:CONFIRMED
CATEGORIES:Software Composition
URL:https:/fosdem.org/2021/schedule/2021/schedule/event/sca_update_deep_scan/
LOCATION:D.composition
ATTENDEE;ROLE=REQ-PARTICIPANT;CUTYPE=INDIVIDUAL;CN="Jan Thielscher":invalid:nomail
END:VEVENT
BEGIN:VEVENT
METHOD:PUBLISH
UID:11564@FOSDEM21@fosdem.org
TZID:Europe-Brussels
DTSTART:20210207T173000
DTEND:20210207T174500
SUMMARY:Automating your license compliance policy with OSS Review Toolkit
DESCRIPTION:In this session we will demonstrate how to write a license policy in OSS Review Toolkit to automatically check the licenses found in a project and its dependencies.\nOne of the reasons OSS Review Toolkit was started by its creators was a need to go beyond the usual allow/deny license policy in most SCA tools. For instance we wanted to be able to write checks with multiple levels of compliance depending on what was being reviewed or based on package metadata. In this session we will demonstrate how one can write license policy with checks/rules that take into account package metadata date or the code, license and product context.
CLASS:PUBLIC
STATUS:CONFIRMED
CATEGORIES:Software Composition
URL:https:/fosdem.org/2021/schedule/2021/schedule/event/sca_automating_license_compliance_with_ort/
LOCATION:D.composition
ATTENDEE;ROLE=REQ-PARTICIPANT;CUTYPE=INDIVIDUAL;CN="Thomas Steenbergen":invalid:nomail
END:VEVENT
BEGIN:VEVENT
METHOD:PUBLISH
UID:11738@FOSDEM21@fosdem.org
TZID:Europe-Brussels
DTSTART:20210207T174500
DTEND:20210207T175500
SUMMARY:Usages of Software Composition - Concluding Q&A
DESCRIPTION:The very short time is some placeholder between presentation groups to have questions being asked and answered or just simply to have a break.
CLASS:PUBLIC
STATUS:CONFIRMED
CATEGORIES:Software Composition
URL:https:/fosdem.org/2021/schedule/2021/schedule/event/sca_usages_qna/
LOCATION:D.composition
END:VEVENT
BEGIN:VEVENT
METHOD:PUBLISH
UID:11658@FOSDEM21@fosdem.org
TZID:Europe-Brussels
DTSTART:20210207T175500
DTEND:20210207T180000
SUMMARY:Devroom Software Composition: Concluding Remarks
DESCRIPTION:If we come to this presentation: A big thank you to all persons who have submitted their presentation and many thanks to all attending.
CLASS:PUBLIC
STATUS:CONFIRMED
CATEGORIES:Software Composition
URL:https:/fosdem.org/2021/schedule/2021/schedule/event/sca_conclusion/
LOCATION:D.composition
ATTENDEE;ROLE=REQ-PARTICIPANT;CUTYPE=INDIVIDUAL;CN="Kate Stewart":invalid:nomail
ATTENDEE;ROLE=REQ-PARTICIPANT;CUTYPE=INDIVIDUAL;CN="Philippe Ombredanne":invalid:nomail
ATTENDEE;ROLE=REQ-PARTICIPANT;CUTYPE=INDIVIDUAL;CN="Maximilian Huber":invalid:nomail
ATTENDEE;ROLE=REQ-PARTICIPANT;CUTYPE=INDIVIDUAL;CN="Michael C. Jaeger":invalid:nomail
END:VEVENT
END:VCALENDAR