Watch Philippe Ombredanne on Tooling in the Software Supply Chain
Watch the recording of the webinar Tooling: Software Supply Chain Management Automation with "open source on open source" by Philippe Ombredanne. In this second episode of the webinar series on software supply chain management Philippe Ombredanne discusses tooling. On the 32-minute mark he provides live demo's of ScanCode: a server to script and automate the process of Software Composition Analysis and VulnerableCode: a free and open database of software package vulnerabilities.
Abstract
Free and open source (FOSS) code is the essence of modern software. Therefore it is imperative to track FOSS across the supply chain(s). For provenance, licensing, composition and dependencies, security and vulnerability, quality, obsolescence and sustainability. And of course, open source demands open source tooling. In this webinar we'll explore the state and trends in open source tooling and automation:
- The range of tooling & automation domains and how they are served by leading FOSS tools
- The key trends and insights for supply chain management tooling and SBOMs
- New and upcoming FOSS tools
- How to leverage these and participate to create better, more secure software more efficiently
About Philippe Ombredanne
Philippe Ombredanne is a FOSS hacker on a mission to enable easier and safer to reuse FOSS code. He is the maintainer of ScanCode, the industry standard license detection tool and other open source tools for software composition analysis and license & security compliance at aboutcode.org.
Ombredanne is the project lead of two supply chain projects: FOSS Code Supply Chain Assurance. This project is building a new system to help verify the integrity of deployed code packages and validate their origin with external data sources, with the potential to mitigate attacks on open source packages supply chains such as: detecting if a package in use is matching verified code by matching source and binaries exactly and approximately. The other project is the Free Software Vulnerability Database: a resource to aggregate software updates. Both projects were funded by NGI0.
Webinar series: The Ins and Outs of Open Software Supply Chain
Philippe Ombredanne's talk is the second in a series of webinars about open source supply chain management. The series will explore topics such as the software bill of materials, legal consequences, tooling, and the Cyber Resilience Act.
- April 6. Speaker: Armijn Hemel. Topic: Open Source in (Consumer) Electronics Supply Chains. You can watch the recording here.
- April 13. Speaker: Philippe Ombredanne. Topic: Tooling. You can watch the recording here.
- May 4. Speaker: Carlo Piana & Alberto Pianon. Topic: The importance of a Software Bill of Materials in light of the upcoming Cyber Resilience Act and product liability legislation in Europe. You can watch the recording here.
- May 11. Speaker: Shane Martin Coughlan, Topic: ISO standards and certification. You can watch the recording here.
All episodes start at 13.00 at CEST (Amsterdam, Berlin, Rome).
Special thanks
Special thanks to all the people who made and released these excellent free resources:
- Presentation template by SlidesCarnival at https://www.slidescarnival.com/ licensed under CC-BY-4.0 https://www.slidescarnival.com/terms-of-use#templates-license
- Photographs by Unsplash https://unsplash.com/license licensed under the unsplash license https://scancode-licensedb.aboutcode.org/unsplash.html
- All the open source software authors that made VulnerableCode, ScanCode and other AboutCode FOSS projects possible.
Related NGI projects
- Binary-analysis-ng improvements: BANG is a tool to analyse firmware and other binary files.
- FOSS Code Supply Chain Assurance: Mitigate attacks through software dependencies.
- Free Software Vulnerability Database: A resource to aggregate software updates.
