Open Source Compliance? But more efficient, please!
Open Source Software (OSS) is everywhere and has become indispensable for modern software development. A typical software product today often contains more than 90% open source. The use of OSS has continued to skyrocket in recent years for a variety of reasons.
Alarmed by spectacular cyberattacks on the software supply chain, the USA has issued regulations such as the “Executive Order on Improving the Nation’s Cybersecurity” and the EU is currently drafting the European Cyber Resilience Act (CRA). For legally compliant use, all open source components must therefore be known and named. As a rule, the entire supply chain is represented by an SBOM (Software Bill of Materials).
However, creating a complete SBOM with correct component provenance and copyright notices can be very time-consuming and expensive, especially when software from different projects published under different licenses is combined. For a complete analysis of an Android-based product, for example, the audit alone can quickly run into six-figure EUR sums. For medium-sized companies in particular, these costs are usually unplanned and often an immense challenge.
All market players therefore largely agree that efficiency in the preparation of a legally compliant SBOM must be increased. Various approaches are being pursued here:
With ISO standard 5230 from the OpenChain project, an important standardization of the compliance process was defined in order to establish a common understanding and vocabulary. Furthermore, SPDX and CycloneDX, two standards for describing compliance-relevant data, were launched so that data exchange within the supply chain can be handled more efficiently.
Since most scanners today still rely on text recognition or curated databases, several research projects have been started that want to use AI to increase the efficiency of SBOM creation automatically. However, initial tests indicate that considerable development and research effort will still be needed to make this work.
Another idea is to reuse previously curated license information. Repositories such as GitHub now provide this from the start, and new tools are emerging daily to track dependencies and facilitate license compilation. However, the reliability of the information provided does not always meet legal requirements. Projects such as OSSelot or ClearlyDefined allow the reuse of SBOMs of already audited open source packages and, by their own account, offer better curated data. The data is partly collected automatically, and anyone can easily contribute missing information.
The approach taken by SW360 (open source) and SBOM Insight (commercial) allows you to build your own catalog of audited components along the supply chain and also makes it possible to reuse trusted data between projects.
In order to facilitate license and copyright recognition, some projects pursue the approach of restructuring the code itself and enriching it with further information. REUSE Software was created to provide recommendations on how to make full license information automatically recognizable directly in the code. More than 1,000 projects have already been curated and included. The Linux clean-up activity from 2017 took a similar approach to provide every file in the kernel with a unique SPDX identifier.
Finally, we see increased efforts by all stakeholders to incorporate license detection right into the development process in a CI/CD pipeline and continuously keep the SBOM up to date.
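The following script is an added illustration of the per-file SPDX convention described above and of a pipeline check that keeps the SBOM current; it is example code written for this article, not a REUSE, Linux or Bitsea tool. It assumes a 20-line header window and a fixed list of source suffixes; the sample files are constructed inline.

```python
import json
import re
import sys
from collections import Counter
from pathlib import Path

# Per-file tags defined by the REUSE specification (the kernel clean-up uses the first one).
LICENSE_TAG = re.compile(r"SPDX-License-Identifier:\s*(.+?)\s*$", re.MULTILINE)
COPYRIGHT_TAG = re.compile(r"SPDX-FileCopyrightText:\s*(.+?)\s*$", re.MULTILINE)
COMMENT_CLOSE = re.compile(r"\s*(\*/|-->)\s*$")  # strip a trailing C or HTML comment close
HEADER_LINES = 20  # assumption: tags are expected near the top of the file

def extract_spdx(text: str) -> dict:
    """Return the SPDX license expressions and copyright notices in a file header."""
    head = "\n".join(text.splitlines()[:HEADER_LINES])
    clean = lambda values: [COMMENT_CLOSE.sub("", v).strip() for v in values]
    return {"licenses": clean(LICENSE_TAG.findall(head)),
            "copyrights": clean(COPYRIGHT_TAG.findall(head))}

def audit(files: dict) -> dict:
    """Audit a mapping of path -> content; lists untagged files and counts license expressions."""
    found = {path: extract_spdx(content) for path, content in files.items()}
    return {
        "missing_license": sorted(p for p, f in found.items() if not f["licenses"]),
        "missing_copyright": sorted(p for p, f in found.items() if not f["copyrights"]),
        "license_counts": dict(Counter(lic for f in found.values() for lic in f["licenses"])),
    }

def is_compliant(report: dict) -> bool:
    """A CI gate: every source file must carry both a license and a copyright tag."""
    return not report["missing_license"] and not report["missing_copyright"]

def scan_tree(root: str, suffixes=(".c", ".h", ".py", ".js", ".sh")) -> dict:
    """Collect source files under root (suffix list is an assumption for the example)."""
    base = Path(root)
    return {str(p.relative_to(base)): p.read_text(errors="replace")
            for p in base.rglob("*") if p.is_file() and p.suffix in suffixes}

# Constructed sample tree: two tagged files and one vendored file without any header.
SAMPLE_TREE = {
    "src/main.c": "/* SPDX-License-Identifier: GPL-2.0-only */\n"
                  "/* SPDX-FileCopyrightText: 2017 Example Kernel Dev */\nint main(void) { return 0; }\n",
    "src/util.py": "# SPDX-FileCopyrightText: 2023 Example Corp\n"
                   "# SPDX-License-Identifier: MIT OR Apache-2.0\nprint('ok')\n",
    "vendor/legacy.js": "// no header at all\nmodule.exports = {};\n",
}

if __name__ == "__main__":
    report = audit(scan_tree(sys.argv[1])) if len(sys.argv) > 1 else audit(SAMPLE_TREE)
    print(json.dumps(report, indent=2))
    sys.exit(0 if is_compliant(report) else 1)  # non-zero exit fails the pipeline stage
```

Run with a directory argument to audit a real checkout; without one it audits the constructed sample and exits non-zero because of the untagged vendored file.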
It remains to be said that several approaches are currently being pursued to make SBOM creation more efficient from an economic point of view, but the question of liability in the event of errors in the list has not been conclusively clarified.
Bitsea identifies hidden risks in software systems and supports customers in maintaining IT compliance. We advise customers on the sustainable use and management of OSS. Our customers include well-known corporations from the automotive, telecommunications, logistics, and aerospace industries. Bitsea is a partner of the OpenChain project.