---
amazon_s3_presentation_url:
amazon_s3_video_url:
author: connect
categories: yvr18
comments: true
date: 2018-09-16 09:00:00+00:00
image:
  featured: true
  file_name: YVR18-209.png
  path: /assets/images/featured-images/YVR18-209.png
layout: resource-post
session_id: YVR18-209
session_track: Open Source Development, Tools
slideshare_presentation_url: None
speakers:
  - biography: ""
    company: Linaro
    job-title: Director of Foundation Technologies
    name: Mike Holmes
    speaker-image: MikeHolmes.jpg
  - biography: ""
    company: Linux Foundation
    job-title: Sr. Director of Strategic Projects
    name: Kate Stewart
    speaker-image: KateStewart.gif
title: "YVR18-209:Building Accurate BOMs: Open Source Tooling Options"
youtube_video_url:
tag: session
---

When creating reference builds of open source projects that others can use, being able to accurately document what was included is increasingly important, both for determining whether a security vulnerability applies and for working out which open source licenses need to be complied with. Until now this has been a largely manual process; as a result the gaps get passed down the supply chain and we end up with a bit of a mess, or it requires expensive tooling.

In the last year we've seen a significant number of open source tools emerge that can help with this task and let much of the manual work be automated, so that accurate, machine-shareable files can be created. This talk will give a quick overview of the state of open source tools able to generate and consume SPDX documents, then brainstorm the logical points in reference builds and upstream projects where it makes sense to use them, and what some of the limitations are. Where gaps are identified, we will look at what needs to be done to fix them.
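The two questions the abstract says an accurate BOM should answer (does a vulnerability apply, and which licenses must be complied with) can be illustrated with a small consumer of SPDX tag-value documents. The following is an added example written for this page; it is not code from the session or from any of the tools it surveys. The SPDX text, the package names and versions, and the advisory list with its `EXAMPLE-ADV-*` identifiers are all constructed sample data, and the version-range syntax (`<X`, `<=X`) is an assumption chosen for the sample feed, not an SPDX feature.

```python
"""Consume a minimal SPDX 2.x tag-value document and answer two BOM questions:
does a known vulnerability apply to a listed package, and which license must
be complied with for each package.  All data below is constructed sample
input; the advisory IDs are placeholders, not real CVEs."""
import re
from dataclasses import dataclass, field

# Constructed SPDX 2.2 tag-value document describing a reference build.
SAMPLE_SPDX = """\
SPDXVersion: SPDX-2.2
DataLicense: CC0-1.0
SPDXID: SPDXRef-DOCUMENT
DocumentName: example-reference-build
DocumentNamespace: https://example.invalid/spdx/example-reference-build

PackageName: zlib
SPDXID: SPDXRef-Package-zlib
PackageVersion: 1.2.11
PackageDownloadLocation: NOASSERTION
PackageLicenseConcluded: Zlib
PackageLicenseDeclared: Zlib
ExternalRef: PACKAGE-MANAGER purl pkg:generic/zlib@1.2.11

PackageName: libfoo
SPDXID: SPDXRef-Package-libfoo
PackageVersion: 2.0.1
PackageDownloadLocation: NOASSERTION
PackageLicenseConcluded: (MIT OR Apache-2.0)
PackageLicenseDeclared: MIT

PackageName: libbar
SPDXID: SPDXRef-Package-libbar
PackageVersion: 0.9
PackageDownloadLocation: NOASSERTION
PackageLicenseConcluded: NOASSERTION
PackageLicenseDeclared: GPL-2.0-only
"""

# Constructed advisory feed (hypothetical format): package plus affected range.
SAMPLE_ADVISORIES = [
    {"id": "EXAMPLE-ADV-0001", "package": "zlib", "affected": "<1.2.12"},
    {"id": "EXAMPLE-ADV-0002", "package": "libfoo", "affected": "<2.0.0"},
]


@dataclass
class Package:
    name: str
    version: str = ""
    license_concluded: str = ""
    license_declared: str = ""
    purls: list = field(default_factory=list)


def parse_spdx_tag_value(text):
    """Return the packages in a tag-value document.

    A new package starts at each PackageName line; tags seen before the first
    PackageName describe the document itself and are skipped here.
    """
    packages, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tag, sep, value = line.partition(":")  # first colon only: URLs keep theirs
        if not sep:
            continue
        tag, value = tag.strip(), value.strip()
        if tag == "PackageName":
            current = Package(name=value)
            packages.append(current)
        elif current is None:
            continue
        elif tag == "PackageVersion":
            current.version = value
        elif tag == "PackageLicenseConcluded":
            current.license_concluded = value
        elif tag == "PackageLicenseDeclared":
            current.license_declared = value
        elif tag == "ExternalRef":
            parts = value.split()
            if len(parts) == 3 and parts[0] == "PACKAGE-MANAGER" and parts[1] == "purl":
                current.purls.append(parts[2])
    return packages


def version_key(version):
    """Numeric tuple for dotted versions; non-numeric components sort as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in re.split(r"[.\-]", version))


def version_matches(version, constraint):
    """Evaluate the '<X' / '<=X' forms used by the constructed advisory feed."""
    m = re.fullmatch(r"(<=|<)\s*(\S+)", constraint)
    if not m:
        raise ValueError(f"unsupported constraint: {constraint}")
    op, bound = m.groups()
    lhs, rhs = version_key(version), version_key(bound)
    return lhs < rhs if op == "<" else lhs <= rhs


def find_applicable_advisories(packages, advisories):
    """Advisories whose package name and version range match a BOM entry."""
    hits = []
    for pkg in packages:
        for adv in advisories:
            if adv["package"] == pkg.name and pkg.version and version_matches(pkg.version, adv["affected"]):
                hits.append((adv["id"], pkg.name, pkg.version))
    return hits


def license_obligations(packages):
    """Map package name -> (license to comply with, needs_human_review).

    The concluded license wins; NOASSERTION falls back to the declared
    license and is flagged so the gap is visible rather than silently passed
    down the supply chain.
    """
    result = {}
    for pkg in packages:
        if pkg.license_concluded and pkg.license_concluded != "NOASSERTION":
            result[pkg.name] = (pkg.license_concluded, False)
        else:
            result[pkg.name] = (pkg.license_declared or "UNKNOWN", True)
    return result


if __name__ == "__main__":
    pkgs = parse_spdx_tag_value(SAMPLE_SPDX)
    for adv_id, name, ver in find_applicable_advisories(pkgs, SAMPLE_ADVISORIES):
        print(f"{adv_id} applies to {name} {ver}")
    for name, (lic, review) in license_obligations(pkgs).items():
        print(f"{name}: {lic}{' (needs review)' if review else ''}")
```

The parser splits each line at its first colon only, so a `DocumentNamespace` URL survives intact, and it treats `NOASSERTION` as a signal for human review rather than as a license, which is the point the abstract makes about manual gaps being passed downstream.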
