Overview
Learn about Software Composition Analysis at scale through this 26-minute conference talk from the Eclipse Foundation that introduces Eclipse Apoapsis, a new project providing server-based solutions for continuous software analysis across diverse repositories. Explore how to generate and manage Software Bills of Materials (SBOMs) and reports using the ORT-Server reference implementation in conjunction with the OSS Review Toolkit (ORT). Discover how the Abstraction Layer for Software Composition Analysis (ALSCA) addresses the challenge of maintaining transparency in software lifecycle management while accommodating diverse and agile development environments. Understand the project's approach to fulfilling critical non-functional requirements, including SBOM creation, vulnerability tracking, and license compliance. Examine how Eclipse Apoapsis bridges tooling requirements with operational needs in medium to large organizations, following the specifications of the OpenChain Tooling Work Group's capability map for Open Source Management. Gain insights into implementing central Software Composition Analysis pipelines that support various project configurations, from mobile apps using CocoaPods to cloud services using Java/Maven, while offering flexible analysis options ranging from basic SBOM creation to comprehensive dependency analysis with vulnerability and license reporting.
Syllabus
Eclipse Apoapsis - Open Source based Software Composition Analysis at scale - OCX 2024
Taught by
Eclipse Foundation