Thank you for joining our presentation. Today, I would like to explain SW360, it's about the application. It can manage these forms. It's a very historical application, so there are a lot of useful features. I cannot explain all features within this presentation, so I selected the useful and new features on the SW360 functions. Okay, so let's start. I'm Koki Hamar. I'm at Toshiba Corporation, and so I'm one of the members of the leader of the SW360 project, and sometimes I work with OpenChain, Japan Work Projects, and... Okay.

Hello, everyone. I'm Tion. I work for Toshiba in Vietnam. I am leading a team to maintain SW360 and develop new features for it. And today, this is a good chance to introduce to you some big features which were made by my team in 2022. Thank you.

So today's topic is very advanced. I'd like to explain SW360 in general and some news. And from the third chapter, my colleague Tien Lee explains the new features. Okay, so that's the first chapter. So I would like to explain SW360 in general. So, especially I talk about the overview and some useful functions. If you go to the official website, SW360, you can find more useful functions. So today I introduce four main functions.

Yeah, but I know so everyone knows why SBOMs are important, but so I repeatedly explain. So if you supply or provide SBOMs, so you can know a lot of information from SBOMs. But so if you don't use SBOMs, you can see limited information about the software products. So at this moment, we need to consider how to manage SBOMs. Yeah, so it's one of the use of SBOMs will be mandatory for software supply chain. So your company and of course yourself will receive many SBOMs. However, how will you manage many, many SBOMs? So a lot of SBOM formats exist at this moment. Some people manage SBOMs on the spreadsheet, some people manage SBOMs on the JSON or XML. It's not bad.
However, do you want to really manage all SBOM information like this kind of format? So one of the answers to this question is, OK, let's use Eclipse SW360. So you can use or manage SBOMs with nice GUIs. And yeah, of course, SW360 is open source, so you can customize by yourself if you need.

So, the SW360 data architecture. So at first, you save third parties' components and assign them into your product or project. So this kind of architecture has some strong points. So for example, you can reuse the information. And so coordinate product document, process, or support open source license clearing process, and menu. So recently, we changed the data architecture for the license. License information for the component. For each component, license information is captured. And license information for our product is available. Yeah, but so this is all data architecture, and you may not understand how to use SW360. So from the next slide, I would like to explain with the screenshots.

Yeah, just a basic operation, and you can use as a way. But so as a basic due operation, I would like to explain how to register. So at first, please register your software information. In this case, you can enter the name, component type, homepage URL, address, or et cetera. And next, enter the software version as release information. In this case, it sets versions and license, homepage URL, main license. Because sometimes, if open source changes or upgrades the versions, the license may be changed. So on SW360, this kind of architecture is used. So this operation is similar to registering your SBOM information. So after you register your component, then you can register the project product information, such as project A or project B, project names. And sometimes, project tag, project feasibility of versions. And so sometimes, you need to set a project description. So you can set a project overview.
After setting the project information and component information, you can link the names. So this is an example of the information. In this case, this project uses three components. And so, of course, it's an example that you can add more information. Yeah, of course, after registrations, a lot of information you can find. So you are fabricating why you want to need components from the search functions. This is a screenshot of the search function. So in this case, the user sets project tag. So you can find a project. But so if you want to find the license information, you can find the information about the licenses. So of course, you can find the users. So this kind of function supports your management S1 on SW360.

Yeah, from now, I would like to introduce some more useful functions. At first, SW360 supports multi-language systems. Now, we can support three, but within a few days, we also support Chinese. Now, you can use SW360 in English and Japanese and so maybe from next week, you can use SW360 with the Chinese language. So it's not difficult to add new languages. If you are interested in translations, you can go to these language files. And so, if you translate it and make a pull request, we managed it so and we can support new languages.

So and so the next useful feature is the license management functions. Basically, on SW360, all data is not imported. But so if you push the import button, so you can get the license for license texting from the SPDX files. And so, you can download the license obligations information from the other files. So, this is one of the examples of the sd license. You can see this information from the SW360 license page. And so, you can also see the license obligation from other rules. And so, sometimes we need to provide the license information to your customers. In this case, the generating license information report function is very useful.
After you set your project information and component information, you can go to the download pages. From there, you can select the component and the document formats. You can make the license document information. This is an image, but so copyrights or license documents or any other information. Yeah, of course, you can set the preferences can be customized, but so you can provide quickly with this function if you need to provide license document information.

So, maybe you're worried about, so you need a lot of UI information, but it's not a problem because API is also supported. You can make an API token very easily from the UI. After generating the API token, you can almost all method or procedure by API. And so, the API guide is also installed when you install SW360.

Yeah, and so, from now, I'd like to explain or report some news about SW360. Just recently, we renovated the website. Some information includes how to use it written in the GitHub wiki, but so we moved to this page. So, and of course, this website is also open source, and so if you want to update it or if you find problems, please make a pull request. So, any pull request is always welcome, like a translation or a new screenshot or update description, or of course, fixing my typo.

Yeah, so, and we all of our SW360 are discussing the roadmaps and from this one, from this page, you can see these roadmaps. So, there are a lot of ideas for how to improve SW360. And so, now they are categorizing the various types. So, state of the tools, usability, REST API, and more and more. So, yeah, for example, yeah, I cannot explain all that. So, for example, so, for this is in CIC based on the license information, yeah, integrated automated function, or import or support CycloneDX BOMs. And so, so, we are also now discussing how to change the database. Now we are using CouchDB, but so we are now surveying what is the most benefits database for our service.
So, until last year, building SW360 was very complex and you could not easily install it. But so, recently, one of the great contributors set up the Docker Compose installation. So, if you set up Docker Compose, you can build SW360 with three or four commands. It's very useful and so, after this presentation, if you want to try SW360 by yourselves, yeah, you can follow this one. Maybe you can try it within today. Yeah, so now, other topics that we are also talked about the new front end size. It's a concept, but so, we may change the new front ends. And so, recently, as a contributor, do the presentation. And so, maybe we will release version 17 soon. So, I explained and talked about the SW360 overview and some useful functions and websites were loaded up. And from now, my colleague, Tien-san, explains new functions about SW360.

Thank you, Hamah-san. In the next section, I would like to introduce to you three big features we implemented in this year. The first one is managing vulnerability information. You can see more detail in the GitHub issue and our pull request. We made the pull request from the Toshiba repository with vulnerability information management. Actually, in SW360 the user can manage vulnerability information by using the API. And Toshiba developed a new function so that the user can read, modify, and delete the vulnerability by using the web interface. These are the screenshots to add a new vulnerability. You can enter some information for the new vulnerability and click the Create Vulnerability button. After that, you can also edit it by using the Edit icon. And you can also delete a vulnerability.

The next function, import SPDX document. From the issue on GitHub, we implemented a new function to make a new tab on the release page to show the API data and API data-like information. There are some functions in this year. The first one, we can import the SBOM file from component level.
You can go to the component in the top menu and click the Import SBOM button. You can get the example file from the tools-java repository because we use this library for SW360. You can see here when we import the SBOM file, a new component and new release can be created in this system. After you import the SBOM file, you can view and edit the SPDX document. So we provide a new function to store the SPDX document information when the user imports the SBOM file. And to view the information of a release, for example, Zlipsy, the user can go to the SPDX document tab on the release page. In this tab, the user can view full SPDX information and can view a short version. And here is a video for the demo session. You go to the Zlipsy component and release. Then you can go to the SPDX document and see much information about SPDX in here. React like you can see some short version. You can also edit the information about SPDX by editing the release. We also provide a new function to allow the user to export the SPDX document information to multiple formats like Tafai, RDF, and ZitSum, HF format.

So then on we implement a new dependency network between project and software. Now Toshiba is developing a new function to make the dependency management of a project more flexible. And we will release the function soon. In the current version of SW360, the user can only add the direct release to a project. And own transitive releases depend on the release's relationship at the component level. So if two projects link to the same direct release, they also have the same transitive release. This is how it's used when practiced SW360. We find that when two projects, project A links to component X version 1 and B links to component X version 1, the version of each dependency may be different. For example, in the case of NPM, if the developer sets the version of a dependency m more than 1.0.1, so the version may be 1.0.2 for common A version and 2.0.1 for common A version 2.
And the current situation about SW360, only the information of the direct dependency of a project can be regained in SW360, as you can see here. And this guy cannot be regained in the current SW360. So Toshiba proposed and developed a new function to make the dependency management of a project more flexible. The function allows a project to set up its own dependency network. This is an example. We have two projects. Project example 2 is old and project example 1 is new. The link to minimatch version 3.0.4. But with old project, the relationship of minimatch with brace-expansion version 1.1.7. And the new project will link to brace-expansion 1.1.11 version. And in the current situation, the user only adds the direct release to project 1 and project 2. And cannot change the version of the transitive release. So I'll propose a new UI and new function to manage the dependency network for each project. So each project can set the dependency network dynamically.

So this is the step to set up the dependency network. You can go to the project and edit it. In the edit page, you can see the Linked Releases and Projects tab and add the release. You can search a release in the search form. For example, search DFC and add to the project. For the new function, the user can change the release version and add the sub-release. The user can also load the transitive release from the component level and change the version of the release dynamically. Then after the update, project information about the direct and transitive release will be reflected in the related functions. There are some related functions like license clearing tab, clearing request, ECC, import/export function, and so on. And in addition, an important point, the API function will also be changed.

And here is the demonstration. You can edit the project and go to the add release here. In this page, the user can load the dependency from component level and change the version dynamically. Add the sub-release for the libc, select the version, and add to the project.
You can see three releases and add to the project and the related functions also reflect the information.

So I would like to conclude this session. About the managing vulnerability information function, our pull request is ready to be merged. Then you can use this function. About the import/export SPDX document feature, currently we already support SPDX 2.2 and 2.3 versions. And now we continue to implement a new function to support the CycloneDX format. And the last one, the new dependency network between project and software, currently we are implementing this function. And maybe it can be included in the next release of SW360, maybe the 18 version. Yes, thank you for our presentation.

So that's all. And so we hope that we could tell everyone can join this one if you want to discuss about this SW360. Please join there. Yeah, thank you for listening. And if you have a question, please discuss.

Sorry, we don't support at this moment. But yeah, nice idea. Hi, Pranthu. A little bit of super Kubernetes, yeah. Thank you very much. Maybe. So can you introduce more information about that? Maybe because you ask again, you were microphone.

Yes, so SW360 is a very good tool to manage all kinds of information. But I wonder how we generate this information from the software. So that's the process before we reduce it into SW360. So can you share more information about that?

Thank you for your question. We generate the 8.5, the SPDX document from another tool. For example, you can use FOSSology to generate the SPDX file. Then import to SW360 to manage the component and release.

Thank you very much.

Asker, I'm not familiar with SW360. So can I ask a very basic question? I understand that SW360 stores some metadata, like SPDX and information about SBOMs only. So a similar question, but is there any knowledge to integrate some source code composition analysis software and so on? Are there any APIs between the two software of the SW360?
Maybe you can write some script using the REST API from SW360 to execute the component and project and release to SW360, then manage them on our system, on the SW360 system. Then we also provide the export function. Then you can also export the SPDX or some report from SW360 to 360.

Thank you very much. Sorry, one more question.

Yes.

You said that SW360 supports the SPDX version 2.2 and 2.3. And which field can handle and support the SW360? There are many attributes in the SPDX. All attributes are supported or not?

Actually, the new release for SPDX version from 2.2 to 2.3 has some changes. And currently, we can check the difference between SPDX 2.2 and 2.3 and implement the function to support the SW360 in SW360 system.

Thank you very much.

So thank you for attending our presentation today. Thank you very much.