Hello and welcome to our recorded talk about SW360 Software Bill of Material Management and License Obligation Management. This time we are two persons presenting this presentation. My name is Michael Jürger, and I work for Siemens. I provide FOSSology and SW360 to Siemens businesses so they can implement the license compliance process, and I will start with a presentation about SW360 in general. And then we have my colleague, Koki Hama; he works at Toshiba and likewise he is an expert on open source license compliance in his organization as well.
So, maybe some general introduction about SW360, if you haven't heard about this software project already. I compare it a little bit to a video cassette management application. Like 30 years ago, you had these different video cassettes and you wanted to keep track of the movies that had been recorded to different video cassettes, and instead of inserting the video cassette into the video recorder to look at what had been recorded there, people started writing their own small software applications managing the contents of different video cassette tapes. SW360 is a very similar thing. You have different products that your organization is shipping, or maybe software projects that your organization is sending over to customers, and you would like to keep track of the open source software content therein. And if you think about open source software, people will ask: okay, it is open source, but maybe there is also freeware, software which can be freely used but is not available as open source, or maybe there is shareware. And then people ask: okay, what about commercial software that you are shipping as part of the product as well?
So there can be any kind of third party software components, and if you think this thing a little bit further, it could even be own components that your organization is providing internally: maybe a different business unit or a different sub-company or a daughter company or whatever subsidiary is providing software components that are reused in some other corners of the company, and you would like to keep track of that. So whatever your product contains in terms of software components, third party or own, you would like to understand what the software bill of material is, and SW360 manages this.
There can be many different use cases implemented based on that software bill of material. One very popular right now is about understanding the vulnerabilities that are ruling for this particular software product because particular software components are integrated, and another thing is the open source license clearing. So open source license clearing is basically understanding the license situation of all the involved software components, and to understand that you can ship this as a whole to the customer. One basic thing about the licensing with open source components especially is that you need to provide the license text along with the open source component that you're shipping, the license text of the open source component along with the open source software that you are shipping, when you're shipping your product.
So if your product contains multiple open source software components and they're coming with all different licensing, you need to collect all the different licensing in text form and provide it as an open source software declaration, open source readme, compliance bundle information, whatever, with your software product when handing it over to the customer. SW360 does that by the idea of maintaining a central catalog of the open source and other software components in use, and along with this catalog you can provide for each of these components the licensing information. When you define a particular set of software components, you can take all the different license information from the affected software components to generate that information for your product. That's one basic use case of SW360, and there are other use cases, of course. So maybe you have a problem with one software component and you would like to understand in which products or projects the software component has been shipped. I said already there is vulnerability management, which is also based on managing the software bill of materials: understanding which software components are in lets you better understand which vulnerabilities need to be fixed for your software, and so on and so on.
Another basic thing for SW360 is about how the license information is maintained. SW360 as well as FOSSology maintain license information using SPDX documents or SPDX-formatted information. So SW360 itself, and that's also important to understand, doesn't do any scanning at all. SW360 is just for keeping track of information, of connections, of relations and whatever, but SW360 doesn't take a piece of software and tell you, okay, I found this licensing inside. Other tools can do that much better, and one tool of them is obviously FOSSology. So the idea is that FOSSology is being used for determining the license information, then this license information is being expressed as SPDX documents, and these SPDX documents are understood by SW360 for each software component when this license information should be aggregated based on the software components being part of the product. So SPDX is just the format of choice. FOSSology can import SPDX information from other tools, other tools can generate SPDX information, so there is pretty much like the spec enforced in the SPDX exchange and SPDX information for license information, for copyright information, or exchanging just a bill of material.
And that was already the very brief and very basic introduction about how SW360 works and manages the software bill of material. Now we come to the second part of our presentation, which is about the licenses and license obligation management, by my colleague Koki Hama.
From this slide I will introduce a new feature related to open source licenses. This is Koki Hama from Toshiba Corporation. Nice to meet you. As you know, open source has a variety of licenses. For example, you can see what open source licenses exist on the SPDX website; you can find more than 400 OSS licenses there. It is essential to manage and follow the obligation collection in order to use OSS properly. This management must be done by the organization. OSADL provides easy-to-understand information about these obligations on its website. SW360 is now able to import license and obligation information from the SPDX and OSADL websites. SW360 users can then check this information from the GUI. Of course, it is possible to link them to each software component item. License and obligation information can also be added by the user; then SW360 supports the user's input by an input assistant function or elements of obligation. These functions are explained in the slides after the next.
Before starting to introduce the new features, let's look at the SW360 projects, components, releases, and license obligations. Each project is linked to a component release. This release information is linked to the licenses. Finally, the license is linked to the various obligations. In this way SW360 manages license obligations in a comprehensive way.
From this slide I'd like to explain with screenshots. This is the admin page of SW360. From the license page, administrators can import SPDX and OSADL information. The license page automatically downloads information such as the license name, SPDX ID, license text, and whether the license is OSI approved or not. Next, the license obligation import for time imports the obligations of about 50 licenses.
Let's look at the results of importing SPDX and OSADL. What you see now is the result of importing the BSD-3 license. As you can see, you can see the full text of the license. This license contains a lot of important information, but it is not easy to read and understand all of it. But from the point of view of OSS compliance, it is necessary to understand it correctly. The information obtained from OSADL is useful for understanding the license sentences. You can check each license result on the SW360 GUI. Let's look at the results in detail. About the BSD-3 license, obligation information includes information for each use case: how to display the copyright and distribution of the code. It also includes information about which license it is compatible with and information about patents.
SW360 also allows you to enter your own license obligation. In this case the user can enter an obligation based on the predicted candidates. This also allows you to enter information for each use case. In addition, you can always see your edits in the view. This allows the user to see how the obligations will look to the person reviewing them. This screen is still under development, so it may be slightly different in the latest version. You can also create several obligation templates from the imported obligation elements. This information will be very useful for your organization to manage open source licenses. In this way SW360 allows you to manage and add OSS license obligations. Thank you for listening.