Hello, everyone. Yeah, can you hear me? Yes. As Shane introduced me, I'm Kyung-Hye Kim, and I have been working for over 17 years on open source compliance at LG Electronics. So I am a little famous in Korea, but maybe everyone here doesn't know me yet. Have you ever heard about FOSSLight before Shane and Helio introduced it? Oh, yeah, thank you. FOSSLight is now very famous in Korea, but globally it's not famous, so it's a good opportunity to introduce you guys to FOSSLight. And So-im Kim is my colleague, and she will present the FOSSLight demo after me. We are not sisters, but there are too many Kims in Korea, so you might think we are sisters. Just a colleague. Yes.

FOSSLight is a really, really good tool for open source compliance. I will explain FOSSLight briefly. Today I would like to talk about the FOSSLight open source project. The presentation is divided into three parts. First, I explain what FOSSLight is, and then we move on to how we can automate compliance using FOSSLight. And last, I explain how we can automate security using FOSSLight and conclude this presentation.

This is the open source policy and process. It's over 15 years old. LGE has been establishing its open source policy and process based on the Linux Foundation's guidelines, but there was no suitable tool 15 years ago, so we made it. We needed a tool like Red Star Shores. So LGE developed its own tool in 2014 and has been continuously upgrading it every year, because the process is changed and improved. And in 2021, we open sourced this tool as FOSSLight with the intention of contributing to the open source compliance industry and making it easier for other companies to automate their processes like LG. FOSSLight is named to signify becoming a light for open source compliance: free open source software, and light. If you have any questions about FOSSLight, please visit fosslight.org. You will find a lot of information on the topic.
And you can visit the demo site using this site, and there are many, many documents, and you can find the YouTube content of FOSSLight. The FOSSLight YouTube content is better than my presentation. FOSSLight consists of Scanner and Hub. FOSSLight Scanner is a tool that scans dependencies, source code, and binaries, while FOSSLight Hub is a system that manages everything related to open source. We automated the open source compliance process in the Hub using the scanning result, which is the open source BOM, open source bill of materials. And after using FOSSLight Hub, we make the open source software notice and package. I explain this on the next slide. FOSSLight Hub manages all about open source: license management, open source management, and vulnerability management. As Helio explained, we started with open source compliance, but we can manage the security vulnerabilities also, and compliance process management and supply chain management are necessary. So we do supply chain management using FOSSLight Hub. The last one is export management. FOSSLight Hub has many functions such as export management. For example, we can compare two software BOMs using project version one and project version two.

FOSSLight Scanner consists of Prechecker, Dependency Checker, Source Code Checker and Binary Checker, and we are using many open source tools: the Prechecker uses REUSE, the source scanner uses ScanCode and ScanOSS, and the dependency scanner uses a lot of dependency package managers' open source. And LGE has a lot of specific platforms such as Android and the Yocto platform, so we made platform-specific scanners in FOSSLight Scanner. So we open sourced FOSSLight Scanner. It's a Python package and you can use it anytime. FOSSLight Hub is a kind of web service to provide open source compliance. We believe that FOSSLight Hub is an essential tool for the OpenChain conformance program. We got OpenChain conformance.
Thanks to FOSSLight Hub, such as red lines, we can achieve the OpenChain spec. So I think it is very good to use, very good for your OpenChain conformance.

Now it's the compliance automation. We followed the four-step process based on the Linux Foundation's guideline to ensure compliance with open source license obligations when developing software. The first is the identification stage. The development team analyzes the open source components used in the software, for example with FOSSLight Scanner or other open source scanners or commercial scanners; anything is good. We use FOSSLight Scanner, and after analyzing the open source components we get the OSS-BOM, open source software bill of materials, and it is reported in the FOSSLight report type. In the approval stage, the open source list is sent to the OSPO, the open source program office like us, for review and confirmation of the correct license and associated obligations. And this result is the open source BOM again. Step three is notice and verification: the development team creates an open source package by gathering the source code that needs to be disclosed based on the license obligations. After verifying that the package has been created properly, we review this one and the OSPO generates the open source notice. Finally, in the distribution stage, the open source package and notice generated by the OSPO are distributed to the designated site, for example opensource.lge.com, and that's done. This allows customers to view the open source components used at opensource.lge.com. This is the process of open source compliance, and we automated it using FOSSLight Scanner and FOSSLight Hub.

Here are some ways to automate compliance with developers. We are using Jenkins and FOSSLight Prechecker. Here are some ways to automate compliance with copyright and license attribution rules.
I think the most important thing is for developers to check open source components and licenses by themselves, not the OSPO, not other compliance managers. So developers push the source code, Jenkins is operated, and the repository checker, FOSSLight Prechecker in lint mode, checks that the source code has the right information about copyright and license. So it checks the license and copyright writing rules, and if it's not compliant, developers fix the source code and push again; if it's compliant, okay, it's good. It's a Jenkins example, but honestly it's just a demo, so we didn't adopt it yet. But our goal is to adopt this one for all source code repositories. And this is another example with FOSSLight Scanner. I mean, after pushing the source code to the repository, Jenkins is operated, open source BOMs are generated automatically and mailed, the BOM is compared with the FOSSLight Scanner result, and it is reported to the developer by mail. Yes.

And security automation: I explain this one. Lastly, let me briefly explain the method of automating vulnerability management using FOSSLight based on the open source BOM we have analyzed. FOSSLight can automatically send an email like this when new vulnerabilities are discovered in an existing project. I mean, vulnerabilities are changing every day, so we complete one open source project development and one day a new vulnerability comes, and the developer can receive this mail when new vulnerabilities come. And we can adopt this one in Jenkins also, similar to compliance automation. Vulnerability management can also be automated using Jenkins like this, with FOSSLight Scanner and the FOSSLight Hub API. Actually, FOSSLight Hub provides a REST API, so when we push to the repository and check, we use the FOSSLight Hub API and we can get the vulnerability information also. Yes.
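One way to build the repository-check gate described above into a Jenkins job, as an added example that is not FOSSLight Prechecker's own code: a small POSIX shell function that applies the REUSE-style rule (every source file carries an SPDX-FileCopyrightText line and an SPDX-License-Identifier) and returns non-zero so the build fails while a file is missing either. The checked file extensions and the Jenkins step are assumptions.

```shell
#!/bin/sh
# Added example, not FOSSLight Prechecker itself: a minimal lint gate in the
# spirit of the REUSE rules (SPDX-FileCopyrightText + SPDX-License-Identifier
# in every source file). Assumption: only .c, .h, .py and .sh files are checked.

# check_headers DIR
# Reports every source file under DIR that lacks a copyright tag or a license
# identifier. Returns 0 when all files comply, 1 otherwise (fails the build).
check_headers() {
    dir=$1
    failed=0
    # Simple word-splitting loop; paths containing spaces are not expected here.
    for f in $(find "$dir" -type f \( -name '*.c' -o -name '*.h' -o -name '*.py' -o -name '*.sh' \) | sort); do
        missing=""
        grep -q 'SPDX-FileCopyrightText:' "$f" || missing="$missing copyright"
        grep -q 'SPDX-License-Identifier:' "$f" || missing="$missing license"
        if [ -n "$missing" ]; then
            echo "NON-COMPLIANT: $f (missing:$missing)"
            failed=1
        fi
    done
    return $failed
}

# count_noncompliant DIR
# Prints the number of files check_headers reports for DIR (0 when clean).
count_noncompliant() {
    check_headers "$1" | grep -c '^NON-COMPLIANT:' || true
}

# Assumed Jenkins shell step: check_headers "$WORKSPACE" || exit 1
```

The developer fixes the headers of the listed files and pushes again; once check_headers returns 0, the build proceeds.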
And I explained everything about FOSSLight Hub, but this is the summary of the features provided by FOSSLight Hub: in addition to open source license management and compliance management, there is vulnerability management, and you can see supply chain management. Actually, we are using this function. Supply chain management means that if we get the software from a third party company, we can get the open source list, register it in FOSSLight Hub, and see their open source BOMs and open source vulnerabilities as well. Yeah, that's the end of my presentation, and we show the FOSSLight demo.

My name is So-im and I will show a quick and simple demo using FOSSLight. First, I created a project in advance, and let's see the identification tab. We can enter open source information in the identification tab, and I entered the open source information which will be included in my software. You can also upload a scanner result; SPDX format is okay, and if you use FOSSLight Scanner, you can upload the FOSSLight Scanner result into FOSSLight Hub. You can enter the open source information by third party, source, or binary. If you go to the BOM tab, you can see all the open source information from the other tabs, and you can check the license obligations and also the restrictions. If you click our icon, you can check which restrictions exist in this license, and also you can check the vulnerabilities of the open source. If you click the vulnerability icon, you can see the CVE IDs of that open source, and if you click the CVE ID, you can check the vulnerability information in more detail. Let's move on to the next step. If you entered all the open source information in the identification tab, you can check the open source list that is obligated to disclose source code, and after checking the list, I uploaded the source code for disclosing. Then let's move to the notice tab. You can issue the notice for the licenses that are obligated to notify.
If you click the preview button, you can see the default HTML format of the notice. There is open source information and it includes the license text also, and you can select the notice type in various formats like SPDX or HTML or text. Yes, of course, you don't have to do anything else for making the notice, but if you want to hide the open source version, you can check those things; you can modify it on the system too. Let's move to the final step, distribution. This step is not released in the open source version yet, but yes, you can upload the issued notice and source code to a public site so that users can download those files. In case of LGE, we upload those files to opensource.lge.com. In this case, if you go to opensource.lge.com, you can see the notice of those models like this, and customers can download those files. So far I showed how to manage the open source compliance process and vulnerabilities on FOSSLight Hub. And also you can check vulnerability information in another, separate vulnerability list; you can just type the open source name and you can search vulnerability information here too. And that's all I prepared for today. Thank you.

Yes, and so it took too long a time to open these two. I mean, we made it since 2014, seven years ago, and we open sourced it. Yes, yes, I think so. You mean the distribution page? I think it is a little hard, because many companies are using their own distribution sites, so we can provide the public API, but companies are organizing different sites, so it is really difficult to open the distribution stage. Yeah, yeah. Yes. Yes, right. Yeah. And also FOSSLight Hub is integrated with other commercial tools such as FossID and bretto. Their scanners have their own report type, and we opened the REST API, so there are two commercial tool companies using our APIs to integrate their result as input to FOSSLight Hub.
Yes, so many commercial tools; if you're using commercial tools, you can request the commercial tool companies to use the FOSSLight Hub integration. Yeah, actually LINE Plus in Korea uses FossID, I can tell. I don't know, I can tell their information, and they requested the FossID company and they made the plugin. Yes, yes. Actually I want to demo for you the self-check for developers. Self-check is for developers, and maybe you can create the self-check for developers just to input what you want to analyze. If your source is uploaded in GitHub or a public repository, just click this one and the analysis result is uploaded. For example, self-check the other; it takes too much time, so I show the other result. Yeah, scanning takes too much time, so I can show the other side. Maybe on the demo site, after analyzing this, the developer can check this information, and the developer can check the OSS information like this one and obligations such as the notice obligation. I mean, it's the function for developers, not the OSPO. So yeah, you mean that it's the internal FOSSLight Scanner. Yeah, actually FOSSLight Scanner uses ScanCode and ScanOSS, so it is already integrated. Yes, you can integrate any other scanners using this URL, because we opened all the source code of FOSSLight Hub, so you can integrate any scanners. Actually in Korea, at least, adopting the other tool than FOSSLight Scanner, just the other open source, not an open source scanner, just the other commercial tool. Yes, government laboratories, yes, not a common company, research labs such as, yeah, that's all. Yes, yes, yes, yes. You mean that if you bypass our procedures, right? Yes. If you want to skip our procedures, you can use the self-check list also, or yes, it's not an automated configuration yet. But many companies want it like you, so we are thinking of this, and when setting up FOSSLight Hub, we can configure to skip each process or procedure, but it is not this year's roadmap.
Sorry. Yeah, yes. Yeah, very good question, and a little difficult question also. Actually we think the scanning result is proper from the development team, but we can check some; actually we can check the exact open source license now just from the download location. It's similar to Helio's opinion based on PURL. I mean, many scanners' results are false positives, as you know. So I think the sleeping machine is not important these days. So the dependency check is most important, I think, and actually sometimes we check the false positives, because we can get the result in the source tab, and there is the source directory; if the open source component is quite different, we can check and we can ask the development team, is it a false positive? Sometimes we ask, but sometimes we skip one. Yeah, so it is not 100% perfect, I think. Yeah, yes. You mean that the development team inputs 100 URLs and how we can analyze this one? Yeah, it's a very good question; it's our secret. Actually, after we run the dependency check, it's almost two cases. I mean, first of all, before the dependency check we have only 10 or 20 components, and after the dependency check we can have over 100 component URLs. So actually we have the automatic analysis program. It isn't open yet; we only use it internally, and actually we are using the OIT. I mean, URLs are input and the automated analysis is coming, so I can show you. Is it recorded? But I believe you don't distribute the content. Yes, yes. Actually, for example, this is the auto analysis. I mean that there are too many URLs, so if you use auto analysis, the analysis result comes out. We can use this automatic analysis so we save our time. It is the result of automatic analysis, and we use the OIT and ScanCode. Only ScanCode? Yes, sorry. It's not OIT, just ScanCode, and the ScanCode result says the license text is MIT and MIT and copyright through the top three, so we can register this open source automatically.
But it's not open source yet. Yes. Yeah, thank you. Thank you.