Thank you. Okay. My name is Koki Hamma from Japan and so today, oh yeah, yeah, thank you, thank you. I'd like to explain OSS compliance and its tools. Yeah, first I will talk briefly about OSS compliance and then I will introduce some tools. I will also do a little demonstration. I will also show you, you know, how I use the tools to build a system in my company. Finally, I would like to explain how to enhance the system in the future. And yeah, last one, of course, Q&A session.

Okay, let's start. So, open source compliance. As you may have noticed, I named this chapter theme from the book I introduced after. So, OSS compliance in enterprise. So, of course, the theme is still for the session title. Okay, let's start with a brief explanation. I can't listen to you. Ready? Now I'm speaking. Does anyone hear my voice? Thank you, thank you, thank you very much. Sorry for Mr. Taniguchi. So, maybe many people now can hear my voice. Okay, I would like to continue.

So, as you know, OSS is essential for many companies. There are many reasons for this. For instance, you can use OSS that is already completed. This means you can utilize sophisticated software without having to code from scratch. Moreover, in recent years, OSS has become more accessible. It is even possible to use the appropriate OSS from the internet with just a few lines of additional commands. There are many types. For example, there are many OSS database applications such as PostgreSQL, MySQL, CouchDB, etc. And users can choose from them freely. With this background, it is commonplace for companies to include various OSS in their products and services. It is also compress to design through OSS in many development sites, thus making OSS mandatory for companies.

Now, let's move on to OSS compliance. Of course, as many of you know, OSS is not unconditionally available.
This is true for both personal and company use. But if you are going to use OSS as a company, you have to investigate various information more carefully. For example, you need to meticulously review the license. There are many OSS licenses, but they all have different obligations. We need to carefully respect the license that OSS has. You need to check the copyright as well. Often, it is difficult to find it, but this doesn't mean that they should be ignored. In addition, vulnerability and export control information are all important and need to be checked. Of course, since this is here just an example, it is difficult to deal with everything. I would like to insist that users need to review a lot of information about using OSS.

Let's talk about something a little more complicated. Users should consider how to check this OSS information. When checking them, especially when a company uses a lot of OSS, there is a high possibility that important information will be missed without the proper strategy. However, if you start to consider a strategy for OSS analysis, you will not be able to find an easy solution. Is there a standard way to do any OSS compliance? And whose approval is needed? At this time, OSS users may consider using experts and tools. A lot of things need to be done for OSS compliance, but it's hard to know where to start. Is there a point of arrival in the OSS compliance? We must be careful as long as we use OSS.

OpenChain provides some important tips for your OSS compliance works. From here, I will briefly discuss OpenChain, a project under the umbrella of the Linux Foundation, which aims to establish effective and common utilization of OSS and OSS licenses. OpenChain is also working to help reduce OSS management costs. And OpenChain is based on three cores. I will talk about OpenChain a bit more. The OpenChain specification defines a number of requirements. These requirements are for OSS license compliance programs.
It has undergone several revisions and 2.1 is now available as the latest version. It is now included in the ISO/IEC database list. OpenChain spec is now becoming more of an international standard.

At the end of this chapter, let's consider what strategy we can use to improve OSS compliance. For example, you may want to hire more people to pursue these missions. It's easy to say, but I don't think it's something most companies can do right away. It is also important to share information both in and out of the company. Not all problems can be solved immediately, but you can set to move forward with your mission. However, this alone will not easily improve OSS compliance. It doesn't matter how much information only the person in charge follows. In addition, be sure to prepare your educational materials. Education can also lead to OSS compliance. Originately, there are already some education materials in the world. The origin title of this presentation, as well as the slide provided by OpenChain are available for this. And finally, I suggest the use of the tool.
I'll talk more about it in the next section, but I think it's one path strategy.

Yeah, I'd like to show you what you can do with the tools. Many OSS compliance tools have been developed in the world today. And some of them are already in use by many companies. It is difficult to write about all the tools and their effects, but I'd like to introduce some of them. The tools speed up the tracking of your OSS compliance works. Some of the tools do license analysis for you. This may be the typical feature of OSS compliance tools that many people imagine. Some of them take a machine learning approach to license analysis. This kind of work is not always done by people who are accustomed to working with the CUI. Some of them provide an easy to use GUI. It also automatically generates documents for you to use when you share the results of your analysis with your customers or your colleagues. It is very useful for those who want to spend more time reinforcing the document content rather than creating it.

The tool can help you with your compliance tasks. Naturally, the use of OSS varies from project to project. OSS licenses have different obligations to fulfill depending on their usage. That is, companies need to manage not only which OSS are used in which project, but also how they are used. Then, inevitably, you need to keep track of who has reviewed it. Some tools also exist to assist with reviewers. This information tends to be scattered throughout the company. This is a special tool for larger companies. If the same content is checked over and over again by different departments, a lot of time will be lost. In order to avoid that, the condition of the information is very important, and that's where the tool will be useful again.

Now, I will introduce what the tool does. It's not a bad idea to create your own tool with this feature.
However, there are OSS tools out there to assist you in your OSS compliance work. It is important to remember that OSS tools can be used at a low cost. You can also share your tool usage now with the OSS community. Improving OSS compliance is not just for your company. It's for the entire supply chain. Therefore, you will be able to find members to develop OSS tools with.

Now, I would like to introduce some OSS tools in practice. First, I would like to introduce FOSSology. GPL 2 licensed OSS developed under the umbrella of the Linux Foundation. Users can use FOSSology to pass through the detection of license, copyright, etc. FOSSology includes many such agents, and new agents are being developed as OSS. Several methods for outputting the results of the analysis are also provided, including ability to output the results in SPDX format.

Let's demonstrate a little bit more in use in practice. This is the start page of the FOSSology. So, you can read some explanation about FOSSology and what kind of package you can analyze. You can read from this page. And when you start login, you can see the home page. So, if you want to search license in your open source files, you can use several methods. In this case, I would like to introduce the upload packages. When you upload the packages to FOSSology, you can select some optional analysis. So, you can check for them and open it and select analysis. For example, copyright agent, etc. agent. And so, many, many useful analysis agents exist in the FOSSology. After you set the FOSSology setting, you can upload. While uploading the source code, you can check how many agents are proceeding like this. So, if you update it, you can check progress of such engines. So, back to the browsing page. So, you can find which you already updated. So, now updating. So, you can find some license names from the agent discovered. And so, which files are not includes which kind of license. You can check them. For example, if the license name checked, what kind of files includes that
re-license in this case. So, you can open this and find the file itself. And context in the copyright notice or license or emails or any kinds of useful information. So, if you back to the top architecture of the file, you can get the list of copyright or email names. So, thanks to FOSSology engines, you can check almost all email lists in the file packages. After you reviewed, you can make an SPDX format document or files. That is all FOSSology.

And next, I would like to introduce SW360. SW360 is a web application that centralizes information related to OSS, which is licensed under EPL2 and manages OSS in unit of components such as license information, export control information, and vulnerabilities. You can manage information in one place, especially you can get results from the FOSSology. Tent-right management of what OSS components each project uses. In addition to the GUI operations, API can be used to facilitate parts registration and to read SPDX data. It also has the ability to create license documentation to provide to customers. In addition to the default languages, English, Japanese, and Vietnamese, other languages can be added if someone translated the license obligation files.

So, I will describe the architecture of SW360 in more detail. The information a project has is not a component, but rather a unit of information precisely release information. This is a reasonable way to manage which version of OSS is being used by each project, since the license of OSS changes depending on the version.

So, I will show the screenshot of SW360. So, this is the top page of the SW360. So, if you clicked the flag over the country, so, in this case click the Japan, you can change language. So, this means even if you cannot read their English, you can use SW360. And after logging in SW360, you can start from this page. This page shows what kind of project you are included. And what kind of component you are registered. So, you can check this one at the same time. So, if you clicked the component
tabs, you can list of the component information. In this case, I clicked the browser. So, this is written many information such as when created or who created. And what kind of license includes this license, this OSS. So, if you clicked the license link, you can read the license text like this. So, this SW360 provides the function import SPDX information automatically. So, it is very easy to download this kind of information from SW360. And if you check the project information, it also includes some information. For example, project name or visibility, this means who can see this project. And when created and project types, and administrator or ECC states, many kinds of information you can check from SW360 project information. So, of course, some projects use a lot of open source software. So, from this link to release and project buttons, you can check what project use what open source software and these versions. This is our SW360.

So, after, I would also introduce some OSS tools. So, next one is OSS Review Toolkit. This is also open source tools. This tool aims to assist with the tasks that currently need to be performed in the context of license compliance checks. So, this tool has mainly six functions, analyzer, downloader, scanner, and advisor, evaluator, reporter. So, if you use OSS Review Toolkit, you can get those code, related source code, and this kind of license. And so, result of your analysis document. So, any kinds of OSS compliance helped by OSS Review Toolkit.

And next one is the Tern. This is mainly used for the container analysis. So, sometimes it is difficult to find the package or license in the container. OSS includes the containers, but this Tern supports these tasks. When you use scan engines, scan functions, this Tern uses ScanCode Toolkit. Mainly, this is manipulated by the command line interface.

And so, as a result, SW360 Antenna. This is the scan artifact of the project, and download source for dependencies, and validate source code and license, and make some documents. So, this is
one of the SW360 related open source software. So, if you hope, if you want to integrate it, this one, maybe you can use with SW360.

And so, last one is SCANOSS. If you are interested in snippet scan in the source code, you can use this. So, this result from the open source knowledge database. This knowledge database has a lot of source code and this kind of information.

Okay. So, next. I would like to explain utilizing tools for open source compliance in enterprise. So, my colleagues and I developed it in my company. We have integrated several OSS tools and developed them in the company. Of course, it also includes SW360 and SW360, which I introduced in the previous chapters. This tool is literally available to people in a variety of professions. Engineers are not the only people involved when a company uses OSS. Of course, legal professionals may perform OSS license checking work. The same goes for managers and members of the quality control department. By building a management system that is accessible to all OSS stakeholders in my company, we can easily see who is doing what to do each other.

There is one more important point in this system. The tools for OSS compliance are consistently evolving. Every day, new features are deep, bugs are fixed, official manuals are created. We are careful to be among the first to adapt them. I believe that just as OSS compliance is not something that one company can handle alone, the OSS compliance system should be enhanced with the community.

So, now, I will explain the system a bit more. It is mainly about user support. Building a system is important, of course, but it's pointless if no one can use the system. And if the user considers the operation of the tool to be more complex than the compliance task, so we came up with some user support. For example, hands-on training, documentation, and multi-language support. I will briefly explain each of them. The effective thing about hands-on is that you can receive immediate user feedback. Users who are new to the go tool can quickly
understand where they will stumble. If you hold it online, you won't get a direct response, but you can do it for a large number of people at once. Of course, as long as there are no network problems. And if you are hands-on with OSS tools, there are some additional advantages. You can exchange ideas with people outside the company on what operation was appropriate. In some cases, official already offered a hands-on slide. You can also hold hands-on sessions in collaboration with the community.

Next, I would like to talk about documentation. Hands-on is an ideal way, but users cannot always participate in it. In this case, the document will guide the user. This can also be created with the community. We have published documentation and blogs on SW360 and FOSSology and more. I already introduced this kind of article, OpenChain Japan. Some people feedback to me. Thank you very much.

Finally, I've talked about multi-languization. English is important for OSS compliance, but English is not always native language of OSS users. So, even if you are not familiar with English, you need to operate OSS compliance tasks. So, we have to be working on various translation activities. Especially, I have contributed the community by translating some document and developing new op ones to support a wide range of languages. Recently, we did this development for SW360. Where the SW360 community member were very sincere in their response to our course, allowing us to successfully develop multi-language function features. The member of OpenChain Japan provided me with a various opinion when I translated English to Japanese. Thank you very much.

So, the first system we introduced has been developed with the user support with some successes. The number of users the system has increased. Of course, but the awareness of OSS has also improved. Many of my colleagues have begun to care about OSS compliance. It can also be said that the very existence of such a system has changed the mindset of users.

At the end of this chapter, I will list what I have
done with the community. I worked with the community to develop, get hands-on and document and translate. In next section, I will explain how I plan to make the system more user-friendly.

From here, I will discuss the improvement of the OSS system. Of course, new features may be developed. That's one way. On the other hand, various OSS compliance tools are released every year. Choose them well and incorporate what you need into the system. This work needs to be continued. Some communities are introduced the latest OSS management tools. We improve the quality of the system by participating in them. Some communities are open to the people of the particular region, while others are open globally. You can participate in both.

I want to explain in detail why you should join the community. The knowledge of open source software tools shared by community and by the company's community can be spread throughout the supply chain throughout the community. It affects you even if it is not directly related to your company. As you know, if a license violation occurs, the entire supply chain is immediately contaminated. That's how closely connected the company in the supply chain are. I'm wondering if we can take advantage of this and share information about OSS tools and these usages.

Now, I want to introduce community of tools I participated in mainly. They are several, but I will introduce the OpenChain Reference Tooling Group. The group holds online conference on web days. Anyone around the world is welcome to join the group as it is held twice a day, covering the same topic. We are contemplating how to combine the many tools already available in the world to achieve a workflow. In fact, all the tools presented today were discussed here. Consider joining the mailing list if you are interested in. Today, I will reduce some tools from this one.

OK, finally, I will explain about sharing OSS tools in my words. We can have this discussion with the community to discuss what workflows for OSS compliance management are good and how to
achieve them. Such know-how can be shared to improve compliance throughout the supply chain.

Finally, somebody, take advantage of tool to improve compliance and performance. Keep OpenChain Spec in mind then. Also, once the tool is in place, make sure you have good user support. Also, research what tools are available is important. Joining several community will give you a lot of information. Finally, we encourage you to use OSS tools. Then, exchange idea with the community on how to use the OSS tools. Then, have a community discussion about what tools are suitable for you. Yeah, let's manage OSS by OSS with community.

Thank you for hearing my session. Any question? If you have a question, please post some comments in the chat. What's rock? OK, I will check the track. Track leadership comment. No question? OK, so, today, after this presentation, of course, I would like to share my this slide. So, if you have a question about this slide, please send me your email. So, I will happy to answer them.

OK, thank you for question. How far is it? And, the USS.W363 talk to each other. Yeah, so, many, they connect it with their API. So, if you already have the FOSSology instance, you can use the connecting function very easily from the GUI.
So, FOSSology makes a hash for the API. And so, if you input SW360, you can use the connect to FOSSology and SW360. Okay? So, in one detail, so in my case, if I... Thank you for the answer. So, if I... Okay, so if you attach some source codes into the SW360, you can send to FOSSology directly by using API. And then, FOSSology user can analyze the license or any kinds of information from the source code. And after, if FOSSology user sets the status to the closed, SW360 user can receive the FOSSology results. So, like this, FOSSology and SW360 connect each. Okay? Any other question?

How do you speed the option in compliance process? Yeah. So, good question. So, in a half way of to realize this one. So, at first, yeah, I hope this kind of documentation for... I hope SPDX documentation, using SPDX documentation on my tasks and includes the open source compliance process. So, but I tried to do so, but it was difficult. So, now, I plan to explain how to use or what is SPDX at first. So, because then we set the open source compliance process in company. So, we need to care a lot of information to include SPDX. But, so, sometimes people will know SPDX, but sometimes don't wear SPDX documentation now. So, I think SPDX compliance and SPDX documentation and the compliance process is very good combination. And, so, if I use SW360, SW360 imports SPDX information and FOSSology is also same. So, not defined specific way, but I try to realize this with SW360 and FOSSology and other tools. So, this mean, if I set the compliance process with the tools, if tools already supported SPDX documentations, users automatically need to care SPDX documentations in open compliance processes.

Yeah, similar stage, yeah. So, we are in middle stage too. So, but I think if we continue to improve this one, we can establish. Because now, open source specification or SPDX become a very global standard. So, a lot of people hope to do so. So, recently, my colleagues changed their mind. So, I think it is difficult, but we can realize while utilizing
SPDX and related tools finally.

OK, I would like to close the session. So, if you have a question, please send me a mail. OK, and so, if I like the track, it's also OK. So, I would like to answer all questions. Yeah, so, I will close it. Thank you for attending.