Hi, my name is Yoshitsa Morizumi. I will talk about license compliance and security management for embedded systems. The agenda on this slide is as follows. After a brief introduction, I will talk about the problems in software development and their background. After I list the problems, I will talk about building a system to solve them. Finally, I will talk about the summary and future prospects.

Let me introduce myself. My name is Yoshitsa Morizumi. I work as an engineer at Fujitsu. Since I joined the company, I have been involved in operating system development and technical support. By engaging in the development of a real-time OS, I learned the basic knowledge and structure of an OS. I have been involved in the development and support of devices running Linux. Recently, I also worked on McKernel for the Fugaku supercomputer.

First, I will talk about the problems in software development and their background. Let's start with the compliance issue. In recent years, the size of software in embedded systems has been increasing. A product is made up of a combination of many pieces of software, and OSS is often used for that software. Software comes from multiple suppliers and is ultimately integrated into the product. The product vendor must comply with the copyright and license of all software they use. However, the information may not be provided by the software supplier, or may not be complete. It is also difficult to manage different formats from different suppliers. As a result, the product may contain unintended software, or may not comply with copyright or license terms.

Second, security issues. Embedded systems include a variety of open source software. The product is composed by combining OSS and in-house developed software. You should be aware of vulnerabilities when using OSS. Vulnerabilities are reported daily and fixed by the OSS community, but depending on the version of the software used, the product may still contain vulnerabilities. A vulnerability can be exploited to gain unauthorized access to a product, or to intentionally shut down the system. Product vendors need to understand vulnerabilities and take corrective and mitigating actions as needed. Also, bugs are inherent in software, and even with testing, bugs can be introduced into the product. As a result, the product may contain vulnerabilities or bugs.

Here is a summary of the software development issues we have discussed. The first is compliance. You need to know all of the software components used in the product. You must also comply with the software licenses and copyrights. The second is security. You need to identify vulnerabilities in the software included in the product and address them if necessary. You also need to ensure code quality.

An SBOM is a way to solve compliance problems. By the way, what do you think an SBOM is? SBOM stands for Software Bill of Materials: a complete list of the software parts included in the product. It can be used to protect the software supply chain. There are various ways to implement and create an SBOM. The information required for an SBOM includes the author name, supplier name, component name, version string, hash value, and identifier. You will also need licensing and vulnerability information.

Let's look at how an SBOM is used in the software lifecycle. I will explain by following the NTIA materials. For example, when you build software, you can use the SBOM to manage what software code is included. When you release software, you can use the SBOM to manage the supplier name, software name, version number, license, and so on. In software maintenance, the SBOM allows you to manage vulnerability information. The SBOM works throughout the software lifecycle.

Here are three typical implementations of SBOM. SWID stands for Software Identification. It is standardized by ISO and was created by NIST. It is designed to provide organizations with a way to track the software installed on their devices. SWID tags are in XML format. A more lightweight binary format of SWID is also being considered for IoT devices. Next, CycloneDX was created by the Open Web Application Security Project (OWASP). It is a lightweight SBOM specification designed specifically for software security requirements and related risk analysis. This specification is written in XML, with JSON in development. SPDX stands for Software Package Data Exchange. It is standardized by ISO and was created by the Linux Foundation. SPDX provides a standard language for communicating software-related component, license, copyright, and security information in multiple file formats. A variety of formats are available, for example tag-value, JSON, YAML, XML, and spreadsheet.

This presentation will focus on SPDX, which is easy to use from Yocto. Yocto is a build tool often used in embedded system development. SPDX can be created in a variety of ways. Here are some of them, for different purposes. SPDX can be output while the software is built. The tools in the green frame are inserted into the build. Those tools include the OSS Review Toolkit and Quartermaster. Yocto can output SPDX with create-spdx or meta-spdxscanner. meta-spdxscanner invokes external tools, ScanCode Toolkit or FOSSology. The tools in the red frame are used by inputting the source code after building. ScanCode Toolkit can scan source code and binaries for license and copyright, and output SPDX files. It can also output SPDX for an installer's container image. FOSSology can scan the source code for license and copyright, and output SPDX files. Its web UI also provides a workflow for compliance. The blue frame shows transformation tools. SPDX.org has a tool for converting SPDX. As additional tools, there are tools that work with Java and Python. There are also online tools. FOSSology can handle SPDX in a variety of ways.

Let's compare how to create SPDX when building software with Yocto. meta-spdxscanner creates the SPDX file by calling FOSSology or ScanCode Toolkit. It does not work alone; you need to have another scanner, but you can use one that suits your purpose. create-spdx is a new feature of Yocto, available from Yocto 3.4. You don't have to have another scanner; you can use it alone. It is easy to use: just add a line to the Yocto configuration file local.conf.

Let's reconsider the compliance issue. Now, the supplier provides the SBOM with the software. An SBOM is a complete list of the components and licenses the software contains. In addition, typical implementations such as SPDX facilitate file format conversions. The product vendor can extract all software licenses and copyrights included in the product. A unified format makes management easy.

Next, let's talk about building a system to solve the problem. Here are some of the problems in software development that I mentioned at the beginning. In recent years, software development for embedded systems often uses Yocto. Many development environments provided by hardware vendors are based on Yocto. We build a software development environment that combines Yocto and other tools to solve the problems listed above.

FOSSology is an open source license compliance software system and toolkit. It contains tools for scanning licenses, and provides a web interface for viewing scan results and a compliance workflow. meta-spdxscanner passes the source built by Yocto to a scanning tool such as FOSSology. It also receives SPDX files from tools like FOSSology and adds them to the build output. CodeChecker is a source static analysis tool using the Clang Static Analyzer and Clang-Tidy. It has various command-line tools for performing scans and a web interface for managing them.

This slide shows the system configuration. We use Docker containers to simplify system construction. You need to configure Docker, so refer to the documentation if necessary. The URL is shown on this slide.

Here is an example of how the system can be used from the user's perspective. When you build software with Yocto, it outputs SPDX files and a list of vulnerabilities, which you can refer to. The source code is automatically registered in FOSSology and scanned. You can check and clear license information from the web UI. The results of static analysis in CodeChecker can be viewed from the web UI. You can check the number of problems and the details of each problem.

We will build a concrete system. The minimum Yocto setup is shown on this slide. Create a directory to extract the Yocto environment and run the following command. A directory called build will be created; move into it. You must edit the local.conf file in the conf folder to work with CodeChecker and FOSSology.

The CodeChecker settings: CodeChecker is available on Docker Hub, so get it with the docker run command. The version number must match the CodeChecker used by meta-codechecker. Version 6.17.0 is currently in use. The meta-codechecker configuration is shown on this slide. The name used in the CodeChecker report endpoint setting must already be created in the web UI. The CodeChecker web UI is accessible on port 8001 on the host. The creation of the product used as the CodeChecker report endpoint is shown on this slide. Select New Product, enter the required information, and save. When you are done, the item is added to the list.

This is the setting of PostgreSQL, which manages the database used by FOSSology. PostgreSQL is available on Docker Hub, so start it with the docker run command. After starting PostgreSQL, initialize the database used by FOSSology. Create a user named fossy and a database named fossology and grant them permission. For the password of the fossy user, specify fossy. Next, FOSSology is available on Docker Hub, so start it with the docker run command.

The meta-spdxscanner setting is shown on this slide. The token is the key used to refer to FOSSology from meta-spdxscanner. The token is created in FOSSology. FOSSology is accessible through port 8002 on the host. Log in with fossy as the user and password. You can create an access token from the user account settings in the admin menu. Make it readable and writable. For CVE checks, add one line of configuration to local.conf. Once you have set it up to this point, build it with bitbake core-image-minimal.

Next, I will introduce how to see the results. Access the CodeChecker web UI. Click on the product to see a list of statically analyzed source code. Let's select one. Here I selected the source code for the sed command. The source code where problems were found is displayed. Select one of the indicated problems. Here, a problem with null pointer access depending on the processing path has been detected.

Next, access the FOSSology web UI and log in. Select the Browse menu, then select the created folder. A list of scanned source code appears. Select a source code to display the list of detected licenses. Here, I selected the source code for the sed command. In the source code detail, you can see the licenses found and the result of highlighting the text associated with the license. You can also clear the detected result.

Check the result of the CVE check in the host environment. Go to tmp/deploy/cve from your build directory. You can check that the vulnerability information file has been saved. Similarly, for SPDX files, access tmp/deploy/spdx from the build directory. You can see that the SPDX files are saved.

I will talk about the summary and future work. SBOM is effective for solving software development problems when using OSS. I introduced how to easily build a development environment that combines Yocto with other tools. In the future, I would like to compare meta-spdxscanner with create-spdx, a new feature of Yocto. Also, I would like to consider linking with other tools when building a development environment, for example the OSS management tool SW360. Please let me know if there are any other good tools. This is the end of the presentation. Thank you for your attention.
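As an added example following the results described above (my own code, not from the presentation, Yocto, FOSSology or CodeChecker), here is how the two build outputs can be consumed together: an SPDX tag-value SBOM such as those saved under tmp/deploy/spdx and the cve-check text report saved under tmp/deploy/cve are parsed and joined so that each package is flagged for an unknown license or still-unpatched CVEs. Both inputs are constructed samples embedded inline, and the CVE ids are placeholders.

```python
# Constructed SPDX tag-value fragment (real SPDX tag names, made-up packages).
SPDX_SAMPLE = """\
PackageName: busybox
PackageLicenseConcluded: GPL-2.0-only
PackageName: example-app
PackageLicenseConcluded: NOASSERTION
"""
# Constructed cve-check report in the "LABEL: value" layout of Yocto's
# tmp/deploy/cve text output; the CVE ids are placeholders, not real advisories.
CVE_SAMPLE = """\
PACKAGE NAME: busybox
CVE: CVE-0000-0001
CVE STATUS: Unpatched
PACKAGE NAME: busybox
CVE: CVE-0000-0002
CVE STATUS: Patched
"""

def _fields(text):  # yield (tag, value) from "Tag: value" lines, skip the rest
    for line in text.splitlines():
        if ":" in line:
            tag, val = line.split(":", 1)
            yield tag.strip(), val.strip()

def parse_spdx_licenses(text):
    """Return {package: concluded license}; a PackageName tag opens a package."""
    licenses, cur = {}, None
    for tag, val in _fields(text):
        if tag == "PackageName":
            cur = val
            licenses.setdefault(cur, "")
        elif tag == "PackageLicenseConcluded" and cur is not None:
            licenses[cur] = val
    return licenses

def parse_cve_report(text):
    """Return {package: [CVE ids whose status is still Unpatched]}."""
    unpatched, name, cve = {}, None, None
    for tag, val in _fields(text):
        if tag == "PACKAGE NAME":
            name = val
        elif tag == "CVE":
            cve = val
        elif tag == "CVE STATUS" and val == "Unpatched":
            unpatched.setdefault(name, []).append(cve)
    return unpatched

def review(spdx_text, cve_text):
    """Per package: flag an unknown license and list any open CVEs."""
    licenses, cves = parse_spdx_licenses(spdx_text), parse_cve_report(cve_text)
    return {pkg: (["license unknown"] if lic in ("", "NOASSERTION") else [])
            + cves.get(pkg, []) for pkg, lic in licenses.items()}
```

Packages whose concluded license is NOASSERTION are the ones that still need clearing in the FOSSology web UI, and packages with a non-empty CVE list are the ones to patch or justify before release.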