![Page 1: SPDX: The Lingua Franca of Open Source Governance · SPDX: The Lingua Franca of Open Source Governance Gary O’Neall, Source Auditor Tim Mackey Black Duck by Synopsys @TimInTech](https://reader030.vdocuments.site/reader030/viewer/2022040315/5e1bf04e2417ec049f43f70a/html5/thumbnails/1.jpg)
SPDX: The Lingua Franca of Open Source Governance
Gary O’Neall, Source Auditor
Tim Mackey, Black Duck by Synopsys, @TimInTech
License (mis-)management: Stories from 15 years of Open Source analysis
Microsoft Acquisition of a SaaS Company
[Chart: CTO Credibility (vertical axis) against Time (horizontal axis), annotated with the disclosures below]
• “Here’s the Open Source Disclosure” – based on grep’ing for licenses
• “Here’s some more we missed” – based on engineer’s observation
• “Here’s some more” after surveying all engineers
• “Oops – forgot this one”
Large Software Supplier using Apache MQ
Image licensed under CC0-1.0 by pixabay.com
Large Software Supplier using Apache MQ
• LGPL Library inside another open source package inside a large app
• Found and fixed by Apache, but already out there
• The original source was removed by Apache – makes it hard to meet the source distribution obligations
• Would have been easy to update the versions if they knew of the issue
• Apache could have probably avoided the issue if they had tooling in place to maintain the embedded licenses (partially addressed by RAT)
Audits for Inbound Software
• Large corporation which embeds software in devices
• Very concerned about compliance
• Most inbound software suppliers’ disclosure is incorrect
• Hires external software auditors
  • Cost of audits
  • Concerns about confidentiality
  • Just doing a 3-way NDA is a challenge
Image by Tim Gouw licensed under Pexel’s license
GhostScript and iText – version caution!
• Depending on version and which fork, Ghostscript may be under GPL, Aladdin Free Public License (which forbids commercial distribution), or AGPL
• Recently, a Ghostscript litigation tested the enforceability of open source licenses (reference https://qz.com/981029/a-federal-court-has-ruled-that-an-open-source-license-is-an-enforceable-contract/)
• Versions of iText prior to 5.0 use a choice of Mozilla Public License or the GPL license. Versions 5.0 and later use the AGPL license.
Image by Lorenzo Cafaro under Pexel’s license
Unnecessary scares
• GPL in contrib directories – zlib contrib/ada/zlib.ads: “…under the terms of the GNU General Public License …”
• GPL build tools
• Lawyers looking at the list of all identified licenses without additional info can get quite (unnecessarily) concerned
• Takes some time during analysis to determine how the GPL code is used
Did we really distribute this?
• Leaking tools as part of the distribution
• Testing tools – some GPL with redistribution requirements
• Build environment tooling
Image by Hossam M. Omar under Pexel’s license
So what’s this SPDX thing?
What’s in your software?
• What are the ingredients?
• How is each ingredient used?
  • License
  • Relationship to product
• What do we know about each ingredient?
SPDX for Governance
• Generate
• Store
• Aggregate
• Query
![Page 14: SPDX: The Lingua Franca of Open Source Governance · SPDX: The Lingua Franca of Open Source Governance Gary O’Neall, Source Auditor Tim Mackey Black Duck by Synopsys @TimInTech](https://reader030.vdocuments.site/reader030/viewer/2022040315/5e1bf04e2417ec049f43f70a/html5/thumbnails/14.jpg)
Governance Today
[Diagram: Code, Deployments and Audit, each producing its own separate BOM]
Governance Challenges
• Requires Manual Labor
  • Keeping Spreadsheet updated
• Requires Compliance
  • Reporting usage
  • Adherence to Policy
• Hard to standardize tooling
  • Requires aggregation of diverse tool outputs
Governance Goals
• Automate building a master BOM
• Automate Reporting
• Produce single aggregable output
Governance with SPDX
Governance with SPDX
[Diagram: Code, Deployments and Audit, each producing its own BOM]
Demo
Apache Jena Fuseki
SPARQL
https://gitlab.com/yevster/spdx-server
Auditor
List All Licenses For My Version
Enforcing Licenses with SPARQL
prefix spdx: <http://spdx.org/rdf/terms#>
prefix rdf: <http://www.w3.org/1999/02/22-rdf-syntax-ns#>
select distinct ?name ?licenseConcluded ?licenseDeclared
{
  ?pkg rdf:type spdx:Package ;
       spdx:name ?name .
  ?pkg spdx:licenseConcluded ?licenseConcluded .
  ?pkg spdx:licenseDeclared ?licenseDeclared .
  FILTER regex(str(?pkg), "1.0.23")
}
List Packages With No License Declared
Enforcing Licenses with SPARQL
prefix spdx: <http://spdx.org/rdf/terms#>
select distinct ?item ?itemName
{
  { {?item spdx:licenseDeclared ?license} } .
  OPTIONAL {?item spdx:name ?itemName} .
  FILTER (?license in (
    spdx:noassertion,
    spdx:none
  ))
}
List Packages With No License Declared – Filtered For Our Version
Enforcing Licenses with SPARQL
prefix spdx: <http://spdx.org/rdf/terms#>
select distinct ?item ?itemName
{
  { {?item spdx:licenseDeclared ?license} } .
  OPTIONAL {?item spdx:name ?itemName} .
  FILTER (?license in (
    spdx:noassertion,
    spdx:none
  ))
  FILTER contains(str(?item), "1.0.23")
}
List Details On Specific BOM Item
Enforcing Licenses with SPARQL
prefix spdx: <http://spdx.org/rdf/terms#>
select distinct ?item ?p ?o
{
  ?item spdx:name 'jep' .
  {?item ?p ?o}
  FILTER regex(str(?item), "1.0.23")
}
List Packages With Sensitive Licenses
Enforcing Licenses with SPARQL
prefix spdx: <http://spdx.org/rdf/terms#>
# licenseList prefix was missing from the slide; SPDX license list IRIs live under this namespace
prefix licenseList: <http://spdx.org/licenses/>
select distinct ?item ?itemName ?license
{
  {
    {?item spdx:licenseDeclared ?license}
    UNION
    {?item spdx:licenseConcluded ?license}
  } .
  OPTIONAL {?item spdx:name ?itemName} .
  FILTER (strstarts(str(?license), str(licenseList:AGPL-3.0)))
  FILTER regex(str(?item), "1.0.23")
}
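As an added example (not code from the deck, the SPDX project or the linked spdx-server), the same two policy checks that the “No License Declared” and “Sensitive Licenses” queries express in SPARQL, re-implemented with stdlib Python over an SPDX 2.x tag-value document instead of an RDF store; it goes slightly beyond the SPARQL by tokenizing license expressions so a disjunction such as “MIT OR AGPL-3.0” is also flagged. The SPDX document, package names and licenses below are constructed for the example.

```python
"""Policy checks behind the deck's SPARQL queries, over an SPDX 2.x tag-value document."""
import re

# Constructed SPDX tag-value document with three invented packages.
SPDX_DOC = """\
SPDXVersion: SPDX-2.2

PackageName: jep
PackageLicenseConcluded: MIT
PackageLicenseDeclared: MIT

PackageName: pdfkit-shim
PackageLicenseConcluded: AGPL-3.0-only
PackageLicenseDeclared: NOASSERTION

PackageName: vendored-blob
PackageLicenseConcluded: NONE
PackageLicenseDeclared: NONE
"""
LICENSE_TAGS = ("PackageLicenseConcluded", "PackageLicenseDeclared")
UNKNOWN = ("NONE", "NOASSERTION")  # SPDX's spdx:none / spdx:noassertion

def parse_packages(text):
    """Return one dict per PackageName block with its license fields."""
    pkgs = []
    for line in text.splitlines():
        m = re.match(r"^(\w+):\s*(.*?)\s*$", line)
        if not m:
            continue
        tag, value = m.groups()
        if tag == "PackageName":
            pkgs.append({"name": value})
        elif pkgs and tag in LICENSE_TAGS:
            pkgs[-1][tag] = value
    return pkgs

def _ids(expr):
    """License identifiers in an expression ('MIT OR AGPL-3.0' -> both)."""
    return [t for t in re.findall(r"[A-Za-z0-9.+-]+", expr) if t not in ("AND", "OR", "WITH")]

def undeclared(pkgs):
    """'No License Declared' query: declared license is NONE or NOASSERTION."""
    return [p["name"] for p in pkgs
            if p.get("PackageLicenseDeclared", "NOASSERTION") in UNKNOWN]

def sensitive(pkgs, prefix="AGPL-3.0"):
    """'Sensitive Licenses' query: a declared or concluded identifier starts
    with prefix; checked per token so 'MIT OR AGPL-3.0' is also caught."""
    return [p["name"] for p in pkgs
            if any(i.startswith(prefix) for tag in LICENSE_TAGS for i in _ids(p.get(tag, "")))]
```

A package with no license tags at all is treated as NOASSERTION, matching the SPDX default rather than silently passing.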
Questions?