Subject: What is the scope of open source compliance and security vulnerability checks?
Do you perform open source compliance activities for fonts? (Example: the Open Font License)
Does the company distribute mobile apps (Android, iOS) to in-house employees? If so, do you also perform open source compliance activities for them?
How do you classify the targets of open source security vulnerability checks? Do you include not only the software to be distributed, but also the software used for infrastructure and servers?
Introductions and Update
Hyundai’s Open Source Governance System
Trends in Software Composition Analysis (SCA)
Kakao’s Olive System
1. OpenChain Update (Shane Coughlan, Linux Foundation)
OpenChain 2.1 as an ISO/IEC International Standard
Scheduled to be published on 12/14 (Mon)
Promotion for Japanese and Korean companies is scheduled for the same day
2. Hyundai Motors open source governance system (Songha Paik, Hyundai Motors)
In 2015, joined the Open Invention Network (OIN), a cross-licensing organization for patents related to open source
Much of the OIN promotion was done in the industry consortiums in which Toyota, BMW, and Honda participate.
In 2016, after Toyota had joined OIN, donated 10 million dollars and was approved as a Gold Member
In 2017, received professional training on open source software licenses and recognized the importance of compliance
New TFT (task force team) in 2018
More than 100 million lines of software are included in an automobile (a larger share than in other software products)
More than 3,000 parts are delivered from supply chain companies; among them, about 300 parts are supplied directly by first-tier suppliers
How to manage so many suppliers is an issue
Currently established compliance plan
Open source management TFT organized under the IP organization
Responsible for legal response, distribution of license policies to third-party partners, open source verification, and license notices
Step 1) Establish simple standards, with countermeasures for three cases:
- only the open source source code is disclosed and notified
- the modified and added parts are disclosed
- all combined user code is disclosed and notified
Step 2) Signed a business agreement with NIPA
Supplier companies are asked to request verification from NIPA, and Hyundai Motor Company receives the verification reports from those companies.
Step 3) Utilize the OpenChain project
By utilizing the OpenChain project, Hyundai is trying to raise the level of open source compliance awareness among supplier companies.
Issue: Open source and patents
Open source can also be protected by patents, and application and registration procedures are required
It is necessary not only to comply with license terms, but also to check whether there are problems with third-party patent rights and whether there is any impact on the company's own patent use.
Hyundai Motor Company cross-licenses related technologies through OIN, based on the Linux System Definition
How many first- and second-tier companies are requesting training/verification from NIPA?
Since it started this year, only about 20 companies have requested verification so far. Currently, open source verification is in progress for new models rather than models already released.
What is the patent verification method?
There is no tool that matches source code to patents. Someone who knows the technology searches for keywords in a patent search tool to check whether it infringes a patent.
Were there any patent litigation issues related to open source?
There were no litigation cases, but disputes and issues are known to exist.
The TF was started at the Namyang Research Institute and will be expanded to the entire company.
Are there any special provisions in contracts?
Drawings and specifications to be observed are provided when requesting technology development. At that time, standard specifications related to open source are provided together to ensure compliance. There is a plan to create open source related provisions when contracting with companies. In this
Others: the reason why the former did not join OIN
I reviewed OIN membership twice but ultimately did not join. It is not clear to what extent patents should be shared when determining the scope of OIN cross-licensing. Companies with many patents may lose their license because of OIN; this was judged to be a risk.
3. Trends in Software Composition Analysis (SCA)
SCA: an automated process to discover the open source components in a code base and manage their security and license compliance
SCA related research
Gartner report findings
The most important concerns when using OSS were the long-term viability of open source projects (#1), open source security issues (#2), and vulnerabilities (#3).
SCA tool selection criteria
- Vulnerability database: provides a vulnerability database based on the NVD
- Developer support: IDE and repository integration, plus functions that evaluate or recommend open source components before code is added
- Open source license compliance: can license policies be set, and can licenses be tracked?
- Shorter response time: can vulnerabilities be detected and prioritized quickly?
Forrester Wave findings
In 2017 SCA was just beginning; by 2019 the existing companies had settled into leadership positions and new services had appeared.
According to the G2 software review site
GitLab ranked 1st and WhiteSource 2nd
SCA vs. SAST: SCA identifies third-party (open source) components and manages their known vulnerabilities and licenses, while SAST analyzes the organization's own proprietary source code to find flaws and detect vulnerabilities before the code reaches production.
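To make the SCA selection criteria above concrete (NVD-style vulnerability matching, license policy, prioritisation) and the contrast with SAST (SCA works on the third-party inventory, not on your own source), here is an added example of a minimal SCA pass over a pinned dependency manifest. It is not code from any of the tools discussed in these notes; every package name, version, license, advisory record and policy rule in it is constructed for illustration, and the advisory IDs are placeholders rather than real CVE numbers.

```python
"""Minimal software composition analysis (SCA) pass over a dependency manifest.

This is an added example, not code from any of the tools discussed in these
notes. Every package name, version, license, advisory record and policy rule
below is constructed for illustration; the advisory IDs are placeholders, not
real CVE numbers.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


def parse_version(v: str) -> tuple:
    """'1.2.10' -> (1, 2, 10). Non-numeric parts compare as 0 (good enough here)."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))


def version_in_range(version: str, introduced: str, fixed: Optional[str]) -> bool:
    """True if introduced <= version < fixed; fixed=None means no fix has shipped."""
    v = parse_version(version)
    if v < parse_version(introduced):
        return False
    return fixed is None or v < parse_version(fixed)


@dataclass
class Advisory:
    id: str               # placeholder identifier (constructed)
    package: str
    introduced: str       # first affected version
    fixed: Optional[str]  # first fixed version, None if unfixed
    cvss: float           # base score used for prioritisation


# Constructed advisory feed standing in for an NVD-derived database.
ADVISORIES: List[Advisory] = [
    Advisory("EXAMPLE-2020-0001", "webframework", "2.0.0", "2.3.1", 9.8),
    Advisory("EXAMPLE-2020-0002", "yamlparse", "0.0.0", None, 7.5),
    Advisory("EXAMPLE-2019-0003", "imglib", "1.0.0", "1.4.0", 5.3),
]

# Constructed package -> SPDX license metadata, as a tool would resolve it.
LICENSES: Dict[str, str] = {
    "webframework": "MIT",
    "yamlparse": "Apache-2.0",
    "imglib": "GPL-3.0-only",
    "cryptoutil": "BSD-3-Clause",
}

# Constructed license policy: anything not explicitly allowed is flagged.
ALLOWED_LICENSES = {"MIT", "Apache-2.0", "BSD-3-Clause"}

# Pinned "name==version" lines, optionally followed by a comment.
PIN_RE = re.compile(r"^([A-Za-z0-9_.-]+)\s*==\s*([0-9][0-9A-Za-z.]*)\s*(?:#.*)?$")


def parse_manifest(text: str) -> Dict[str, str]:
    """Build the component inventory from a pinned requirements.txt-style manifest."""
    deps: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = PIN_RE.match(line)
        if not m:
            # Unpinned dependencies cannot be matched to a version range reliably.
            raise ValueError(f"unpinned or unparsable requirement: {line!r}")
        deps[m.group(1).lower()] = m.group(2)
    return deps


def analyze(manifest: str) -> dict:
    """Inventory components, match advisories, check license policy, prioritise."""
    deps = parse_manifest(manifest)

    findings = []
    for name, version in deps.items():
        for adv in ADVISORIES:
            if adv.package == name and version_in_range(version, adv.introduced, adv.fixed):
                findings.append({"package": name, "version": version, "id": adv.id,
                                 "cvss": adv.cvss, "fixed": adv.fixed})
    # Highest CVSS first so the response queue starts with the worst exposure.
    findings.sort(key=lambda f: f["cvss"], reverse=True)

    license_violations = []
    for name in deps:
        lic = LICENSES.get(name, "UNKNOWN")  # unknown license needs manual review
        if lic not in ALLOWED_LICENSES:
            license_violations.append({"package": name, "license": lic})

    return {"components": deps, "vulnerabilities": findings,
            "license_violations": license_violations}


# Constructed sample manifest exercising each outcome.
SAMPLE_MANIFEST = """
# application dependencies (constructed)
webframework==2.2.0   # inside 2.0.0 <= v < 2.3.1: vulnerable, fix available
yamlparse==1.1.0      # advisory with no fixed version yet
imglib==1.4.2         # patched, but GPL-3.0-only is outside the license policy
cryptoutil==0.9.1     # clean
"""

if __name__ == "__main__":
    report = analyze(SAMPLE_MANIFEST)
    for f in report["vulnerabilities"]:
        print(f"{f['id']} {f['package']}=={f['version']} cvss={f['cvss']} fixed_in={f['fixed']}")
    for v in report["license_violations"]:
        print(f"license policy violation: {v['package']} ({v['license']})")
```

Two design points carry over to real tools: the manifest parser refuses unpinned requirements, because a version range cannot be matched against a dependency whose installed version is unknown, and an unfixed advisory is still reported (with no fix version) so that it can be mitigated or accepted explicitly rather than silently dropped.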
Introduction of representative SCA tools
FOSSA: the initial concept started as a license compliance management tool, and the project started with 4 people in 2018
Added support for open source vulnerability management in 2020
It is said to have a rich database
The next tool, in contrast to FOSSA, started as an open source vulnerability management tool and only recently added license compliance management.
WhiteSource has provided SCA tools since its inception and has grown to be a leader among related companies.
Integrates with Azure, GitLab, etc.
SCA companies commonly run a community channel such as a blog to provide various information.
When did the term SCA come about?
It had already been used for a long time, but the name SCA seems to have come into earnest use in research results from 2017.
Can GitHub be considered SCA?
Open source identification is possible, but it does not appear to be classified as SCA because it does not provide license identification or metadata.
Can you provide a list of SCA blogs?
To be shared. Many SCA companies have blogs, and you can read a lot of high-quality articles there.
4. Olive released (Hwang Min-ho (Robin), Kakao)
- Olive URL: https://olive.kakao.com
- Kakao login-based; GitHub integration required
- Currently only the beta version has been released; it will be officially released after the functions are expanded.
- Some modules will be released as open source
5. Case Study
Mailing list member only
6. OpenChain KWG Update (Haksung Jang, SK telecom)
In-house design production (thanks to Soim!)
Provided to all applicants (supported by the Linux Foundation)
Received a citation from the Minister of Science and ICT (for merit in the development of the open SW industry): Haksung Jang, SK telecom - https://www.oss.kr/festival/award
How should the OpenChain KWG meeting be held in the future?
Would it be better to continue as it is now, or is there a better way?
There are many sub-group meetings in Japan, and it would be nice if we could develop a sub-group or study group, but that will only be possible after the corona pandemic ends.
If you have any opinions on how the KWG should proceed, please feel free to tell us!