Over five years ago, Adrian Bridgwater wrote a Forbes article pronouncing that “If Software Is Eating The World, Then Open Source Will Chew It Up (And Swallow).” That statement is just as true today. Open source components have become a basic building block for software developers, providing them with ready-made solutions from a vast community that help them keep up with today’s speedy and frequent release cycles. However, open source components also present developers with a new set of challenges to address. Eclipse SW360 is an open source tool from the community aimed at helping developers manage their open source components.
The Eclipse Foundation, creator of the Eclipse IDE and Jakarta EE, to name a few, created Eclipse SW360 as an incubator project, licensed under the Eclipse Public License. It’s an application that helps quality and R&D managers, developers, legal counsels, software architects, and more manage their bill of materials — the software projects in their products and all of the components that comprise those projects.
According to their documentation, Eclipse SW360 is “both a web application and a repository to collect, organize and make available information about software components. It establishes a central hub for software components in an organization.”
Eclipse SW360’s GitHub page explains that it is a “server with a REST interface and a Liferay CE portal application to maintain your projects / products and the software components within.”
SW360 provides a centralized location for licensing, compliance, quality, and security information about software components, allowing organizations to track the components used in a project or product. It also helps teams remain agile by easily integrating with other scanners, static code analysis, or build infrastructure.
Happy to discover an open source tool from the community and for the community, I played around with Eclipse SW360 to give you a rundown of its main and most exciting features.
Users can approve new open source components either for a specific project or globally, clearing their status across all software projects. You can also add a custom clearing status per individual project.
Eclipse SW360 supports multiple types of components, including proprietary, open source, and third-party.
SW360 enables its users to easily track the licenses of their open source components, and it can be integrated with FOSSology and used as a front-end tool for it.
Attributes like programming language, vendor, release date, and more can be added to each software component. In addition, more attributes can be added in the context of license clearing and approval.
True to the spirit of open source, everyone gets a chance to give this technology their own spin and add new languages to the interface. Currently supported are English, Japanese, and Vietnamese.
Once the software bill of materials has been set up, you can also assess the export control and customs (ECC) information for each project.
ECC classifications can be set for each component, and the application allows assigning a specific role for ECC experts. Experts are the only ones with permissions to modify ECC data, while other users can enter ECC data, which will need to be approved by the ECC experts.
SW360 is a great free tool from the community, for the community, providing a variety of features and capabilities for managing components. Still, most development and security teams, managers, and stakeholders need additional capabilities to fully enforce open source compliance and security.
In order to remain agile and keep up with DevSecOps practices, teams might need tools that offer automated policies and workflows, allowing them to trigger a process as soon as an issue arises. For example, when a compliance issue is detected, the details will be automatically sent to the relevant owner.
Creating advanced automated workflows to enforce policies automatically is also important, especially as teams get bigger. Users require the capability to impose a quality or security gate that blocks components with specific licenses or vulnerability types from even entering the code base by failing pipelines.
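To make the gate idea concrete, here is an added example (my own code, not part of Eclipse SW360 or its API) that evaluates a small constructed bill of materials against a policy and returns a non-zero exit code for the pipeline when a component carries a denied license, has not been cleared, or has a vulnerability rated at or above a threshold; the component names, versions and advisory id are placeholders.

```python
# Added example (not Eclipse SW360 code): a policy gate over a component
# bill of materials, the kind of check the text describes. A component is
# blocked when it carries a denied license, is not cleared, or has a
# vulnerability at or above the blocking severity. All data is constructed.
from dataclasses import dataclass, field

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

@dataclass
class Component:
    name: str
    version: str
    license: str                 # SPDX identifier
    clearing_status: str         # "approved" or "pending", as in a clearing workflow
    vulnerabilities: list = field(default_factory=list)  # (advisory id, severity)

@dataclass
class Policy:
    denied_licenses: frozenset
    min_blocking_severity: str = "high"
    require_clearing: bool = True

def evaluate(bom, policy):
    """Return the list of violations; an empty list means the gate passes."""
    violations = []
    threshold = SEVERITY_RANK[policy.min_blocking_severity]
    for c in bom:
        ref = f"{c.name}@{c.version}"
        if c.license in policy.denied_licenses:
            violations.append(f"{ref}: license {c.license} is denied by policy")
        if policy.require_clearing and c.clearing_status != "approved":
            violations.append(f"{ref}: clearing status is '{c.clearing_status}'")
        for advisory, severity in c.vulnerabilities:
            if SEVERITY_RANK.get(severity.lower(), 0) >= threshold:
                violations.append(f"{ref}: {advisory} is rated {severity}")
    return violations

def gate_exit_code(bom, policy):
    """Non-zero fails the pipeline stage; callers print evaluate() for the log."""
    return 1 if evaluate(bom, policy) else 0

# Constructed sample BOM; the advisory id is a placeholder, not a real CVE.
SAMPLE_BOM = [
    Component("libfoo", "1.2.0", "MIT", "approved"),
    Component("barlib", "0.9.1", "GPL-3.0-only", "approved"),
    Component("bazkit", "2.0.0", "Apache-2.0", "pending",
              [("ADVISORY-PLACEHOLDER-1", "critical")]),
]
SAMPLE_POLICY = Policy(denied_licenses=frozenset({"GPL-3.0-only", "AGPL-3.0-only"}))
```

In a CI job, `raise SystemExit(gate_exit_code(bom, policy))` after printing the violations is enough to fail the stage; the policy object is where a team encodes which licenses and severities are unacceptable for a given product.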
Team leads, managers, and stakeholders often require enhanced reporting capabilities to help with complex or time-consuming auditing and reporting tasks, like customized attribution reports or detailed security status reports.
Eclipse SW360 offers a variety of users a free and easy tool to manage a bill of materials in one centralized location, providing them with some of the data that they need to manage their software projects’ components.
Like all free tools, Eclipse SW360 has both advantages and limitations. I highly recommend it as a tool for developers and managers who are not using another technology, so they can gain the visibility they need over their open source components. Organizations that aren’t using other technologies should definitely give it a go.