This webinar discusses a Universal CVSS Calculator released by {metæffekt} GmbH. The open-source online tool is intended to support the assessment of vulnerabilities with their various CVSS scores from multiple authorities. It was created due to the lack of CVSS calculators which could ingest multiple vectors with different CVSS versions and compare the scores consistently.
Read The Slides
More About Our Webinars:
This event is part of the overarching OpenChain Project Webinar Series. Our series highlights knowledge from throughout the global OpenChain eco-system. Participants are discussing approaches, processes and activities from their experience, providing a free service to increase shared knowledge in the supply chain. Our goal, as always, is to increase trust and therefore efficiency. No registration or costs involved. This is user companies producing great informative content for their peers.
For the second year in row, we welcome Philippe Ombredanne to recap the FOSDEM event for us. This is a great way to catch-up on one of the best events in the world discussing open source development, management and (most importantly for us) legal, licensing and automation.
Gary O’Neall of Source Auditor talked about how the new SPDX Services Profile proposal structures information. This profile is likely to have an important on business process management, as it covers topics far beyond open source compliance, with one example being fields for topics like Export Control. Gary’s deep background as a core contributor to the SPDX Project allowed him to contextualize this discussion from a historical perspective.
The OpenChain Project ran a series of webinars about using open source tools for open source compliance ran between September and December 2021. They have been re-published in the main webinar series to improve discoverability. This episode explores how a tool called VulnTotal can help with open source security management.
Philippe Ombredanne from nexB lead a technical deep dive into VulnTotal on the 7th of February 2023. It was about an aspect of the AboutCode Project, with VulnerableCode providing tools to collect, aggregate and refine software vulnerability information from more than 20 sources and tools to quickly create new “importers”. Called VulnTotal, it came out of Google Summer of Code 2022:
VulnTotal: Cross-validate vulnerability coverage of VulnerableCode (Keshav Priyadarshi)
VulnerableCode is a unique project that collates and cross-references FOSS vulnerability data from multiple sources. Inspired by the VirusTotal multi-scanner virus scanning service, the VulnTotal project will cross-validate the vulnerability coverage of VulnerableCode against other publicly available vulnerability check tools and databases. For instance, a package may be reported as vulnerable by one tool or database but not by another. We can gradually work with these tool providers to keep each other apprised about newly discovered vulnerabilities, making FOSS more secure.
More About Our Webinars:
This event is part of the overarching OpenChain Project Webinar Series. Our series highlights knowledge from throughout the global OpenChain eco-system. Participants are discussing approaches, processes and activities from their experience, providing a free service to increase shared knowledge in the supply chain. Our goal, as always, is to increase trust and therefore efficiency. No registration or costs involved. This is user companies producing great informative content for their peers.
This is OpenChain Webinar #68, released on 2024-02-01. It was originally published as “Automation Case Study #7 – VulnerableCode technical deep dive into VulnTotal” on 2023-02-07.
During our recent OpenChain Automotive Event we had some excellent talks. One that we decided to pull out of the main recording and release solo is ‘Complexities of Open Source in Automotive’ by Russ Eling. This type of high level overview is an excellent starting point for people in complex manufacturing industries that want to use our open source standards for licensing and security.
About Russ and OSS Consultants
OSS Consultants is an official OpenChain Partner with decades of experience. Russ at OSS Consultants has offered his time to speak with anyone that has questions about managing use of open source – even if it is as simple as how to get started on your open source journey. Simply send an email to info@ossconsultants.com to schedule a time.
This webinar highlights a new open source tool for open source compliance and security that originates in China. This tool was created by a company called XMIRROR. The open source CLI offers SPDX support, so is immediate interest to tooling communities around the world, particularly from the perspective of integration with open source tooling frontend solutions.
This webinar features Alexios Zavras, Chief Open Source Compliance Officer at Intel Corporation and a long-term friend and collaborator around the OpenChain Project. This time the topic was SPDX 3.0, a significant generational update to SPDX, a sister standard to OpenChain ISO/IEC 5230 and OpenChain ISO/IEC DIS 18974.
SPDX is a Software Bill of Materials (SBOM) specification, so it operates one layer down from the fundamental processes outlined by OpenChain’s standards, and it provides an excellent way to meet our requirements for an SBOM to be used by companies. The second generation of SPDX has been an ISO/IEC standard for two years as ISO/IEC 5962. The third generation shows interesting promise as a way to manage license compliance, security and more.
This webinar provided a snapshot of developments around open source and security topics, an increasingly important part of open source governance and management. While not intended to cover all the issues seen, it was designed to give a strategic overview to interested parties.
This webinar explored the topic of how security can be addressed in the context of open source development and deployment. While critical to the long-term management of open source, it has been a historically under-developed area of resource allocation.
