workshop

The SBOM era: leaving no open source project behind with osskb.org. Creating and auditing SBOMs is now easier than ever

Crane Hall

15:00, 40 mins, 07/11/2025

Creating complete, machine-readable SBOMs in standardized formats can be a significant burden for many open source projects, especially resource-constrained ones, large integration efforts, and projects dealing with complex dependency trees. Detecting undeclared dependencies and unwanted code snippets is one of their main challenges.

The workshop introduces osskb.org, a free-of-charge service by the Software Transparency Foundation (STF) designed to make accurate open source scanning accessible to all. Already integrated as a back end by popular open source tools such as FOSSology, ORT, FOSSLight, scanoss.py and TheiaIDE, osskb.org detects open source files and code snippets by matching them against one of the largest open source knowledge bases, providing license information without compromising user privacy.

The workshop will show how to create and audit SBOMs using osskb.org and several of these popular open source SCA clients used in compliance work. It will also show how to configure the openAPI that provides access to osskb.org in your tool of choice, so that you can boost its detection and license-information enrichment capabilities.