[00:00.000 --> 00:11.640]  Yeah, hello everyone. My name is Shaheem and I am Gaurav with me. We both are working
[00:11.640 --> 00:19.360]  for a physiology community and we are from Siemens. So maybe let me start. So, Phosology
[00:19.360 --> 00:28.080]  is open source license compliance project. Initially, it was published by HP in 2008
[00:28.080 --> 00:37.880]  and in 2015 it has become Linux foundation collaboration project and Phosology is a Linux
[00:37.880 --> 00:46.640]  application. It works on Linux distributions and different tasks done for OSS license compliance
[00:46.640 --> 00:55.880]  by Phosology are scanning for licenses, copyrights, author ships, emails and ECC statements. Apart
[00:55.880 --> 01:03.360]  from this, we have key words and IP address statements as well. And we also generate documentation
[01:03.360 --> 01:12.240]  like read me OSS text documentation and unified report as well. So and then we have export
[01:12.240 --> 01:20.400]  and import of SPDX files. So maybe we can discuss about SPDX files later in the slides.
[01:20.400 --> 01:25.920]  So Phosology is about finding the licenses as I said already. So we scan for the source
[01:25.920 --> 01:32.880]  code. So the source code might have the license text, reference to the license text or written
[01:32.880 --> 01:39.120]  text explaining some licensing and then we might also have the license relevant statements.
[01:39.120 --> 01:48.480]  So this all will be identified by Phosology. And later we have uploaded a component called
[01:48.480 --> 01:56.720]  thrift which is Apache source code. And Phosology have found Apache license. Apart from Apache
[01:56.720 --> 02:02.920]  license we have many more licenses. It is because it is very natural that OSS project
[02:02.920 --> 02:10.080]  reuses the available OSS from other projects. So for example, if you see Phosology have
[02:10.080 --> 02:21.520]  found 25 other licenses, relevant licenses in Apache, apart from Apache 2.0. So what
[02:21.520 --> 02:28.000]  is the uniqueness about Phosology is we have conclusions. So if you take licensing can
[02:28.000 --> 02:34.160]  be simple, but it might be challenging as well because you might see some unknown licenses,
[02:34.160 --> 02:39.920]  written statements about licenses, some licenses might be unclear and there might be some
[02:39.920 --> 02:51.760]  incomplete license statements as well. So actually to do this I think one required a
[02:51.760 --> 03:04.000]  good domain knowledge. So yeah, SBOM and Phosology. So we are producers of SBOM as well as the
[03:04.000 --> 03:13.480]  consumers. So Phosology produces SBOM in SPDX version 2.3 format which includes the file
[03:13.480 --> 03:19.280]  level information, license findings and its conclusions and copyrights as well as the
[03:19.280 --> 03:28.040]  custom license text. So as a consumer Phosology import all this information and add it to
[03:28.040 --> 03:36.680]  a component as well. So more information about the SBOM will be discussed later in the slides.
[03:36.680 --> 03:43.320]  So yeah, maybe Gaurav will take over and explain about the releases and more SBDX features
[03:43.320 --> 03:50.040]  of Phosology. Thank you. Thanks. So yeah, with Phosology we recently released
[03:50.040 --> 03:57.280]  few versions and in all of them we majorly try to sync our license set with the SBDX
[03:57.280 --> 04:04.360]  license set so we are up to date. And at the same time we are continuously working to improve
[04:04.360 --> 04:11.680]  our REST API so we can provide more automation flexibility to anyone who is interested to
[04:11.680 --> 04:21.160]  use it. And like recently we had some GDPR updates thanks to Orange like how the user
[04:21.160 --> 04:25.640]  data will be managed in the server and things like that we recently updated to Bootstrap
[04:25.640 --> 04:35.640]  UI. We are planning to move to React but yeah, it's in the works. With 4.1 we recently integrated
[04:35.640 --> 04:43.360]  scan code so you can upload your source code to Phosology itself and let Phosology scan
[04:43.360 --> 04:50.000]  using its own scanners or if you prefer you can also use scan code and import the license
[04:50.000 --> 04:56.320]  findings in Phosology itself. We also worked a little on our copyright false positive reduction
[04:56.320 --> 05:02.960]  using Spacey and with the latest release so we would like to say we are reused.software
[05:02.960 --> 05:11.760]  standard compliant in our source code and we also try to display the information like
[05:11.760 --> 05:20.200]  whatever reused linter provides. So you can check if any project supports reused standard
[05:20.200 --> 05:26.840]  they do it like that. So Phosology can, you can very easily know how much scan you have
[05:26.840 --> 05:34.120]  to do. So we are coming to the recent updates with SBDX within Phosology. So since it's
[05:34.120 --> 05:42.960]  a pretty old project and we had some difficulty to comply to the SBDX standards. So we decided
[05:42.960 --> 05:48.200]  to take on the challenge in two steps. So first step is done what we are presenting
[05:48.200 --> 05:54.520]  and the second is actually a work in progress. So what we initially started with the pain
[05:54.520 --> 06:01.160]  point was the license name which gets end up in the report. So Phosology initially use
[06:01.160 --> 06:06.880]  short names so which are supposed to be unique and they are actually used for identification
[06:06.880 --> 06:13.200]  with internally in Phosology. So here we added a new field called SBDX ID so where you can
[06:13.200 --> 06:17.600]  have different variants of the same license. So for example in a license there is a copyright
[06:17.600 --> 06:24.320]  by X but for a different one the same license with a copyright Y. So the license text changes
[06:24.320 --> 06:30.280]  but you can still use the same SBDX ID for both of them and that will be end up in the
[06:30.280 --> 06:37.320]  report whatever you generate. In case the SBDX ID is missing or is not in the SBDX license
[06:37.320 --> 06:42.560]  list so we also perform a check on that. So it will be converted as a license ref and we
[06:42.560 --> 06:50.120]  have introduced this license ref Phosology prefix for that. In the upcoming updates we
[06:50.120 --> 06:57.360]  will further enhance this and provide users way to write actual SBDX license expressions
[06:57.360 --> 07:10.200]  including the and or and with exceptions. So with the reports with various dog fest with
[07:10.200 --> 07:18.360]  SBDX we came to understand that many of our reports were flawed. So we try to fix them
[07:18.360 --> 07:26.560]  as well as at the same time update it to the latest spec 2.3. So what was wrong so the
[07:26.560 --> 07:31.200]  extracted licensing info was missing. So as I said you can have your own custom license
[07:31.200 --> 07:38.280]  text in Phosology so if any of the file has a finding of that license text or a conclusion
[07:38.280 --> 07:43.840]  on it. So the license text itself was missing from the report so we have fixed that and
[07:43.840 --> 07:49.880]  also the packet verification code used by SBDX. The algorithm internally was a little
[07:49.880 --> 07:58.360]  wrong so yeah minor fix and then at the same time we compared the spec and the fields which
[07:58.360 --> 08:03.760]  Phosology can store. So we figured out like we can have the version information as well
[08:03.760 --> 08:10.440]  in the report the release date along with external left to like PURLs, Maven, Nougat
[08:10.440 --> 08:21.360]  and such stuff. And at the same time Phosology also allows you to manage your acknowledgments
[08:21.360 --> 08:29.520]  and obligations. So we use the attribution text field for providing acknowledgments to
[08:29.520 --> 08:36.320]  specific files and the same attribution text field for the entire package if you have any
[08:36.320 --> 08:44.320]  obligation related to a license. And also the calculation of conjunctive licenses and
[08:44.320 --> 08:52.480]  disjunctive license was wrong. So yeah Phosology has a special license called dual license.
[08:52.480 --> 08:58.640]  So yeah we have fixed how we are going to calculate that now. So not every license in
[08:58.640 --> 09:06.840]  the report is now a disjunctive license set. And yeah also at the same time added the missing
[09:06.840 --> 09:12.520]  license name and text also for the listed licenses. So yeah with that I guess pretty
[09:12.520 --> 09:21.040]  much all our SBDX reports should now be valid. So yeah thank you and please consider starting
[09:21.040 --> 09:30.320]  us on GitHub if you do use them and if you have any questions. Yes please. Okay so the
[09:30.320 --> 09:35.040]  question is which format we use for SBDX. So Phosology currently supports the RDF and
[09:35.040 --> 10:04.600]  the tag value format. Okay so yeah the question is like
[10:04.600 --> 10:11.080]  with the SBDX ID if there is a custom license text how it ends up in the report. So yeah
[10:11.080 --> 10:18.040]  with SBDX IDF format so it's a self-contained report so it will contain your SBDX ID the
[10:18.040 --> 10:23.920]  license name as well as your custom license text along with all the other various formats
[10:23.920 --> 10:29.560]  which Phosology supports. Readme OSS your unified report they will work the same. It's
[10:29.560 --> 10:33.760]  just that instead of using the license name which was coming from the short name field
[10:33.760 --> 10:38.880]  we are going to use the SBDX ID field now. Yeah but how do you include the text of the
[10:38.880 --> 10:48.600]  license in the SBDX file? Okay. Because otherwise you get only. Yeah so if you see here SBDX
[10:48.600 --> 10:54.600]  has this field called license text. Okay. So you can include information like name of
[10:54.600 --> 11:01.680]  the license, license ID, its text if you have any external ref and such stuff. Okay. So
[11:01.680 --> 11:11.200]  it's there for IDF. For tag value I'm not very sure we need to check because for custom
[11:11.200 --> 11:17.720]  text they do support it for tag value format as well. But yeah for standard they do not.
[11:17.720 --> 11:28.800]  Yeah. Okay. Thank you. Any more questions? Any support to the SBDX IDF? You are planning
[11:28.800 --> 11:42.400]  to do it. Yeah. Yeah yes you're planning. Okay. Any more colleagues? Yeah. Thank you.