Brussels / 3 & 4 February 2024


Open Source based Software Composition Analysis at scale

Creating and processing SBOMs at scale based on Open Source solutions: Intro to a new Eclipse Foundation Project Apoapsis (see also ) providing a server concept to run continuous Software Composition Analysis for a large number of heterogeneous repositories. The talk will show the general setup how you can continuously generate your SBOMs and reports and provide the status of the published reference implementation the "ORT-Server" interacting with the OSS Review Toolkit. Diversity and agility are high values in the Software community. Diversity and agility in Software Development processes and tools are a challenge for automation, though.

Accurate Software Composition Analysis is an important capability to keep transparency throughout the Software Lifecycle and is the base for the fulfillment of important non-functional requirements in the business context (e.g. SBOM-creation, Vulnerability Tracking, License compliance etc.)

To handle automation with both aspects - accurate Software Composition Analysis and heterogeneous and agile environments -  the Abstraction Layer for Software Composition Analysis (ALSCA) of the new Eclipse Foundation Apoapsis Project plays an important role.

The Eclipse Apoapsis-project consolidates the requirements from the tooling side on the one hand and the requirements from the institutionalized operation side in medium to large organizations on the other hand. Concerning specifications and wording it will be based on the capability map created by the Open Chain Tooling Group in the context of Open Source Management (

The Eclipse Apoapsis project provides blueprints to run central Software Composition Analysis pipelines at scale while covering a large range of project setups (e.g. from Mobile Apps using Cocoapods to Cloud Services using Java/Maven) and configurable extent of analysis (e.g. from mere SBOM-creation to full-blast Dependency Analysis including Vulnerabilities and Copyright/License reports).To achieve this, the ORT-server is based on the OSS Review Toolkit and makes use of its integration APIs for dependency analysis, license scanning, vulnerability databases, rule engine, and report generation. The Eclipse Apoapsis project itself will concentrate on the server functionality including user and role management and the necessary APIs.


Photo of Marcel Kurzmann Marcel Kurzmann