In an ideal world, FOSS reviews are automated and run early and often, so that FOSS issues, whether technical, licensing or security related, can be caught and resolved expeditiously. The FOSS community currently lacks comprehensive open-source tooling for highly automated FOSS reviews of its projects; without it, FOSS project maintainers are unable to provide clearly defined metadata for their software and its dependencies. This lack of clarity in FOSS metadata makes compliance difficult and adversely affects project adoption and growth.
Projects built with package managers download their dependencies automatically. Combine that with deployment through CI/CD, and these projects now also expect quick turnarounds on FOSS reviews and compliance.
In this talk, I present a new tool called OSS Review Toolkit (ORT), which enables highly automated FOSS reviews within CI/CD. It does this by combining a new dependency analysis tool with existing FOSS dependency and scanning tools, and with the new ClearlyDefined initiative, a platform to discover, curate and share FOSS component metadata.