In system and software engineering, the management of third party components has become a first class activity. For every version of every product it consists in identifying the list of embedded components, keeping all the information discovered about these components (name, copyright, license, web site, etc.) and managing the life cycle of products and components. As these activities involve distributed actors, the centralized data must be shared properly. Because harvesting information about a new third party component can be a significant effort, it makes sense to save this information for future projects. The information may also be needed later in case of litigation, so it is important to keep track of the discussions leading to the acceptance or rejection of components and their associated licenses. This process, while absolutely required, represents a cost and reduces the advantage of using third party components. It is consequently important to improve productivity through automation and computer assistance wherever possible. The goal of COTSAQ is to provide a solution to these needs.
The COTSAQ project provides a web based solution for managing Intellectual Property of software and systems. The project's scope includes the following:
- Providing management of Intellectual Property (IP), including the ability:
  - To manage product or component life cycle.
  - To query all information about a component or product (name, version, copyright, license, website, etc.).
  - To track discussions and the acceptance or rejection status of a component.
  - To generate various synthetic reports and documents.
- Developing a web based application.
- Developing server oriented components for use by the web based application.
- Providing installers for usual server platforms such as Linux distributions or Microsoft Windows.
- Ensuring multi-platform and database support.
- Ensuring compliance with standards such as SPDX.
- Providing extension points for customization.
Source code scanning is outside the project's scope.
The primary function of COTSAQ is to identify the list of third party components in each version of each product. In the screenshot below for example, Apache 2.2.14 has been added as a distributed part to the product named Product_4 version V2.1. For each version of each component, a comprehensive record is stored, including license, name, web site, authors, local policy, comments, ECCN, etc.
From this data, COTSAQ can help you keep track of the active components (those distributed in active products) or search which products use a given component, as shown below where the user is looking for products using any version of the component spring.
COTSAQ provides other types of reporting, such as the comparison of the list of third party components in two versions of a given product. The screenshot below shows such a report, where Product_2 has switched from jre 1.6.0_27 in version V1.0 to jre 1.7.0_55 in version V2.0, and stopped distributing Felix although it remains a dependency. Most reports can be exported to a variety of document formats including PDF, DOC and XLS. The software package also provides support to import data such as lists of third party components from XLS files.
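The two reports described above (the cross-reference "which products use any version of spring" and the comparison of the third party component lists of two versions of one product) are small set operations over the product/version/component records. The following is an added example written for this page, not COTSAQ's own code: it models those records in memory with constructed sample data based on the products named in the text (Product_2, Product_4, jre, Felix, spring, Apache), and implements the cross-reference, the version comparison, and the "active components" view. The `distributed` flag is an assumption used to express "stopped distributing Felix although it remains a dependency".

```python
"""Added example (not COTSAQ code): an in-memory model of product / component /
version records with the reports the proposal describes.  All inventory data
below is constructed for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Usage:
    """One component version used by one product version."""
    component: str       # e.g. "jre"
    version: str         # e.g. "1.6.0_27"
    distributed: bool    # True if shipped with the product, False if a dependency only
    license_name: str    # license as recorded for this component version


# product -> product version -> list of component usages (constructed sample data)
INVENTORY = {
    "Product_2": {
        "V1.0": [
            Usage("jre", "1.6.0_27", True, "Oracle BCL"),
            Usage("Felix", "4.2.1", True, "Apache-2.0"),
            Usage("spring", "3.2.4", True, "Apache-2.0"),
        ],
        "V2.0": [
            Usage("jre", "1.7.0_55", True, "Oracle BCL"),
            Usage("Felix", "4.2.1", False, "Apache-2.0"),   # still a dependency, no longer shipped
            Usage("spring", "3.2.4", True, "Apache-2.0"),
            Usage("JSON-JS", "2", True, "MIT modified"),
        ],
    },
    "Product_4": {
        "V2.1": [
            Usage("Apache", "2.2.14", True, "Apache-2.0"),
            Usage("spring", "4.0.5", True, "Apache-2.0"),
        ],
    },
}


def products_using(inventory, component):
    """Cross-reference: every (product, product version, component version)
    that uses any version of `component`, matched case-insensitively."""
    hits = []
    for product, versions in inventory.items():
        for product_version, usages in versions.items():
            for u in usages:
                if u.component.lower() == component.lower():
                    hits.append((product, product_version, u.version))
    return sorted(hits)


def compare_versions(inventory, product, old, new):
    """Comparison report between two versions of one product: components added,
    removed, whose version changed, or whose distribution status flipped."""
    before = {u.component: u for u in inventory[product][old]}
    after = {u.component: u for u in inventory[product][new]}
    report = {"added": [], "removed": [], "version_changed": [], "distribution_changed": []}
    for name in sorted(before.keys() | after.keys()):
        b, a = before.get(name), after.get(name)
        if b is None:
            report["added"].append((name, a.version))
        elif a is None:
            report["removed"].append((name, b.version))
        else:
            if b.version != a.version:
                report["version_changed"].append((name, b.version, a.version))
            if b.distributed != a.distributed:
                report["distribution_changed"].append((name, b.distributed, a.distributed))
    return report


def active_components(inventory, active_versions):
    """Components actually distributed in at least one active product version.
    `active_versions` is a set of (product, product version) pairs."""
    active = set()
    for product, product_version in active_versions:
        for u in inventory[product][product_version]:
            if u.distributed:
                active.add((u.component, u.version))
    return sorted(active)


if __name__ == "__main__":
    print("products using spring:", products_using(INVENTORY, "spring"))
    print("Product_2 V1.0 -> V2.0:", compare_versions(INVENTORY, "Product_2", "V1.0", "V2.0"))
    print("active:", active_components(INVENTORY, {("Product_2", "V2.0"), ("Product_4", "V2.1")}))
```

The comparison keys on the component name, so a component present in both versions is reported once with its version and distribution deltas, while a component present in only one side shows up as added or removed; this is the shape a license-obligation reviewer needs, since an upgrade and a dropped distribution carry different obligations.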
COTSAQ is a web application deployed on familiar frameworks: it runs on Linux or Windows with an Apache web server and a MySQL database (other databases can be used) and is written in PHP. While not Eclipse based, it aims to keep the Eclipse philosophy in terms of architecture. It provides extension points to simplify its customization using plug-ins and scripts. Typical extension points may include:
- Additional fields in all records.
- Document generators.
- Data extractors.
- Connectors to external tools.
- Notification technology.
- Others to be determined.
The server application is organized around the Model-View-Controller (MVC) paradigm and uses the PHP framework Laravel. Binaries, source code and any other artifacts like patches, documents, etc. of each component are usually stored on an autonomous repository (SMB, FTP, HTTP server) and are only referenced by COTSAQ using URLs.
Joining PolarSys will provide strong visibility to current and future member companies. As most of them need to manage the Intellectual Property of their products, COTSAQ nicely fits into the overall goal of PolarSys which is to support embedded systems development. These factors will help provide a good environment for the project, encourage engagement and will directly benefit the evolution and adoption of the project.
An initial prototype has been developed by ProMeTil for AIRBUS since 2012. This prototype constitutes the initial contribution. It includes the following capabilities:
- Product management: status, versioning, licensing, list of components used in the product.
- Component management: status, versioning, identification, URL to source/binary repository.
- Licenses management: identification.
- Users and access rights management: roles, project specific access rights.
- Document generation: bill of material, license booklet.
- Cross-references: find which versions of all products are using a given version of a component.
- Export data to spreadsheet formats.
- Provides notifications.
Hereafter is the list of third party components used in the initial contribution:

| COTS Name | COTS version | License name |
|-----------|--------------|--------------|
| JSON-JS | 2 | MIT modified (http://www.json.org/license.html) |
| Silk Icon | 1.3 | Creative Commons Attribution License 2.5 |
COTSAQ is proposed under the Eclipse Public License 1.0, which fits the constraints of the interested parties.
- Initial code contribution summer / September 2014.
- COTSAQ 0.7 released Q4 2014 (see short term improvements).
- COTSAQ 0.8 released Q2 2015.
- COTSAQ 0.9 released Q4 2015.
- COTSAQ 1.0 released Q2 2016.
Short term improvements (COTSAQ 0.7):
- Customizability and configurability: logos and graphical charter, roles, user defined fields, reports, open architecture.
- Multiplatform and database support.
- Use open databases of licenses (SPDX, OSI).
- Manage requests for new components / versions.
- Better search tool for COTS selection.
Long Term improvements:
- Share 2nd layer open database of COTS.
- Stronger connection to COTS repositories (Maven, SMB, SFTP, WebDAV).
- SSO (LDAP, SiteMinder).
- Connection with leading code scanners.
- Industrialization with Java/Apache Tomcat.
Better automation of the workflow:
- Request for new COTS (anti-virus scan, source code analysis, etc.).
- COTS periodic intelligence inspired by Debian watch/uscan capability.
- Formal license model and obligations check list.