Session

SBOM Quality and Accuracy: we need more than a simple “SBOM button” for compliance

India, the US, the EU, and other governments have introduced cybersecurity regulations for anyone distributing software. Every software maintainer, contributor, and developer needs to be aware of their software dependencies and the associated risk, and to know how to manage these software components efficiently. This is most often done, and is now mandated by regulation, with SBOMs.

Open source compliance, both licensing and security, looks simple: generate SBOMs and tick the boxes in the compliance process. But correct compliance requires accuracy and quality, and that can be challenging because of false positives, undeclared reuse of files and snippets, vulnerability reachability, binary scanning, new manifest and exchange formats, vulnerability disclosures, and other issues. All developers need to know how to resolve these challenges in their compliance pipelines.

In this talk, Ayan will discuss best practices and share open source tools.

Ayan Sinha Mahapatra

FOSS Maintainer at AboutCode
