Basic Simulation Showcase Setup
The basic simulated supply chain is meant to be as simple as possible and consists of three parts:
- Part that simulates an original Software vendor (e.g. an upstream Open Source project) with a code repository.
- Part that simulates a Software integrator (e.g. a Software supplier that re-uses Open Source components in a derivative work) that ships a combined work and provides an SBOM.
- Part that simulates a manufacturer that receives several SBOMs from various suppliers and needs to manage them.
Part 1 - Software vendor
- A) The simulation uses the Dummy Repositories from the OpenChain Tooling group
- B) The dependency-tree can be shown in the Github Dependency graph
For simplicity, GitHub with its built-in tooling was used instead of insisting on a completely Open Source setup, so the result is publicly available but not Open Source => improvement potential.
Hint: You can use a local ORT-installation as alternative.
Concrete example used for:
- A) https://github.com/Open-Source-Compliance/JAVA_Maven-Dummy
- B) https://github.com/Open-Source-Compliance/JAVA_Maven-Dummy/network/dependencies
Hint: You can vary the simulation by using a different available dummy-repository.
Part 2 - Software integrator
- A) The simulation uses a "demo" branch in the Dummy Repository to simulate a modification
- B) The simulation uses an instance of the ORT-Server as ORT-based SCA tooling to analyze the repository and generate the SBOM from the Dummy Repository
Hint: You can use a local ORT-installation as alternative.
- C) The ORT-report already provides transparency about all dependencies and findings
- D) The ORT-reporter generates the SBOM in CycloneDX and SPDX for further processing
Concrete example used for:
- A) https://github.com/Open-Source-Compliance/JAVA_Maven-Dummy/tree/demo/case_001_vulnerability => adds a vulnerable dependency
- B) WIP => will use a Sandbox Org in the public OCTETT Test-Server
- C) WIP => the report will be publicly available in the public OCTETT Test-Server
Part 3 - Manufacturer
- A) the simulation uses the SBOM provided in 2 D) as input to simulate a delivery from a supplier
Hint: The delivery of Software/Binaries is deliberately ignored for simplification.
- B) The simulation uses a local OWASP Dependency-Track installation as Vulnerability Monitoring Dashboard for incoming supplier SBOMs. A project is created and the CycloneDX SBOM is uploaded. The analysis provides transparency about all dependencies and findings.
- C) Potential extensions:
- the simulation uses an instance of Eclipse sw360 for tracking all Software Components
- the simulation uses an instance of Eclipse disuko as SBOM portal
Concrete example used for:
- A) see 2 D)
- B) WIP => the SBOMs will be publicly available in a public sw360 test-server
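The manufacturer step in Part 3 B (create a project in Dependency-Track and upload the supplier's CycloneDX SBOM) can be automated against the Dependency-Track REST API. The script below is an added example, not part of the showcase repositories; the SBOM is a constructed placeholder standing in for the ORT-reporter output, and the instance URL, API key and project name are assumptions to replace with your local setup.

```python
"""Upload a supplier CycloneDX SBOM to OWASP Dependency-Track (showcase Part 3 B)."""
import base64
import json
import urllib.request

# Constructed minimal CycloneDX 1.4 SBOM standing in for the ORT-reporter output.
# The component is a placeholder, not the dependency added in case_001_vulnerability.
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "version": 1,
    "metadata": {"component": {"type": "application", "name": "JAVA_Maven-Dummy", "version": "demo"}},
    "components": [
        {"type": "library", "group": "org.example", "name": "example-lib",
         "version": "1.0.0", "purl": "pkg:maven/org.example/example-lib@1.0.0"},
    ],
}


def list_purls(sbom):
    """Package URLs of all components, so the delivery can be reviewed before upload."""
    return [c["purl"] for c in sbom.get("components", []) if "purl" in c]


def build_bom_upload(sbom, project_name, project_version):
    """Body for PUT /api/v1/bom: the BOM is sent base64-encoded and
    autoCreate lets the first delivery from a supplier create its project."""
    encoded = base64.b64encode(json.dumps(sbom).encode("utf-8")).decode("ascii")
    return {"projectName": project_name, "projectVersion": project_version,
            "autoCreate": True, "bom": encoded}


def decode_bom(body):
    """Reverse of build_bom_upload; useful to verify what will actually be sent."""
    return json.loads(base64.b64decode(body["bom"]).decode("utf-8"))


def upload_bom(base_url, api_key, body):
    """Send the upload; the key needs BOM_UPLOAD (plus PROJECT_CREATION_UPLOAD for autoCreate).
    The response carries a processing token that can be polled for analysis completion."""
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}/api/v1/bom",
        data=json.dumps(body).encode("utf-8"), method="PUT",
        headers={"Content-Type": "application/json", "X-Api-Key": api_key})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read().decode("utf-8"))


if __name__ == "__main__":
    body = build_bom_upload(SAMPLE_SBOM, "supplier-A/JAVA_Maven-Dummy", "demo")  # assumed names
    print(list_purls(SAMPLE_SBOM))
    # Against a local instance: upload_bom("http://localhost:8081", "<API_KEY>", body)
```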