Basic Simulation Showcase Setup
The basic simulated supply chain is meant to be as simple as possible and consists of three parts:
- A part that simulates an original Software vendor (e.g. an upstream Open Source project) with a code repository.
- A part that simulates a Software integrator (e.g. a Software supplier that re-uses Open Source components in a derivative work) that ships the combined work and provides an SBOM.
- A part that simulates a manufacturer that receives several SBOMs from various suppliers and needs to manage them.
Part 1 - Software vendor
- A) The simulation uses the Dummy Repositories from the OpenChain Tooling group
- B) The dependency-tree can be shown in the Github Dependency graph
Hint: You can use a local ORT-installation as an alternative to create the dependency graph.
For simplicity, GitHub with its onboard tooling was used instead of insisting on a completely open source setup, so the graph is publicly available but the tooling is not Open Source => improvement potential
Concrete example used for:
- A) https://github.com/Open-Source-Compliance/JAVA_Maven-Dummy
- B) https://github.com/Open-Source-Compliance/JAVA_Maven-Dummy/network/dependencies
Hint: You can vary the simulation by using a different available dummy-repository.
Part 2 - Software integrator
- A) The simulation uses a "demo" branch in the Dummy Repository to simulate a modification
- B) The simulation uses the instance of the ORT-Server from the OCCTET Project as ORT-based SCA tooling to analyze the Dummy Repository and generate the SBOM
Hint: You can use a local ORT-installation as an alternative.
- C) The ORT-report already provides transparency about all dependencies and findings
- D) The ORT-reporter generates the SBOM in CycloneDX and SPDX for further processing
Concrete example used for:
- A) https://github.com/Open-Source-Compliance/JAVA_Maven-Dummy/tree/demo/case_001_vulnerability => adds a vulnerable dependency
- B) https://ort-server.occtet.eu/organizations/4 simulating a dummy organization
- C) https://ort-server.occtet.eu/organizations/4/products/2/repositories/3/runs/7/reports showing the report-section
- D) https://ort-server.occtet.eu/organizations/4/products/2/repositories/3/runs/7/sbom showing the sbom-section
Part 3 - Manufacturer
- A) The simulation uses the SBOM provided in 2 D) as input to simulate a delivery from a supplier
Hint: The delivery of the Software/Binaries themselves is deliberately ignored for simplification.
- B) The simulation uses an instance of Eclipse sw360 for tracking all Software Components; the SBOM is imported there
- C) Potential extensions:
- The simulation uses an instance of Eclipse disuko as SBOM portal
Hint: You can vary the simulation by using a local OWASP Dependency-Track installation as Vulnerability Monitoring Dashboard for incoming supplier SBOMs: a project is created and the CycloneDX SBOM is uploaded, and the analysis provides transparency about all dependencies and findings.
Concrete example used for:
- A) see 2 D)
- B) https://sw360.heliocastro.info/projects/detail/4ea0e02ac73e22fd991d15154d006e0b
- C) WIP
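The following is an added example, not code from the simulation or from any of the projects linked above. It shows the manufacturer side of Part 3: taking a CycloneDX SBOM of the kind the ORT-reporter produces in 2 D), checking it before import, listing the components and their declared licenses (flagging those that declare none), and building the JSON body that Dependency-Track's PUT /api/v1/bom endpoint expects for the "upload the SBOM to a project" step in the Part 3 hint. The SBOM content is constructed for the example (two made-up Maven coordinates), and the Dependency-Track base URL and API key are placeholders for your own installation.

```python
"""Consume a supplier CycloneDX SBOM as the manufacturer in Part 3 would:
validate it, inspect its components, and prepare it for Dependency-Track."""
import base64
import json
import urllib.request
from typing import Any, Dict, List

# Constructed sample SBOM (not the output of the ORT-Server run linked above):
# a minimal CycloneDX 1.4 document with two made-up Maven dependencies,
# one of which declares no license.
SAMPLE_CYCLONEDX_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "version": 1,
    "metadata": {"component": {"type": "application",
                               "name": "JAVA_Maven-Dummy", "version": "demo"}},
    "components": [
        {"type": "library", "group": "com.example", "name": "lib-a",
         "version": "1.2.3", "purl": "pkg:maven/com.example/lib-a@1.2.3",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"type": "library", "group": "com.example", "name": "lib-b",
         "version": "0.9.0", "purl": "pkg:maven/com.example/lib-b@0.9.0"},
    ],
})


def parse_sbom(text: str) -> Dict[str, Any]:
    """Parse an SBOM and reject anything that is not a CycloneDX document;
    a supplier delivery is checked before it is imported anywhere."""
    sbom = json.loads(text)
    if sbom.get("bomFormat") != "CycloneDX" or "specVersion" not in sbom:
        raise ValueError("not a CycloneDX SBOM")
    if not isinstance(sbom.get("components", []), list):
        raise ValueError("components must be a list")
    return sbom


def list_components(sbom: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Flatten each component to the fields the manufacturer tracks:
    package URL, coordinates and declared license ids."""
    rows = []
    for comp in sbom.get("components", []):
        licenses = []
        for entry in comp.get("licenses", []):
            lic = entry.get("license", {})
            licenses.append(lic.get("id") or lic.get("name") or "unknown")
        rows.append({"purl": comp.get("purl", ""), "name": comp.get("name", ""),
                     "version": comp.get("version", ""), "licenses": licenses})
    return rows


def components_missing_license(sbom: Dict[str, Any]) -> List[str]:
    """PURLs of components without a declared license: the first finding a
    compliance review of an incoming SBOM has to chase down."""
    return [r["purl"] for r in list_components(sbom) if not r["licenses"]]


def build_dependency_track_upload(sbom_text: str, project_name: str,
                                  project_version: str) -> Dict[str, Any]:
    """Body for Dependency-Track's PUT /api/v1/bom: the BOM is sent base64
    encoded, and autoCreate lets the server create the project on first upload."""
    parse_sbom(sbom_text)  # validate before handing it to another system
    return {
        "projectName": project_name,
        "projectVersion": project_version,
        "autoCreate": True,
        "bom": base64.b64encode(sbom_text.encode("utf-8")).decode("ascii"),
    }


def decode_uploaded_bom(payload: Dict[str, Any]) -> str:
    """Inverse of the encoding above, used to check the payload round-trips."""
    return base64.b64decode(payload["bom"]).decode("utf-8")


def upload_sbom(base_url: str, api_key: str, payload: Dict[str, Any]) -> int:
    """Send the payload to a Dependency-Track instance; base_url and api_key are
    placeholders for your deployment. The key goes in the X-Api-Key header."""
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}/api/v1/bom",
        data=json.dumps(payload).encode("utf-8"), method="PUT",
        headers={"Content-Type": "application/json", "X-Api-Key": api_key})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status


if __name__ == "__main__":
    sbom = parse_sbom(SAMPLE_CYCLONEDX_SBOM)
    for row in list_components(sbom):
        print(row["purl"], row["licenses"] or "NO LICENSE DECLARED")
    payload = build_dependency_track_upload(SAMPLE_CYCLONEDX_SBOM,
                                            "JAVA_Maven-Dummy", "demo")
    print("upload body keys:", sorted(payload))
    # upload_sbom("https://dependency-track.example", "<API-KEY>", payload)
```

Run it as-is to see the component listing and the shape of the upload body; the actual upload is left commented out and only makes sense against your own Dependency-Track instance with an API key that has BOM_UPLOAD permission. Validating the SBOM locally before the upload keeps malformed or non-CycloneDX deliveries from ever reaching the tracking system.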