SBOM Management at Mercedes-Benz
By Dr. Christian Wege, Dr. David Schumm of Mercedes-Benz Group AG
Time: 11:30 Room: S4
Abstract
The FOSS Disclosure Portal of Mercedes-Benz is a custom-built solution that automates and
digitizes the disclosure of the Free & Open Source Software (FOSS) components included in
products and applications.
With the FOSS Disclosure Portal we aim at a more efficient, transparent and digital
open source software supply chain: internal and external software suppliers deliver
information on the open source they use through a technical interface (API), as a
Software Bill of Materials (SBOM) in the ISO-standardized SPDX exchange format
(ISO/IEC 5962:2021).
Based on these SBOM deliveries, the system supports the responsible project owners
with automated compliance checks and quality checks on a central inventory. This makes
checking license conformance much easier and faster, and identified issues are resolved
directly in collaboration with the software supplier.
In this talk, we discuss the role and benefits of Software Bills of Materials (SBOM) for
Free & Open Source Software from the license compliance perspective of an automotive OEM.
After an introduction to the basic concepts of SBOMs, we sketch the FOSS SBOM consumption
process and its relation to software composition analysis. The talk concludes with some
of the FOSS SBOM challenges we have identified.
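The consuming side of such a process, as an added example that is neither the portal's code nor the authors' own: a small Python consumer of an SPDX 2.x JSON document that runs the two kinds of checks the abstract mentions, a structural quality check (missing version, NOASSERTION licenses) and a license-policy check that understands SPDX license expressions (AND, OR, WITH, parentheses). The sample SBOM, the policy sets BLOCKED and REVIEW, and the check rules are constructed for illustration; the page does not describe the actual rules used at Mercedes-Benz.

```python
# Consume an SPDX 2.x JSON SBOM and run quality and license-policy checks. Added example, not the
# FOSS Disclosure Portal's code: the SBOM, the policy and the check rules are constructed.
import re
from typing import Dict, FrozenSet, List, Optional

# Constructed (hypothetical) policy; a real OEM policy depends on the product and its distribution.
BLOCKED = {"GPL-3.0-only", "GPL-3.0-or-later", "AGPL-3.0-only", "AGPL-3.0-or-later"}  # reject
REVIEW = {"GPL-2.0-only", "GPL-2.0-or-later", "LGPL-2.1-only", "LGPL-2.1-or-later"}  # human review

# Constructed SPDX 2.3 JSON document (reduced to the fields used here), shaped like a supplier delivery.
SAMPLE_SBOM = {
    "spdxVersion": "SPDX-2.3",
    "packages": [
        {"SPDXID": "SPDXRef-libfoo", "name": "libfoo", "versionInfo": "1.4.2", "licenseDeclared": "MIT"},
        {"SPDXID": "SPDXRef-libbar", "name": "libbar", "versionInfo": "0.9",
         "licenseConcluded": "NOASSERTION", "licenseDeclared": "(GPL-2.0-only OR MIT) AND Apache-2.0"},
        {"SPDXID": "SPDXRef-libbaz", "name": "libbaz", "versionInfo": "3.0.1", "licenseDeclared": "GPL-3.0-only"},
        {"SPDXID": "SPDXRef-libqux", "name": "libqux", "licenseDeclared": "NOASSERTION"},  # no version
        {"SPDXID": "SPDXRef-libgnu", "name": "libgnu", "versionInfo": "2.1", "licenseDeclared": "LGPL-2.1-only"},
    ],
}
_TOKEN = re.compile(r"\(|\)|[A-Za-z0-9.+-]+")

def license_choices(expr: str) -> List[FrozenSet[str]]:
    """Expand an SPDX license expression into disjunctive normal form: each returned set is one way
    to comply, every license in it applying. Precedence WITH > AND > OR; raises ValueError if malformed."""
    tokens = _TOKEN.findall(expr)
    def take() -> str:
        if not tokens:
            raise ValueError(f"unexpected end of expression {expr!r}")
        return tokens.pop(0)
    def parse_or() -> List[FrozenSet[str]]:
        choices = parse_and()
        while tokens and tokens[0] == "OR":
            take()
            choices = choices + parse_and()  # OR adds alternatives
        return choices
    def parse_and() -> List[FrozenSet[str]]:
        choices = parse_primary()
        while tokens and tokens[0] == "AND":
            take()
            right = parse_primary()  # AND pairs each left alternative with each right alternative
            choices = [a | b for a in choices for b in right]
        return choices
    def parse_primary() -> List[FrozenSet[str]]:
        tok = take()
        if tok == "(":
            inner = parse_or()
            if take() != ")":
                raise ValueError(f"unbalanced parentheses in {expr!r}")
            return inner
        if tok in ("AND", "OR", "WITH", ")"):
            raise ValueError(f"unexpected {tok!r} in {expr!r}")
        if tokens and tokens[0] == "WITH":  # "GPL-2.0-only WITH Classpath-exception-2.0" is one license
            take()
            tok = f"{tok} WITH {take()}"
        return [frozenset({tok})]
    result = parse_or()
    if tokens:
        raise ValueError(f"trailing tokens in {expr!r}")
    return result

def effective_license(pkg: dict) -> Optional[str]:
    """Prefer the concluded license, fall back to the declared one; None if neither is usable."""
    for key in ("licenseConcluded", "licenseDeclared"):
        value = pkg.get(key)
        if value and value not in ("NOASSERTION", "NONE"):
            return value
    return None

def quality_check(doc: dict) -> List[str]:
    """Structural checks that run before any legal evaluation; returns human-readable findings."""
    findings = []
    if not str(doc.get("spdxVersion", "")).startswith("SPDX-2."):
        findings.append("document: missing or unsupported spdxVersion")
    for pkg in doc.get("packages", []):
        if not pkg.get("versionInfo"):
            findings.append(f"{pkg['SPDXID']}: missing versionInfo")
        if effective_license(pkg) is None:
            findings.append(f"{pkg['SPDXID']}: no usable license (NOASSERTION/NONE)")
    return findings

def compliance_check(doc: dict) -> Dict[str, str]:
    """Verdict per package under the constructed policy: ok, review, blocked or unknown."""
    verdicts = {}
    for pkg in doc.get("packages", []):
        expr = effective_license(pkg)
        if not expr:
            verdicts[pkg["SPDXID"]] = "unknown"  # also reported by quality_check
            continue
        allowed = [c for c in license_choices(expr) if not c & BLOCKED]  # dual licensing: any alternative may be chosen
        if not allowed:
            verdicts[pkg["SPDXID"]] = "blocked"
        elif all(c & REVIEW for c in allowed):
            verdicts[pkg["SPDXID"]] = "review"
        else:
            verdicts[pkg["SPDXID"]] = "ok"
    return verdicts
```

Two design choices in this example deserve a note, because a compliance team has to document them rather than leave them to whoever writes the checker: the consumer prefers `licenseConcluded` over `licenseDeclared` (the supplier's review result over the upstream metadata, falling back when the former is NOASSERTION), and a dual-licensed package such as `GPL-2.0-only OR MIT` passes when any one alternative avoids the blocked set, which is only valid if the project actually elects that alternative and records the election. A malformed license expression raises rather than being silently accepted, so a delivery with broken SPDX syntax fails the intake instead of being inventoried as compliant.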
Biography
Dr. Christian Wege leads the IT team of the FOSS Center of Competence, which is the Open Source Program Office of Mercedes-Benz. Before that, he worked on FOSS strategy topics at Mercedes-Benz Group for more than ten years and was one of the initiators who proposed FOSS as an IT Joint Priority. Every day he strives to make the voice of the developer heard in the creation of the FOSS governance processes.
Dr. David Schumm is a member of the FOSS IT team and co-creates the FOSS Disclosure Portal in the Product Owner role, together with a virtual team of colleagues from Legal & Compliance, Research & Development, IT and software subsidiaries. Before this position, he worked at Mercedes' former startup incubator Lab1886, also as Product Owner of a software product. Prior to that, he worked in the central Enterprise Architecture process office of Daimler AG.