Google Summer of Code 2026 application

[GMishx]

Hello all!

SW360 as an org is planning to apply for Google Summer of Code this year. In preparation to do so, we are creating this discussion to gather ideas for the GSoC-2026 projects.

Since 2022, there are some changes made by Google in the program. You can read more about it on their website. But as a summary,

• Three sized projects are acceptable by program:
  • Small sized projects (~90 hour)
  • Medium sized projects (~175 hours)
  • Large projects (~350 hours)
• The program is open to 18 years and older people.
  • No longer limited to college students only.
• Flexible time lines between 12 and 22 weeks.

Also, starting this year, 2026, Google has strong advice about the usage of Generative AI in the GSoC program. Please check them at:

• For Mentoring Orgs: Usage of AI tooling in Google Summer of Code 2026 (for Mentoring Orgs)
• For Contributors: Guidance for GSoC Contributors using AI tooling in GSoC 2026 doc

Based on the suggestions from Google, SW360 has following guidelines for GSoC contributors:

• Usage of AI in proposal writing: The proposal writing is a core part of the GSoC program and it should never be offloaded to the AI completely. This is the place where you would most probably meet the organization for the first time and show your creativity, so use this space wisely.
  • Generative AI usage is allowed, but to do tasks like formatting, rearranging, etc.
  • Usage of Generative AI is strictly prohibited for creating the proposal idea itself (includes the end goal, the approach) and proposal will be penalized if such usage found.
• Usage of AI in coding: We have seen in previous contributions that people do not install SW360 at all while they are working on their contributions. If you cannot see the tool, if you cannot test your changes, how can you validate the changes you have done are correct. It then becomes the responsibility of the maintainer to do a thorough testing, always, which takes more time than for the person contributing the changes. AI also does not know everything. Even if you are using coding agents to help you, but you cannot provide them the right input, their output will only be garbage.
  • For you first few PR, we require you to provide evidence of SW360 installation by providing information like API version, SW360 version, screenshot/example output from the changes.
  • Taking help from AI is fine, but completely relying on it is not good for the project and for you.
  • Take suggestions from the AI, but always understand changes before pushing them. If you cannot understand the code generated, do not push it.
  • If you are pushing the code, you are responsible for it, it does not matter a human wrote it or an AI. Thus, take your contributions seriously. We like to work with humans more than machines.
  • If the code changes are not clear and without any human explanation, the maintainers hold the rights to close the PR without further explanation.
• Acceptance criteria: Last year SW360 did not had any acceptance criteria to make it easy for everyone to apply. However, this lead to number of proposals which became impossible to manage. Thus, starting this year, we want to add following to the list of criteria for your proposal to be considered:
  • There should be at least one contribution with significant enough changes (simple typo fix for example do not qualify).
  • If you could not have created a PR, you should at least had communicated with one of the Org member and they should vouch for you.

Please feel free to drop any questions here (or start a new discussion) you have regarding the program, you want to submit a proposal idea, you want to be mentor in the program, etc.

While submitting a project idea, please tag it to be "Medium" or "Large" sized and who you'll prefer working on it "student" or "professional".
Some resources from Google:

• https://google.github.io/gsocguides/mentor/defining-a-project-ideas-list
• https://google.github.io/gsocguides/mentor/making-your-ideas-page
• https://google.github.io/gsocguides/student/
• https://opensource.googleblog.com/2024/10/celebrating-20-years-google-summer-of-code-nurturing-next-generation-contributors.html

You can also check the detailed documentation of previous students from FOSSology GSoC-2024.

Here is the list of the people who would be volunteering as mentors & org-admins for GSoC-2026.

• @EttingerK (OrgAdmin)
• @GMishx (OrgAdmin)

Want to mentor this GSoC-2025 ? Please contact OrgAdmins.

[GMishx]

Idea!

Title: Sample project idea 1

Goal: Example Automate the process of model training using pipelining.

Detailed explanation about the project idea. What is expected, if there is already any workflow, etc to be added here.

Bellow are rating out of 3.

Category	Rating
Low Hanging Fruit	**
Risk/Exploratory	*
Fun/Peripheral	**
Core Development	*
Project Infrastructure	**
Project size	Large
Preferred contributor	Student/professional
Skills needed	Python, ML And Data

Contact: @GMishx

[GMishx]

Idea!

Title: Creating Components as a separate service in SW360

Goal: Idea is to create a Components as a service that can then be used by multiple Org to reuse common component repository

Decompose SW360 backend and extract out the Component and related modules like Releases, Packages. This new service should be capable of running with its own DB and as a standalone service.

Category	Rating
Low Hanging Fruit	*
Risk/Exploratory	**
Fun/Peripheral	**
Core Development	*
Project Infrastructure	***
Project size	Large
Preferred contributor	Student/professional
Skills needed	Java, Spring, Microservices

Contact : @GMishx @bibhuti230185 @amritkv @rudra-superrr

[prynswho]

i am interested in this , im a working professinal and experinced in spring java and microservices though i work in fintech primarily but i feel like i can provide some great inputs

[ajinkyapatil008]

I am interested in working on this idea, I have knowledge and and a little experience in microservice architecture with spring as I am a working professional since July 2025 (I am May 2025 college passout).

[harsitagarwalla187]

hi @GMishx, Is there any update regarding this project.

[ManojK2030]

i have strong hands on experience in Microservices, SpringBoot, I'm Interested to contribute on this Idea.

[allanahmalate]

I have some experience with Spring Boot and microservices from a college course. I'm interested in contributing on this idea!

[GMishx]

Idea!

Title: SBOM Validator

Goal: Design and implement an SBOM Validator that ensures uploaded SBOMs meet organizational and regulatory requirements by validating completeness, consistency, and structure

The SBOM Validator processes SBOMs generated by different tools and provided in various standard formats (such as SPDX and CycloneDX). It validates that all mandated fields are present and correctly populated according to defined policies and compliance requirements.

The validator may optionally convert incoming SBOMs into a standardized internal representation. When enabled, this internal format is used to simplify validation logic, ensure consistent behaviour across SBOM sources, and reduce format-specific handling. When not enabled, validation can be performed directly against the original SBOM structure.

During processing, the validator consolidates duplicate or overlapping packages and components, resolving inconsistencies such as multiple representations of the same dependency. Additionally, the validator supports SBOM enrichment by augmenting existing data with derived or externally sourced information, such as normalized package identifiers or additional metadata.

Before final import, users are provided with a clear graphical and navigable visualization of the parsed and consolidated SBOM data instead of boaring flat list view, allowing them to review structure, metadata, and detected issues.

In a summary:

• Validate SBOMs from multiple formats (e.g., SPDX, CycloneDX) and generators for completeness and correctness
• Ensure all mandated and policy-required fields are present and properly populated
• Optionally normalize uploaded SBOMs into a standardized internal format to simplify validation and ensure consistent processing
• Provide a graphical visualization of SBOM data prior to import for user review

Category	Rating
Low Hanging Fruit	-
Risk/Exploratory	*
Fun/Peripheral	***
Core Development	*
Project Infrastructure	**
Project size	Large
Preferred contributor	Student/professional
Skills needed	Java, Spring

Contact : @amritkv

[amritkv]

Hey @manhuu14 !
For your queries :

2. We need to decide between React Flow and D3.js. Both of these has their own benefits which can be beneficial for us.
3. This is an additional feature and not a necessary one.

[manhuu14]

Hi @amritkv, Thank You for the clarification.

[MrButtCode]

Hi @amritkv @GMishx
I’ve been into Issue #2298 (CycloneDX importer silently dropping the group field, causing name collisions like @sentry/browser merging into browser).

I traced the logic to createComponent() in CycloneDxBOMImporter.java and confirmed the omission. To figure out the cleanest architectural fix, I checked components.thrift to see if SW360 had a dedicated namespace or packageGroup field we could map this to. Since the current schema only uses group fields for user/owner permissions, it seems the most viable approach for now is string concatenation (group/name).

I have a patch running locally that prepends the group. I also added a guard clause to handle edge cases where certain SBOM generators (like some versions of cdxgen) might already embed the scope in the name field, preventing double-prefixing. The importer unit tests are passing locally.

Before I open a Draft PR for this, does the team have a standard protocol for documenting migration concerns when we change how component names are ingested?

[vasvigarg]

Hi @GMishx, @amritkv,

Following up on our earlier alignment regarding the dependency hierarchy as a precursor to the SBOM Validator, I’ve successfully implemented the recursive mapping logic for CycloneDX.

I’ve just raised a PR #3816 for Issue #3815

The implementation transitions from the previous flattened import to a recursive construction of the releaseRelationNetwork. I have verified the logic with 6 comprehensive unit tests in CycloneDxBOMImporterDependenciesTest.java (covering multi-level nesting and edge cases), all of which are passing.

Now that this structural foundation is in place, I’m moving ahead with drafting my formal proposal for the SBOM Validator project. I look forward to your review and any feedback on the PR!

[vasvigarg]

Hi @GMishx @Kaushl2208,

I've been following both the SW360 and FOSSology GSoC 2026 idea threads closely and noticed that the SBOM Validator (SW360) and the Improve CycloneDX Support (FOSSology) ideas are closely aligned, one focuses on validating and importing SBOMs including CycloneDX and the other on improving CycloneDX export quality. Since both orgs share maintainers and are part of the same compliance ecosystem, I wanted to ask: is it advisable to write proposals for both orgs?

[GMishx]

Idea!

Title: CLIXML visualizer for release attachments

Goal: The idea here is to provide a clearance report visualizer for the CLIXML coming from FOSSology

Currently, SW360 users must download separate CLIXML files or log into FOSSology to understand the clearance status of a release. This feature would allow SW360 to parse the CLIXML report directly within the browser. The key features to this idea can be pointed out as follows:

• CLIXML Parser and UI Renderer in SW360
• If FOSSology can provide item ID in the report, provide a hyperlink to file directly. Next to every file listed in the SW360 preview, provide a "View in FOSSology" icon.
• Compare the CLIXML of the current release with the previous version. Highlight New Licenses or Changed Copyrights in red/green within the UI. This helps the user focus only on what has changed in the latest code drop.

Category	Rating
Low Hanging Fruit	*
Risk/Exploratory	*
Fun/Peripheral	***
Core Development	**
Project Infrastructure	**
Project size	Medium
Preferred contributor	Student/professional
Skills needed	Java, XML, NextJS

Contact : @amritkv @rudra-superrr @deo002

[Rohan-Saxena644]

Hello @amritkv @rudra-superrr @deo002
I am a 2nd year student wanting to contribute to open source for the first time. I know Next.js on an intermediate level and I have learned Java, though I am a bit on the beginner side in Spring. I have set up SW360 locally via Docker and got it running. I am very interested in the CLIXML Visualizer idea and would like to contribute to this project. I have understood that the work involves parsing the CLIXML files, converting them into structured JSON, exposing the data through a REST API, and then building the visualization and diff view in Next.js. I took a look at the fossology module in the backend folder — am I starting at the right place? Also is there a sample CLIXML file I can use for local testing?

[Rohan-Saxena644]

Update: I have begun contributing to the codebase as well. I have submitted PR 1542 to the frontend repository while I continue to research the backend Fossology module. Would love your guidance on the right entry point for the CLIXML parser before I dig deeper.
eclipse-sw360/sw360-frontend#1542

[agastya-kataria]

Hi @amritkv @rudra-superrr @deo002,

I’m focusing my proposal on this CLIXML Visualizer idea.

I pulled the current main checkout and traced the existing attachment / license-info path before finalizing the proposal shape. So far I’ve verified the flow through:

org.eclipse.sw360.attachments.AttachmentHandler
org.eclipse.sw360.licenseinfo.LicenseInfoHandler
org.eclipse.sw360.licenseinfo.parsers.CLIParser
org.eclipse.sw360.fossology.FossologyHandler#attachReportToRelease
ReleaseController / the existing REST license-info retrieval path

I also found CLIXML_core-js.xml used as a COMPONENT_LICENSE_INFO_XML attachment in ProjectSpecTest, which makes me think the existing license-info attachment pipeline is already the right area to build on.

My current MVP is:

• parse a CLIXML attachment into structured backend output,
• reuse the existing license-info attachment flow where possible,
• then wire the viewer into the correct UI repo/path after confirming where that frontend currently lives, since this checkout does not contain a TSX / Next.js frontend.

One alignment question: would you prefer CLIXML support to extend the existing CLIParser / CombinedCLIParser path if possible, or should it live in a separate parser/module from the start? Also, is the intended viewer UI in a separate repository?

I’m keeping the proposal backend-first until that UI placement is confirmed.

[agastya-kataria]

Quick update: I compared the current CLI parser path against the CLIXML signal available in the repository and opened #3983 to clarify the compatibility boundary. At the moment this looks like a real parser-contract question rather than something I can honestly treat as a pure viewer/UI task, so I’m scoping the proposal backend-first around that clarification.

[Rohan-Saxena644]

Hi @amritkv @rudra-superrr @deo002, I have submitted my proposal for the CLIXML Visualizer for Release Attachments project. I have also contributed four pull requests to both repositories during the application period — #1542, #1549, #1554 (sw360-frontend) and #3999 (sw360 backend). Looking forward to your feedback!

[GMishx]

Idea!

Title: Integration of SW360 and LicenseDB

Goal: To establish LicenseDB as the sole source for all license and obligation data within SW360, streamlining data management and ensuring consistency.

Currently, SW360 relies on a fragmented approach for managing license and obligation information. Licenses can be imported from external sources like OSADL or SPDX, or created manually. Obligations, which define the requirements associated with each license, can only be created manually within SW360. This decentralized system can lead to inconsistencies, manual overhead, and difficulty in maintaining a single, accurate view of license compliance.

This project aims to change how SW360 manages this data by integrating it directly with LicenseDB. The successful completion of this project will involve:

1. Disabling Redundant Data Entry Methods: All existing functionalities within SW360 that allow for manual license creation or direct import from OSADL/SPDX will be disabled if LicenseDB integration is configured.
2. Integration: Develop a robust integration layer to enable SW360 to fetch license and obligation data directly from LicenseDB. This will likely involve:
3. OAuth Integration: Implementing Machine-to-Machine OAuth flow between SW360 and LicenseDB.
4. Data Translation/Mapping: Creating mechanisms to translate and map data structures from LicenseDB's format to SW360's internal data model for licenses and obligations.
5. Data Persistence: Ensuring that the fetched data is correctly saved and updated within SW360's database for ongoing use and reference.
6. Adapting Existing Workflows: Review and modify existing SW360 CLIXML report based workflows. These workflows currently uses licenses and obligations from the attachments. They must be updated to leverage the new LicenseDB integration, ensuring they now fetch and sync data from LicenseDB rather than using it from the attachments alone.

Checkout LicenseDB at: https://github.com/fossology/LicenseDb

Category	Rating
Low Hanging Fruit	*
Risk/Exploratory	*
Fun/Peripheral	**
Core Development	***
Project Infrastructure	**
Project size	Medium
Preferred contributor	Student/professional
Skills needed	Java, Spring, REST API

Contact : @GMishx @deo002

[Bharatpathania7]

Hi everyone,

I’m Bharat, a Java/Spring backend developer interested in contributing to SW360 for GSoC 2026.

I’ve started reading the documentation and exploring the repository structure, and I’ve forked and cloned the project locally.

I’d like to start contributing and would appreciate guidance on beginner-friendly issues.

Looking forward to working with you all.

[ADITYA-CODE-SOURCE]

Hello sir @GMishx (https://github.com/GMishx) @deo002 (https://github.com/deo002),
I'm interested in working on the Integration of SW360 and LicenseDB project.
I have been actively working on this implementation and have already submitted several PRs:

• feat(license): add LicenseDB connection configuration properties #3738 - Main LicenseDB integration (open)
• feat(client): add LicenseDB sync methods to SW360LicenseClient #3768 - REST client methods for LicenseDB (open)
• feat(importer): Add LicenseDB as source option in LicsImporter #3770 - LicsImporter LicenseDB support (open)
• feat(cli): Add CLI commands for LicenseDB sync operations #3772 - CLI framework for sync (open)

I've created related issues: #3685, #3766, #3767, #3769, #3771
The implementation includes:

• LicenseDB configuration properties
• REST client with OAuth2 client_credentials
• License import endpoints
• CLI sync commands
• LicsImporter integration

Technical Questions:

1. OAuth2 M2M Implementation: Should we use Client Credentials flow with LicenseDB's JWT auth? Is it acceptable to use environment variables with mock testing for GSoC scope?
2. Offline Mode: What's expected when LicenseDB is unavailable - fail completely or operate from local cache?
3. Architecture: Should new code use Spring Boot components or existing Thrift approach?
4. Data Migration: Should we do strict replacement of old imports or gradual/hybrid approach during transition?

Looking forward to your guidance to align my approach with project expectations!

Thank you!

[NIKHIL-SOON]

Hi @GMishx and @deo002,

I am Nikhil Moolya, a B.Tech CS (AI) student. I am very interested in the LicenseDB Integration project.

I recently built a full-stack finance application (Spendly) using Java and Spring Boot that handles complex data mapping and REST APIs, which I believe aligns perfectly with the requirements for this integration.

I have already successfully installed SW360 via Docker and am currently exploring the backend-licenses-core module to understand the current license ingestion flow. I'm looking forward to contributing and will be sharing a draft proposal soon!

[ManojK2030]

Hi everyone,
i'm a a Java/Spring backend developer interested in contributing to SW360 for GSoC 2026.
I’ve started reading the documentation and exploring the repository structure, and I’ve forked and cloned the project locally.
I’d like to start contributing and would appreciate guidance on beginner-friendly issues.

Looking forward to working with you all.

[prags0208-cyber]

Hi @GMishx and @deo002
My name is Pragathi, and I am a former Software Engineer at Bank of America currently pursuing my MS in Cybersecurity. I am very interested in working on the Integration of SW360 and LicenseDB project for GSoC 2026.

I have already successfully spun up the LicenseDb Go service locally using Docker Compose, injected a test user via the PostgreSQL container, and tested the authenticated API flow via Swagger. I have attached a screenshot of the /api/v1/users/profile response showing my injected admin user as proof of local setup.

After reviewing the recent architectural questions in this thread, I am structuring my proposal around a few key design decisions to ensure the integration is resilient and future-proof:

Bypassing Thrift: To align with the concurrent GSoC initiative to remove Apache Thrift, all new LicenseDB integration logic will be built using pure Spring @service beans and standard REST clients, entirely avoiding the legacy IPC layer.

On-the-fly Ingestion (Read-Through Cache): I plan to implement a synchronized read-through cache in SW360's CouchDB. When SW360 encounters an unrecognized license during an SBOM or CLIXML upload, it will trigger an on-the-fly fetch to LicenseDB, instantly mapping and caching the data. This fail-open strategy ensures continuous, automated compliance without manual data entry, while keeping the system operational even if the external API is temporarily unavailable.

Given the upcoming application deadline, I am finalizing my proposal document based on these architectural decisions. What is the preferred method for sharing my draft with you for a quick review before final submission to the GSoC portal?

Looking forward to contributing!

[GMishx]

Idea!

Title: Remove Apache Thrift and Migrate to Direct Spring Service Calls

Goal: Eliminate Apache Thrift dependency from SW360 and replace inter-service communication with direct Spring Bean injection and REST APIs

SW360 currently uses Thrift for backend service communication (ThriftClients, *Service.Iface). This adds complexity, requires .thrift IDL files, and creates tight binary coupling. Migrate to Spring-managed services with direct injection for in-process calls and REST for external integrations.

Current state vs Expected state

Currently: Client -> REST Module -> Thrift Client -> Thrift call -> Backend Module (Thrift) -> Repository -> DB
Expected: Client -> REST Module -> Service call (gRPC/etc) -> Backend Module -> Repository -> DB

Aspect	Current State	Expected State
Service Layer	Thrift IDL (.thrift files) generates interfaces	Plain Java interfaces with Spring @service
IPC Mechanism	ThriftClients + THttpClient + TCompactProtocol	Using Inter service APIs over HTTP/gRPC/etc
External API	Thrift servlets (Sw360ThriftServlet)	REST controllers (existing resource-server)
Dependencies	libthrift, Thrift compiler toolchain	Removed—pure Spring Boot
Code Generation	Required for model classes	POJOs, no generation step

Category	Rating
Low Hanging Fruit	**
Risk/Exploratory	**
Fun/Peripheral	**
Core Development	***
Project Infrastructure	***
Project size	Large
Preferred contributor	Student/professional
Skills needed	Java, Spring, Microservices

Contact : @GMishx @bibhuti230185 @amritkv @rudra-superrr

[Aman-Cool]

Hi @GMishx @bibhuti230185 @amritkv @rudra-superrr,

I'm very interested in the "Remove Apache Thrift and Migrate to Direct Spring Service Calls" project.

I've already made contributions to SW360:

• PR fix(components): correct clearing state priority in autosetReleaseCle… #3809
• PR Fix/clearing request thrift client leak #3849
• PR fix(rest): prevent silent data loss in obligation update #3614
• PR fix(projects): prevent data corruption and crashes in attachment usage inheritance #3773
• PR fix(cyclonedx): use full createRelease overload to preserve metadata #3695 (Approved)
• PR fix: report errors instead of unconditional SUCCESS in CycloneDX SBOM… #3718 (Approved)
• PR fix(rest): delete clearing request only after project deletion succeeds #3788 (Approved)
• PR fix(licenseinfo): accumulate all obligations per license in DOCX reports #3748 (Approved)
• PR fix(projects): fix NPE and Thrift client leak in attachment usage inh… #3760

I have experience with Java, Spring, Microservices, and REST APIs. I'm comfortable with large-scale refactoring and understand this is a significant architectural change.

I'd like to discuss:

1. Preferred migration strategy (big bang vs incremental)
2. Backward compatibility requirements
3. Testing approach for such a large change

Looking forward to working on this!

[Harsh-Dev9]

Hi @GMishx @bibhuti230185 @amritkv @rudra-superrr,

I'm very interested in the "Remove Apache Thrift and Migrate to Direct Spring Service Calls" project.I have experience with Java, Spring, Microservices, and REST APIs. I'm comfortable with large-scale refactoring.

[umeshgupta05]

Hi @GMishx @bibhuti230185 @amritkv @rudra-superrr,

I’m very interested in the “Remove Apache Thrift and Migrate to Direct Spring Service Calls” project.

I understand that this involves removing Thrift-based IPC, eliminating IDL/code generation overhead, and transitioning fully to Spring-managed services and REST APIs. This is a significant architectural refactor that simplifies service communication and reduces coupling within the backend.

I have strong experience with Java, Spring Boot, REST APIs, and backend system design, and I’m comfortable working with large codebases and core infrastructure changes.

I’d like to understand the current dependency footprint of Thrift across modules and any external integrations that may rely on it.

Looking forward to contributing and discussing this further.

[mast3RGG]

Hi @GMishx @bibhuti230185 @amritkv @rudra-superrr,
Hi everyone, I'm Alin. I've been looking over the "Remove Apache Thrift" project and spent some time today digging through the backend code.

Honestly , the ChangeLogController (and most of the others too) is pretty overloaded with logic that shouldn't be there. There’s a lot of manual data shifting and try-catches that make it hard to follow , I’m thinking of starting a POC where I move all that logic into a proper Spring Service layer and use @service beans instead of the Thrift handlers.

Also, we could really use a @RestControllerAdvice to handle errors globally , it would save us from all that boilerplate code that's now in almost every method. My idea is to test this out on the ChangeLog module first because from what i analyzed it s simple and if it works well , I can apply the same pattern to the rest of the services like Projects or Components. I think this would make the whole backend way more "Spring-native" and finally get rid of the Thrift overhead which is not necessary nowadays.

Would love to hear what you guys think about this or if I should focus on a different area first.

[GMishx]

Idea!

Title: Archival of Components and Projects

Goal: Creation of an archival and restore functionality to remove unnecessary Projects and Components from SW360 server

As an SW360 instance grows over years of use, the database becomes cluttered with "stale" projects and deprecated component versions that are no longer in active use. This feature introduces an Archival Workflow. The archival workflow should allow complete removal of a Project or Component or Release from the SW360 server (with entire metadata like changelogs, attachments, etc.) into a single compressed package (e.g., a ZIP or TAR containing JSON metadata), and purges them from the active database. At the same time, there should be a Workflow to restore these archived projects/components/releases individually for the purpose of audit, reuse, etc. This archival process will allow usage of cold storage backups and improve upon the performance of application by reducing index size, speeds up UI responsiveness, and saves significant disk space.

Feature points to consider:

• Comprehensive Data Bundling (The "Snapshot")
• Database Cleanup & Performance Optimization
• Seamless Re-Import & Restoration
• Archival Metadata Registry

Category	Rating
Low Hanging Fruit	*
Risk/Exploratory	***
Fun/Peripheral	**
Core Development	*
Project Infrastructure	***
Project size	Large
Preferred contributor	Student/professional
Skills needed	Java, CouchDB/No SQL

Contact : @GMishx @amritkv @rudra-superrr

[taanvi2205]

Hi @GMishx, @amritkv , @rudra-superrr i’m interested in this topic but I have a doubt-

The archival workflow should allow complete removal of a Project or Component or Release from the SW360 server

If we completely remove the archived data from SW360 server, where will we store it for restoration if needed? Do we have to we integrate with cloud storage or maybe as couchDB attachments?

[GMishx]

Hey @taanvi2205 , we have already clarified this in our dev call, but I am documenting it here as well:
The idea of archival is to bind all the related data about the entity (Release/Component/Project) such as the meta data and the attachments, should be exported in an external file/format (for example a tar of .json and all attachments). In the most preferred way, this method should allow me to extract 100s of entities at once.
This data is now preserved in this archive and not required in the DB anymore and thus should be removed from there to improve the performance. Then it is upto the server admin where they store this archive.
When the admin wants, the retrieval functionality should be able to recreate the data from this archive back in the Database. Since the functionality did not provide ways to upload to S3, for example, it should not provide way to retrieve from there as well. Admin should provide the file and the entities they want to restore (some ids, names, etc. or all) since the archive can contain 100s of entities, one might not want to restore all, but only a subset.

Hope this provides more clarification.

[taanvi2205]

@GMishx, Thanks for the clarification!

[GMishx]

Idea!

Title: Project 360 view

Goal: To empower product owners and compliance teams with a single, trusted source of compliance truth

Project 360° View delivers a holistic compliance dashboard for both parent and child projects, offering complete visibility into software usage, security risks, and license obligations.

It consolidates vulnerability data across the entire project hierarchy, clearly highlighting severity levels, affected components, and overall compliance impact.
All license and obligation information is aggregated to identify notice, disclosure, and copyleft requirements, ensuring legal and regulatory adherence.

The view also presents approved and pending releases, along with clearing request and legal approval status, giving product owners a clear picture of release readiness.
Additionally, all compliance-relevant changes since the last release—including newly introduced components, license changes, new vulnerabilities, and removed items—are tracked and visualized.

By unifying security, legal, and release data into a single interface, Project 360° View enables faster audits, reduces compliance risk, and supports confident, data-driven release decisions.

• Provide a good overview of the project to the product owners.
• Project 360° View provides a hierarchical compliance view of parent and child projects, ensuring full traceability of software usage.
  • It consolidates vulnerability data across the project hierarchy, highlighting severity, affected components, and compliance impact.
  • License information and obligation data are aggregated to identify notice, disclosure, and copyleft requirements.
  • The page presents approved and pending releases, including clearing request and legal approval status.
  • Compliance-relevant changes since the last release—new components, licenses, vulnerabilities, and removals—are clearly tracked.
  • This enables faster, audit-ready compliance verification and release approval decisions.

Category	Rating
Low Hanging Fruit	**
Risk/Exploratory	**
Fun/Peripheral	**
Core Development	*
Project Infrastructure	*
Project size	Medium
Preferred contributor	Student/professional
Skills needed	Java, Rest API, NextJS

Contact: @amritkv @rudra-superrr @deo002

[krystiankapusta]

Hi maintainers,

I am Krystian, and I’m from Poland. I recently completed my Bachelor’s degree in Computer Science, and I’m currently pursuing a Master’s degree in Computer Science with a specialization in Cybersecurity.

I’m very interested in contributing to SW360 as part of GSoC 2026, and Project 360 view is the idea that caught my attention the most. It seems like a great match for my full-stack background and my interest in building clear, maintainable systems that improve visibility into complex software environments.

My experience includes Java, Spring Boot, React, TypeScript, REST APIs, PostgreSQL, Docker, and full-stack application development. Through internships and personal projects, I’ve worked on web applications, API integration, databases, debugging, testing, and maintainability improvements.

I’m currently starting to explore SW360 more deeply, and over the next few days I plan to go through the documentation, understand the project structure better, and look for ways to contribute. I’d really appreciate any guidance on good starting points or beginner-friendly contributions related to this project.

Thanks,
Krystian

[mvchnccc-oss]

Hi, I'm Mohamed, a GSoC 2026 aspirant. I'm facing an 'unauthorized' issue with CouchDB in the Docker setup while the DB is actually accessible manually. I've sent the details to the mailing list. Any help would be appreciated!

@GMishx , @amritkv

[sujalkalauni]

Hey @mvchnccc-oss, I had the same issue. Your CouchDB is set up correctly — the databases are there. The unauthorized error is coming from the OAuth layer, not CouchDB itself.
The fix is to run addUnsafeDefaultClient.sh inside the SW360 container. This creates the OAuth client and admin user that the API needs to authenticate requests.
docker exec -it sw360 bash
bash /app/sw360/scripts/addUnsafeDefaultClient.sh
After that, use the token endpoint to get an access token before hitting the API. Hope that helps.

[ImalshaSathsarani]

Hello @amritkv @rudra-superrr @deo002

I’m a 3rd-year Software Engineering student interested in contributing to the Project 360 View for GSoC 2026.

I have experience with Next.js, TypeScript, and Java, and I enjoy working on full-stack applications.

I’m currently exploring the SW360 codebase and REST APIs to better understand how the 360 View integrates project metadata, licenses, and security information into a unified dashboard.

Looking forward to contributing and learning from the community!

[devlopharsh]

Hii there @amritkv @rudra-superrr @deo002 ,

My name is Harsh Kumar(devlopharsh) and i am an undergrad student pursuing degree in Computer Science .

It is really being a great opportunity for me to know about open source contribution more and deep through SW-360 that how things work in OSS environment, methodologies, Ideas, Solving Problem, etc . And it is really a good or even i say the best and most iconic time period of my learning .

However , i don't want to stop my journey here , therefore i have to contribute to the Project of Project 360 view . This would really be a great opportunity for me to learn and explore technologies like REST , Spring Boot , NEXTjs , etc. I have a prior experience in building scale appliocation using REST apis and other related technologies needed in the project .

For the better understanding of the codebase , i have a couple of contribution and in the REST feild of the backend project as well as in the frontend part of the SW360 software . The list is given below :

• fix(rest) : JWT validation in API token flow does not enforce exp/iat/nbf claims, and validator is rebuilt per request. Merged
• bug[CORS]: CORS filter is never registered (abstract filter only imported), so CORS headers are not applied. Merged
• [Code Unification (fix: shifting of html tables to tanstack tables) Issue open
• fix(UI) : Consistency in UI Icons of Actions Column Merged
• bug: Cypress E2E tests for release updates and project linking are missing assertions (TODOs) Issue open
• feat : Refactor oversized REST controller into smaller capability-focused controllers and services Issue Open
• Add batch release summary API to eliminate repeated GET /releases/{id} calls from frontend screens[Issue open]

these are some of the issues currently going and being solved or are in the process . I have also submitted the proposal for the same project . I hope that you will consider me for the same .

Thank you : )

[GMishx]

Idea!

Title: Customize Copy Project

Goal: Idea is to allow users to provide fields they want to carry over while using the "Copy Project" feature

Currently when a user wants to use duplicate/copy projects to create, lets say a new version, they do not have a choice of fields to be carried over. SW360 copies all and everything to the new Project and the user has to manually make sure everything is up-to-date.

This new feature will allow users to pick and choose the fields they want to carry over into the new Project and leave the rest. To implement this feature, the changes would have to be done at both front-end and back-end side.

Category	Rating
Low Hanging Fruit	***
Risk/Exploratory	*
Fun/Peripheral	*
Core Development	***
Project Infrastructure	*
Project size	Small
Preferred contributor	Student
Skills needed	Java, Spring, NextJS

Contact : @GMishx @deo002

[sujalkalauni]

Hi @GMishx @deo002, I'm Sujal, a 2nd year CS student from Noida, India. My stack is Java, Spring Boot and databases.
I know I'm joining late but I'm committed to catching up quickly and making meaningful contributions before the deadline.
I'm interested in working on the Customize Copy Project idea for GSoC 2026. Looking forward to contributing!

[prabhatxmishra]

Hello @GMishx @deo002 ,

My name is Prabhat Mishra and I am interested in applying for GSoC 2026 with SW360.

I am currently exploring the "Customize Copy Project" idea and reviewing the SW360 documentation and repositories. I am setting up the project locally using the Docker setup to understand the current implementation of the Copy Project feature.

My background is in Java and backend development, and I’m particularly interested in working on the backend logic and API changes required for this feature.

Could you please suggest:
• where the current Copy Project logic is implemented in the codebase
• any beginner-friendly issues I could start with while preparing a proposal

Looking forward to contributing.

[srivastavauddeshya98-lang]

Hello @GMishx @deo002,

I’m Uddeshya, a CS student working with Java and backend systems.

Over the past few days, I explored the SW360 codebase and traced the flow from ProjectServlet → ProjectHandler → ProjectDatabaseHandler to understand how project-related operations are handled. This helped me see how project duplication currently relies on implicit behavior, especially in areas involving package and release relationships.

I’m interested in working on the “Customize Copy Project” idea and am currently trying to understand how the existing duplication flow can be extended to support selective copying in a clean and modular way.

I would really appreciate any pointers on where I should focus next, or if there are specific parts of the codebase or smaller issues I should start contributing to.

Looking forward to contributing.

[Ishita-Gupta-110405]

Idea!

Title: Customize Copy Project

Goal: Idea is to allow users to provide fields they want to carry over while using the "Copy Project" feature

Currently when a user wants to use duplicate/copy projects to create, lets say a new version, they do not have a choice of fields to be carried over. SW360 copies all and everything to the new Project and the user has to manually make sure everything is up-to-date.

This new feature will allow users to pick and choose the fields they want to carry over into the new Project and leave the rest. To implement this feature, the changes would have to be done at both front-end and back-end side.

Category Rating
Low Hanging Fruit ***
Risk/Exploratory *
Fun/Peripheral *
Core Development ***
Project Infrastructure *
Project size Small
Preferred contributor Student
Skills needed Java, Spring, NextJS
Contact : @GMishx @deo002

Hi @GMishx @deo002 , I am Ishita, a 3rd year IT student from Karnataka, India. Really excited to apply and work on this part of the customisation of the project for GSoC 26. I have knowledge about java and springboot and would like to contribute in both backend and frontend as well. I have already started looking at the original working model and would like the guidance on where selective field should be implemented in the backend.

[dhruvjamwal]

Idea!

Title: Customize Copy Project

Goal: Idea is to allow users to provide fields they want to carry over while using the "Copy Project" feature

Currently when a user wants to use duplicate/copy projects to create, lets say a new version, they do not have a choice of fields to be carried over. SW360 copies all and everything to the new Project and the user has to manually make sure everything is up-to-date.

This new feature will allow users to pick and choose the fields they want to carry over into the new Project and leave the rest. To implement this feature, the changes would have to be done at both front-end and back-end side.

Category Rating
Low Hanging Fruit ***
Risk/Exploratory *
Fun/Peripheral *
Core Development ***
Project Infrastructure *
Project size Small
Preferred contributor Student
Skills needed Java, Spring, NextJS
Contact : @GMishx @deo002

Hello Mentors @GMishx @deo002,
I am auditing the ProjectController and Sw360ProjectService on my local environment (Java 21/Tomcat 11).
I have identified the specific block in the controller -attached screenshot where the duplication is triggered. Currently, projectService.createProject receives a monolithic sw360Project object, followed by an automatic call to copyLinkedObligationsForClonedProject.

Technical Approach:
I propose modifying this entry point to accept a ProjectFieldFilter payload from the NextJS frontend. By intercepting the sw360Project object before these service calls, we can selectively nullify attributes (like External IDs or specific Relationships) based on user checkboxes, ensuring a 'Clean Copy' that reduces manual data cleanup.
I am ready to start on a small PR to enhance the logging in this duplication flow to assist with the development of this feature!

[GMishx]

Idea!

Title: Provide alternative Component link

Goal: Provide a data structure to deprecate a Component and provide link to new Component

Depending on how Admins are using the SW360 instance, they want to manage the Component naming/grouping in a different way. There can also be scenarios where an OSS project decided to rename themselves over period. In such cases, you might want to mark a Component as deprecated and provide an alternative to be used instead.

All this information still needs to be preserved and documented in SW360 but needs to be machine readable as well. When using automation to generate SBOM and import in SW360 like with capycli, adding all such customization makes them tool specific and someone using different tool might not understand this.

The main idea of this project is to provide such fields in the Component DataStructure where user can mark a Component (and all its Releases) as deprecated. At the same time, make it easy to provide link to alternatives to be used. Such information, when provided over REST API, can be used by frontend to display information like bellow. At the same time allow tools to use this information to make smart decisions. As an add-on, SW360 can be allowed to completely disallow changes in deprecated Components and use the alternative instead to create new Releases.

Category	Rating
Low Hanging Fruit	*
Risk/Exploratory	*
Fun/Peripheral	**
Core Development	**
Project Infrastructure	*
Project size	Small
Preferred contributor	Student
Skills needed	Java, Jackson, NextJS (is a plus)

Contact: @amritkv

[hasanravda]

I am interested in working on this idea, as I have expertise in microservices architecture with spring
@amritkv

[paudel-milan]

"Hey @amritkv and @hasanravda, I've been looking into this issue and I'd love to help out.
I’m particularly interested in the automation side of this -making sure tools like "capycli" can actually find when a component is deprecated so they can pull the right data automatically. I've already started digging into the backend code to see how we can best add the successor_id and status fields to the Component model.

@hasanravda, since you mentioned your Spring/Microservices background, maybe we could team up? I'm happy to focus on the API/Data model changes or work on the UI banners if that's easier.
What’s the best way to get started?

[KLP-codebase]

Hey, @GMishx @amritkv i know it quite late, but i would too love to help out in this, as a undergrad in Computer Science and Engineering,i think this is a great opportunity for me to develop and improve and i am currently working on my java, spring boot skills

[sneha4175]

Hi @GMishx @amritkv @bibhuti230185 @rudra-superrr,

I'm Sneha Khoreja, currently pursuing a Master's in Applied Computer Science and exploring potential GSoC 2026 contributions to SW360.

I’ve been going through the repository and the project ideas listed here, particularly the “Remove Apache Thrift and Migrate to Direct Spring Service Calls” proposal.

My background is mainly in Java/Spring microservices. Over the past couple of years I’ve worked on backend systems built with Spring Boot, Hibernate, Docker, and Kafka, including projects involving service discovery and inter-service communication patterns.

While reading through the idea, a few implementation questions came up:

1)For the Thrift removal, is the expectation to migrate incrementally (module/service by module) or move toward a single larger refactor?

2)Are there specific modules in SW360 where Thrift usage is more isolated and could serve as a good starting point for the migration?

3)During the transition, should the goal be to maintain temporary compatibility with existing Thrift interfaces, or is a clean replacement acceptable for the initial scope?

At the moment I’m setting up SW360 locally and reviewing how Thrift is currently used across the backend modules so I can identify a reasonable starting point for a first contribution.

I’m also interested in the “Creating Components as a separate service” idea, since it involves service decomposition and standalone deployment.

If there are particular areas of the codebase that would be useful to explore first, I’d appreciate the direction.

GitHub: https://github.com/sneha4175

Thanks.

Sneha

[omkarhole]

Hi maintainers @GMishx @amritkv @rudra-superrr @deo002,

I’m Omkar, a Computer Science student interested in applying for GSoC 2026 with SW360.

After exploring the ideas listed here, I’m particularly interested in working on Project 360° View and Customize Copy Project, as they involve both backend APIs and frontend development.

My experience includes JavaScript, React, Next.js, Node.js, REST APIs, and database work. I’m currently exploring the SW360 repository and setting up the project locally to better understand the architecture.

I would love to start contributing and would appreciate guidance on beginner-friendly issues or areas I should explore first while preparing my proposal.

Looking forward to contributing to SW360!

[Nishanth-BK]

Greetings @GMishx @amritkv @rudra-superrr @deo002!
I am Nishanth, a Computer Science student interested in contributing to SW360 for GSoC 2026.
I have experience with Java, Spring Boot and REST APIs. I have set up the project locally and am exploring the "Customize Copy Project" idea as it relates with my experience in designing and developing Spring applications. I would love guidance on getting towards contributing!

[marie660]

Hello @GMishx, @amritkv, @rudra-superrr and @deo002!
My name is Marie-Agathe, and I am a Level 3 Computer Engineering undergraduate at Institut Saint Jean. I am very interested in the 'Customize Copy Project' for GSoC 2026.

I have a strong interest in backend development with Spring Boot, and I want to use this GSoC season to move away from building simple prototypes and learn how to contribute to a professional, large-scale codebase. This 'Small' project seems like a great place for me to start learning the SW360 architecture correctly.

My first goal is to set up the environment locally via Docker to see the tool in action. While I work on that, are there any specific Java files or 'Good First Issues' related to the 'Copy' logic that you recommend I study first?

Excited to be part of the community!

[byte-muneeb]

Hi everyone! My name is Muneeb Ahmed Siddiqui (@byte-muneeb). I am a full-stack developer (React/NextJS & Spring Boot) and I have just officially submitted my GSoC 2026 proposal for the Customize Copy Project idea!

I've read the 2026 guidelines regarding installation and contributions. I am currently setting up my local development environment using Docker to provide the required proof of installation. @GMishx @deo002, while I work on that, are there any specific 'good first issues' you recommend I look into to satisfy the contribution criteria?

[mahmoud-40]

Hi @GMishx, @bibhuti230185, @amritkv, and @rudra-superrr,

I’m Mahmoud, a software engineering student from Egypt with professional experience building Java/Spring Boot microservices. I'm currently preparing my GSoC 2026 proposal to extract the SW360 Components module into a standalone service.

To familiarize myself with the codebase, I recently submitted PR #3956 (resolving Issue #3955 in licenses-core).

As I begin outlining my proposal, I’d appreciate your guidance to ensure I'm heading in the right direction:

• Expectations: Are there any specific details, milestones, or technical focuses you expect to see in a strong proposal for this specific idea?
• Resources: Are there any specific parts of the documentation or areas of the current monolithic codebase I should study first as a reference?

I’ll share an initial draft with you very soon for early feedback. Thanks for your time and mentorship!

[sanjanadubariya2]

Subject: Draft Proposal: Eliminating Apache Thrift for Spring Native Services

"Hello SW360 Mentors @GMishx @deo002,

I am Sanjana Dubariya, a 3rd-year IT student. I’ve been exploring the SW360 backend and am very interested in the project to Remove Apache Thrift and Migrate to Direct Spring Service Calls.

I have a strong background in Java/Spring Boot and C++, and I’ve already successfully set up the SW360 development environment using Docker and WSL.

I’ve drafted a proposal focused on:

Moving from Thrift IDL to clean POJOs with Lombok.

Transitioning to Direct @Autowired injection for in-process calls.

Expanding the REST Resource Server to replace Thrift servlets.

I would love to get some initial feedback on this direction before I finalize my PDF for the GSoC portal. You can view my draft [Link to a Google Doc or GitHub Gist].

Looking forward to contributing!
Best,
Sanjana"

[Subhash79-Soni]

Hi @GMishx @deo002
I am Subhash Chandra Soni, a B.Tech CS student. I have been looking into the GSoC 2026 ideas for SW360, and I am very interested in the "Remove Apache Thrift and Migrate to Direct Spring Service Calls" project.
I have a strong background in Java and Spring Boot backend development. Replacing Thrift dependencies with pure Spring @service and @Autowired injection fits well with my skills. I am currently setting up the SW360 development environment on my machine.
To get started and show my understanding of the codebase, could you please direct me to a "Good First Issue" related to the backend or Spring controllers? I want to make a meaningful contribution before I draft my proposal.
I look forward to your guidance!

[mvchnccc-oss]

Thanks a lot, that makes sense now 🙏 I was focusing on CouchDB, didn’t realize the issue was from the OAuth layer. I’ll run the script inside the container and try getting the access token before calling the API. Really appreciate your help 🤍

…

On Thu, 26 Mar 2026 at 10:55 PM Sujal Kalauni ***@***.***> wrote: Hey @mvchnccc-oss <https://github.com/mvchnccc-oss>, I had the same issue. Your CouchDB is set up correctly — the databases are there. The unauthorized error is coming from the OAuth layer, not CouchDB itself. The fix is to run addUnsafeDefaultClient.sh inside the SW360 container. This creates the OAuth client and admin user that the API needs to authenticate requests. docker exec -it sw360 bash bash /app/sw360/scripts/addUnsafeDefaultClient.sh After that, use the token endpoint to get an access token before hitting the API. Hope that helps. — Reply to this email directly, view it on GitHub <#3631?email_source=notifications&email_token=BVMPQ2FTQJHLQTLRAQ2V4334SWKLBA5CNFSNUABIM5UWIORPF5TWS5BNNB2WEL2ENFZWG5LTONUW63SDN5WW2ZLOOQXTCNRTGMZDQNZRUZZGKYLTN5XKO3LFNZ2GS33OUVSXMZLOOSWGM33PORSXEX3DNRUWG2Y#discussioncomment-16332871>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/BVMPQ2A2MYQJHUU76G3BNUL4SWKLBAVCNFSM6AAAAACTFF3V42VHI2DSMVQWIX3LMV43URDJONRXK43TNFXW4Q3PNVWWK3TUHMYTMMZTGI4DOMI> . You are receiving this because you were mentioned.Message ID: ***@***.***>

[SushmithaB-06]

Hi @GMishx and mentors,

I have started setting up SW360 locally and explored the codebase structure.

Due to system constraints, the full Docker setup is taking time, but I am actively studying the backend modules and would like to start contributing.

I am particularly interested in the "Customize Copy Project" idea.

Could you please suggest beginner-friendly issues or areas to start contributing?

Looking forward to contributing!

Thanks,
Sushmitha

[sujalkalauni]

Hi @GMishx, just wanted to let you know I've submitted my final GSoC proposal. PR #3915 has the full backend implementation — happy to address any review comments or questions before the deadline. Thanks for the feedback so far. The link : https://docs.google.com/document/d/1cLfGo4z-SagQF2sAX3CLD2I8y4oAnxhova-f5erGUN8/edit?tab=t.0