Congratulations to the entire team at Software Heritage, who put in the long hours to get this published.
Having a cryptographically repeatable way to identify software is a significant advance in understanding what is running in your ecosystem. That intrinsic, repeatable identifier, derived from the artifact's own bytes rather than assigned by a registry, is crucial.
At Spice Labs, we’ve been heads down bringing this capability to life so that you can truly know and understand what constitutes your ecosystem of record using Omnibor.
We’ve all heard of the growing interest in Software Bill of Materials (SBOMs) and emerging regulations to maintain them. Remember: the reason for SBOMs is to have a documented understanding of what makes up the software in your organization at any given time.
But even with automation, that largely has you only looking forward. SBOMs are a “what” — and miss the critical “when.”
With Spice Labs technology, you can see what you are building today. You can see what you deployed yesterday, last week, or last year. You can trace the history using cryptographically repeatable hashes.
Using the Omnibor standard, Spice Labs tooling can generate hashes for what is running now, generate historical hashes based on software repositories, and generate hashes of tomorrow’s builds as you continue to build and leverage software to deliver business capabilities. In addition, we create similar hashes for containers, so that you have a forensically reportable way of knowing, proving, and analyzing what is running in your cloud or data center.
These hashes are arranged in a mathematical structure called an Artifact Dependency Graph (ADG).
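To make the hashing concrete, here is an added example (not Spice Labs or Software Heritage code) that computes OmniBOR-style artifact identifiers in Python and assembles them into a small ADG manifest. The gitoid construction (SHA-256 over git's `blob <length>\0` header plus content) and the manifest line format are an assumption based on the OmniBOR specification, and the sample file contents are constructed.

```python
import hashlib


def raw_sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def gitoid_blob_sha256(content: bytes) -> str:
    """Hex gitoid of `content` as a git blob, hashed with SHA-256.

    Assumption: an OmniBOR Artifact ID is the git object ID of the bytes,
    so the same file yields the same ID wherever and whenever it is hashed.
    """
    header = b"blob %d\x00" % len(content)
    return raw_sha256_hex(header + content)


def artifact_id(content: bytes) -> str:
    """Full OmniBOR Artifact ID URI for a byte string."""
    return "gitoid:blob:sha256:" + gitoid_blob_sha256(content)


def build_manifest(inputs: dict) -> bytes:
    """Serialize an OmniBOR input manifest, i.e. one node of the ADG.

    `inputs` maps each input's gitoid hex to the gitoid hex of that input's
    own manifest, or None for a leaf (a source file with no recorded inputs).
    Assumed format: a header naming the hash type, then one sorted line per
    input, with "bom <manifest-gitoid>" appended when the input has a manifest.
    """
    lines = []
    for gid in sorted(inputs):
        bom = inputs[gid]
        lines.append(f"{gid} bom {bom}" if bom else gid)
    return b"gitoid:blob:sha256\n" + "".join(l + "\n" for l in lines).encode()


def manifest_id(manifest: bytes) -> str:
    # The manifest is itself an artifact; its gitoid names the whole subgraph.
    return gitoid_blob_sha256(manifest)


if __name__ == "__main__":
    # Constructed inputs standing in for two source files and one object file.
    src_a = b"int add(int a, int b) { return a + b; }\n"
    src_b = b"int main(void) { return add(1, 2); }\n"
    obj = b"\x7fELF-constructed-object-bytes"
    obj_manifest = build_manifest({gitoid_blob_sha256(src_a): None,
                                   gitoid_blob_sha256(src_b): None})
    bin_manifest = build_manifest({gitoid_blob_sha256(obj): manifest_id(obj_manifest)})
    print(artifact_id(obj), manifest_id(bin_manifest))
```

Because every node ID is a function of its inputs' IDs, changing one source byte changes the leaf gitoid, the object manifest, and the binary manifest, which is what lets a vulnerable component be traced across builds by hash rather than by name.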
We maintain the largest known database of open-source hashes. This includes the entire history of Maven Central, Ubuntu and Debian repositories, and many more data sources. Our Spice Labs Artifact Dependencies (SaLAD) database has already exceeded 3.85 billion nodes — and keeps growing.
When you combine your organization’s Artifact Dependency Graphs, the Spice Labs SaLAD database, and additional secure metadata, you get a cryptographically secured ecosystem of record.
This gives you superpowers. You can instantly understand exactly what was running during incidents. You can immediately trace vulnerable components — for example, everywhere Log4Shell is still running. You can maintain a dynamic inventory of running software components at any point in time.
And you can do all of this without manual CMDB updates, without endless log parsing, and without guesswork. Fully automated. Fully auditable.
Spice Labs is bringing all of this to life today. Reach out for a demo — or join us as a design partner to bring this transformational knowledge to your organization.
At RSAC? Connect with me on LinkedIn, Mastodon, or Bluesky — and let’s talk!
—
JT Perry
Chief Customer Officer
https://spicelabs.io