Landscape #

Supply-chain security tooling and products have taken off in the past few years. There is a variety of tools, standards and commercial enterprise offerings. This section locates OpenVet relative to other systems readers may know, covering what each tool or product does and how OpenVet relates to it.

By relationship to OpenVet #

Auditing tools. These tools let you audit software, publish those audits in some form, and ingest audits published by others.

Provenance attestation. These tools do not help with auditing code; instead they provide attestations that answer where a specific artifact came from. They are useful for establishing the provenance of binary assets, but they make no claim about whether the artifact is free of malware, only about where it came from.

Dependency scanners. These tools help you assess the risk of dependencies based on heuristics, and surface known vulnerabilities.

Curated software package repositories. These are software repositories, often commercial, that provide a curated set of dependencies. Often they come with build provenance attestations, and sometimes with some human review of the published versions.

Take-aways #

OpenVet focusses on helping you audit software, publish those audits, ingest those audits and evaluate requirements against them. As such, it is an auditing tool, and competes directly with the other auditing tools listed.

OpenVet differs in the data model it uses, the trust model it uses, the cryptographic guarantees it provides, the distribution model, and in the ecosystems it works with.

Auditing is meaningful for source-based packages. Auditing binary packages cannot be done in any meaningful way. Where you need to use binary packages, provenance attestation can help you. Audits of packages with binary assets generally cannot express whether the binary asset is safe, but they can verify its provenance. The downside is that this requires the maintainer to use provenance attestation.

Dependency scanners looking for known vulnerabilities are reactive rather than proactive. OpenVet is intended as a replacement for them, by re-publishing known vulnerabilities in the Audit data model. Dependency scanners that evaluate risk based on heuristics can be used alongside OpenVet for dependencies that you have not audited. They don't replace actually reading the code, and usually cannot make statements about the quality and correctness of the code, but they are a stop-gap solution.

Curated software package repositories can be used alongside OpenVet. OpenVet focuses on auditing dependencies your code uses directly, not external systems it interacts with.

cargo-vet: Mozilla's tool for sharing audits of Rust crates. The closest existing analogue to OpenVet.

cargo-crev: Per-actor signed reviews distributed via user-owned git repositories, with a transitive web of trust between reviewers.

Sigstore: Keyless signing of software artefacts and attestations, with OIDC-bound identities and a public transparency log.

in-toto: Framework for cryptographically attesting to the integrity of software supply-chain steps; its Attestation Framework underlies SLSA, Sigstore attestations, and GitHub's artifact attestations.

cargo-auditable: Cargo subcommand that embeds the build's dependency list inside the compiled binary, so lockfile information can be recovered from the artefact after the fact.

SLSA (Supply-chain Levels for Software Artifacts): An industry-consensus framework of incrementally adoptable levels for build-process and source-process security, with attestations in in-toto format.

Sonatype: Commercial enterprise supplier of supply-chain security tooling: policy-driven SCA (Lifecycle), repository management (Nexus), dependency firewalling, and the OSS Index vulnerability database. Operates Maven Central.

Chainguard: Commercial supplier of rebuilt-from-source container images and language libraries with Sigstore-signed build provenance.

Bitnami: Long-running curated catalogue of pre-built open-source application stacks, container images, and Helm charts; a Broadcom offering with a paid security-hardened tier.

Project Lightwell: Red Hat's announced initiative to scan, backport, test, sign, and deliver patched versions of upstream open-source artefacts to enterprise customers on their pinned versions.

OpenSSF Package Analysis: OpenSSF project that monitors public package registries and runs each new release in a sandbox to observe its behaviour, surfacing signals about potentially malicious packages.

Socket: Commercial supply-chain security product that analyses packages across major open-source ecosystems for attack indicators, surfacing risk signals via GitHub PR comments, CLI, and API.

Trivy: Open-source security scanner from Aqua Security covering container images, filesystems, VM images, and Kubernetes, with scanners for known vulnerabilities, IaC misconfigurations, secrets, licences, and SBOM generation.

AboutCode: FOSS umbrella organisation of tools for software composition analysis, licence compliance, and vulnerability tracking, sharing PURL and SPDX primitives across a stack of scanners, databases, and a system-of-record.