Skip to main content

Emporous for Software Artifact Management: A Universal Data Aggregation Framework

Contributed by Andrew Block, Distinguished Architect, Global Services Office of Technology at Red Hat, Jenn Power, Senior Product Security Engineer, Product Security, Red Hat, and Alex Flom, Senior Product Security Engineer, Product Security, Red Hat

The Continuous Delivery Foundation (CDF) announced the addition of Emporous—a new sub-project to the Ortelius project. Emporous joins with the goal of revolutionizing how organizations manage their software supply chain assets.

Ortelius has been instrumental in helping organizations manage their DevOps and security intelligence. Ortelius collects and aggregates pipeline data, such as SBOMs, CVE and supply chain inventory from various sources. In doing so, Ortelius provides valuable insights into the relationships and dependencies between different software components and “logial” applications showing an organization’s overall security profile. 

Emporous is an open source toolkit that enables software artifact management based on a universal data aggregation framework. Emporous is based on the Universal Object Reference (UOR) conceptual model, which was originally developed by Red Hat open source contributors, and enables dynamic schema registration and decentralized content-addressable reference of a wide spectrum of software artifacts. UOR is designed to help organizations effortlessly store, organize, and search metadata related to software artifacts, along with the artifacts themselves. It accomplishes this by allowing artifacts to describe themselves universally without the need for additional processing or unpacking. Emporous implements this idea with a focus on security and ease of use.

“Emporous will be incorporated to enhance metadata search capabilities and provide a single repository to store any type of artifact from containers to jar files.” 

Steve Taylor, Sr. Ortelius Contributor

Emporous Integration

The integration of Emporous into Ortelius will supercharge Ortelius’s command over software assets in the following areas:

Enhanced metadata search capabilities: Leveraging authenticated metadata (attestations) managed by Emporous, Ortelius users can quickly locate and access relevant information about artifacts and the software artifacts themselves by filtering by known identities, streamlining their software development process.

Single API for various resources: Ortelius will now be able to store not only metadata but also the artifacts themselves together, providing a more comprehensive solution for software supply chain management.

Streamlined management of software dependencies and relationships: With both metadata and artifacts in one place, organizations can more efficiently manage their software ecosystems, reducing complexity and improving security.

Brings new perspective, knowledge, and expertise: Recognizing the importance of the Emporous community’s knowledge and experience, the Ortelius governance board has approved an expansion of two seats to include representatives from Emporous. This collaboration will help steer both projects forward and ensure their continued success.

The integration of Emporous into Ortelius will significantly enhance the security and compliance aspects of software supply chain management. By tracking security data associated with any attribute, organizations can better meet their compliance and security needs. Furthermore, the collaboration will enable security and operational teams to enforce supply chain policies and procedures through easy, automated mechanisms. We encourage the community to get involved, contribute, and help shape the future of software supply chain security.

Learn more: