Google and JFrog Announce Grafeas: A Unified Language for Artifact Metadata

Today, Google and JFrog announce Grafeas, a first of its kind open source API that enables comprehensive auditing and governance for your software supply chain. Grafeas standardizes how you store, query and retrieve metadata attached to software artifacts. In particular, it provides rich auditing capabilities and acts as a central source of truth for organizations, especially those that must track the development of many software artifacts used and created by many different teams. Grafeas is available on GitHub and will be integrated into Google Cloud Platform (GCP) and JFrog Xray.

All Companies Develop Software

Staying relevant in today’s reality means reaching out to your audience where they’re used to getting their information and services, and that’s online. So, regardless of the industry you’re in, even if it’s not directly associated with software, your company must develop software to have a technical edge and stay competitive.

We all need information on the software artifacts we use and create, however, the type of information we need is different depending on our role in the company. For example, security experts use information regarding security vulnerabilities. Legal consultants use information regarding software licenses. Dev managers use testing coverage and code quality information. DevOps engineers use configuration, environment and auditing information.

A Multitude of Metadata

Software has become more collaborative (1), allowing developers to share code with each other as a community. In fact, much of the code used in applications today comes from open-source and third-party components. On the one hand, this helps companies accelerate their development process, but on the other hand, it introduces many risks (2) that force us to work harder to release our software with confidence. These risks include security vulnerabilities, OSS license constraints, known bugs, performance issues and more.

Today, to gain trust in the open-source components that we use, we create manual processes and use different tools across the software supply chain. This becomes even more complicated when we want to cross-reference information from these different systems to gain a broader picture of our products and services. Since every data provider “speaks” its own language, and models and identifies components and metadata pieces differently, it’s almost impossible to achieve full risk visibility.

Public + Private Metadata = Added Value

Project Grafeas defines an open, unified metadata exchange format and API that will create a uniform and consistent way to produce and consume metadata from software components. Having a standardized API for working with metadata is great because it simplifies your workflow by promoting automation. In other words, It’s easier to automate processes that add and extract metadata from components created with different technologies if all those components present their metadata in a standard format, and you can extract that metadata using a standard API. But that’s only the beginning. When you start adding your own private metadata using the same standards, you open up new opportunities for automated auditing and governance of software components you are using, whether they are open source components or proprietary components created in-house. Here are a couple of use cases that demonstrate what you could do with public and private metadata using a standardized format and API.

DevOps Engineer
Let’s say that you’re a DevOps engineer and your company policy requires that high severity security vulnerabilities can only be deployed to production with specific approval from your security team. This decision requires public metadata (publicly known security vulnerabilities) together with private metadata (the security team’s approval) in the scope of a specific service/application. If you had one consolidated system that you could easily query to get this data, this decision could be automated making everything much easier.

Dev Team Lead
You’re a dev team lead, and you want to verify that the quality of code that’s developed and maintained by your team meets specific standards. You might even want to enforce a policy that the public version of your service/product can only be released if these standards are met. This decision requires public metadata, such as checking your components for any known issues, popularity, and how well they are maintained. Private metadata including internal issues (bugs/performance issues/quality issues/etc.), test coverage information, code review comments and tech debts, is also required. This data is spread across several systems, but the only way you can get the complete picture is by combining it all together.

How JFrog Xray Upgrades Your Metadata Experience

As Grafeas evolves to support this kind of metadata, Xray’s support for Grafeas will make these use cases a daily reality. Xray allows you to combine the publicly available metadata and your private metadata together to get a complete picture. Since Xray is connected to your JFrog Artifactory repositories, it recursively indexes your binaries, builds component graphs from them, automatically providing you with public metadata related to them, and allowing you to incorporate metadata from other systems or add your custom metadata.

As more and more companies embrace Grafeas, supporting and complying with its API, it will become ever-easier for Xray to create new partnerships and integrate technologies, further enriching the metadata about the binaries you use in your software.

Here are just some of the exciting things the Xray-Grafeas integration enables:

• On-premises access to all the metadata in Grafeas
• Contributing metadata about your open source components to Grafeas
• A whole new world of metadata that can be used to define policies for Watches to trigger alerts in JFrog Xray
• Setting runtime Kubernetes governance policies when deploying containers through Kritis based on both public metadata built into open source components, and private metadata provided through Xray
• Quick and easy integration of any new data source that complies with the Grafeas API

JFrog Xray Will Grow With Grafeas

Software development has become an increasingly collaborative process. Developers need to share their code and use third-party components, and one of the key enablers to collaboration is the metadata attached to software binaries. However, the combination of many metadata types issued by multiple providers along the software supply chain, compounded by an abundance of consumers, creates unmanageable complexity in the collaborative process. The Grafeas API will revolutionize how we work with binary components. It will enable thorough auditing and governance capabilities by creating structure and order in the metadata jungle of binary software components. By fully supporting the Grafeas API, Xray acts as a portal to Grafeas providing your software supply chain with an unprecedented abundance of metadata that can be easily be put to use in automated auditing and governance processes. In November 2017, JFrog will release a new version of Xray that fully supports the Grafeas API in its current state, and as Grafeas grows and evolves, so too will Xray’s support for Grafeas.

Here is how you can learn more about and contribute to Grafeas:

• Read more about Grafeas in this sister post published by Google
• Register for the JFrog-Google webinar
• Try Grafeas now by joining the Grafeas GitHub project 
• See grafeas.io for documentation and examples