CodeSupply Institute

A new, European-based not‐for‐profit platform for collaboration across the technology and data supply chains. Its key objective is to bring stakeholders of all sizes together to discuss, share knowledge, develop new insights and policy recommendations, and establish shared public-benefit infrastructure. In practical terms, it wants to help optimise and automate the resilience, security and regulatory compliance of the various links in the hardware, software and data supply chains — and to increase end‐to‐end responsiveness to, and propagation of, necessary improvements such as security fixes.

What we do

Legislation like the Cyber Resilience Act means a paradigm shift for the global software industry. Manufacturers will have to apply stringent rules within 36 months after its entry into force. Most of these suppliers currently do not have a clue what is about to hit them. Moreover, even where there is willingness to act in a timely manner, cascading dependencies mean the issue is almost never solvable locally — without collaboration with the rest of the software supply chain you won’t get far. The CodeSupply Institute is set up to be the nexus of this transition, and to provide practical tools and services to strengthen the ecosystem.

Using state-of-the-art technologies — notably functional package management and CI/CD — we can step away from ad hoc, manual processes and create a hermetic, complete overview of all software components used. A valid Software Bill of Materials can be generated automatically at any point in time, and, more importantly, near‐instant deployment of (security or service) updates becomes available at no cost.


Where possible, we should benefit from the mature collaboration that already exists through not‐for‐profit FOSS umbrellas (e.g. the Apache Foundation, Python Foundation or Rust Foundation). These not only bring together the immediate stakeholders and their developer communities; they can also take care of the compliance criteria and infrastructure for shared components. By making commodity components compliant upstream, downstream users are relieved of that responsibility and can focus on their own ‘value add’.


Solutions

Genealogos

Automatically derive SBOMs with the help of reproducible functional package management.
With the open source tool Genealogos you can generate a compliance-ready CycloneDX Software Bill of Materials (SBOM) for any package available in the largest collection of curated software on the planet — the nixpkgs repository — or in fact from any nix flake. Even better: the result is reproducible and deterministic. This means that when the software works for you, your SBOM is up to date, and you can keep it so automatically with no additional effort.

More: Genealogos
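An SBOM is only useful once something downstream consumes it. The following is an added example, not Genealogos code or any other CodeSupply Institute project code: a small Python reader for a CycloneDX JSON document of the kind a generator such as Genealogos produces. It validates the document header, walks the component tree (CycloneDX allows components to nest), indexes every component by its Package URL (purl), and reports components whose exact version appears in an advisory list. Both the SBOM document and the advisory entries are constructed for illustration; the package names, versions and the use of `pkg:generic` purls are assumptions, not output from any real tool or vulnerability database.

```python
"""Parse a CycloneDX JSON SBOM and flag components listed in a constructed advisory set.

Added example; not code from Genealogos or the CodeSupply Institute.
"""
import json
from typing import Dict, Iterator, List, Tuple

# Constructed CycloneDX 1.5 document in the general shape an SBOM generator emits.
# Package names, versions and purls are illustrative only.
SAMPLE_SBOM_JSON = r"""
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "version": 1,
  "metadata": {"component": {"type": "application", "name": "example-app", "version": "1.0.0"}},
  "components": [
    {"type": "library", "name": "openssl", "version": "3.0.12",
     "purl": "pkg:generic/openssl@3.0.12?os=linux"},
    {"type": "library", "name": "zlib", "version": "1.3.1",
     "purl": "pkg:generic/zlib@1.3.1"},
    {"type": "library", "name": "curl", "version": "8.4.0",
     "purl": "pkg:generic/curl@8.4.0",
     "components": [
       {"type": "library", "name": "nghttp2", "version": "1.57.0",
        "purl": "pkg:generic/nghttp2@1.57.0"}
     ]}
  ]
}
"""

# Constructed advisory list: (purl without version, set of affected versions).
# A real deployment would feed this from a vulnerability database instead.
SAMPLE_ADVISORIES: List[Tuple[str, set]] = [
    ("pkg:generic/openssl", {"3.0.11", "3.0.12"}),
    ("pkg:generic/nghttp2", {"1.57.0"}),
    ("pkg:generic/zlib", {"1.2.13"}),
]


def load_sbom(text: str) -> dict:
    """Parse JSON and reject anything that is not a CycloneDX 1.x document."""
    doc = json.loads(text)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    if not str(doc.get("specVersion", "")).startswith("1."):
        raise ValueError(f"unsupported specVersion {doc.get('specVersion')!r}")
    return doc


def iter_components(components: List[dict]) -> Iterator[dict]:
    """Walk the component tree depth-first; CycloneDX allows nested components."""
    for comp in components:
        yield comp
        yield from iter_components(comp.get("components", []))


def split_purl(purl: str) -> Tuple[str, str]:
    """Return (purl without version, qualifiers and subpath; version).

    purl grammar: pkg:type/namespace/name@version?qualifiers#subpath
    Scoped names are percent-encoded in purls, so '@' only ever marks the version.
    """
    base = purl.split("?", 1)[0].split("#", 1)[0]
    if "@" in base:
        name, version = base.rsplit("@", 1)
        return name, version
    return base, ""


def index_by_purl(doc: dict) -> Dict[str, dict]:
    """Map every component purl to its component entry, nested ones included."""
    index: Dict[str, dict] = {}
    for comp in iter_components(doc.get("components", [])):
        purl = comp.get("purl")
        if purl:
            index[purl] = comp
    return index


def find_affected(doc: dict, advisories: List[Tuple[str, set]]) -> List[str]:
    """Return purls of components whose exact version appears in an advisory entry."""
    hits = []
    for purl in index_by_purl(doc):
        name, version = split_purl(purl)
        for adv_name, affected in advisories:
            if name == adv_name and version in affected:
                hits.append(purl)
    return sorted(hits)


if __name__ == "__main__":
    sbom = load_sbom(SAMPLE_SBOM_JSON)
    print(f"{len(index_by_purl(sbom))} components indexed")
    for hit in find_affected(sbom, SAMPLE_ADVISORIES):
        print("affected:", hit)
```

Matching is on exact versions here because that is what an SBOM records; a production consumer would map advisories' version ranges with a proper purl library and the ecosystem's version-ordering rules. The point of the reproducible, deterministic SBOM described above is that this check can be rerun on every build without the component list drifting from what is actually deployed.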

ScanCode

Perform automated forensic comparative analysis on software and firmware.
In quite a few legacy situations, only binary/compiled artifacts will be available. Using the world-class open source scanning tools from ScanCode, combined with the unique collection of software source code of, among others, Software Heritage, and applying additional binary analysis tools, we can heuristically match these binaries to a large body of code with a high degree of certainty. This can assist vendors in determining the presence of known vulnerable software components in binaries.

More: AboutCode.org

BANG

Making the grunt work of manual forensic analysis less of a burden.
Obviously, automated comparative analysis is not available for one's own unique or proprietary components, nor for vendored code. In such cases manual inspection will still be necessary. There are various excellent open source tools available for that exact purpose, such as the venerable Binary Analysis Next Generation (BANG), Distro2SBOM and CRAVEX. We also support knowledge sharing and demand bundling for the creation of new tools.

More: BANG

We are just getting started

CodeSupply Institute is not about re-inventing the wheel. We want to make sure that regulatory compliance is a low-cost commodity and a collaborative effort — not a competitive issue.

Contact us to discuss possibilities.