CAST Teams up with Software Heritage to Bring Transparency to Open-Source Code
Software Heritage is an initiative by the French Institute for Research in Computer Science and Automation, aiming to build a universal library of all source code. The project is sponsored by tech giants such as Intel, Google and Microsoft and already contains more than 5.6 billion source files, including source code from GitHub, GitLab and the now-defunct Google Code Archive (the research giant ended its own code library project in 2016).
The aim of the CAST-Software Heritage collaboration is to create a “Provenance Index” on code collected in the Software Heritage archive. This would allow users of CAST products to have their code analysed for its components and the origin of each component.
The service also flags “At-risk” components and offers suggestions on what to do, helping users avoid potential legal and compliance issues, as well as software crashes – such as ones resulting from lines of open-source code being taken offline by the original author.
Software Heritage’s Provenance Index will be based on an integration between CAST’s SaaS platform, Highlight, which inspects code for bugs and vulnerabilities, and the Software Heritage curator, which aims to collect all publicly available source code and its development history.
The Highlight platform does not actually ingest any of the user's source code during the process. Instead, an agent scans the code and uploads an encrypted file to the CAST Highlight portal. Highlight can run on AWS or Azure, as well as on a private cloud.