When it comes to identifying potential security risks, examining the software bill of materials is one of the first steps tech leaders should take, according to Ed Warnicke, distinguished engineer at Cisco Systems Inc.

With this essential list, companies using third-party software and distributed open-source software can simplify their security vetting process. To help supply chain challenges, OmniBOR was created — a Universal Bill of Receipts that constructs Artifact Dependency Graphs with zero developer involvement.

“I very firmly believe if you don’t like the outcome, you should change the rules,” said Warnicke (pictured). “What you have in any piece of software is you have software artifacts, so I give you a Docker container or an executable, and each of those software artifacts themselves were built from other software artifacts, and each of those gets built by other software artifacts like source code files.”

Warnicke spoke with theCUBE industry analysts Rob Strechay and John Furrier at Open Source Summit NA, during an exclusive broadcast on theCUBE, SiliconANGLE Media’s livestreaming studio. They discussed how OmniBOR helps tackle supply change issues, how open source affects supply chains and how artificial intelligence will impact open source.

‘A precision X-ray of your software’

OmniBOR “turns the problems on their head,” according to Warnicke. When supply chains go through several different channels, all information and data must be consistent between hands. With OmniBOR, developers can capture essential metadata, giving insight into licenses, component inversions and more.

“It gives you the ability to get an absolute precision X-ray of your software all the way down to the source code file,” Warnicke said. “It gives you the ability to prioritize, because it may be the case that I have something with a vulnerable Log4j, but I’m not loading that class, so I’m not actively vulnerable. So if I’ve got 2,000 instances that I need to remediate, and 50 of them have loaded that class, I know which 50 I should address first.”

Every unique artifact should have its own unique identifier, Warnicke argues, and they should all be immutable. If an artifact is changed, the identifier should change too — and that’s exactly what OmniBOR sets out to do and is different than the kind of information found in SBOMs. This is especially important as AI rises in utilization and popularity.

“Labels are key if you’re going to train your AI model,” he said. “And we’ve got very, very simple labeling at an artifact dependency graph. Then you can look at the messier reasoning that comes about the metadata that you construct in the SBOM around it.”

The conversation ended with the pair discussing AI and how it will potentially impact the open-source community. Warnicke expressed concerns about how when he used ChatGPT, a lot of the information he received was fabricated, rendering the chatbot deceitful in its supposed expertise.

“People think that AI is highly confusing, but AI is like … a certain species of person who is extraordinarily eloquent and entirely vacuous,” he explained. “We sometimes mistake the fact that they’re able to speak eloquently for them knowing anything. And that’s the state of AI right now.”

Here’s the complete video interview, part of SiliconANGLE’s and theCUBE’s coverage of Open Source Summit NA:

Photo: SiliconANGLE