Introduction to the Ortelius Supply Chain Catalog

Why Use Ortelius

Ortelius is an open source, supply chain evidence catalog for publishing, versioning and sharing microservices and other Components such as DB objects and file objects. Ortelius centralizes everything you need to know about a component-driven architecture including Component level ownership, SBOMs, vulnerabilities, dependency relationships, key values, deployment metadata, consuming applications and versions. Ortelius harvests information from the DevOps pipeline centralizing supply chain data across tools and teams.

Supply Chain Catalog

Ortelius visualizes ‘logical’ application versions in a cloud-native architecture, providing a clear view of the software supply chain and its consumers. With this Component level information, Ortelius can aggregate metadata up to the ‘logical’ application, producing application level SBOMs, CVE reports, audit reports, deployment inventory and status.

Ortelius is particularly suited to a microservice architecture where hundreds of artifacts and repos are used, and a central view of the entire supply chain from a usage, security and inventory perspective is required. When you outgrow your Excel spreadsheet, it's time to consider Ortelius.

Decoupled Environments are Complex

Migrating to a decoupled, cloud-native architecture breaks the way we assemble and configure software. With a decoupled implementation, we no longer build a complete software solution, or Application Version. Instead, we manage many moving parts that communicate at run-time based on APIs. The loss of the ‘Application Version’ disrupts the core of software delivery. It impacts most of our standard software practices, including the generation of application level security reports. After all, everything is based on an Application Version, from tracking change requests and determining differences to tracking relationships and supporting users. Without a method of tracking the logical Application, IT teams struggle to confirm that the software they deliver to end users is safe.

Ortelius is not a ‘microservice registry’ or ‘API Gateway’. Instead, Ortelius interacts with the DevOps pipeline to automatically gather supply chain metadata. Tracking microservices and Components in this way facilitates their sharing and reuse across teams. Ortelius serves as an internal marketplace for finding, tracking and versioning microservices and relating them to the Applications that consume them. The publishing catalog is based on a Domain structure to support a Domain Driven Design.

Versioning - Ortelius Secret Sauce

Ortelius versions both Components and ‘logical’ Applications. When versioning Components, Ortelius provides the insights needed to determine if the service is safe for consumption, including:

  • Software Bill of Materials (SBOM)
  • Common Vulnerabilities and Exposures (CVE)
  • Swagger Details
  • Readme and Licensing
  • Consuming Applications
  • Ownership
  • Git repo
  • Git Commit (Tag and branch)
  • CI/CD Build Number
  • Container SHA
  • Docker Registry
  • Key Values
  • Deployment Script (Helm Chart, Ansible Playbook, etc.)
  • Any Attributes (DB Name for example)

Application Versions are based on a collection of Component Versions. If a new version of a Component is built or registered, Ortelius auto increments the Component version and the consuming Application version. Dashboards are provided for each new Application version showing:

  • A full map of all the microservices, or Components, the Application version is consuming.
  • An Application Level SBOM, based on all Component SBOMs
  • An Application Level CVE
  • The specific changes that created the new Application version (your new diff report)
  • The audit history
  • Log history
  • Where it is running
  • Trends (deployment time, success/failure rates)

This level of information can also be viewed from the Component level showing similar information to the Application, but instead showing the Applications that are dependent on the microservice (Component).
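The versioning model described above, as a small constructed Python example (not Ortelius code): an Application version is a collection of Component versions, its SBOM and CVE report are rolled up from the Components, registering a new Component version auto increments every consuming Application, and the reverse view lists the Applications dependent on a Component. Component names, packages and CVE ids are placeholder sample data.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ComponentVersion:
    name: str
    version: int
    sbom: frozenset   # packages as "name@version" strings
    cves: frozenset   # CVE ids found for the SBOM (placeholder ids in the sample data)

@dataclass
class ApplicationVersion:
    name: str
    version: int
    components: dict  # component name -> ComponentVersion it consumes

def app_sbom(app):
    """Application-level SBOM: the union of every consumed Component's SBOM."""
    return frozenset().union(*(c.sbom for c in app.components.values()))

def app_cves(app):
    """Application-level CVE report rolled up from the Component CVEs."""
    return frozenset().union(*(c.cves for c in app.components.values()))

def _ver(app, name):
    return app.components[name].version if name in app.components else None

def diff(old, new):
    """Component changes between two Application versions: name -> (old ver, new ver)."""
    names = set(old.components) | set(new.components)
    return {n: (_ver(old, n), _ver(new, n)) for n in names if _ver(old, n) != _ver(new, n)}

def blast_radius(component_name, apps):
    """Applications that consume the named Component, i.e. what an update will impact."""
    return sorted(a.name for a in apps if component_name in a.components)

def register(component, apps):
    """Registering a new Component version auto increments every consuming Application."""
    bumped = []
    for a in apps:
        if component.name in a.components:
            comps = {**a.components, component.name: component}
            bumped.append(ApplicationVersion(a.name, a.version + 1, comps))
    return bumped

# Constructed sample catalog (not real packages or CVEs)
AUTH_V1 = ComponentVersion("auth", 1, frozenset({"jwt-lib@1.0"}), frozenset({"CVE-0000-0001"}))
AUTH_V2 = ComponentVersion("auth", 2, frozenset({"jwt-lib@1.1"}), frozenset())
CART_V1 = ComponentVersion("cart", 1, frozenset({"redis-client@4.2"}), frozenset({"CVE-0000-0002"}))
STORE_V1 = ApplicationVersion("store", 1, {"auth": AUTH_V1, "cart": CART_V1})
ADMIN_V1 = ApplicationVersion("admin", 1, {"auth": AUTH_V1})
```

Calling `register(AUTH_V2, [STORE_V1, ADMIN_V1])` yields version 2 of both Applications, and `diff` against the previous version reports only the auth change, which is the page's "diff report".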

Other Core Features

Domain-Driven-Design: First and most important is the Ortelius Domain structure for cataloging and sharing microservices. This feature organizes your microservices in a way that encourages reuse and sharing across development teams.

Dependency maps: Shows you the ‘logical’ view of your application and which microservices, or Components, it consumes. Once you begin sharing microservices, you need to track who is using the microservice. An Application is a logical collection of Components that make up an entire software solution.

Application Level SBOMs and CVE: Ortelius aggregates all Component level data up to the logical Application Version making it easy to provide security reporting on a complete software system, even when it is decoupled.

Blast Radius: Know your service impact before you ever deploy. Ortelius can provide predictive insights showing what Applications will be impacted by an updated service. Ortelius provides this data in clear maps of dependent Applications and services.

Improved incident response: Ortelius makes it easy to find the owner of a microservice or common Component and contact them through PagerDuty, HipChat, Discord, Slack, email or phone.

Integrates into your CD pipeline: Ortelius is automated via your CD Pipeline to continuously version your decoupled architecture with changes, including where they are deployed.

Last modified December 6, 2022: Fixed supply chain image (c32a3b9)