
Of Course We Embrace Open Source!

I noted last month that the artifact management market is up for grabs. In a hot market, you’re going to see some interesting and not-entirely-logical attacks. And if I could creatively paraphrase a famous saying, it’s hard to get someone to understand something when their company’s success depends on them not understanding it.
I’m thinking about a curious criticism that one of our competitors, JFrog, leveled at us in a recent blog post. They said they spotted some “red flags” about Cloudsmith, the first and most damning being that we are “packaging [a] competitor’s open source as an enterprise solution,” thereby “[s]elling a paid ‘security’ solution that’s little more than a thin UI layer over someone else’s open-source tool.” (They’re talking about our use of the open source Trivy scanner and its underlying vulnerability database, Trivy DB, as one source of software package vulnerability data.)
They stick to this point pretty persistently, saying we are “charging you for an open-source solution,” stating accusingly that we “rely on open source software as [our] SCA solution,” arguing that “open-source tools are generic by nature,” and even concluding that “if Trivy becomes unsupported or compromised, Cloudsmith’s entire SCA capability could suffer, leaving users vulnerable.”
JFrog has it wrong on several counts here.
For starters, pretty much every enterprise tool in the last few decades, including many JFrog tools, is built on foundations of open-source software (OSS). Does this mean we’re all “charging” customers for “packaging” OSS as an “enterprise solution” in some nefarious way? Like most OSS, Trivy DB is “generic by nature,” which leaves room for developers and software vendors to build custom capabilities on top of it. Which is exactly what Cloudsmith has done. If Cloudsmith is wrong for using “generic” OSS, then we’re all wrong.
In accusing Cloudsmith of using a “competitor’s” OSS, they’re referring to Aqua Security. They’re confused on several key points.
First, they’re failing to acknowledge the distinction between the role of a primary OSS maintainer and a commercial vendor. Aqua Security, the company, is the primary maintainer of the Trivy OSS project. It is also the vendor behind Aqua Enterprise, a commercial product that is built around Trivy.
Second, they’ve tellingly assumed that Cloudsmith considers Aqua Security to be a competitor. We very much don’t. We regard Aqua as a complementary solution; we support integration between Cloudsmith and Aqua Security; and we see Cloudsmith as the data plane and control plane for software supply chain security. Customers can process metadata and execute policies based on vulnerabilities identified by Cloudsmith’s own scanning, on third-party vulnerability data from the likes of Aqua Enterprise or others, or on a combination of the two.
Third, any software can “become unsupported.” But that tends to be a much bigger risk with commercial software than with OSS: when a vendor discontinues a closed product, customers have no recourse, whereas Trivy is published under the Apache 2.0 license, which grants a perpetual, irrevocable license to every version already released. Even if the maintainers stopped publishing future versions as open source, the community could fork the last open version and carry on. We don’t think this will happen, but if it did, Cloudsmith relies on multiple data sources and can adjust the mix over time. Trivy DB is itself an aggregation of public advisory feeds (NVD, the GitHub Advisory Database and the security trackers of the major Linux distributions, among others), and there are numerous other providers of comparable data. The same goes for the “compromised” scenario: an upstream scanner and its database are dependencies like any other, to be pinned to known versions and verified on ingestion rather than trusted blindly.
So why is JFrog attacking Cloudsmith so stridently for relying on OSS, like virtually every commercial software company does, and specifically for relying on Trivy? I can only speculate, but JFrog sees its own security product, Xray, as an important revenue source, and they seem to regard Aqua Security, along with other similar companies, as competitors to Xray.
To state the obvious point: of course we embrace open source. I wrote last year about Cloudsmith’s support for OSS projects, and we Cloudsmithers all believe deeply in the power of software reuse via OSS. I’m old enough to remember when reuse was essentially an unsolved problem in software; we never could have envisioned back in the 1990s how OSS would fundamentally change that. The core functionality of our platform helps enterprises everywhere to efficiently and securely manage the thousands of OSS artifacts and dependencies that make up such a large part of any company’s software supply chain.
And to state another obvious point: we’re not just serving up generic OSS and somehow convincing customers to pay us for it. What we charge for is what Cloudsmith has built on top of OSS: our unmatched global cloud-scale infrastructure, our 24x7 service levels, our policy-as-code Enterprise Policy Manager (EPM) that evaluates every package against your company’s risk criteria, our ability to proxy and cache public upstream registries at unmatched performance levels, our artifact synchronization process that performs scanning and metadata enrichment before a package even lands in your repository and is served to CI/CD pipelines or developer IDEs, our stellar customer support, and much more.
Yes, we rely on OSS, and we think that’s a significant strength from which customers benefit.