Google open source project aims to boost supply chain security
Software supply chain security is at the top of a lot of agendas at the moment, more so since the Log4j vulnerability was discovered and since the US Executive Order on cybersecurity.
Google is seeking contributors to a new open source project called GUAC (Graph for Understanding Artifact Composition), which, although still in its early stages, is poised to change how the industry understands software supply chains.
The aim of GUAC is to democratize the availability of software build, security, and dependency metadata information by making it freely accessible and useful for every organization, not just those with enterprise-scale security and IT funding.
Although organizations currently have access to software bills of materials, vulnerability databases and other sources of information, it's difficult to combine and synthesize these to get a more comprehensive view.
Google has teamed up with Kusari, Purdue University, and Citi to create GUAC, a free tool to bring together many different sources of software security metadata. GUAC has four key functions:
- Collection -- GUAC can be configured to connect to a variety of sources of software security metadata. Some sources may be open and public (e.g., OSV); some may be first-party (e.g., an organization’s internal repositories); some may be proprietary third-party (e.g., from data vendors).
- Ingestion -- From its upstream data sources GUAC imports data on artifacts, projects, resources, vulnerabilities, repositories, and even developers.
- Collation -- Having ingested raw metadata from disparate upstream sources, GUAC assembles it into a coherent graph by normalizing entity identifiers, traversing the dependency tree, and reifying implicit entity relationships.
- Query -- Against an assembled graph users may query for metadata attached to, or related to, entities within the graph. Querying for a given artifact may return its SBOM, provenance, build chain, project scorecard, vulnerabilities, and recent lifecycle events -- and those for its transitive dependencies.
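As an added illustration of the collation and query steps above (example code written for this article, not GUAC's own code or API), the script below merges two constructed SBOM-like records that name the same packages differently, normalizes the identifiers into one purl-style key, attaches a constructed vulnerability record, and then reports every dependency path from a queried artifact to the affected package. All package names, versions and the vulnerability id are constructed placeholders.

```python
from collections import defaultdict

# Constructed sample inputs (not real SBOM or OSV data). Source A uses
# package-URL style identifiers; source B uses bare "type:Name@version".
SBOM_A = [
    {"artifact": "pkg:npm/webapp@1.0.0", "depends_on": ["pkg:npm/express@4.18.0"]},
    {"artifact": "pkg:npm/express@4.18.0", "depends_on": ["pkg:npm/qs@6.10.0"]},
]
SBOM_B = [
    {"artifact": "npm:Express@4.18.0", "depends_on": ["npm:body-parser@1.20.0"]},
    {"artifact": "npm:body-parser@1.20.0", "depends_on": ["npm:qs@6.10.0"]},
]
# Constructed OSV-like record; the id is a placeholder, not a real advisory.
VULNS = [{"id": "EXAMPLE-VULN-0001", "affected": ["npm:qs@6.10.0"]}]

def normalize(ident: str) -> str:
    """Collation: map both identifier styles onto one canonical purl-like key
    (simplified: purl namespaces, qualifiers and subpaths are ignored)."""
    if ident.startswith("pkg:"):
        ident = ident[4:].replace("/", ":", 1)
    ecosystem, rest = ident.split(":", 1)
    name, version = rest.rsplit("@", 1)
    return f"pkg:{ecosystem.lower()}/{name.lower()}@{version}"

def build_graph(sboms, vulns):
    """Ingest and collate: merge edges from all sources, attach vuln ids."""
    deps, flagged = defaultdict(set), defaultdict(set)
    for sbom in sboms:
        for rec in sbom:
            deps[normalize(rec["artifact"])].update(normalize(d) for d in rec["depends_on"])
    for vuln in vulns:
        for affected in vuln["affected"]:
            flagged[normalize(affected)].add(vuln["id"])
    return deps, flagged

def query_vulns(graph, artifact):
    """Query: return {vuln_id: [every dependency path from artifact to an affected node]}."""
    deps, flagged = graph
    hits, stack = defaultdict(list), [[normalize(artifact)]]
    while stack:
        path = stack.pop()
        for vuln_id in flagged.get(path[-1], ()):
            hits[vuln_id].append(path)
        for child in sorted(deps.get(path[-1], ())):
            if child not in path:  # cycle guard: never revisit a node already on this path
                stack.append(path + [child])
    return dict(hits)
```

Calling `query_vulns(build_graph([SBOM_A, SBOM_B], VULNS), "npm:webapp@1.0.0")` returns both paths to the affected package, one that only exists because the two sources were collated onto the same `express` node.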
You can find out more about the project and get involved over on GitHub; the GUAC team will also be showcasing the project at Kubecon NA 2022 next week.