Posted by Brandon Lum, Mihai Maruseac, Isaac Hepworth, Google Open Source Security Team

Supply chain security is at the fore of the industry’s collective consciousness. We’ve recently seen a significant rise in software supply chain attacks, a Log4j vulnerability of catastrophic severity and breadth, and even an Executive Order on Cybersecurity.

It is against this background that Google is seeking contributors to a new open source project called GUAC (pronounced like the dip). GUAC, or Graph for Understanding Artifact Composition, is in the early stages yet is poised to change how the industry understands software supply chains. GUAC addresses a need created by the burgeoning efforts across the ecosystem to generate software build, security, and dependency metadata. True to Google’s mission to organize and make the world’s information universally accessible and useful, GUAC is meant to democratize the availability of this security information by making it freely accessible and useful for every organization, not just those with enterprise-scale security and IT funding.

Thanks to community collaboration in groups such as OpenSSF, SLSA, SPDX, CycloneDX, and others, organizations increasingly have ready access to:

- Software Bills of Materials (SBOMs) (with SPDX-SBOM-Generator, Syft, kubernetes bom tool)
- signed attestations about how software was built (e.g. SLSA with SLSA3 Github Actions Builder, Google Cloud Build)
- vulnerability databases that aggregate information across ecosystems and make vulnerabilities more discoverable and actionable (e.g. OSV.dev, Global Security Database (GSD)).

These data are useful on their own, but it’s difficult to combine and synthesize the information for a more comprehensive view. The documents are scattered across different databases and producers, are attached to different ecosystem entities, and cannot be easily aggregated to answer higher-level questions about an organization’s software assets.

To help address this issue we’ve teamed up with Kusari, Purdue University, and Citi to create GUAC, a free tool to bring together many different sources of software security metadata. We’re excited to share the project’s proof of concept, which lets you query a small dataset of software metadata including SLSA provenance, SBOMs, and OpenSSF Scorecards.

Graph for Understanding Artifact Composition (GUAC) aggregates software security metadata into a high fidelity graph database, normalizing entity identities and mapping standard relationships between them. Querying this graph can drive higher-level organizational outcomes such as audit, policy, risk management, and even developer assistance.

Conceptually, GUAC occupies the “aggregation and synthesis” layer of the software supply chain transparency logical model.

GUAC has four major areas of functionality:

1. Collection: GUAC can be configured to connect to a variety of sources of software security metadata. Some sources may be open and public (e.g., OSV); some may be first-party (e.g., an organization’s internal repositories); some may be proprietary third-party (e.g., from data vendors).
2. Ingestion: From its upstream data sources GUAC imports data on artifacts, projects, resources, vulnerabilities, repositories, and even developers.
3. Collation: Having ingested raw metadata from disparate upstream sources, GUAC assembles it into a coherent graph by normalizing entity identifiers, traversing the dependency tree, and reifying implicit entity relationships, e.g., project → developer, vulnerability → software version, artifact → source repo, and so on.
4. Query: Against an assembled graph one may query for metadata attached to, or related to, entities within the graph. Querying for a given artifact may return its SBOM, provenance, build chain, project scorecard, vulnerabilities, and recent lifecycle events, and those for its transitive dependencies.

A CISO or compliance officer in an organization wants to be able to reason about the risk of their organization. An open source organization like the Open Source Security Foundation wants to identify critical libraries to maintain and secure. Developers need richer and more trustworthy intelligence about the dependencies in their projects.

The good news is, increasingly one finds the upstream supply chain already enriched with attestations and metadata to power higher-level reasoning and insights.
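To make the collation and query steps concrete, here is a small added example (not GUAC's own code) that ingests constructed SBOM edges, a provenance record and a vulnerability feed, normalizes the differently spelled package identifiers onto one canonical purl form, and answers the question the post describes: what is known about an artifact and everything it transitively depends on. All package names, the builder URL and the VULN-SAMPLE identifiers are made up for the example.

```python
from collections import defaultdict, deque

# Constructed inputs standing in for an SBOM, a provenance attestation and a
# vulnerability feed. Package names, builder URL and VULN-SAMPLE ids are made
# up; note the deliberately inconsistent identifier spellings across sources.
SBOM_EDGES = [("pkg:npm/webapp@1.0.0", "pkg:npm/libalpha@2.3.0"),
              ("pkg:npm/webapp@1.0.0", "PKG:NPM/libbeta@0.9.1"),
              ("pkg:npm/libalpha@2.3.0", "npm:libgamma@1.1.0")]
PROVENANCE = {"pkg:npm/webapp@1.0.0": "https://builder.example/slsa3"}
VULN_FEED = [("npm:libgamma@1.1.0", "VULN-SAMPLE-0001"),
             ("pkg:NPM/libbeta@0.9.1", "VULN-SAMPLE-0002")]

def normalize(ident: str) -> str:
    """Map the identifier forms above onto one canonical purl spelling."""
    ident = ident.strip()
    if ident.lower().startswith("npm:"):      # shorthand used by one feed
        ident = "pkg:npm/" + ident[4:]
    scheme, rest = ident.split("/", 1)        # "pkg:npm", "name@version"
    return scheme.lower() + "/" + rest

def build_graph():
    """Collate every source into one graph: node -> {relation -> targets}."""
    graph = defaultdict(lambda: defaultdict(set))
    for parent, dep in SBOM_EDGES:
        graph[normalize(parent)]["depends_on"].add(normalize(dep))
    for artifact, builder in PROVENANCE.items():
        graph[normalize(artifact)]["built_by"].add(builder)
    for artifact, vuln_id in VULN_FEED:
        graph[normalize(artifact)]["vulnerable_to"].add(vuln_id)
    return graph

def transitive_deps(graph, root):
    """Breadth-first walk over depends_on edges; the seen-set handles cycles."""
    seen, queue = set(), deque([root])
    while queue:
        for dep in graph[queue.popleft()]["depends_on"]:
            if dep not in seen:
                seen.add(dep)
                queue.append(dep)
    return seen

def query_artifact(graph, artifact):
    """What is known about this artifact and everything it transitively uses?"""
    root = normalize(artifact)
    deps = sorted(transitive_deps(graph, root))
    return {"builder": sorted(graph[root]["built_by"]),
            "transitive_deps": deps,
            "vulnerabilities": {n: sorted(graph[n]["vulnerable_to"])
                                for n in [root, *deps]
                                if graph[n]["vulnerable_to"]}}
```

Because the vulnerability feed and the SBOM spell the same package differently, the query only finds the two transitive vulnerabilities after normalization; without that step the graph would hold disconnected duplicate nodes.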