The Graph for Understanding Artifact Composition (GUAC) has joined the Open Source Security Foundation (OpenSSF) as an incubating project. GUAC provides a tool and underlying API to analyse and visualise software bills of materials (SBOMs), combining them with threat intelligence feeds to determine whether vulnerabilities impact an application.
Since InfoQ covered the initial release of GUAC, the project has grown to 50 contributors, 300 community members and more than 1,100 GitHub stars. The press release describes it as "establishing itself as the tool for knowing your software supply chain". The project was created by Kusari, Google, Purdue University and Citi, and is supported by financial services and technology companies, including Yahoo!, Microsoft, Red Hat, Guidewire, and ClearAlpha Technologies.
SBOMs have become a hot topic since their inclusion in US Executive Order 14028, ‘Improving the Nation’s Cybersecurity’, with competing standards emerging in the SPDX and CycloneDX formats. GUAC supports both and can transform them into data nodes and relationships, providing insights into software and dependencies. GUAC can also ingest and transform Supply-chain Levels for Software Artifacts (SLSA) attestations to provide a view into the provenance and integrity of software components. Our interview with Tracy Miranda provides further background on Secure Supply Chains, SBOMs and SLSA.
The visibility provided by GUAC has a number of applications with end users:
First, establishing connections and compliance, which includes determining ownership within an organisation and locating evidence that apps meet policy. This might also include finding missing SBOMs or SLSA attestations and visualising SBOM diffs to show changes between versions.
"The value we see with GUAC is its flexibility and plugin architecture leading up to helping the users achieve compliance at different levels."
Anoop Gopalakrishnan, VP of engineering, Guidewire Software
The second application with users is focused on unveiling gaps in the understanding of the software supply chain. This starts with identifying the most used critical components and finding exposure to risky dependencies, which provides the opportunity to prevent compromises before they happen. It also includes tracking whether all binaries in production can be traced back to a securely managed repository (which might demonstrate its diligence with an OpenSSF Scorecard).
"GUAC allows us to ingest a large number of SBOMs and also provides an interface to visualize the current state of images & packages used at Yahoo in real time."
Hemil Kadakia, Sr. Mgr. Software Dev Engineering, Paranoids, Yahoo
The final application for users is detecting and responding to threats. GUAC can indicate the blast radius of a bad package or vulnerability and provide information that informs a patch plan towards remediation. It can also track a suspicious event back to when it was introduced.
"GUAC’s ability to trace risks back to their source aligns with our proactive risk awareness goals, enabling companies to spot and tackle potential issues early on."
Sean Terretta, CTO, ClearAlpha
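The three applications above (SBOM diffs and missing SBOMs, most used components, and the blast radius of a vulnerable package) all reduce to queries over a graph of packages and their dependency edges. The following Python is an added example written for this article and is not GUAC code; it uses constructed, CycloneDX-style SBOM dicts carrying only "metadata", "components" and "dependencies" keys, purls as node identifiers, a constructed advisory with a placeholder id, and a constructed deployment inventory.

```python
"""Toy SBOM graph analysis illustrating the GUAC use cases described above.
Added example, not GUAC code: an in-memory graph built from constructed,
CycloneDX-style SBOM dicts that use package URLs (purls) as node ids."""
from collections import defaultdict, deque

# Constructed sample SBOMs for two versions of one application.
SBOM_V1 = {
    "metadata": {"component": {"purl": "pkg:generic/shop-app@1.0.0"}},
    "components": [{"purl": "pkg:npm/web-framework@4.1.0"},
                   {"purl": "pkg:npm/json-parser@1.2.0"},
                   {"purl": "pkg:npm/log-utils@2.0.0"}],
    "dependencies": [
        {"ref": "pkg:generic/shop-app@1.0.0",
         "dependsOn": ["pkg:npm/web-framework@4.1.0", "pkg:npm/log-utils@2.0.0"]},
        {"ref": "pkg:npm/web-framework@4.1.0", "dependsOn": ["pkg:npm/json-parser@1.2.0"]},
        {"ref": "pkg:npm/log-utils@2.0.0", "dependsOn": ["pkg:npm/json-parser@1.2.0"]},
    ],
}
SBOM_V2 = {
    "metadata": {"component": {"purl": "pkg:generic/shop-app@1.1.0"}},
    "components": [{"purl": "pkg:npm/web-framework@4.1.0"},
                   {"purl": "pkg:npm/json-parser@1.3.0"},
                   {"purl": "pkg:npm/log-utils@2.0.0"},
                   {"purl": "pkg:npm/crypto-helper@0.9.0"}],
    "dependencies": [
        {"ref": "pkg:generic/shop-app@1.1.0",
         "dependsOn": ["pkg:npm/web-framework@4.1.0", "pkg:npm/log-utils@2.0.0"]},
        {"ref": "pkg:npm/web-framework@4.1.0",
         "dependsOn": ["pkg:npm/json-parser@1.3.0", "pkg:npm/crypto-helper@0.9.0"]},
        {"ref": "pkg:npm/log-utils@2.0.0", "dependsOn": ["pkg:npm/json-parser@1.3.0"]},
        {"ref": "pkg:npm/crypto-helper@0.9.0", "dependsOn": ["pkg:npm/json-parser@1.3.0"]},
    ],
}
# Constructed advisory (placeholder id, not a real advisory) and constructed inventory.
ADVISORY = {"id": "EXAMPLE-ADVISORY-0001", "purl": "pkg:npm/json-parser",
            "affected_versions": ["1.2.0"]}
DEPLOYED = ["pkg:generic/shop-app@1.1.0", "pkg:generic/billing-svc@2.3.0"]

def build_graph(sbom):
    """Return (nodes, edges): edges[a] is the set of purls that a depends on."""
    nodes = {c["purl"] for c in sbom["components"]}
    nodes.add(sbom["metadata"]["component"]["purl"])
    edges = defaultdict(set)
    for dep in sbom.get("dependencies", []):
        targets = dep.get("dependsOn", [])
        edges[dep["ref"]].update(targets)
        nodes.add(dep["ref"])
        nodes.update(targets)
    return nodes, edges

def split_purl(purl):
    """'pkg:npm/x@1.0' -> ('pkg:npm/x', '1.0'); a purl without '@' gets version ''."""
    name, sep, version = purl.rpartition("@")
    return (name, version) if sep else (purl, "")

def sbom_diff(old, new):
    """Compare two SBOM versions by package name: added, removed and re-versioned."""
    old_v = dict(split_purl(p) for p in build_graph(old)[0])
    new_v = dict(split_purl(p) for p in build_graph(new)[0])
    return {
        "added": sorted(n for n in new_v if n not in old_v),
        "removed": sorted(n for n in old_v if n not in new_v),
        "changed": {n: (old_v[n], new_v[n]) for n in sorted(old_v)
                    if n in new_v and old_v[n] != new_v[n]},
    }

def most_used(sboms):
    """Rank packages by the number of distinct packages depending on them, across SBOMs."""
    dependents = defaultdict(set)
    for sbom in sboms:
        for src, targets in build_graph(sbom)[1].items():
            for t in targets:
                dependents[split_purl(t)[0]].add(split_purl(src)[0])
    return sorted(((n, len(d)) for n, d in dependents.items()), key=lambda x: (-x[1], x[0]))

def blast_radius(sbom, bad_purl):
    """Every node that transitively depends on bad_purl (reverse reachability)."""
    reverse = defaultdict(set)
    for src, targets in build_graph(sbom)[1].items():
        for t in targets:
            reverse[t].add(src)
    seen, queue = set(), deque([bad_purl])
    while queue:
        for dependent in reverse[queue.popleft()]:
            if dependent not in seen:
                seen.add(dependent)
                queue.append(dependent)
    return seen

def impacted_applications(sboms, advisory):
    """Map each application whose SBOM contains an affected version to those purls."""
    affected = {f"{advisory['purl']}@{v}" for v in advisory["affected_versions"]}
    hits = {}
    for sbom in sboms:
        found = sorted(build_graph(sbom)[0] & affected)
        if found:
            hits[sbom["metadata"]["component"]["purl"]] = found
    return hits

def missing_sboms(deployed, sboms):
    """Deployed artifacts that no SBOM describes as its top-level component."""
    described = {s["metadata"]["component"]["purl"] for s in sboms}
    return sorted(set(deployed) - described)
```

Calling `sbom_diff(SBOM_V1, SBOM_V2)` reports `crypto-helper` as added and `json-parser` as re-versioned from 1.2.0 to 1.3.0; `most_used([SBOM_V1, SBOM_V2])` ranks `json-parser` first with three distinct dependents; `impacted_applications` flags only `shop-app@1.0.0`, whose SBOM still lists the affected version; `blast_radius(SBOM_V2, "pkg:npm/json-parser@1.3.0")` walks the reversed edges to show that a problem in that parser would reach every component of the 1.1.0 application; and `missing_sboms(DEPLOYED, [SBOM_V1, SBOM_V2])` reports `billing-svc` as deployed without an SBOM. A real deployment would replace the dicts with parsed SPDX or CycloneDX documents and the advisory with a threat intelligence feed, but the graph queries stay the same.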
GUAC is the first project to formally undergo the ‘significant barrier’ of due diligence required for incubating status in the OpenSSF project lifecycle, following a well-trodden path from adjacent Linux Foundation projects such as the Cloud Native Computing Foundation (CNCF).