Last week, the community convened for the OpenSSF Tech Talk, spotlighting GUAC (Graph for Understanding Artifact Composition). GUAC helps in understanding SBOM (Software Bill of Materials) and open source software (OSS) security by ingesting various data types and enabling analysis of them. The purpose of GUAC is to help people understand how one piece of software affects another so you can act as needed. For example, GUAC can help you find the most used critical components in a software supply chain ecosystem, determine weaknesses in overall security posture, and prevent software supply chain compromises before they occur.
This Tech Talk provided perspectives on GUAC’s benefits and applications, and we addressed common questions from both maintainers and consumers. If you missed it, you can watch the on-demand recording and download the presentation deck to catch up on valuable insights into enhancing software supply chain security.
OpenSSF GUAC Tech Talk Highlights
Moderated by David A. Wheeler, Director of Open Source Supply Chain Security at the Linux Foundation, the Tech Talk began with an introduction to the agenda and the guest experts. Rose Judge, Senior Open Source Engineer at Broadcom, guided us through the intricacies of SBOM and OSS security. Her insights helped attendees understand how SBOM provides a clear inventory of software components, enhancing transparency and security in software development.
On the maintainer side, Brandon Lum, Open Source Security Engineer at Google, and Parth Patel, CPO/Co-Founder of Kusari, shared their experiences. They discussed the challenges faced before the introduction of GUAC, detailed its innovative features, and explored the future trajectory of the tool. Their discussion provided a comprehensive overview of GUAC’s capabilities and its potential impact on the open source community.
Later in the session, Umang Jain, Director of Technical Program Management for Platform Engineering at Guidewire Software, offered the end-user perspective. He elaborated on how Guidewire’s platform leverages GUAC, outlining the benefits and improvements it has brought to their operations. His discussion highlighted the practical applications of GUAC and its significance in real-world scenarios.
The Tech Talk concluded with an engaging panel discussion and audience Q&A session. This interactive segment delved into why people care about GUAC, the origins of the project, and its various use cases. Attendees posed questions that explored the broader implications of GUAC and its role in enhancing open source security. The Q&A session was a valuable opportunity for attendees to gain deeper insights into GUAC and its impact on the tech landscape.
GUAC Tech Talk Questions & Answers Included:Â
Q: How easy is it to integrate a new signal, similar to deps.dev, into GUAC? Where should one get started?
A: With the pluggable framework in GUAC, it should be simple to get started on integrating a new signal, which involves writing a parser for the signal (and optionally a collector). A good place to start is to look at existing parsers and implement your own.
Q: Would the community be open to extensions that access proprietary data, which might require a paid subscription to access?
A: Yes, that was one of the motivations to create the pluggable model. The supply chain effort is a huge space and the more we can integrate with metadata from open source or other products the better. These extensions around proprietary formats would live in a separate contrib repository (with separate owners) and will be 100% optional and not be required to run GUAC.
Q: What are the most common misconceptions about GUAC that you encounter?
A: Teams starting their journey could misinterpret GUAC to be a simple data storage application or a visualization tool and miss out on all the other features it provides. Teams also might end up assuming that GUAC also supports Policy Enforcement entering into territory of tools like OPA, Kverno etc.Â
Q: I am keen to contribute to the GUAC project. Can you elaborate on the current areas where community contributions are most needed? Are there specific components or features that are prioritized in your roadmap?
A: As we move towards v1.0 for GUAC we want to ensure that GUAC is ready to be used in a more stable/production-type environment. In that regard, we are adding more end-to-end integration tests and refining critical components. From a community perspective, we currently have a REST API but want to provide more functionality to the users based on community feedback. If there are missing queries or functionality you would like to see please create an issue and help us implement. Before the v1.0 release, we want to ensure that the users can consume the data using a GraphQL or REST API.
Watch the OpenSSF GUAC Tech Talk On Demand & Participate!Â
During the Tech Talk, we also discussed:Â
- What is the best way to start with GUAC for someone new to OSS Security?
- What are the use cases for GUAC?
- What can you tell us about the community you work with?
- How does GUAC handle the metadata of raw data provenance used to train ML models, as well as the metadata of the final ML model artifacts? Can it correlate all of it – data, code, and model?
- Are there plans to introduce a UI/frontend (aside from GUAC Visualizer) under the GUAC umbrella that might be similar to OWASP Dependency-Track? While technical security practitioners and developers could query GUAC via CLI or API with ease, less or non-technical users (e.g., GRC, Legal, etc.) might find it more intimidating.
- How does GUAC deal with dynamic dependencies where the operating system provides them, and you won’t know the version of the dependency without looking at the environment it runs in?
- What are the challenges around SBOM, and how does GUAC overcome those challenges?
Watch the video to hear the experts discuss these questions. For more insights, check the recording of their talk. To download the session slides and access the full recording, please visit Proactive Supply Chain Security with GUAC.
What would you like to hear next? Get in touch with us if you’d like to participate in future Tech Talks.