This post originally appeared on guac.sh and has been revised for OpenSSF.
By GUAC Maintainers
GUAC v0.8.0 is now available. This release brings support for license information, node deletion, and many other improvements. You can now run vulnerability scans immediately on SBOM ingestion with the --add-vuln-on-ingest flag instead of waiting for the OSV certifier to run. To better represent the real world, the isDependency relationship now only exists on package versions instead of the package name. For a full list of changes, see the release page on GitHub.
License information support
GUAC v0.8.0 adds support for parsing license information provided in CycloneDX SBOMs. The new release also includes a new experimental ClearlyDefined certifier. GUAC will query the ClearlyDefined license data store to discover license information for packages, even when the SBOM does not include that information.
Although licenses don’t directly impact security, they are an important part of understanding your software supply chain. We’re excited to expand GUAC’s capabilities in this area.
Node deletion
GUAC v0.8.0 adds support for deleting the following evidence nodes: certifyVuln, hasSBOM, and hasSLSA. This is helpful when SBOMs were ingested by accident or as part of a short-term demo. Delete is supported in both the key value and the ENT backends. If there are other nodes that you have a use case for deleting, please file an issue to let us know.
Join the community
Thanks to the 10 contributors who made this release possible, including new contributor Collin Berman. We’d love to have your contribution. If you have uses cases GUAC should support, or want to contribute to our code or documentation, join us!