
By Parth Patel (Kusari), Brandon Lum (Google), Santiago Torres-Arias (Purdue University)
The GUAC project is proud to announce the release of GUAC 1.0. GUAC (Graph for Understanding Artifact Composition) is an OpenSSF incubating project that brings understanding and insights to the software supply chain. Started by Kusari, Google, and Purdue University, GUAC has contributions from over 400 people representing more than 90 organizations, including Microsoft and Red Hat. GUAC 1.0 brings stability to the core functionality, along with additional features still in an experimental state. See the GUAC blog post for details.
Taming the SBOM monster
Regulatory and purchasing pressure has driven the industry to put more emphasis on creating software bills of materials (SBOMs) — a standardized listing of the components that go into a piece of software. But with each new release — or each build of an internal application — comes a new SBOM. With tens or hundreds of microservices, even a mid-sized organization can quickly be overwhelmed with SBOMs. When you add in retention requirements, the scale balloons quickly. We have created an SBOM monster.
While organizations have started producing more SBOMs (and requiring SBOMs from their suppliers), they’ve found that their overall security posture hasn’t changed. SBOMs don’t always contain transitive dependencies, they don’t tell the organization what vulnerabilities exist (and which ones aren’t actually an issue), and they look at a single application at a single point in time. SBOMs are a solid foundation for understanding an organization’s software supply chain, but they’re not enough on their own.
Dipping into GUAC
GUAC’s value comes from its ability to aggregate and enrich SBOMs to give a fuller view across the entire application portfolio. GUAC collects and stores SBOMs from file systems, object storage, image repositories, and code repositories. After ingesting the SBOM, GUAC parses it into a graph database, which allows the user to evaluate relationships between software packages, binaries, and container images. GUAC also enriches the graph by querying trusted services for additional information about packages. It adds vulnerability data, licenses, additional dependencies, end-of-life information, OpenSSF Scorecard scores, and more. GUAC is designed to be easily extensible, so users can add new sources of information relevant to their needs.
With an enriched view of a team or organization’s entire ecosystem, it becomes possible to answer real-world questions. For example: “how do I patch a newly-announced vulnerability?” GUAC’s patch plan feature shows how to address a vulnerability across “frontiers.” These frontiers represent what can be patched to resolve the vulnerability, starting from the lowest level possible, i.e. the package itself. If you don’t have access to fix this package directly, you could look in the next frontier and so on.
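The frontier idea can be shown with a breadth-first walk over a reverse-dependency graph: frontier 0 is the vulnerable package, frontier 1 everything that consumes it directly, frontier 2 what consumes those, and so on. The script below is an added illustration written for this post, not GUAC's patch-plan code or its GraphQL API; the purls, the dependency edges, and the set of artifacts "you control" are all constructed for the example.

```python
"""Patch-plan frontiers over a small, constructed dependency graph.

Added illustration of the concept, not GUAC's implementation. All package
identifiers below are made-up purls and the graph is built inline so the
example runs offline.
"""
from collections import deque

# Constructed reverse-dependency map: value = the set of packages/images that
# directly depend on the key (edge direction is "who consumes this").
DEPENDENTS = {
    "pkg:golang/golang.org/x/net@v0.0.1": {
        "pkg:golang/example.com/authlib@v1.2.0",
        "pkg:golang/example.com/httpkit@v3.0.0",
    },
    "pkg:golang/example.com/authlib@v1.2.0": {
        "pkg:oci/frontend@sha256:aaa",
        "pkg:oci/api@sha256:bbb",
    },
    "pkg:golang/example.com/httpkit@v3.0.0": {"pkg:oci/api@sha256:bbb"},
    "pkg:oci/frontend@sha256:aaa": set(),
    "pkg:oci/api@sha256:bbb": set(),
}


def patch_frontiers(dependents, vulnerable):
    """Return frontiers as a list of sets.

    Frontier 0 is the vulnerable package; frontier k holds the artifacts that
    are first reached k dependency hops away. Each node is assigned to the
    smallest frontier it appears in, so an image that pulls the package in by
    several paths (api below) is listed once. The seen-set also makes the walk
    safe on graphs with cycles.
    """
    frontiers = [{vulnerable}]
    seen = {vulnerable}
    queue = deque([(vulnerable, 0)])
    while queue:
        node, depth = queue.popleft()
        for dep in sorted(dependents.get(node, ())):
            if dep in seen:
                continue
            seen.add(dep)
            if len(frontiers) <= depth + 1:
                frontiers.append(set())
            frontiers[depth + 1].add(dep)
            queue.append((dep, depth + 1))
    return frontiers


def affected_downstream(dependents, vulnerable):
    """Everything that transitively consumes the vulnerable package."""
    return set().union(*patch_frontiers(dependents, vulnerable)[1:])


def first_patchable_frontier(frontiers, controlled):
    """Walk outward from the vulnerable package and return (k, nodes) for the
    first frontier containing something the caller can actually change, or
    None if nothing reachable is under the caller's control."""
    for k, frontier in enumerate(frontiers):
        hits = frontier & controlled
        if hits:
            return k, hits
    return None


if __name__ == "__main__":
    vuln = "pkg:golang/golang.org/x/net@v0.0.1"
    fr = patch_frontiers(DEPENDENTS, vuln)
    for k, f in enumerate(fr):
        print(f"frontier {k}: {sorted(f)}")
    # Constructed assumption: we own the container images but not the Go libraries.
    ours = {"pkg:oci/frontend@sha256:aaa", "pkg:oci/api@sha256:bbb"}
    print("patch here:", first_patchable_frontier(fr, ours))
```

The frontier you end up patching at is a trade-off: fixing at frontier 0 (the package) resolves the issue for every consumer, while patching at the image frontier fixes only your images and leaves the library itself vulnerable for anyone else who depends on it.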
Using the graph API, users can write custom queries for questions that aren’t supported out of the box. For example, Ben Cotton wrote a short Python script that checks for differences between the declared and detected licenses in software packages in the graph. This ability to ask arbitrary questions about the supply chain is what lets teams take quick action to resolve issues.
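As an added example of that kind of check (written for this post; it is not Ben Cotton's script and does not use GUAC's actual GraphQL schema), the function below compares a declared license expression with the one a scanner detected and reports the packages where they disagree. The record shape, with `package`, `declared` and `discovered` fields, is an assumption standing in for whatever a graph query returns, and the records themselves are constructed.

```python
"""Declared-vs-detected license check over constructed records.

Added illustration, not GUAC's code. The record shape is assumed: a package
purl, the license the package declares, and the license a scanner detected.
"""
import re

# Constructed sample records, in the shape a query client might hand back.
SAMPLE = [
    {"package": "pkg:npm/left-pad@1.3.0",
     "declared": "MIT", "discovered": "MIT"},
    {"package": "pkg:pypi/requests@2.31.0",
     "declared": "Apache-2.0", "discovered": "Apache-2.0 AND MIT"},
    {"package": "pkg:golang/example.com/tool@v0.4.1",
     "declared": "NOASSERTION", "discovered": "GPL-3.0-only"},
    {"package": "pkg:maven/org.example/lib@2.0",
     "declared": "BSD-3-Clause OR MIT", "discovered": "mit or bsd-3-clause"},
]

UNKNOWN = {"", "NOASSERTION", "NONE"}
# Split on whitespace-delimited SPDX operators and parentheses only, so
# identifiers such as GPL-3.0-or-later are not torn apart at "-or-".
_OPERATOR = re.compile(r"\s+(?:AND|OR|WITH)\s+|[()]", re.IGNORECASE)


def license_ids(expr):
    """Reduce an SPDX-style expression to the case-folded set of identifiers
    it names. Operators are dropped, so 'A OR B' equals 'B OR A'; that is
    deliberately loose (AND/OR semantics are ignored) but enough to flag a
    scanner seeing something the declaration never mentioned."""
    if expr is None or expr.strip().upper() in UNKNOWN:
        return set()
    return {t.strip().lower() for t in _OPERATOR.split(expr) if t.strip()}


def license_mismatches(records):
    """Return (package, declared, discovered, reason) for every record whose
    declared and discovered identifier sets differ."""
    out = []
    for r in records:
        declared = license_ids(r["declared"])
        detected = license_ids(r["discovered"])
        if declared == detected:
            continue
        if not declared:
            reason = "no declared license; scanner found " + ", ".join(sorted(detected))
        elif detected - declared:
            reason = "scanner found extra: " + ", ".join(sorted(detected - declared))
        else:
            reason = "declared but not detected: " + ", ".join(sorted(declared - detected))
        out.append((r["package"], r["declared"], r["discovered"], reason))
    return out


if __name__ == "__main__":
    for pkg, dec, disc, why in license_mismatches(SAMPLE):
        print(f"{pkg}: declared={dec!r} discovered={disc!r} -> {why}")
```

The "scanner found extra" case is usually the one worth a human look: a package that declares Apache-2.0 but ships a vendored MIT or GPL file is exactly what a declared-only SBOM field would hide.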
Looking forward
The problem will only continue to grow. Regulations like Europe’s Cyber Resilience Act (CRA) and customer requirements like Citi’s Requirements for Suppliers will place more demands on organizations to not only produce SBOMs, but to have a fuller understanding of their software supply chain. This makes tools like GUAC all the more important.
The GUAC community isn’t stopping with the 1.0 release. If you are interested in better managing your SBOMs and software supply chain metadata, come join our community.
About the Authors
Parth Patel is co-founder and Chief Product Officer at Kusari, where he focuses on bringing transparency and security to the forefront of all projects. He is an engineering leader with more than 15 years of cybersecurity, DevOps, software development, and automation experience. Parth is an active member within the open-source community, serving as a co-creator and lead maintainer on the GUAC project, and a maintainer for the CNCF in-toto attestations, CNCF in-toto golang, and FRSCA projects.
Brandon Lum is a seasoned technologist with a passion for designing and implementing security systems. His experience spans cutting-edge research at IBM Research, where he focused on zero trust workload identity, kernel attack surface reduction, and image encryption/signing, to security hardening and offensive security at KPMG and as part of the PPP CTF team. At Google, he is a lead of the Software Supply Chain Integrity (SSCI) observability initiative, where he spearheads the aggregation and synthesis of Google’s extensive software supply chain metadata, including SBOM, SLSA, and VEX, at scale. Beyond Google, Brandon is an influential figure in the open-source and security standards communities. He serves as Co-chair Emeritus of the CNCF Security TAG and maintains key security projects like SPDX, OpenVEX, GUAC, and SPIFFE/SPIRE.
Santiago Torres-Arias is an assistant professor at Purdue University, where he researches secure systems, applied cryptography, and software supply chain security. Santiago is the team lead of in-toto, a framework to secure the SDLC, as well as PolyPasswordHasher, a password storage mechanism, and is a GUAC maintainer.