The industry is collectively aware of the importance of supply chain security. Recent events include a sharp increase in software supply chain attacks, a catastrophic severity and breadth Log4j vulnerability, and even an Executive Order on Cybersecurity.
In light of this, Google is looking for contributors to the GUAC open source project (pronounced like the dip). Though still in its infancy, GUAC, or the Graph for Understanding Artifact Composition, has the potential to revolutionise how the software industry views software supply chains. GUAC fills a gap left by the expanding ecosystem-wide initiatives to produce software build, security, and dependency metadata.
In keeping with Google’s mission to organise and make the world’s information universally accessible and useful, GUAC is designed to democratise access to this security information by making it freely available and helpful for all organisations, not just those with enterprise-scale security and IT funding.
Organizations now have more readily available access to the following thanks to community collaboration in organisations like OpenSSF, SLSA, SPDX, CycloneDX, and others: (with SPDX-SBOM-Generator, Syft, kubernetes bom tool)
• verified statements about the creation of software (e.g. SLSA with SLSA3 Github Actions Builder, Google Cloud Build)
• Vulnerability databases, such as OSV.dev and the Global Security Database (GSD), that compile data from various ecosystems and make vulnerabilities easier to find and address.
Although these data are valuable on their own, it is challenging to combine and synthesise the data for a more complete picture. The documents are dispersed across various databases and producers, connected to various ecosystem components, and are difficult to aggregate in order to provide higher-level answers regarding the software assets of an organisation.
We collaborated with Kusari, Purdue University, and Citi to develop GUAC, a free tool that collects information on software security from numerous sources, in an effort to address this problem. The project’s proof of concept, which enables you to query a small dataset of software metadata including SLSA provenance, SBOMs, and OpenSSF Scorecards, is something we’re excited to share.
GUAC definition
Software security metadata is collected into a high-fidelity graph database by Graph for Understanding Artifact Composition (GUAC), which normalises entity identities and maps common relationships between them. Higher-level organisational outcomes like audit, policy, risk management, and even developer assistance can be driven by querying this graph.
The “aggregation and synthesis” layer of the software supply chain transparency logical model is where GUAC conceptually fits in:
GUAC’s four primary functional areas are as follows:
- Collection GUAC can be set up to connect to numerous sources of metadata on software security. Some sources may be first-party (like an organization’s internal repositories), some may be proprietary third-party, and some may be open and public (like OSV) (e.g., from data vendors).
- Ingestion GUAC imports data on artefacts, projects, resources, vulnerabilities, repositories, and even developers from its upstream data sources.
- Collation
Raw metadata from various upstream sources is ingested by GUAC, which then assembles it into a coherent graph by normalising entity identifiers, exploring the dependency tree, and reifying implicit entity relationships, such as project developer; vulnerability software version; artefact source repository, and so on. - Query
An assembled graph can be queried for metadata that is related to or associated with the graph’s entities. When an artefact is searched for, its SBOM, provenance, build chain, project scorecard, vulnerabilities, recent lifecycle events, and transitive dependencies may all be returned.
An organization’s CISO or compliance officer wants to be able to analyse the risk facing the company.
The Open Source Security Foundation, an open source organisation, seeks to identify crucial libraries for upkeep and security. Richer and more reliable intelligence about the dependencies in their projects is needed by developers.
The good news is that attestations and metadata are increasingly found in the upstream supply chain, enhancing it and enabling higher-level reasoning and insights. The bad news is that gathering this information into a unified view across all of their software assets is currently challenging or impossible for software users, operators, and administrators.
Tracing a component’s relationship to every other component in the portfolio is necessary to comprehend something complex like the blast radius of a vulnerability. This process may involve thousands of metadata documents from numerous sources.
The number of documents within the open source ecosystem could exceed millions.
Software security metadata is collected, synthesised, and made meaningful and usable at scale by GUAC. We will be able to respond to inquiries at three critical stages of software supply chain security with the help of GUAC:
o Proactive, What are the most frequently used critical components in my software supply chain ecosystem, for example?
Where in my overall security posture are the gaps?
How can I stop supply chain breaches in their tracks?
Where am I vulnerable to dangerous dependencies?
o Operational Is there proof that the application I’m about to deploy complies with organisation policy, for example?
Do all binaries in production have a secure management repository as their origin?
o Reactive, for instance, Which components of the inventory of my company are impacted by new vulnerability X?
There has been a suspicious project lifecycle event. Where does risk first enter my company?
A project that is open source is being retired. What impact do I feel?
Get Active
We are eager to increase participation and contributions to GUAC, an open source project on Github (read the contributor guide to get started). With a proof of concept that can ingest SLSA, SBOM, and Scorecard documents and support basic queries and exploration of software metadata, the project is still in its early stages. The following work will concentrate on expanding the capabilities currently available and adding new document types for ingestion. We appreciate assistance and code or documentation contributions.
We have put together a group of “Technical Advisory Members” to help advise the project because it will be consuming documents from numerous sources and formats. These members represent a variety of organisations and businesses, including SPDX, CycloneDX Anchore, Aquasec, IBM, Intel, and many others. You can indicate your interest in participating as a contributor or advisor who represents end users’ needs or the sources of metadata that GUAC uses in the pertinent GitHub issue.
The project will be presented by the GUAC team at Kubecon NA 2022 the following week. If you’re going to be there, stop by our session and chat with us. We’d be happy to do so in person or online.