GUAC – A Google Open Source Project to secure software supply chain

Google launched the Graph for the Understanding Artifact Composition (GUAC) project, to secure the software supply chain.

Google this week launched a new project named Graph for Understanding Artifact Composition (GUAC) which aims at securing the software supply chain. The IT giant is seeking contributors to the new project.

“GUAC, or Graph for Understanding Artifact Composition, is in the early stages yet is poised to change how the industry understands software supply chains. GUAC addresses a need created by the burgeoning efforts across the ecosystem to generate software build, security, and dependency metadata.” reads the post published by Google.

“GUAC is meant to democratize the availability of this security information by making it freely accessible and useful for every organization, not just those with enterprise-scale security and IT funding.”

Software supply chain attacks could have devastating consequences, they are more sophisticated to arrange from an attacker’s point of view, but are very stealthy and can allow targeting a wide audience.

Log4Shell and Solarwind attacks have demonstrated the effect of software supply chain attacks.

GUAC aggregates metadata from different sources, including databases of vulnerabilities, SLSA (Supply chain Levels for Software Artifacts), and software bills of materials (SBOM).

GUAC aggregates software security metadata into a high-fidelity graph database that can be queried to drive higher-level organizational outcomes such as audit, policy, risk management, and even developer assistance.

The analysis of the results of such queries can allow organizations to audit processes related to the software supply chain and analyze the cyber risk.

According to the IT giant, GUAC occupies the “aggregation and synthesis” layer of the software supply chain transparency logical model:

GUAC has four major areas of functionality, including metadata collection from a variety of sources, ingestion of data (on artifacts, resources, vulnerabilities, and more), data collation into a coherent graph, and user query for metadata attached to entities within the graph.

The project is still in its early stages, the PoC released by Google can ingest SLSA, SBOM, and Scorecard documents and support simple queries and exploration of software metadata. In the future, the company plans to add new document types for ingestion.

A proof of concept (PoC) of the project is available on GitHub.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, GUAC)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.