GUAC – A Google Open Source Project to secure software supply chain

Google launched the Graph for the Understanding Artifact Composition (GUAC) project, to secure the software supply chain.

Google this week launched a new project named Graph for Understanding Artifact Composition (GUAC) which aims at securing the software supply chain. The IT giant is seeking contributors to the new project.

“GUAC, or Graph for Understanding Artifact Composition, is in the early stages yet is poised to change how the industry understands software supply chains. GUAC addresses a need created by the burgeoning efforts across the ecosystem to generate software build, security, and dependency metadata.” reads the post published by Google.

“GUAC is meant to democratize the availability of this security information by making it freely accessible and useful for every organization, not just those with enterprise-scale security and IT funding.”

Software supply chain attacks could have devastating consequences, they are more sophisticated to arrange from an attacker’s point of view, but are very stealthy and can allow targeting a wide audience.

Log4Shell and Solarwind attacks have demonstrated the effect of software supply chain attacks.

GUAC aggregates metadata from different sources, including databases of vulnerabilities, SLSA (Supply chain Levels for Software Artifacts), and software bills of materials (SBOM).

GUAC aggregates software security metadata into a high-fidelity graph database that can be queried to drive higher-level organizational outcomes such as audit, policy, risk management, and even developer assistance.

The analysis of the results of such queries can allow organizations to audit processes related to the software supply chain and analyze the cyber risk.

According to the IT giant, GUAC occupies the “aggregation and synthesis” layer of the software supply chain transparency logical model:

GUAC has four major areas of functionality, including metadata collection from a variety of sources, ingestion of data (on artifacts, resources, vulnerabilities, and more), data collation into a coherent graph, and user query for metadata attached to entities within the graph.

The project is still in its early stages, the PoC released by Google can ingest SLSA, SBOM, and Scorecard documents and support simple queries and exploration of software metadata. In the future, the company plans to add new document types for ingestion.

A proof of concept (PoC) of the project is available on GitHub.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, GUAC)

[adrotate banner=”5″]

[adrotate banner=”13″]