November 2024 Community Meeting
Ben Cotton
20 Nov 2024
Join the GUAC community Thursday at 1PM Eastern (1800 UTC) for the November Community Meeting.
Topics include:
- Recap of KubeCon
- Ingesting trivy SBOMReports into GUAC
- A look at work-in-progress contributions for additional vulnerability metadata and a registry collector
- Update on a GUAC refactor plan
If you have your own topics to discuss or cool GUAC insights, join us and share with the community!
Zoom link and meeting notes are on the OpenSSF Calendar.
If you can’t make it, the recording will be posted to our YouTube channel.
GUAC Update: November 2024
Ben Cotton
01 Nov 2024
Welcome to the GUAC Update, a monthly review of what has happened in the GUAC community and what’s coming up. If you have feedback, please let us know. To include something in next month’s update, leave a comment in the issue.
New contributors
Thanks to the following people for making their first contributions in October (the people listed here may have contributed to other parts of the project previously):
- Abhiraj Adhikary: guac-docs#169
- Robbie Cronin: several contributions to GUAC and guac-docs
- Martin W. Kirst: guac#2207
- Rishikeshav Ravichandran: guac-docs#157
Releases
We had several releases for GUAC in October. These releases include performance improvements in certifiers, as well as the addition of batch queries for certain nodes. Version 0.8.9 introduced a compatibility-breaking change to the CLI as well.
Full details for each release are below:
- GUAC v0.8.9
- GUAC v0.9.0 (blog post)
- GUAC v0.9.1
- GUAC v0.10.0 (blog post)
- GUAC v0.10.1
- GUAC v0.10.2
- GUAC v0.11.0 (blog post)
- GUAC v0.11.0
Note: We do not typically publish blog posts for bugfix releases.
Events
If you couldn’t make it to SOSS Fusion in Atlanta, you can watch the recordings:
- GUAC maintainer Mihai Maruseac presented “End-to-End Secure ML Development”
- GUAC maintainer Jeff Mendoza presented “Scorecard at Scale: Old and New Possibilities for Lifting Security on All Repositories”
And be sure to check out these upcoming events:
- Cloud Native Rejekts in Salt Lake City, UT on November 11, 2024:
- GUAC maintainer Parth Patel will present “Papers, Please - Scrutinizing AI model creation”
- KubeCon & CloudNativeCon in Salt Lake City, UT on November 12–15, 2024:
- Open Source Security on Tap party hosted by Kusari, ActiveState, and ControlPlane
- Join several GUAC maintainers and contributors at the Kusari booth (Q37)
Coming up
Be sure to join us in the weekly Maintainer Meetings, monthly Community Meeting, or on Slack and office hours, to participate in the conversation.
Tags: guac-update | community | events | releases
GUAC v0.11.0 released
GUAC Maintainers
28 Oct 2024
GUAC v0.11.0 is now available, with improved query capabilities.
You can now perform batch searches for isDependency, CertifyVuln, and CertifyLegal nodes via a package ID.
The following batch searches are now supported in GraphQL:
- BatchQueryPkgIDCertifyLegal — CertifyLegal nodes (licenses)
- BatchQueryPkgIDCertifyVuln — CertifyVuln nodes (known vulnerabilities)
- BatchQuerySubjectPkgDependency — IsDependency nodes that have the subject package ID
- BatchQueryDepPkgDependency — IsDependency nodes that have the dependency package ID
This new functionality enables easier reporting of common questions. See the v0.11.0 release page for full details of this release.
Tags: releases
Finding software licenses with GUAC
Ben Cotton
18 Oct 2024
Licenses are the foundation of open source software. They grant the permissions that we rely on to use, inspect, and modify code. But software licenses can also place obligations on you. This is why it’s important to know what licenses exist in your dependency graph.
GUAC records the license information provided in your software bills of materials (SBOMs) into a CertifyLegal node. That information isn’t always complete, though, so GUAC augments it with information from deps.dev and ClearlyDefined. This gives you a lot of information to work with. For example: you can find packages where ClearlyDefined’s scan yields a different set of licenses than what the project reports.
To start, you can use a GraphQL query to return all packages and source locations with a CertifyLegal node:
{
  CertifyLegal(certifyLegalSpec: {}) {
    discoveredLicense
    declaredLicense
    subject {
      ... on Package {
        namespaces {
          namespace
          names {
            name
          }
        }
      }
      ... on Source {
        namespaces {
          namespace
          names {
            name
          }
        }
      }
    }
  }
}
But what do you do with the output? I wrote a short Python script that gets data from your GUAC server with the query above. It then looks for packages and sources where the declared and discovered license strings don’t match. Because this can be a long list (the demo data returns hundreds of results), you can also write the output to a CSV file.
This script is a simple demo. It does not account for trivial differences. It also doesn’t try to make sense of the practical impact of license combinations. You can see, though, how you can quickly write your own script to find out the answer to your own questions.
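The check described above, written here as an added example rather than the author’s script: it runs the CertifyLegal query from this post, flags nodes whose declared and discovered license strings differ, and renders the result as CSV. It goes slightly beyond the post by ignoring case and whitespace differences and by skipping nodes where one side is simply missing; the GraphQL endpoint URL and the sample response data are assumptions constructed for the example.

```python
"""Report GUAC CertifyLegal nodes whose declared and discovered licenses differ."""
import csv
import io
import json
import urllib.request

# The GraphQL query from the post, in compact form.
CERTIFY_LEGAL_QUERY = """
{
  CertifyLegal(certifyLegalSpec: {}) {
    discoveredLicense
    declaredLicense
    subject {
      ... on Package { namespaces { namespace names { name } } }
      ... on Source { namespaces { namespace names { name } } }
    }
  }
}
"""


def fetch_certify_legal(endpoint="http://localhost:8080/query"):
    """POST the query to a GUAC GraphQL server; the endpoint URL is an assumption."""
    req = urllib.request.Request(
        endpoint,
        data=json.dumps({"query": CERTIFY_LEGAL_QUERY}).encode(),
        headers={"Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["data"]["CertifyLegal"]


def subject_names(subject):
    """Flatten a Package or Source subject into 'namespace/name' strings."""
    out = []
    for ns in subject.get("namespaces", []):
        prefix = ns.get("namespace") or ""
        for n in ns.get("names", []):
            out.append(f"{prefix}/{n['name']}" if prefix else n["name"])
    return out


def normalize(expr):
    """Collapse whitespace and case so trivially different strings compare equal.
    SPDX expressions are otherwise compared literally, not semantically."""
    return " ".join((expr or "").split()).upper()


def find_mismatches(nodes):
    """Rows (subject, declared, discovered) where the two license strings differ.
    Nodes missing either string are skipped: a gap is not a conflict."""
    rows = []
    for node in nodes:
        declared = node.get("declaredLicense") or ""
        discovered = node.get("discoveredLicense") or ""
        if not declared or not discovered:
            continue
        if normalize(declared) == normalize(discovered):
            continue
        for subj in subject_names(node.get("subject") or {}):
            rows.append((subj, declared, discovered))
    return rows


def to_csv(rows):
    """Render mismatch rows as CSV text with a header line."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["subject", "declared", "discovered"])
    writer.writerows(rows)
    return buf.getvalue()


# Constructed sample data shaped like the query response (not real GUAC output).
SAMPLE_NODES = [
    {"declaredLicense": "MIT", "discoveredLicense": "MIT",
     "subject": {"namespaces": [{"namespace": "github.com/acme", "names": [{"name": "util"}]}]}},
    {"declaredLicense": "Apache-2.0", "discoveredLicense": "Apache-2.0 AND MIT",
     "subject": {"namespaces": [{"namespace": "", "names": [{"name": "zlib"}]}]}},
    {"declaredLicense": "mit", "discoveredLicense": "MIT",  # equal after normalization
     "subject": {"namespaces": [{"namespace": "github.com/acme", "names": [{"name": "widget"}]}]}},
    {"declaredLicense": "", "discoveredLicense": "BSD-3-Clause",  # gap, not a conflict
     "subject": {"namespaces": [{"namespace": "github.com/acme", "names": [{"name": "lib"}]}]}},
    {"declaredLicense": "GPL-2.0-only", "discoveredLicense": "GPL-2.0-or-later",
     "subject": {"namespaces": [{"namespace": "github.com/example",
                                 "names": [{"name": "a"}, {"name": "b"}]}]}},
]

if __name__ == "__main__":
    # Against a live server: fetch, compare, and write CSV to stdout.
    print(to_csv(find_mismatches(fetch_certify_legal())), end="")
```

Run it as-is to query a local GUAC server, or call find_mismatches(SAMPLE_NODES) to see three mismatch rows from the constructed data.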
The power of GUAC is the way it enriches your SBOMs. It collects additional information to make searches like this possible. If you do something interesting with this, we’d love to hear about it. Let us know in Slack or at an upcoming community meeting. The community page has all the details.
Tags: guac-does-that
October 2024 Community Meeting
Ben Cotton
16 Oct 2024
Join the GUAC community Thursday at 1PM Eastern (1700 UTC) for the October Community Meeting.
Topics include:
- Maintainer decisions about supported GUAC backends
- A look at the stats of our demo pages and how we might change them
If you have your own topics to discuss or cool GUAC insights, join us and share with the community!
Zoom link and meeting notes are on the OpenSSF Calendar.
If you can’t make it, the recording will be posted to our YouTube channel.
GUAC v0.10.0 released
GUAC Maintainers
11 Oct 2024
GUAC v0.10.0 is now available.
Version 0.10.0 contains several fixes, one of which makes a minor change to GraphQL queries.
Previously, a certifier query could hit PostgreSQL’s limit of 65535 parameters. Now the queryPackagesListForScan query is split into two: a listing of non-GUAC-type package IDs that require rescanning, and a second query that gives the certifier a list of packages to scan.
This release also contains a fix from Robbie Cronin for query failures in the key-value backend when a CertifyLegal node is empty.
See the v0.10.0 release page for full details.
Tags: releases
GUAC Update: October 2024
Ben Cotton
04 Oct 2024
Welcome to the inaugural GUAC Update, a monthly review of what has happened in the GUAC community and what’s coming up. If you have feedback, please let us know. To include something in next month’s update, leave a comment in the issue.
New contributors
Thanks to the following people for making their first contributions in September (the people listed here may have contributed to other parts of the project previously):
- Anirudh Edpuganti: guac-docs#149
- Ben Cotton: several contributions to GUAC Visualizer
- Parth Patel: several contributions to GUAC Visualizer
Releases
We had several releases for GUAC and GUAC Visualizer in September. Enhancements and bug fixes abound. For GUAC, these releases include network retries for certifiers, improvements to SBOM parsing, and adding the ClearlyDefined certifier to the compose files. The GUAC Visualizer release adds a new information window that includes quick facts on vulnerabilities, SBOMs, and SLSA.
Full details for each release are below:
- GUAC v0.8.3
- GUAC v0.8.4 (blog post)
- GUAC v0.8.5
- GUAC v0.8.6 (blog post)
- GUAC v0.8.7 (blog post)
- GUAC v0.8.8
- GUAC Visualizer v0.4.5 (blog post)
Note: We will not typically publish blog posts in the future for bugfix releases.
Events
Tell your friends: GUAC is participating in Hacktoberfest this year. If you’re looking for other projects to participate in, GUAC can help.
In case you missed it, check out the episode of Cloud Native Live where Soham Arora, Parth Patel, and Ben Cotton presented several GUAC use cases beyond security.
And be sure to check out these upcoming events:
- SOSS Fusion in Atlanta, GA on October 22–23, 2024:
- GUAC maintainer Mihai Maruseac will be presenting “End-to-End Secure ML Development”
- GUAC maintainer Jeff Mendoza will be presenting “Scorecard at Scale: Old and New Possibilities for Lifting Security on All Repositories” with Stephen Augustus
- SECTOR in Toronto, ON on October 22–24, 2024:
- GUAC maintainer Parth Patel will present GUAC in the Arsenal
- Cloud Native Rejekts in Salt Lake City, UT on November 11, 2024:
- GUAC maintainer Parth Patel will present “Papers, Please - Scrutinizing AI model creation”
- KubeCon & CloudNativeCon in Salt Lake City, UT on November 12–15, 2024:
- Join several GUAC maintainers and contributors at the Kusari booth (Q37)
Coming up
Be sure to join us in the weekly Maintainer Meetings, monthly Community Meeting, or on Slack and office hours, to participate in the conversation.
Tags: guac-update | community | events | releases
GUAC v0.9.0 released
GUAC Maintainers
04 Oct 2024
GUAC v0.9.0 is now available. This release includes a compatibility-breaking change in the CLI introduced in v0.8.9.
Version 0.9.0 improves performance of certifiers by not re-querying recently-updated packages.
The new last-scan option takes a numeric value in hours and excludes packages that were updated within that time frame. The last-scan option defaults to 4. Using a value of 0 forces the certifier to re-query all packages.
Version 0.8.9 introduced a compatibility-breaking change to the vulnerability query command line. Commands now take the form guacone query vuln <type> <input>, where type is one of “artifact”, “purl”, or “uri” and input is a corresponding string. This enables support for searching for vulnerabilities via artifact.
In addition, the new releases include several smaller bug fixes. See the v0.8.9 and v0.9.0 release pages for full details.
Tags: releases
Finding Hacktoberfest projects with GUAC
Ben Cotton
26 Sep 2024
It’s almost October, which means Hacktoberfest is just around the corner. The best way to ensure your supply chain is secure and well-maintained is to contribute upstream. Hacktoberfest can be a forcing function to start your upstream contributions. But how do you figure out which Hacktoberfest participants are in your dependency graph? Use GUAC!
GUAC uses information from your software bills of materials (SBOMs) and the deps.dev service to build a graph of your software dependencies.
Included in this information is the HasSourceAt node, which gives the location of the package’s source code. This is often a GitHub or GitLab repository. Conveniently, both of these sites are official sites for Hacktoberfest. Projects hosted on either of those platforms can opt in by adding the “hacktoberfest” topic. Both GitHub and GitLab offer an API for searching for projects. So all of the information you need exists, you just have to tie it together.
The GraphQL query to return all packages with a HasSourceAt node is straightforward:
{
  HasSourceAt(hasSourceAtSpec: {}) {
    source {
      type
      namespaces {
        namespace
        names {
          name
        }
      }
    }
  }
}
But what do you do with the output? I wrote a short Python script that gets data from your GUAC server with the query above. It then pulls a list of Hacktoberfest projects from GitHub and GitLab. Finally, it prints any of your dependencies that appear in the Hacktoberfest list. In just a minute or two, you can have a list of projects to go work on.
The output for the demo data includes seven projects as of this writing:
Here are the Hacktoberfest projects in your GUAC data:
github.com/grpc/grpc-go
github.com/schollz/progressbar
github.com/gopherjs/gopherjs
github.com/google/go-github
github.com/containerd/containerd
github.com/grpc/grpc-go
github.com/containerd/containerd
Of course, you’re not limited to what’s in this example script. You could modify it to rank based on OpenSSF Scorecard scores, the number of times a dependency appears in the graph, or other factors you can think of. The power of GUAC is the way it enriches your SBOMs. It collects additional information to make searches like this possible. If you do something interesting with this, we’d love to hear about it. Let us know in Slack or at an upcoming community meeting. The community page has all the details. If you want to contribute to GUAC as part of Hacktoberfest, we’re participating.
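The same join the post describes, as an added example that is not the author’s script: it flattens the HasSourceAt results into canonical “host/owner/repo” keys, pulls repositories carrying the “hacktoberfest” topic from the GitHub search API and the GitLab projects API, and prints the intersection. Unlike the demo output above it de-duplicates the result; the GUAC endpoint URL, the page limits, and the sample data are assumptions constructed for the example.

```python
"""Match GUAC HasSourceAt sources against Hacktoberfest-topic repositories."""
import json
import urllib.parse
import urllib.request

# The GraphQL query from the post, in compact form.
HAS_SOURCE_AT_QUERY = """
{
  HasSourceAt(hasSourceAtSpec: {}) {
    source { type namespaces { namespace names { name } } }
  }
}
"""


def graphql(endpoint, query):
    """POST a GraphQL query and return its 'data' object (endpoint is an assumption)."""
    req = urllib.request.Request(
        endpoint,
        data=json.dumps({"query": query}).encode(),
        headers={"Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["data"]


def normalize_repo(namespace, name):
    """Canonical 'host/owner/repo' key: lower-case, no scheme, no .git suffix."""
    path = f"{namespace}/{name}" if namespace else name
    path = path.lower()
    for scheme in ("https://", "http://"):
        if path.startswith(scheme):
            path = path[len(scheme):]
    if path.endswith(".git"):
        path = path[:-4]
    return path.strip("/")


def source_repos(has_source_at_nodes):
    """Flatten HasSourceAt results into a set of canonical repo keys."""
    repos = set()
    for node in has_source_at_nodes:
        for ns in node["source"]["namespaces"]:
            for n in ns["names"]:
                repos.add(normalize_repo(ns["namespace"], n["name"]))
    return repos


def github_hacktoberfest_repos(page_limit=10):
    """Repositories with the 'hacktoberfest' topic via the GitHub search API.
    Search returns at most 1000 results and unauthenticated calls are rate-limited."""
    repos = set()
    for page in range(1, page_limit + 1):
        params = {"q": "topic:hacktoberfest", "per_page": 100, "page": page}
        url = "https://api.github.com/search/repositories?" + urllib.parse.urlencode(params)
        req = urllib.request.Request(url, headers={"Accept": "application/vnd.github+json"})
        with urllib.request.urlopen(req, timeout=30) as resp:
            items = json.load(resp).get("items", [])
        if not items:
            break
        repos.update("github.com/" + item["full_name"].lower() for item in items)
    return repos


def gitlab_hacktoberfest_repos(page_limit=10):
    """Projects with the 'hacktoberfest' topic via the GitLab projects API."""
    repos = set()
    for page in range(1, page_limit + 1):
        params = {"topic": "hacktoberfest", "per_page": 100, "page": page}
        url = "https://gitlab.com/api/v4/projects?" + urllib.parse.urlencode(params)
        with urllib.request.urlopen(url, timeout=30) as resp:
            items = json.load(resp)
        if not items:
            break
        repos.update("gitlab.com/" + item["path_with_namespace"].lower() for item in items)
    return repos


def matching_projects(has_source_at_nodes, hacktoberfest_repos):
    """Sorted, de-duplicated dependencies that are Hacktoberfest participants."""
    return sorted(source_repos(has_source_at_nodes) & hacktoberfest_repos)


# Constructed sample data shaped like the query response (not real GUAC output).
SAMPLE_NODES = [
    {"source": {"type": "git", "namespaces": [
        {"namespace": "github.com/grpc", "names": [{"name": "grpc-go"}]}]}},
    {"source": {"type": "git", "namespaces": [
        {"namespace": "https://github.com/containerd", "names": [{"name": "containerd.git"}]}]}},
    {"source": {"type": "git", "namespaces": [
        {"namespace": "github.com/grpc", "names": [{"name": "grpc-go"}]}]}},  # duplicate
    {"source": {"type": "git", "namespaces": [
        {"namespace": "gitlab.com/example", "names": [{"name": "notparticipating"}]}]}},
]
SAMPLE_HACKTOBERFEST = {"github.com/grpc/grpc-go", "github.com/containerd/containerd",
                        "gitlab.com/other/project"}

if __name__ == "__main__":
    nodes = graphql("http://localhost:8080/query", HAS_SOURCE_AT_QUERY)["HasSourceAt"]
    participants = github_hacktoberfest_repos() | gitlab_hacktoberfest_repos()
    print("Here are the Hacktoberfest projects in your GUAC data:")
    for repo in matching_projects(nodes, participants):
        print(repo)
```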
Tags: guac-does-that
GUAC in Hacktoberfest 2024
Ben Cotton
25 Sep 2024
This year marks the 11th edition of Hacktoberfest, the annual event to celebrate and promote contribution to open source projects. The GUAC project is participating with two of our repos: the GUAC Docs and GUAC Visualizer. You can find specifics about what we’re looking for below, but all contributions are welcome.
To participate, register on the Hacktoberfest website. If you have four pull requests merged to any participating repository in October, you get a digital badge from Hacktoberfest. If you have any pull request merged to a GUAC repo, Kusari will send you some GUAC swag!
See the contributing page on the website and the README files in each repo for information on how to contribute to GUAC. If you have any questions, join us on Slack or in the GUAC Time office hours.
GUAC Docs
The guac-docs repo contains the source for the documentation and demos at docs.guac.sh. We have good demos that show the basics of how GUAC works, but we need more reference material and explanations of how GUAC works. The repo has a good set of issues with suggestions, but we’d welcome any other improvements you can think of. Even if you can’t contribute the documentation, opening an issue in this repo for anything you find confusing or missing would be a big help, too.
GUAC Visualizer
The experimental GUAC Visualizer is a way to visually display and explore the supply chain. This repo isn’t a core focus of the project, but it’s an important part of demos and the onboarding experience. We’d love to have your help improving this tool. GUAC Visualizer is a Next.js application. There are some open issues to work on, or you can bring your own ideas.
GUAC v0.8.7 released
GUAC Maintainers
25 Sep 2024
GUAC v0.8.7 is now available. This release includes a fix for a bug that could lead to a panic when querying for vulnerabilities using an SBOM URI. It also adds logging for the beginning and end of certifier runs. The GitHub release page includes a full list of changes.
Tags: releases
guac-visualizer 0.4.5 released
GUAC Maintainers
24 Sep 2024
Version 0.4.5 of the experimental GUAC Visualizer is now available. The GUAC Visualizer is an experimental utility that can be used to interact with GUAC services. It acts as a way to visualize the software supply chain graph and explore the supply chain.
The main change in version 0.4.5 is the addition of a new window that displays known information about a package. This package information box, contributed by Shafee Ahmed, gives you quick access to information about a package’s vulnerabilities, SBOM source, and SLSA attestations.
This release also includes an update of the GraphQL schema to work with recent GUAC releases, plus a few other minor fixes and dependency updates. See the GitHub release page for a full list of changes. It includes first-time contributions to the GUAC Visualizer from:
If you paid close attention to the GUAC Visualizer, you might have noticed that the previous release was version 0.3.1. What happened in between? Several changes in the build pipeline were necessary due to changes in the tools we use. Versions 0.4.0 through 0.4.4 were part of the diagnosis and remediation of build pipeline issues. As part of this work, we’ve now created a CI build workflow that runs a build on all pull requests. This is a common practice and will help us catch some issues earlier. We’d love your help with GUAC Visualizer. See the “help wanted” or “good first issue” tags in GitHub for suggestions.
Tags: releases | guac-visualizer
GUAC v0.8.6 released
GUAC Maintainers
19 Sep 2024
GUAC v0.8.6 is now available. It fixes one bug from the just-released version 0.8.5, which includes a few improvements. The command line vulnerability query now searches for hasSBOM nodes on artifacts. In addition, the CycloneDX parser now captures version for image artifacts. Finally, the Docker compose files provided in the release now include the ClearlyDefined certifier that was added in GUAC 0.8.0.
This release also contains several bug fixes. The GitHub release page has a complete list of changes in this release. Want to contribute to GUAC? You can join our community.
Tags: releases
September 2024 Community Meeting
Ben Cotton
18 Sep 2024
Join the GUAC community Thursday at 1PM Eastern (1700 UTC) for the September Community Meeting.
Topics include:
- Demo of some example guac scripts: guactober & license_check
- New guac-visualizer release
- Hacktoberfest participation: guac-docs and guac-visualizer
If you have your own topics to discuss or cool GUAC insights, join us and share with the community!
Zoom link and meeting notes are on the OpenSSF Calendar.
If you can’t make it, the recording will be posted to our YouTube channel.
GUAC use cases beyond security on CNCF Live
Ben Cotton
17 Sep 2024
Join members of the GUAC Community for another episode of Cloud Native Live on Tuesday, September 24. In a previous episode of Cloud Native Live, we showed how GUAC can be used to locate and remediate vulnerabilities. But fully understanding the software supply chain is more than just finding vulnerabilities.
In this session, you’ll learn about other insights that GUAC can help you discover, from licenses to dependencies participating in Hacktoberfest. Plus, you’ll see how GUAC can be used as a Kubernetes admission controller.
Join us for another fun session to taco’bout GUAC! RSVP on the event page or catch the recording on the CNCF YouTube channel.
Tags: events
GUAC at Open Source Summit Europe
Mike Lieberman
11 Sep 2024
If you’ll be at Open Source Summit Europe in Vienna next week, be sure to catch these sessions.
I am a panelist on the “Improving the Software Supply Chain” along with Tom Hennen from Google, Arnaud Le Hors from IBM, and Aeva Black from CISA. We’ll be discussing various projects under the OpenSSF and CNCF umbrellas, including GUAC, SLSA, and S2C2F. We’ll discuss what those names mean and how the open source communities behind them help improve software supply chain security. Join us on Tuesday at 11:00 CEST in room 2.15.
As you roam the expo hall, stop by the OpenSSF booth between 1:30 and 2:30 PM Monday through Wednesday. I’ll be there to chat and give GUAC demos. Stick around after Open Source Summit for the OpenSSF Community Day. I hope to see you there!
Tags: events
GUAC v0.8.4 released
GUAC Maintainers
11 Sep 2024
GUAC v0.8.4 is now available. This is a bugfix release. Astute readers will notice that there was no announcement for version 0.8.3. Shortly after 0.8.3 was released, we received reports that the rate limit was not working correctly with the deps.dev service. Version 0.8.4 fixes this on top of the other changes in the 0.8.3 release.
This release includes several fixes to SBOM parsing, including adding a documentRef attribute into client operations that reference hasSBOM and supporting the presence of multiple package URLs in SPDX SBOM externalRefs. It also has database fixes to add a connection timeout and to enable successful Atlas migration when ENT auto migration was used to create the initial database.
The GitHub release page has a complete list of changes in this release. Want to contribute to GUAC? You can join our community.
Tags: releases
Take us on your GUAC user journey
Abhishek Reddypalle, Brandon Lum, Ben Cotton
05 Sep 2024
Software is only useful when people can use it. We know GUAC is capable of addressing many problems people have securing their software supply chain, so we want to make sure it’s as usable as possible. To do that, we want to talk to you. We’d like to have a short call with you if you:
- Have read the GUAC landing page
- Are NOT a current power user of GUAC
- Tried to go through some of the GUAC demos (optional)
We want to learn what you’re doing today to secure your software supply chain, what your pain points are, and how GUAC could help you address them.
If you’re willing to have a chat with us, email ben@kusari.dev.
If you’ve already tried GUAC and have feedback, please let us know.
How Guidewire Cloud Platform is using and collaborating with GUAC
Ben Cotton
04 Sep 2024
Securing the software supply chain is paramount for the Guidewire Cloud Platform (GWCP). More than 540 insurers in 40 countries use GWCP and other Guidewire solutions to run insurance suite applications. GWCP uses GUAC to stay ahead of threats.
Anoop Gopalakrishnan, VP of Engineering at Guidewire, said:
To us, the biggest value is GUAC’s open nature and the community behind it. The advantage we see with GUAC is its flexibility and plugin architecture, which helps users achieve SLSA compliance at different levels.
Read the case study to learn more about how Guidewire Software uses GUAC.
Tags: case-study
GUAC v0.8.2 released
GUAC Maintainers
30 Aug 2024
GUAC v0.8.2 is now available. This release contains improvements to queries and database migrations.
The ClearlyDefined certifier now batches queries in order to speed performance. Calls to ClearlyDefined, OSV, and deps.dev are now rate-limited. The limits follow the service provider’s guidance. Rate limiting ensures that GUAC users get full responses and prevents GUAC from overloading information providers.
Version 0.8.2 also includes an image for Atlas migrations. This will enable seamless migrations to the Ent database layer when the schema changes across versions. Users upgrading persistent installations of version 0.7.0 and earlier will still need to run the migration script prior to upgrading to version 0.8.0 and later.
The GitHub release page has a complete list of changes in this release.
Tags: releases
New schedule for GUAC Time office hours
Ben Cotton
26 Aug 2024
The schedule for our regular GUAC Time office hours is changing. In order to simplify the schedule, we’ll start hosting GUAC Time at 11 AM Eastern on alternating Fridays. The new schedule begins this coming Friday (30 August). The OpenSSF calendar has the updated information.
We’re making this change so that it’s easier for everyone to remember when the office hours are. We chose 11 AM Eastern because it keeps the meeting from being too early for community members on the west coast of the Americas and too late for those in Europe.
GUAC Time is an informal “office hours” setting where you can drop in to talk about what you’re working on, ask questions, or have any other GUAC conversations. Everyone is welcome to join, including and especially those who are new to GUAC or the software supply chain security space more generally. We hope you’ll join us!
GUAC v0.8.1 released
GUAC Maintainers
19 Aug 2024
GUAC v0.8.1 is now available. This release contains a compatibility-breaking change to the database schema. It also includes several bug fixes and enhancements.
v0.8.1 makes a change in the update dependency schema to require dependencies be specified on a version, not just a package name. This will break persistent installations of version 0.7.0 and earlier. To upgrade to version v0.8.1, run the migration script prior to upgrading GUAC.
GUAC now returns hasSBOM and hasSLSA identifiers at ingestion time. This simplifies running subsequent queries and gives you a starting point for GUAC analysis.
This release also fixes bugs in some deps.dev queries and CycloneDX SBOM parsing. For a full list of changes, see the GitHub release page.
Tags: releases
August 2024 Community Meeting
Ben Cotton
14 Aug 2024
Join the GUAC community Thursday at 1PM Eastern (1700 UTC) for the August Community Meeting.
Topics include:
- Demo of the new ClearlyDefined integration
- Discussion of a user journey survey
- An update on a breaking change for re-ingesting SBOMs
- Your expectations for ingestion time
- Demo SBOM latest and vulnerability retrieval via REST API
- end-to-end test updates
If you have your own topics to discuss or cool GUAC insights, join us and share with the community!
Zoom link and meeting notes are on the OpenSSF Calendar.
If you can’t make it, the recording will be posted to our YouTube channel.
Help GUAC's docs rock!
Ben Cotton
09 Aug 2024
Calling all docs writers: we need you! Good documentation makes all of the difference when trying out a new piece of software. Supply chain security is important, so anything we can do to make GUAC easier to use helps us all.
What we’re looking for
We’ve made a start on GUAC’s documentation, but we’re not documentation experts. You are. We need your help to make the docs useful to people trying out GUAC or using it in production.
I opened some issues in the guac-docs repo to help get the process started. This is not an exhaustive list, of course. In fact, the issues that we haven’t identified are the most valuable area for your expertise.
We’d love to have you stick around the community long-term, but you don’t need to sign up for a long-term commitment. One-time fixes of any size are welcome. After all, incremental improvement is still improvement.
About our docs
GUAC’s documentation is published to docs.guac.sh from the guacsec/guac-docs repo on GitHub. The docs themselves are written in Markdown and rendered with Jekyll and the Just the Docs theme. Contributions to the GUAC documentation are governed by the OpenSSF Code of Conduct.
If you see something on the main GUAC website, we’re happy to accept those reports and contributions, too. See the guacsec/guac-landing repo on GitHub.
Join the community!
If you see a place you want to contribute, join right in! If you have questions, the GUAC Community is happy to help. Join us in #guac on the OpenSSF Slack.
Mixing license information into your GUAC
Ben Cotton
01 Aug 2024
GUAC v0.8.0, which was released last week, includes the addition of a new data source for GUAC users: license data from ClearlyDefined. While GUAC previously supported reading license information from software bills of materials (SBOMs), adding support for ClearlyDefined represents a big step forward. ClearlyDefined provides a vetted and accurate representation of license information for a given release of software.
Software licenses aren’t strictly a security concern, but they’re a key fact about your dependencies. Full software supply chain observability includes knowing the licenses in your supply chain, which helps you ensure you’re following license terms and your organizational requirements.
How GUAC uses ClearlyDefined
GUAC maintainer Parth Patel decided to implement ClearlyDefined support as a certifier instead of a collector in order to ensure GUAC re-runs the query. GUAC certifiers run on a scheduled basis to capture up-to-date information that may have changed since the last run. License data is always incomplete because developers are always shipping new software releases, so this regular query ensures GUAC captures new license information. If you choose, you can also have GUAC query ClearlyDefined when you ingest a new SBOM, although this does slow down the ingestion process.
GUAC is a tool for giving the information you need to make decisions, not to make decisions for you. As a result, GUAC does not try to guess which response is accurate if the information in the SBOM and the information from ClearlyDefined conflict. Both result in the creation of a CertifyLegal node in the graph, so you can decide which is more trustworthy on a case-by-case basis.
Internally, GUAC uses package URLs (pURLs) to identify specific software package releases. However, ClearlyDefined uses a scheme they call “coordinates”. Part of implementing support in GUAC meant developing a library to convert pURLS to coordinates. Working with the ClearlyDefined community, Parth was able to develop a reference for mapping between the two systems. In a great example of cross-community collaboration, ClearlyDefined added comprehensive documentation for coordinates based on Parth’s work.
One note of caution: ClearlyDefined’s API does not currently support batched queries. As a result, processing large dependency graphs may take longer due to rate limiting. Issue #1168 is open to add batched queries.
About ClearlyDefined
Started at Microsoft, ClearlyDefined is now an incubating project within the Open Source Initiative (OSI). ClearlyDefined provides a centralized, curated source of information about software licenses. The community takes public contributions and evaluates them in an open manner, resulting in a trusted source of information. In addition, ClearlyDefined’s harvester services automatically search for license information when the ClearlyDefined service receives a request it can’t answer. This helps fill the gap in information when a software producer does not include license information in an SBOM.
How you can help
If you have a use case that’s well-served by this new feature, we’d love to hear about it. If you have a use case that isn’t well-served, we want to know that, too. Let us know in a GitHub issue, on Slack, or in one of our regular meetings. See the Community page for more information. We also welcome your contribution of new features to help expand GUAC’s capabilities.
The ClearlyDefined project is looking for contributions to code and license information. See their “Get involved” documentation for more information.
GUAC v0.8.0 released
GUAC Maintainers
25 Jul 2024
GUAC v0.8.0 is now available.
This release brings support for license information, node deletion, and many other improvements.
You can now run vulnerability scans immediately on SBOM ingestion with the --add-vuln-on-ingest flag instead of waiting for the OSV certifier to run. To better represent the real world, the isDependency relationship now only exists on package versions instead of the package name.
For a full list of changes, see the release page on GitHub.
License information support
GUAC v0.8.0 adds support for parsing license information provided in CycloneDX SBOMs. The new release also includes a new experimental ClearlyDefined certifier. GUAC will query the ClearlyDefined license data store to discover license information for packages, even when the SBOM does not include that information.
Although licenses don’t directly impact security, they are an important part of understanding your software supply chain. We’re excited to expand GUAC’s capabilities in this area.
Node deletion
GUAC v0.8.0 adds support for deleting the following evidence nodes: certifyVuln, hasSBOM, and hasSLSA. This is helpful when SBOMs were ingested by accident or as part of a short-term demo. Delete is supported in both the key value and the ENT backends.
If there are other nodes that you have a use case for deleting, please file an issue to let us know.
Join the community
Thanks to the 10 contributors who made this release possible, including new contributor Collin Berman. We’d love to have your contribution. If you have use cases GUAC should support, or want to contribute to our code or documentation, join us!
Tags: releases
GUAC mailing lists moving to OpenSSF
Ben Cotton
21 Jun 2024
The GUAC mailing lists are moving from Google Groups to the OpenSSF list server. Join GUAC@lists.openssf.org to continue receiving updates and participating in the conversation. This list is open for all community discussion of GUAC. The Google Groups list will enter read-only mode after the July 18 GUAC Community Meeting.
The GUAC maintainer list is also moving. Use GUAC-maintainers@lists.openssf.org to report security issues or other confidential concerns to the maintainers.
We look forward to chatting with you on the mailing list and in #GUAC on the OpenSSF Slack.
Tags: community
GUAC v0.7.0 released
GUAC Maintainers
04 Jun 2024
The GUAC maintainers are happy to announce the release of GUAC v0.7.0. This release includes several pagination features to improve the performance of queries that return large result sets. Also new in v0.7.0, the collector supports reading from a directory inside an Amazon S3 bucket, in addition to the previously supported single file and whole-bucket reads. We’ve improved CycloneDX parsing so that transitive dependencies are represented more accurately. And building on the persistent backend added in v0.6.0, the new release adds support for automatic schema migrations.
As always, we thank the community members who contributed to this release. We’d love to have you join the GUAC community. See the Contributor Guide for how to get started, and register for an upcoming program below.
- June 6 | 10am Pacific, 1pm Eastern - Proactive Supply Chain Security with GUAC
- June 11 | 9am Pacific, 12pm Eastern - GUAC 101: Dip into the Delicious World of Software Supply Chain Security
- June 20 | 10am Pacific, 1pm Eastern - GUAC Community Meeting
Tags: releases
GUAC maintainer meetings now public
GUAC Maintainers
29 May 2024
In the interests of a transparent open source community, the weekly GUAC Maintainer meetings are now public. Join us on Mondays at 11 AM Eastern. The meeting is open to interested community members, but is primarily for maintainer discussion. For general questions and discussion, join us in #guac on the OpenSSF Slack.
Upcoming OpenSSF and CNCF webinars
Ben Cotton
17 May 2024
Join us for two upcoming webinars to learn more about GUAC.
- OpenSSF Tech Talk — 6 Jun at 1 PM Eastern (1700 UTC)
- CNCF Live — 11 Jun at noon Eastern (1600 UTC)
Tags: events
Graph for Understanding Artifact Composition (GUAC) adds persistent storage in v0.6.0 release
GUAC Maintainers
06 May 2024
The GUAC community maintainers, contributors and collaborators are thrilled to announce – GUAC is persistent! Following a year-long effort of significant collaboration and development, GUAC has standardized on and fully supports the popular open source database system, PostgreSQL, for its persistent backend storage.
Tags: releases
Graph for Understanding Artifact Composition (GUAC) Joins OpenSSF as Incubating Project
GUAC Maintainers
07 Mar 2024
The GUAC maintainers are pleased to announce the project has joined the Open Source Security Foundation (OpenSSF) as an Incubating Project.
Tags: community
Terror of cURL - Preparation is half the battle
Parth Patel, Brandon Lum, Mihai Maruseac
16 Oct 2023
Last week, on October 11th, we finally found out more information on the high-severity CVE that affected numerous versions of cURL. Everyone was waiting in dreaded anticipation to determine if they were affected or not!
GUAC allows you to be proactive in responding to threats without waiting for the CVEs to be released, reducing the MTTR significantly! In our latest combined blog with Brandon Lum and Mihai Maruseac, we discuss this in greater detail and provide insight.
Quest to determine the 'G' in GUAC
Parth Patel
27 Jun 2023
As we work to meet the goals of persistence in GUAC, we are running a series of analyses and comparisons among the many different graph database options. GUAC has a few critically important requirements for the backend, including: efficient ingestion of data, performant complex queries, the schema in which the data is stored, and finally optimization of the query based on the specific language.
Announcement for the GUAC v0.1 beta release
Tim Miller
24 May 2023
Kusari is excited to announce the v0.1 beta release of GUAC — Graph for Understanding Artifact Composition. This open-source tool, created in partnership with Google and with valuable input from Purdue University and Citi, is set to change the game in software supply chain analysis.
Tags: releases
Announcing the launch of GUAC v0.1
Brandon Lum, Mihai Maruseac
24 May 2023
Today, we are announcing the launch of the v0.1 version of Graph for Understanding Artifact Composition (GUAC). Introduced at Kubecon 2022 in October, GUAC targets a critical need in the software industry to understand the software supply chain. In collaboration with Kusari, Purdue University, Citi, and community members, we have incorporated feedback from our early testers to improve GUAC and make it more useful for security professionals. This improved version is now available as an API for you to start developing on top of, and integrating into, your systems.
Tags: releases
A high fidelity view of software supply chain
20 Oct 2022
Understanding and maintaining your software supply chain can be a task that needs 24/7 vigilance. The recent report from Sonatype: State of the Software Supply Chain has shown that supply chain attacks are on the rise (742% average annual increase in the past 3 years). Along with the fact that 6 out of the 7 project vulnerabilities come from transitive dependencies, the industry is in desperate need of having a clear, holistic understanding of the software supply chain.
Announcing GUAC, a great pairing with SLSA (and SBOM)!
Brandon Lum, Mihai Maruseac, Isaac Hepworth
20 Oct 2022
Supply chain security is at the fore of the industry’s collective consciousness. We’ve recently seen a significant rise in software supply chain attacks, a Log4j vulnerability of catastrophic severity and breadth, and even an Executive Order on Cybersecurity.