GUAC Blog

Software is only useful when people can use it. We know GUAC is capable of addressing many problems people have securing their software supply chain, so we want to make sure it’s as usable as possible. To do that, we want to talk to you. We’d like to have a short call with you if you:

• Have read the GUAC landing page
• Are NOT a current power user of GUAC
• Tried to go through some of the GUAC demos (optional)

We want to learn what you’re doing today to secure your software supply chain, what your pain points are, and how GUAC could help you address them.

If you’re willing to have a chat with us, email ben@kusari.dev.

If you’ve already tried GUAC and have feedback, please let us know.

Securing the software supply chain is paramount for the Guidewire Cloud Platform (GWCP). More than 540 insurers in 40 countries use GWCP and other Guidewire solutions to run insurance suite applications. GWCP uses GUAC to stay ahead of threats.

Anoop Gopalakrishnan, VP of Engineering at Guidewire, said:

To us, the biggest value is GUAC’s open nature and the community behind it. The advantage we see with GUAC is its flexibility and plugin architecture, which helps users achieve SLSA compliance at difference levels.

Read the case study to learn more about how Guidewire Software uses GUAC.

GUAC v0.8.2 is now available. This release contains improvements to queries and database migrations.

The ClearlyDefined certifier now batches queries in order to speed performance. Calls to ClearlyDefined, OSV, and deps.dev are now rate-limited. The limits follow the service provider’s guidance. Rate limiting ensures that GUAC users get full responses and prevents GUAC from overloading information providers.

Version 0.8.2 also includes an image for Atlas migrations. This will enable seamless migrations to the Ent database layer when the schema changes across versions. Users upgrading persistent installations of version 0.7.0 and earlier will still need to run the migration script prior to upgrading to version 0.8.0 and later.

The GitHub release page has a complete list of changes in this release.

The schedule for our regular GUAC Time office hours is changing. In order to simplify the schedule, we’ll start hosting GUAC Time at 11 AM Eastern on alternating Fridays. The new schedule begins this coming Friday (30 August). The OpenSSF calendar has the updated information.

We’re making this change so that it’s easier for everyone to remember when the office hours are. We chose 11 AM Eastern becuase it keeps the meeting from being too early for community members on the west coast of the Americas and too late for those in Europe.

GUAC Time is an informal “office hours” setting where you can drop in to talk about what you’re working on, ask questions, or have any other GUAC conversations. Everyone is welcome to join, including and especially those who are new to GUAC or the software supply chain security space more generally. We hope you’ll join us!

GUAC v0.8.1 is now available. This release contains a compatibility-breaking change to the database schemea. It also includes several bug fixes and enhancements.

v0.8.1 makes a change in the update dependency schema to require dependencies be specified on a version, not just a package name. This will break persistent installations of version 0.7.0 and earlier. To upgrade to version v0.8.1, run the migration script prior to upgrading GUAC.

GUAC now returns hasSBOM and hasSLSA identifiers at ingenstion time. This simplifies running subsequent queries or as a starting point for GUAC analysis.

This release also fixes bugs in some deps.dev queries and CycloneDX SBOM parsing. For a full list of changes, see the GitHub release page.

Join the GUAC community Thursday at 1PM Eastern (1700 UTC) for the August Community Meeting.

Topics include:

• Demo of the new ClearlyDefined integration
• Discussion of a user journey survey
• An update on a breaking change for re-ingesting SBOMs
• Your expectations for ingestion time
• Demo SBOM latest and vulnerability retrieval via REST API
• end-to-end test updates

If you have your own topics to discuss or cool GUAC insights, join us and share with the community!

Zoom link and meeting notes are on the OpenSSF Calendar.

If you can’t make it, the recording will be posted to our YouTube channel.

Calling all docs writers: we need you! Good documentation makes all of the difference when trying out a new piece of software. Supply chain security is important, so anything we can do to make GUAC easier to use helps us all.

What we’re looking for

We’ve made a start on GUAC’s documentation, but we’re not documentation experts. You are. We need your help to make the docs useful to people trying out GUAC or using it in production.

I opened some issues in the guac-docs repo to help get the process started. This is not an exhaustive list, of course. In fact, the issues that we haven’t identified are the most valuable area for your expertise.

We’d love to have you stick around the community long-term, but you don’t need to sign up for a long-term commitment. One-time fixes of any size are welcome. After all, incremental improvement is still improvement.

About our docs

GUAC’s documentation published to docs.guac.sh from the guacsec/guac-docs repo on GitHub. The docs themselves are written in Markdown and rendered with Jekyll and the Just the Docs theme. Contributions to the GUAC documentation is governed by the OpenSSF Code of Conduct.

If you see something on the main GUAC website, we’re happy to accept those reports and contributions, too. See the guacsec/guac-landing repo on GitHub.

Join the community!

If you see a place you want to contribute, join right in! If you have questions, the GUAC Community is happy to help. Join us in #guac on the OpenSSF Slack.

GUAC v0.8.0, which was released last week, includes the addition of a new data source for GUAC users: license data from ClearlyDefined. While GUAC previously supported reading license information from software bills of materials (SBOMs), adding support for ClearlyDefined represents a big step forward. ClearlyDefined provides a vetted and accurate representation of license information for a given release of software.

Software licenses aren’t strictly a security concern, but they’re a key fact about your dependencies. Full software supply chain observability includes knowing the licenses in your supply chain, which helps you ensure you’re following license terms and your organizational requirements.

How GUAC uses ClearlyDefined

GUAC maintainer Parth Patel decided to implement ClearlyDefined support as a certifier instead of a collector in order to ensure GUAC re-runs the query. GUAC certifiers run on a scheduled basis to capture up-to-date information that may have changed since the last run. License data is always incomplete because developers are always shipping new software releases, so this regular query ensures GUAC captures new license information. If you choose, you can also have GUAC query ClearlyDefined when you ingest a new SBOM, although this does slow down the ingestion process.

GUAC is a tool for giving the information you need to make decisions, not to make decisions for you. As a result, GUAC does not try to guess which response is accurate if the information in the SBOM and the information from ClearlyDefined conflict. Both result in the creation of a CertifyLegal node in the graph, so you can decide which is more trustworthy on a case-by-case basis.

Internally, GUAC uses package URLs (pURLs) to identify specific software package releases. However, ClearlyDefined uses a scheme they call “coordinates”. Part of implementing support in GUAC meant developing a library to convert pURLS to coordinates. Working with the ClearlyDefined community, Parth was able to develop a reference for mapping between the two systems. In a great example of cross-community collaboration, ClearlyDefined added comprehensive documentation for coordinates based on Parth’s work.

One note of caution: ClearlyDefined’s API does not currently support batched queries. As a result, processing large dependency graphs may take longer due to rate limiting. Issue #1168 is open to add batched queries.

About ClearlyDefined

Started at Microsoft, ClearlyDefined is now an incubating project within the Open Source Initiative (OSI). ClearlyDefined provides a centralized, curated source of information about software licenses. The community takes public contributions and evaluates them in an open manner, resulting in a trusted source of information. In addition, ClearlyDefined’s harvester services automatically search for license information when the ClearlyDefined service receives a request it can’t answer. This helps fill the gap in information when a software producer does not include license information in an SBOM.

How you can help

If you have a use case that’s well-served by this new feature, we’d love to hear about it. If you have a use case that isn’t well-served, we want to know that, too. Let us know in a GitHub issue, on Slack, or in one of our regular meetings. See the Community page for more information. We also welcome your contribution of new features to help expand GUAC’s capabilities.

The ClearlyDefined project is looking for contributions to code and license information. See their “Get involved” documentation for more information.

GUAC v0.8.0 is now available. This release brings support for license information, node deletion, and many other improvements. You can now run vulnerability scans immediately on SBOM ingestion with the --add-vuln-on-ingest flag instead of waiting for the OSV certifier to run. To better represent the real world, the isDependency relationship now only exists on package versions instead of the package name. For a full list of changes, see the release page on GitHub.

License information support

GUAC v0.8.0 adds support for parsing license information provided in CycloneDX SBOMs. The new release also includes a new experimental ClearlyDefined certifier. GUAC will query the ClearlyDefined license data store to discover license information for packages, even when the SBOM does not include that information.

Although licenses don’t directly impact security, they are an important part of understanding your software supply chain. We’re excited to expand GUAC’s capabilities in this area.

Node deletion

GUAC v0.8.0 adds support for deleting the following evidence nodes: certifyVuln, hasSBOM, and hasSLSA. This is helpful when SBOMs were ingested by accident or as part of a short-term demo. Delete is supported in both the key value and the ENT backends. If there are other nodes that you have a use case for deleting, please file an issue to let us know.

Join the community

Thanks to the 10 contributors who made this release possible, including new contributor Collin Berman. We’d love to have your contribution. If you have uses cases GUAC should support, or want to contribute to our code or documentation, join us!

The GUAC mailing lists are moving from Google Groups to the OpenSSF list server. Join GUAC@lists.openssf.org to continue receiving updates and participating in the conversation. This list is open for all community discussion of GUAC. The Google Groups list will enter read-only mode after the July 18 GUAC Community Meeting.

The GUAC maintainer list is also moving. Use GUAC-maintainers@lists.openssf.org to report security issues or other confidential concerns to the maintainers.

We look forward to chatting with you on the mailing list and in #GUAC on the OpenSSF Slack.

The GUAC maintainers are happy to announce the release of GUAC v0.7.0. This release includes several pagination features in order to improve the performance of large result sets from queries. Also new in v0.7.0, the collector supports reading from a directory inside an Amazon S3 bucket, in addition to the previously supported single file and whole-bucket reads. We’ve improved the parsing of CycloneDX files to improve how transitive dependencies are represented. And building off of the persistent backend added in v0.6.0, the new release adds support for automatic schema migrations.

As always, we thank the community members who contributed to this release. We’d love to have you join the GUAC community. See the Contributor Guide for how to get started, and register for an upcoming program below.

• June 6 | 10am Pacific, 1pm Eastern - Proactive Supply Chain Security with GUAC
• June 11 | 9am Pacific, 12pm Eastern - GUAC 101: Dip into the Delicious World of Software Supply Chain Security
• June 20 | 10am Pacific, 1pm Eastern - GUAC Community Meeting

In the interests of a transparent open source community, the weekly GUAC Maintainer meetings are now public. Join us on Mondays at 11 AM Eastern. The meeting is open to interested community members, but is primarily for maintainer discussion. For general questions and discussion, join us in #guac on the OpenSSF Slack.

Join us for two upcoming webinars to learn more about GUAC.

• OpenSSF Tech Talk — 6 Jun at 1 PM Eastern (1700 UTC)
• CNCF Live — 11 Jun at noon Eastern (1600 UTC)

The GUAC community maintainers, contributors and collaborators are thrilled to announce – GUAC is persistent! Following a year-long effort of significant collaboration and development, GUAC has standardized on and fully supports the popular open source database system, PostgreSQL, for its persistent backend storage.

Read the full post

The GUAC maintainers are pleased to announce the project has joined the Open Source Security Foundation (OpenSSF) as an Incubating Project.

Read the full post

Last week, on October 11th, we finally found out more information on the high-severity CVE that affected numerous versions of cURL. Everyone was waiting in dreaded anticipation to determine if they were affected or not!

GUAC allows you to be proactive in responding to threats without waiting for the CVEs to be released, reducing the MTTR significantly! In our latest combined blog with Brandon Lum and Mihai Maruseac, we discuss this in greater detail and provide insight.

Read the full post on Kusari

As we work to meet the goals of persistence in GUAC, we are running a series of analyses and comparisons among the many different graph database options. GUAC has a few critically important requirements for the backend, including: efficient ingestion of data, performant complex queries, the schema in which the data is stored, and finally optimization of the query based on the specific language.

Read the full post on Kusari

Kusari is excited to announce the v0.1 beta release of GUAC — Graph for Understanding Artifact Composition. This open-source tool, created in partnership with Google and with valuable input from Purdue University and Citi, is set to change the game in software supply chain analysis.

Read the full post on Kusari

Today, we are announcing the launch of the v0.1 version of Graph for Understanding Artifact Composition (GUAC). Introduced at Kubecon 2022 in October, GUAC targets a critical need in the software industry to understand the software supply chain. In collaboration with Kusari, Purdue University, Citi, and community members, we have incorporated feedback from our early testers to improve GUAC and make it more useful for security professionals. This improved version is now available as an API for you to start developing on top of, and integrating into, your systems.

Read the full post on the Google Security Blog

Understanding and maintaining your software supply chain can be a task that needs 24/7 vigilance. The recent report from Sonatype: State of the Software Supply Chain has shown that supply chain attacks are on the rise (742% average annual increase in the past 3 years). Along with the fact that 6 out of the 7 project vulnerabilities come from transitive dependencies, the industry is in desperate need of having a clear, holistic understanding of the software supply chain.

Supply chain security is at the fore of the industry’s collective consciousness. We’ve recently seen a significant rise in software supply chain attacks, a Log4j vulnerability of catastrophic severity and breadth, and even an Executive Order on Cybersecurity.

Read the full post on the Google Security Blog