GUAC Update: December 2024
Ben Cotton
06 Dec 2024
Welcome to the GUAC Update, a monthly review of what has happened in the GUAC community and what’s coming up. If you have feedback, please let us know. To include something in next month’s update, leave a comment in the issue.
New contributors
Thanks to the following people for making their first contributions in November (the people listed here may have contributed to other parts of the project previously):
Releases
With KubeCon and the US Thanksgiving holiday, activity slowed in November. We still had a release for GUAC, though. This release fixed a batch query where a nil query would return all values in the DB.
Full details for each release are below:
Note: We do not typically publish blog posts for bugfix releases.
Events
If you couldn’t make it to KubeCon in Salt Lake City, you can watch the recordings of Parth Patel and Mihai Maruseac presenting “Papers, Please - Scrutinizing AI model creation” at Cloud Native Rejekts.
GUAC also received a shout out in three different keynote talks:
- Open Source Security is Not a Spectator Sport — Justin Cappos and Santiago Torres Arias
- A Developer’s Guide to Securing Your Software Supply Chain — Toddy Mladenov
- Cloud Native’s Next Decade: Stable, Secure, and…Ready for Disruption? — Nikhita Raghunath
You may have also seen NetGoalie’s article GUAC for Security Leaders: Strengthening Software Transparency and Supply Chain Security or Casey Fahey’s post on GUAC’s open source journey.
Coming up
Be sure to join us in the weekly Maintainer Meetings, monthly Community Meeting, or on Slack to participate in the conversation.
Tags: guac-update | community | events | releases
guac-visualizer 0.4.10 released
GUAC Maintainers
04 Dec 2024
Version 0.4.10 of the experimental GUAC Visualizer is now available. The GUAC Visualizer is an experimental utility that can be used to interact with GUAC services. It acts as a way to visualize the software supply chain graph and explore the supply chain.
The two main changes in version 0.4.10 were both contributed by Martin W. Kirst. First, the Visualizer now displays the version of GUAC in use, as well as the Visualizer version. Additionally, the container image is reduced from 1.69 GB to 1.07 GB.
GUAC Visualizer also contains updates to the GraphQL schema for the latest GUAC updates. In addition, there are updates to the documentation and security improvements to the GitHub workflows. See the GitHub release page for a full list of changes. It includes first-time contributions to the GUAC Visualizer from:
We’d love your help with GUAC Visualizer. See the “help wanted” or “good first issue” tags in GitHub for suggestions.
You may notice that the previous GUAC Visualizer release was 0.4.5. The “missing” release numbers are due to re-runs of the release workflow to diagnose and fix issues introduced by the security improvements.
Tags: releases | guac-visualizer
November 2024 Community Meeting
Ben Cotton
20 Nov 2024
Join the GUAC community Thursday at 1PM Eastern (1800 UTC) for the November Community Meeting.
Topics include:
- Recap of KubeCon
- Ingesting trivy SBOMReports into GUAC
- A look at work-in-progress contributions for additional vulnerability metadata and a registry collector
- Update on a GUAC refactor plan
If you have your own topics to discuss or cool GUAC insights, join us and share with the community!
Zoom link and meeting notes are on the OpenSSF Calendar.
If you can’t make it, the recording will be posted to our YouTube channel.
GUAC Update: November 2024
Ben Cotton
01 Nov 2024
Welcome to the GUAC Update, a monthly review of what has happened in the GUAC community and what’s coming up. If you have feedback, please let us know. To include something in next month’s update, leave a comment in the issue.
New contributors
Thanks to the following people for making their first contributions in October (the people listed here may have contributed to other parts of the project previously):
- Abhiraj Adhikary: guac-docs#169
- Robbie Cronin: several contributions to GUAC and guac-docs
- Martin W. Kirst: guac#2207
- Rishikeshav Ravichandran: guac-docs#157
Releases
We had several releases for GUAC in October. These releases include performance improvements in certifiers, as well as the addition of batch queries for certain nodes. Version 0.8.9 introduced a compatibility-breaking change to the CLI as well.
Full details for each release are below:
- GUAC v0.8.9
- GUAC v0.9.0 (blog post)
- GUAC v0.9.1
- GUAC v0.10.0 (blog post)
- GUAC v0.10.1
- GUAC v0.10.2
- GUAC v0.11.0 (blog post)
- GUAC v0.11.0
Note: We do not typically publish blog posts for bugfix releases.
Events
If you couldn’t make it to SOSS Fusion in Atlanta, you can watch the recordings:
- GUAC maintainer Mihai Maruseac presented “End-to-End Secure ML Development”
- GUAC maintainer Jeff Mendoza presented “Scorecard at Scale: Old and New Possibilities for Lifting Security on All Repositories
And be sure to check out these upcoming events:
- Cloud Native Rejekts in Salt Lake City, UT on November 11, 2024:
- GUAC maintainer Parth Patel will present “Papers, Please - Scrutinizing AI model creation”
- KubeCon & CloudNativeCon in Salt Lake City, UT on November 12–15, 2024:
- Open Source Security on Tap party hosted by Kusari, ActiveState, and ControlPlane
- Join several GUAC maintainers and contributors at the Kusari booth (Q37)
Coming up
Be sure to join us in the weekly Maintainer Meetings, monthly Community Meeting, or on Slack and office hours, to participate in the conversation.
Tags: guac-update | community | events | releases
GUAC v0.11.0 released
GUAC Maintainers
28 Oct 2024
GUAC v0.11.0 is now available, with improved query capabilities.
You can now perform batch searches for isDependency
, CertifyVuln
, and CertifyLegal
nodes via a package ID.
The following batch searches are now supported in GraphQL:
BatchQueryPkgIDCertifyLegal
—CertifyLegal
nodes (licenses)BatchQueryPkgIDCertifyVuln
—CertifyVuln
nodes (known vulnerabilities)BatchQuerySubjectPkgDependency
—IsDependency
nodes that have the subject package IDBatchQueryDepPkgDependency
—IsDependency
nodes that have the dependency package ID
This new functionality enables easier reporting of common questions. See the v0.11.0 release page for full details of this release.
Tags: releases
Finding software licenses with GUAC
Ben Cotton
18 Oct 2024
Licenses are the foundation of open source software. They grant the permissions that we rely on to use, inspect, and modify code. But software licenses can also place obligations on you. This is why it’s important to know what licenses exist in your dependency graph.
GUAC records the license information provided in your software bills of materials (SBOMs) into a CertifyLegal
node.
That information isn’t always complete, though, so GUAC augments with information from deps.dev and ClearlyDefined.
This gives you a lot of information to work with.
For example: you can find packages where ClearlyDefined’s scan yields a different set of licenses than what the project reports.
To start, you can use a GraphQL query to return all packages and source locations with a CertifyLegal
node:
{
CertifyLegal(certifyLegalSpec: {}) {
discoveredLicense
declaredLicense
subject {
... on Package {
namespaces {
namespace names{
name
}
}
}
... on Source {
namespaces {
namespace names{
name
}
}
}
}
}
}
But what do you do with the output? I wrote a short Python script that gets data from your GUAC server with the query above. It then looks for packages and sources where the declared and discovered license strings don’t match. Because this can be a long list (the demo data returns hundreds of results), you can also write the output to a CSV file.
This script is a simple demo. It does not account for trivial differences. It also doesn’t try to make sense of the practical impact of license combinations. You can see, though, how you can quickly write your own script to find out the answer to your own questions.
The power of GUAC is the way it enriches your SBOMs. It collects additional information to make searches like this possible. If you do something interesting with this, we’d love to hear about it. Let us know in Slack or at an upcoming community meeting. The community page has all the details.
Tags: guac-does-that
October 2024 Community Meeting
Ben Cotton
16 Oct 2024
Join the GUAC community Thursday at 1PM Eastern (1700 UTC) for the October Community Meeting.
Topics include:
- Maintainer decisions about supported GUAC backends
- A look at the stats of our demo pages and how we might change them
If you have your own topics to discuss or cool GUAC insights, join us and share with the community!
Zoom link and meeting notes are on the OpenSSF Calendar.
If you can’t make it, the recording will be posted to our YouTube channel.
GUAC v0.10.0 released
GUAC Maintainers
11 Oct 2024
GUAC v0.10.0 is now available.
Version 0.10.0 contains several fixes, one of which makes a minor change to GraphQL queries.
Previously, a certifier query could hit PostreSQL’s limit of 65535 parameters.
Now the queryPackagesListForScan
query is split into two:
a listing of non-GUAC-type package IDs that require rescanning and a second query that gives the certifier a list of packages to scan.
This release also contains a fix from Robbie Cronin for query failures in the key-value backend when a CertifyLegal node is empty.
See the v0.10.0 release page for full details.
Tags: releases
GUAC v0.9.0 released
GUAC Maintainers
04 Oct 2024
GUAC v0.9.0 is now available. This release includes a compatibility-breaking change in the CLI introduced in v0.8.9.
Version 0.9.0 improves performance of certifiers by not re-querying recently-updated packages.
The new last-scan
option takes a numeric value in hours and will exclude packages that were updated within that time frame.
The last-scan
defaults to 4.
Using a value of 0 will force the certifier to re-query all packages.
Version 0.8.9 introduced a compatibility-breaking change to the vulnerability query command line.
Commands now take the form guacone query vuln <type> <input>
where type is one of “artifact”, “purl”, or “uri” and input is a corresponding string.
This enable support for searching for vulnerabilities via artifact.
In addition, the new releases include several smaller bug fixes. See the v0.8.9 and v0.9.0 release pages for full details.
Tags: releases
GUAC Update: October 2024
Ben Cotton
04 Oct 2024
Welcome to the inaugural GUAC Update, a monthly review of what has happened in the GUAC community and what’s coming up. If you have feedback, please let us know. To include something in next month’s update, leave a comment in the issue.
New contributors
Thanks to the following people for making their first contributions in September (the people listed here may have contributed to other parts of the project previously):
- Anirudh Edpuganti: guac-docs#149
- Ben Cotton: several contributions to GUAC Visualizer
- Parth Patel: several contributions to GUAC Visualizer
Releases
We had several releases for GUAC and GUAC Visualizer in September. Enhancements and bug fixes abound. For GUAC, these releases include network retries for certifiers, improvements to SBOM parsing, and adding the ClearlyDefined certifier to the compose files. The GUAC Visualizer release adds a new information window that includes quick facts on vulnerabilities, SBOMs, and SLSA.
Full details for each release are below:
- GUAC v0.8.3
- GUAC v0.8.4 (blog post)
- GUAC v0.8.5
- GUAC v0.8.6 (blog post)
- GUAC v0.8.7 (blog post)
- GUAC v0.8.8
- GUAC Visualizer v0.4.5 (blog post)
Note: We will not typically publish blog posts in the future for bugfix releases.
Events
Tell your friends: GUAC is participating in Hacktoberfest this year. If you’re looking for other projects to participate in, GUAC can help
In case you missed it, check out the episode of Cloud Native Live where Soham Arora, Parth Patel, and Ben Cotton presented several GUAC use cases beyond security.
And be sure to check out these upcoming events:
- SOSS Fusion in Atlanta, GA on October 22–23, 2024:
- GUAC maintainer Mihai Maruseac will be presenting “End-to-End Secure ML Development”
- GUAC maintainer Jeff Mendoza will be presenting “Scorecard at Scale: Old and New Possibilities for Lifting Security on All Repositories” with Stephen Augustus
- SECTOR in Toronto, ON on October 22–24, 2024:
- GUAC maintainer Parth Patel will present GUAC in the Arsenal
- Cloud Native Rejekts in Salt Lake City, UT on November 11, 2024:
- GUAC maintainer Parth Patel will present “Papers, Please - Scrutinizing AI model creation”
- KubeCon & CloudNativeCon in Salt Lake City, UT on November 12–15, 2024:
- Join several GUAC maintainers and contributors at the Kusari booth (Q37)
Coming up
Be sure to join us in the weekly Maintainer Meetings, monthly Community Meeting, or on Slack and office hours, to participate in the conversation.
Tags: guac-update | community | events | releases