GUAC v0.12.0 is now available. Version 0.12.0 brings new a certifier for endoflife.date, an OCI container registries, along with improvements to the OSV certifier. Note that we also released version 0.12.1 to address a GitHub workflow issue with publishing the SBOM.
End-of-Life certifier
A new certifier, contributed by Robbie Cronin, collects end-of-life information from the endoflife.date service. endoflife.date provides a central source information for information about when applications, libraries, and distributions reach the end of their support period. Unsupported versions don’t receive vulnerability fixes, so keeping your dependencies up-to-date is an important part of securing your software supply chain.
endoflife.date — both the web tooling and the data — are open source. You can contribute if you have additional information to add.
OCI collector
GUAC now supports collecting artifacts from a user-specified container registry.
Using the guacone collect registry <RegistryURI> command, you can pull SBOMs and attestations into GUAC registries compatible with the Open Container Initiative Distribution Specification.
This was also primarily contributed by Robbie Cronin.
Other improvements
Lukas Hoehl contributed an enhancement to the OSV certifier.
When using the --add-vuln-metadata flag, GUAC adds vulnerability severity to a VulnerabilityMetadata node, allowing for improved vulnerability assessment and analysis within GUAC.
Information from CertifyLegal nodes is now included in the output of guacone query known package.
With the --add-depsdev-on-ingest, you can now query deps.dev when ingesting an SBOM.
In addition, this release contains other bug fixes and dependency updates. The v0.12.0 release page has full details of this release. If you’re interesting in joining our community or contributing, we’d love to have you be a part of the next release.