GUAC Update: October 2024
Ben Cotton
04 Oct 2024
Welcome to the inaugural GUAC Update, a monthly review of what has happened in the GUAC community and what’s coming up. If you have feedback, please let us know. To include something in next month’s update, leave a comment in the issue.
New contributors
Thanks to the following people for making their first contributions in September (the people listed here may have contributed to other parts of the project previously):
- Anirudh Edpuganti: guac-docs#149
- Ben Cotton: several contributions to GUAC Visualizer
- Parth Patel: several contributions to GUAC Visualizer
Releases
We had several releases for GUAC and GUAC Visualizer in September. Enhancements and bug fixes abound. For GUAC, these releases include network retries for certifiers, improvements to SBOM parsing, and adding the ClearlyDefined certifier to the compose files. The GUAC Visualizer release adds a new information window that includes quick facts on vulnerabilities, SBOMs, and SLSA.
Full details for each release are below:
- GUAC v0.8.3
- GUAC v0.8.4 (blog post)
- GUAC v0.8.5
- GUAC v0.8.6 (blog post)
- GUAC v0.8.7 (blog post)
- GUAC v0.8.8
- GUAC Visualizer v0.4.5 (blog post)
Note: We will not typically publish blog posts in the future for bugfix releases.
Events
Tell your friends: GUAC is participating in Hacktoberfest this year. If you’re looking for other projects to participate in, GUAC can help.
In case you missed it, check out the episode of Cloud Native Live where Soham Arora, Parth Patel, and Ben Cotton presented several GUAC use cases beyond security.
And be sure to check out these upcoming events:
- SOSS Fusion in Atlanta, GA on October 22–23, 2024:
- GUAC maintainer Mihai Maruseac will be presenting “End-to-End Secure ML Development”
- GUAC maintainer Jeff Mendoza will be presenting “Scorecard at Scale: Old and New Possibilities for Lifting Security on All Repositories” with Stephen Augustus
- SECTOR in Toronto, ON on October 22–24, 2024:
- GUAC maintainer Parth Patel will present GUAC in the Arsenal
- Cloud Native Rejekts in Salt Lake City, UT on November 11, 2024:
- GUAC maintainer Parth Patel will present “Papers, Please - Scrutinizing AI model creation”
- KubeCon & CloudNativeCon in Salt Lake City, UT on November 12–15, 2024:
- Join several GUAC maintainers and contributors at the Kusari booth (Q37)
Coming up
Be sure to join us in the weekly Maintainer Meetings, monthly Community Meeting, or on Slack and office hours, to participate in the conversation.
Tags: guac-update | community | events | releases
Finding Hacktoberfest projects with GUAC
Ben Cotton
26 Sep 2024
It’s almost October, which means Hacktoberfest is just around the corner. The best way to ensure your supply chain is secure and well-maintained is to contribute upstream. Hacktoberfest can be a forcing function to start your upstream contributions. But how do you figure out which Hacktoberfest participants are in your dependency graph? Use GUAC!
GUAC uses information from your software bills of materials (SBOMs) and the deps.dev service to build a graph of your software dependencies. Included in this information is the HasSourceAt node, which gives the location of the package’s source code. This is often a GitHub or GitLab repository. Conveniently, both of these sites are official sites for Hacktoberfest. Projects hosted on either of those platforms can opt in by adding the “hacktoberfest” topic. Both GitHub and GitLab offer an API for searching for projects. So all of the information you need exists; you just have to tie it together.
The GraphQL query to return all packages with a HasSourceAt node is straightforward:
{
  HasSourceAt(hasSourceAtSpec: {}) {
    source {
      type
      namespaces {
        namespace
        names {
          name
        }
      }
    }
  }
}
But what do you do with the output? I wrote a short Python script that gets data from your GUAC server with the query above. It then pulls a list of Hacktoberfest projects from GitHub and GitLab. Finally, it prints any of your dependencies that appear in the Hacktoberfest list. In just a minute or two, you can have a list of projects to go work on.
The output for the demo data includes seven projects as of this writing:
Here are the Hacktoberfest projects in your GUAC data:
github.com/grpc/grpc-go
github.com/schollz/progressbar
github.com/gopherjs/gopherjs
github.com/google/go-github
github.com/containerd/containerd
github.com/grpc/grpc-go
github.com/containerd/containerd
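The following is an added example of the three steps described above (query GUAC, pull the Hacktoberfest lists, intersect); it is not the author’s script. It assumes GUAC’s GraphQL server is at http://localhost:8080/query, that GUAC returns a git source as a namespace like “github.com/grpc” plus a name like “grpc-go”, and that the GitHub search API (`q=topic:hacktoberfest`, items carry `full_name`) and the GitLab projects API (`?topic=hacktoberfest`, projects carry `path_with_namespace`) respond with their documented shapes. The sample GUAC response and API results embedded at the bottom are constructed so the matching logic runs offline. Unlike the output shown above, this version de-duplicates repositories that appear in several HasSourceAt nodes.

```python
"""Added example (not the script from the original post): cross-reference the
HasSourceAt nodes in a GUAC graph with Hacktoberfest-tagged repositories."""
import json
import urllib.parse
import urllib.request

# Assumed endpoints: GUAC's default GraphQL server and the public GitHub/GitLab APIs.
GUAC_GRAPHQL_URL = "http://localhost:8080/query"
GITHUB_SEARCH_URL = "https://api.github.com/search/repositories"
GITLAB_PROJECTS_URL = "https://gitlab.com/api/v4/projects"

# The HasSourceAt query from the post.
HAS_SOURCE_AT_QUERY = """
{
  HasSourceAt(hasSourceAtSpec: {}) {
    source {
      type
      namespaces {
        namespace
        names { name }
      }
    }
  }
}
"""


def normalize(repo: str) -> str:
    """Canonical form for comparison: lowercase, no trailing slash, no .git suffix."""
    return repo.strip().lower().rstrip("/").removesuffix(".git")


def source_repos(graphql_response: dict) -> list:
    """Flatten a HasSourceAt response into host/owner/repo strings in GUAC's order.
    Duplicates are kept here; a package may carry several HasSourceAt nodes."""
    repos = []
    for node in graphql_response.get("data", {}).get("HasSourceAt", []):
        for ns in node["source"]["namespaces"]:
            for entry in ns["names"]:
                repos.append(f"{ns['namespace'].rstrip('/')}/{entry['name']}")
    return repos


def hacktoberfest_from_github(items: list) -> set:
    """GitHub search items (full_name is 'owner/repo') -> normalized 'github.com/owner/repo'."""
    return {normalize(f"github.com/{item['full_name']}") for item in items}


def hacktoberfest_from_gitlab(projects: list) -> set:
    """GitLab projects (path_with_namespace) -> normalized 'gitlab.com/group/project'."""
    return {normalize(f"gitlab.com/{p['path_with_namespace']}") for p in projects}


def matches(repos: list, hacktoberfest: set) -> list:
    """Dependencies that are Hacktoberfest participants, de-duplicated, in GUAC's order."""
    seen, found = set(), []
    for repo in repos:
        key = normalize(repo)
        if key in hacktoberfest and key not in seen:
            seen.add(key)
            found.append(repo)
    return found


def fetch_json(url: str, body: bytes = None, headers: dict = None):
    req = urllib.request.Request(url, data=body, headers=headers or {})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def query_guac(url: str = GUAC_GRAPHQL_URL) -> dict:
    body = json.dumps({"query": HAS_SOURCE_AT_QUERY}).encode()
    return fetch_json(url, body, {"Content-Type": "application/json"})


def fetch_hacktoberfest(pages: int = 3) -> set:
    """Union of GitHub (topic:hacktoberfest search) and GitLab (?topic=) results.
    GitHub search is rate-limited and capped at 1000 results, so raise `pages`
    only with an authenticated request; a few pages are enough for a demo."""
    github, gitlab = [], []
    for page in range(1, pages + 1):
        q = urllib.parse.urlencode({"q": "topic:hacktoberfest", "per_page": 100, "page": page})
        github += fetch_json(f"{GITHUB_SEARCH_URL}?{q}",
                             headers={"Accept": "application/vnd.github+json"}).get("items", [])
        q = urllib.parse.urlencode({"topic": "hacktoberfest", "per_page": 100, "page": page})
        gitlab += fetch_json(f"{GITLAB_PROJECTS_URL}?{q}")
    return hacktoberfest_from_github(github) | hacktoberfest_from_gitlab(gitlab)


# Constructed sample data (not real GUAC or API output) for running offline.
def _node(namespace, name):
    return {"source": {"type": "git", "namespaces": [{"namespace": namespace, "names": [{"name": name}]}]}}

SAMPLE_GUAC_RESPONSE = {"data": {"HasSourceAt": [
    _node("github.com/grpc", "grpc-go"), _node("github.com/schollz", "progressbar"),
    _node("gitlab.com/example", "festproj"), _node("github.com/grpc", "grpc-go"),
    _node("github.com/other", "unlisted")]}}
SAMPLE_GITHUB_ITEMS = [{"full_name": "grpc/grpc-go"}, {"full_name": "schollz/progressbar"},
                       {"full_name": "someone/else"}]
SAMPLE_GITLAB_PROJECTS = [{"path_with_namespace": "example/festproj"}]

if __name__ == "__main__":
    print("Here are the Hacktoberfest projects in your GUAC data:")
    for repo in matches(source_repos(query_guac()), fetch_hacktoberfest()):
        print(repo)
```

Run it against a live GUAC instance with `python3 find_hacktoberfest.py`; the sample data at the bottom is only used by tests and never contacts the network. The comparison is done on a normalized key (case, trailing slash, `.git`) because source locations recorded from SBOMs and deps.dev are not always spelled the same way as the API returns them.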
Of course, you’re not limited to what’s in this example script. You could modify it to rank based on OpenSSF Scorecard scores, the number of times a dependency appears in the graph, or other factors you can think of. The power of GUAC is the way it enriches your SBOMs. It collects additional information to make searches like this possible. If you do something interesting with this, we’d love to hear about it. Let us know in Slack or at an upcoming community meeting. The community page has all the details. If you want to contribute to GUAC as part of Hacktoberfest, we’re participating.
Tags: guac-does-that
GUAC v0.8.7 released
GUAC Maintainers
25 Sep 2024
GUAC v0.8.7 is now available. This release includes a fix for a bug that could lead to a panic when querying for vulnerabilities using an SBOM URI. It also adds logging for the beginning and end of certifier runs. The GitHub release page includes a full list of changes.
Tags: releases
GUAC in Hacktoberfest 2024
Ben Cotton
25 Sep 2024
This year marks the 11th edition of Hacktoberfest, the annual event to celebrate and promote contribution to open source projects. The GUAC project is participating with two of our repos: the GUAC Docs and GUAC Visualizer. You can find specifics about what we’re looking for below, but all contributions are welcome.
To participate, register on the Hacktoberfest website. If you have four pull requests merged to any participating repository in October, you get a digital badge from Hacktoberfest. If you have any pull request merged to a GUAC repo, Kusari will send you some GUAC swag!
See the contributing page on the website and the README files in each repo for information on how to contribute to GUAC. If you have any questions, join us on Slack or in the GUAC Time office hours.
GUAC Docs
The guac-docs repo contains the source for the documentation and demos at docs.guac.sh. We have good demos that show the basics of how GUAC works, but we need more reference material and explanations of how GUAC works. The repo has a good set of issues with suggestions, but we’d welcome any other improvements you can think of. Even if you can’t contribute the documentation, opening an issue in this repo for anything you find confusing or missing would be a big help, too.
GUAC Visualizer
The experimental GUAC Visualizer is a way to visually display and explore the supply chain. This repo isn’t a core focus of the project, but it’s an important part of demos and the onboarding experience. We’d love to have your help improving this tool. GUAC Visualizer is a Next.js application. There are some open issues to work on, or you can bring your own ideas.
guac-visualizer 0.4.5 released
GUAC Maintainers
24 Sep 2024
Version 0.4.5 of the experimental GUAC Visualizer is now available. The GUAC Visualizer is an experimental utility that can be used to interact with GUAC services. It acts as a way to visualize the software supply chain graph and explore the supply chain.
The main change in version 0.4.5 is the addition of a new window that displays known information about a package. This package information box, contributed by Shafee Ahmed, gives you quick access to information about a package’s vulnerabilities, SBOM source, and SLSA attestations.
This release also includes an update of the GraphQL schema to work with recent GUAC releases, plus a few other minor fixes and dependency updates. See the GitHub release page for a full list of changes. It includes first-time contributions to the GUAC Visualizer from:
If you paid close attention to the GUAC Visualizer, you might have noticed that the previous release was version 0.3.1. What happened in between? Several changes in the build pipeline were necessary due to changes in the tools we use. Versions 0.4.0 through 0.4.4 were part of the diagnosis and remediation of build pipeline issues. As part of this work, we’ve now created a CI build workflow that runs a build on all pull requests. This is a common practice and will help us catch some issues earlier. We’d love your help with GUAC Visualizer. See the “help wanted” or “good first issue” tags in GitHub for suggestions.
Tags: releases | guac-visualizer
GUAC v0.8.6 released
GUAC Maintainers
19 Sep 2024
GUAC v0.8.6 is now available. It fixes one bug from the just-released version 0.8.5, which includes a few improvements. The command line vulnerability query now searches for hasSBOM nodes on artifacts. In addition, the CycloneDX parser now captures the version for image artifacts. Finally, the Docker compose files provided in the release now include the ClearlyDefined certifier that was added in GUAC 0.8.0.
This release also contains several bug fixes. The GitHub release page has a complete list of changes in this release. Want to contribute to GUAC? You can join our community.
Tags: releases
September 2024 Community Meeting
Ben Cotton
18 Sep 2024
Join the GUAC community Thursday at 1PM Eastern (1700 UTC) for the September Community Meeting.
Topics include:
- Demo of some example guac scripts: guactober & license_check
- New guac-visualizer release
- Hacktoberfest participation: guac-docs and guac-visualizer
If you have your own topics to discuss or cool GUAC insights, join us and share with the community!
Zoom link and meeting notes are on the OpenSSF Calendar.
If you can’t make it, the recording will be posted to our YouTube channel.
GUAC use cases beyond security on CNCF Live
Ben Cotton
17 Sep 2024
Join members of the GUAC Community for another episode of Cloud Native Live on Tuesday, September 24. In a previous episode of Cloud Native Live, we showed how GUAC can be used to locate and remediate vulnerabilities. But fully understanding the software supply chain is more than just finding vulnerabilities.
In this session, you’ll learn about other insights that GUAC can help you discover, from licenses to dependencies participating in Hacktoberfest. Plus, you’ll see how GUAC can be used as a Kubernetes admission controller.
Join us for another fun session to taco’bout GUAC! RSVP on the event page or catch the recording on the CNCF YouTube channel.
Tags: events
GUAC v0.8.4 released
GUAC Maintainers
11 Sep 2024
GUAC v0.8.4 is now available. This is a bugfix release. Astute readers will notice that there was no announcement for version 0.8.3. Shortly after 0.8.3 was released, we received reports that the rate limit was not working correctly with the deps.dev service. Version 0.8.4 fixes this on top of the other changes in the 0.8.3 release.
This release includes several fixes to SBOM parsing, including adding a documentRef attribute into client operations that reference hasSBOM and supporting the presence of multiple package URLs in SPDX SBOM externalRefs. It also has database fixes to add a connection timeout and to enable successful Atlas migration when ENT auto migration was used to create the initial database.
The GitHub release page has a complete list of changes in this release. Want to contribute to GUAC? You can join our community.
Tags: releases
GUAC at Open Source Summit Europe
Mike Lieberman
11 Sep 2024
If you’ll be at Open Source Summit Europe in Vienna next week, be sure to catch these sessions.
I am a panelist on the “Improving the Software Supply Chain” panel along with Tom Hennen from Google, Arnaud Le Hors from IBM, and Aeva Black from CISA. We’ll be discussing various projects under the OpenSSF and CNCF umbrellas, including GUAC, SLSA, and S2C2F. We’ll discuss what those names mean and how the open source communities behind them help improve software supply chain security. Join us on Tuesday at 11:00 CEST in room 2.15.
As you roam the expo hall, stop by the OpenSSF booth between 1:30 and 2:30 PM Monday through Wednesday. I’ll be there to chat and give GUAC demos. Stick around after Open Source Summit for the OpenSSF Community Day. I hope to see you there!
Tags: events