GUAC v0.13.0 released
GUAC Maintainers
17 Jan 2025
GUAC v0.13.0 is now available.
This release adds support for optionally sending OpenTelemetry metrics. When using the --enable-otel command line switch, the following will publish to a user-specified OpenTelemetry server:
- HTTP GQL server in guacgql
- SQL library underneath the Ent/Postgres backend
- HTTP client for: OSV, ClearlyDefined, GitHub, endoflife.date
- GRPC client for Deps.dev
In addition, this release fixes two bugs related to missing flags in command line tools:
The v0.13.0 release page has full details of this release. If you’re interested in joining our community or contributing, we’d love to have you be a part of the next release.
Tags: releases
January 2025 Community Meeting
Ben Cotton
15 Jan 2025
Join the GUAC community Thursday at 1PM Eastern (1800 UTC) for the January Community Meeting.
Topics include:
- What to do about 1.0? What should go in it? Should we jump directly to the refactor? We’ll have an update on the conversations about a new architecture for GUAC.
- A look at the pending DataDog certifier (PR #2366)
- Ideas for a 2024 year-in-review post
- Recognition of contributors who advanced up the contributor ladder
- Major releases since the last meeting
Zoom link and meeting notes are on the OpenSSF Calendar.
If you can’t make it, the recording will be posted to our YouTube channel.
GUAC Update: December 2024
Ben Cotton
10 Jan 2025
Welcome to the GUAC Update, a monthly review of what has happened in the GUAC community and what’s coming up. If you’re a regular reader, you may have noticed a change in the naming convention: GUAC Update posts are now (and retroactively) titled based on the month they’re about, not the month they publish. We had some feedback that the old pattern was confusing, so this will hopefully make it more clear. If you have other feedback, please let us know. To include something in next month’s update, leave a comment in the issue.
Contributor ladder climbs
The GUAC Maintainers approved several advancements up the contributor ladder in recognition of the hard work done by our community members:
- Robbie Cronin was granted Reviewer status for the CLI and Collectors areas.
- Nathan Naveen was granted Reviewer status for the CLI area.
- Ben Cotton was granted Owner status for the Docs area.
Thanks to these contributors and everyone else who participates in the GUAC community.
Releases
We closed the year strong in GUAC, with several releases. The highlight is GUAC v0.12.0, which added a certifier that records end-of-life information from endoflife.date and a collector for OCI container registries. In addition, the GUAC Visualizer has a much smaller container image and also displays the version of GUAC it is connected to.
Events
Several members of the GUAC community will be speaking at FOSDEM in Brussels:
- Brandon Lum and Marco Deicas will present A retrospective on Google’s SBOM implementation
- Jeff Mendoza and Qing Tomlinson will present Discover Dependency License Information Using SBOMs and ClearlyDefined
- Michael Lieberman will present The Breadth and Depth of SBOMs
Coming up
Be sure to join us in the weekly Maintainer Meetings, monthly Community Meeting, or on Slack and office hours to participate in the conversation.
Tags: guac-update | community | events
GUAC v0.12.0 released
GUAC Maintainers
12 Dec 2024
GUAC v0.12.0 is now available. Version 0.12.0 brings a new certifier for endoflife.date and a collector for OCI container registries, along with improvements to the OSV certifier. Note that we also released version 0.12.1 to address a GitHub workflow issue with publishing the SBOM.
End-of-Life certifier
A new certifier, contributed by Robbie Cronin, collects end-of-life information from the endoflife.date service. endoflife.date provides a central source of information about when applications, libraries, and distributions reach the end of their support period. Unsupported versions don’t receive vulnerability fixes, so keeping your dependencies up-to-date is an important part of securing your software supply chain.
endoflife.date — both the web tooling and the data — are open source. You can contribute if you have additional information to add.
OCI collector
GUAC now supports collecting artifacts from a user-specified container registry.
Using the guacone collect registry <RegistryURI> command, you can pull SBOMs and attestations into GUAC from registries compatible with the Open Container Initiative Distribution Specification.
This was also primarily contributed by Robbie Cronin.
Other improvements
Lukas Hoehl contributed an enhancement to the OSV certifier.
When using the --add-vuln-metadata flag, GUAC adds vulnerability severity to a VulnerabilityMetadata node, allowing for improved vulnerability assessment and analysis within GUAC.
Information from CertifyLegal nodes is now included in the output of guacone query known package.
With the --add-depsdev-on-ingest flag, you can now query deps.dev when ingesting an SBOM.
In addition, this release contains other bug fixes and dependency updates. The v0.12.0 release page has full details of this release. If you’re interested in joining our community or contributing, we’d love to have you be a part of the next release.
Tags: releases
GUAC Update: November 2024
Ben Cotton
06 Dec 2024
Welcome to the GUAC Update, a monthly review of what has happened in the GUAC community and what’s coming up. If you have feedback, please let us know. To include something in next month’s update, leave a comment in the issue.
New contributors
Thanks to the following people for making their first contributions in November (the people listed here may have contributed to other parts of the project previously):
Releases
With KubeCon and the US Thanksgiving holiday, activity slowed in November. We still had a release for GUAC, though. This release fixed a batch query where a nil query would return all values in the DB.
Full details for each release are below:
Note: We do not typically publish blog posts for bugfix releases.
Events
If you couldn’t make it to KubeCon in Salt Lake City, you can watch the recordings of Parth Patel and Mihai Maruseac presenting “Papers, Please - Scrutinizing AI model creation” at Cloud Native Rejekts.
GUAC also received a shout out in three different keynote talks:
- Open Source Security is Not a Spectator Sport — Justin Cappos and Santiago Torres Arias
- A Developer’s Guide to Securing Your Software Supply Chain — Toddy Mladenov
- Cloud Native’s Next Decade: Stable, Secure, and…Ready for Disruption? — Nikhita Raghunath
You may have also seen NetGoalie’s article GUAC for Security Leaders: Strengthening Software Transparency and Supply Chain Security or Casey Fahey’s post on GUAC’s open source journey.
Coming up
Be sure to join us in the weekly Maintainer Meetings, monthly Community Meeting, or on Slack to participate in the conversation.
Tags: guac-update | community | events | releases
guac-visualizer 0.4.10 released
GUAC Maintainers
04 Dec 2024
Version 0.4.10 of the experimental GUAC Visualizer is now available. The GUAC Visualizer is an experimental utility that can be used to interact with GUAC services. It acts as a way to visualize the software supply chain graph and explore the supply chain.
The two main changes in version 0.4.10 were both contributed by Martin W. Kirst. First, the Visualizer now displays the version of GUAC in use, as well as the Visualizer version. Additionally, the container image is reduced from 1.69 GB to 1.07 GB.
GUAC Visualizer also contains updates to the GraphQL schema for the latest GUAC updates. In addition, there are updates to the documentation and security improvements to the GitHub workflows. See the GitHub release page for a full list of changes. It includes first-time contributions to the GUAC Visualizer from:
We’d love your help with GUAC Visualizer. See the “help wanted” or “good first issue” tags in GitHub for suggestions.
You may notice that the previous GUAC Visualizer release was 0.4.5. The “missing” release numbers are due to re-runs of the release workflow to diagnose and fix issues introduced by the security improvements.
Tags: releases | guac-visualizer
November 2024 Community Meeting
Ben Cotton
20 Nov 2024
Join the GUAC community Thursday at 1PM Eastern (1800 UTC) for the November Community Meeting.
Topics include:
- Recap of KubeCon
- Ingesting trivy SBOMReports into GUAC
- A look at work-in-progress contributions for additional vulnerability metadata and a registry collector
- Update on a GUAC refactor plan
If you have your own topics to discuss or cool GUAC insights, join us and share with the community!
Zoom link and meeting notes are on the OpenSSF Calendar.
If you can’t make it, the recording will be posted to our YouTube channel.
GUAC Update: October 2024
Ben Cotton
01 Nov 2024
Welcome to the GUAC Update, a monthly review of what has happened in the GUAC community and what’s coming up. If you have feedback, please let us know. To include something in next month’s update, leave a comment in the issue.
New contributors
Thanks to the following people for making their first contributions in October (the people listed here may have contributed to other parts of the project previously):
- Abhiraj Adhikary: guac-docs#169
- Robbie Cronin: several contributions to GUAC and guac-docs
- Martin W. Kirst: guac#2207
- Rishikeshav Ravichandran: guac-docs#157
Releases
We had several releases for GUAC in October. These releases include performance improvements in certifiers, as well as the addition of batch queries for certain nodes. Version 0.8.9 introduced a compatibility-breaking change to the CLI as well.
Full details for each release are below:
- GUAC v0.8.9
- GUAC v0.9.0 (blog post)
- GUAC v0.9.1
- GUAC v0.10.0 (blog post)
- GUAC v0.10.1
- GUAC v0.10.2
- GUAC v0.11.0 (blog post)
- GUAC v0.11.0
Note: We do not typically publish blog posts for bugfix releases.
Events
If you couldn’t make it to SOSS Fusion in Atlanta, you can watch the recordings:
- GUAC maintainer Mihai Maruseac presented “End-to-End Secure ML Development”
- GUAC maintainer Jeff Mendoza presented “Scorecard at Scale: Old and New Possibilities for Lifting Security on All Repositories”
And be sure to check out these upcoming events:
- Cloud Native Rejekts in Salt Lake City, UT on November 11, 2024:
  - GUAC maintainer Parth Patel will present “Papers, Please - Scrutinizing AI model creation”
- KubeCon & CloudNativeCon in Salt Lake City, UT on November 12–15, 2024:
  - Open Source Security on Tap party hosted by Kusari, ActiveState, and ControlPlane
  - Join several GUAC maintainers and contributors at the Kusari booth (Q37)
Coming up
Be sure to join us in the weekly Maintainer Meetings, monthly Community Meeting, or on Slack and office hours to participate in the conversation.
Tags: guac-update | community | events | releases
GUAC v0.11.0 released
GUAC Maintainers
28 Oct 2024
GUAC v0.11.0 is now available, with improved query capabilities.
You can now perform batch searches for IsDependency, CertifyVuln, and CertifyLegal nodes via a package ID.
The following batch searches are now supported in GraphQL:
- BatchQueryPkgIDCertifyLegal — CertifyLegal nodes (licenses)
- BatchQueryPkgIDCertifyVuln — CertifyVuln nodes (known vulnerabilities)
- BatchQuerySubjectPkgDependency — IsDependency nodes that have the subject package ID
- BatchQueryDepPkgDependency — IsDependency nodes that have the dependency package ID
This new functionality enables easier reporting of common questions. See the v0.11.0 release page for full details of this release.
Tags: releases
Finding software licenses with GUAC
Ben Cotton
18 Oct 2024
Licenses are the foundation of open source software. They grant the permissions that we rely on to use, inspect, and modify code. But software licenses can also place obligations on you. This is why it’s important to know what licenses exist in your dependency graph.
GUAC records the license information provided in your software bills of materials (SBOMs) into a CertifyLegal node.
That information isn’t always complete, though, so GUAC augments it with information from deps.dev and ClearlyDefined.
This gives you a lot of information to work with.
For example: you can find packages where ClearlyDefined’s scan yields a different set of licenses than what the project reports.
To start, you can use a GraphQL query to return all packages and source locations with a CertifyLegal node:
    {
      CertifyLegal(certifyLegalSpec: {}) {
        discoveredLicense
        declaredLicense
        subject {
          ... on Package {
            namespaces {
              namespace
              names {
                name
              }
            }
          }
          ... on Source {
            namespaces {
              namespace
              names {
                name
              }
            }
          }
        }
      }
    }
But what do you do with the output? I wrote a short Python script that gets data from your GUAC server with the query above. It then looks for packages and sources where the declared and discovered license strings don’t match. Because this can be a long list (the demo data returns hundreds of results), you can also write the output to a CSV file.
This script is a simple demo. It does not account for trivial differences. It also doesn’t try to make sense of the practical impact of license combinations. You can see, though, how you can quickly write your own script to find out the answer to your own questions.
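The following is an added example of such a script; it is not the script from the original post. It sends the CertifyLegal query above to a GUAC GraphQL endpoint (the endpoint URL and the use of plain HTTP POST are assumptions), compares declared and discovered license strings for every subject, and can write the mismatches to CSV. The embedded response is constructed so the comparison logic runs offline. It goes one step beyond the post’s plain string comparison by optionally ignoring case and whitespace differences, which removes some of the trivial mismatches the post mentions.

```python
"""Compare declared vs. discovered licenses in GUAC CertifyLegal nodes.

Added example, not the script from the original post. Assumes a GUAC GraphQL
endpoint that accepts a JSON POST {"query": ...} and returns the shape of the
CertifyLegal query shown in the post; SAMPLE_RESPONSE is constructed data.
"""
import csv
import json
import sys
import urllib.request

CERTIFY_LEGAL_QUERY = """
{
  CertifyLegal(certifyLegalSpec: {}) {
    discoveredLicense
    declaredLicense
    subject {
      ... on Package { namespaces { namespace names { name } } }
      ... on Source  { namespaces { namespace names { name } } }
    }
  }
}
"""

# Constructed sample response in the shape GUAC returns for the query above.
SAMPLE_RESPONSE = {
    "data": {
        "CertifyLegal": [
            {"declaredLicense": "MIT", "discoveredLicense": "MIT",
             "subject": {"namespaces": [{"namespace": "github.com/example", "names": [{"name": "libfoo"}]}]}},
            {"declaredLicense": "Apache-2.0", "discoveredLicense": "Apache-2.0 AND MIT",
             "subject": {"namespaces": [{"namespace": "pypi", "names": [{"name": "bar"}]}]}},
            {"declaredLicense": "mit ", "discoveredLicense": "MIT",
             "subject": {"namespaces": [{"namespace": "npm", "names": [{"name": "baz"}]}]}},
            {"declaredLicense": "", "discoveredLicense": "BSD-3-Clause",
             "subject": {"namespaces": [{"namespace": "git", "names": [{"name": "qux"}]}]}},
        ]
    }
}


def fetch_certify_legal(endpoint):
    """POST the query to a GUAC GraphQL server (assumed endpoint) and return the parsed JSON."""
    body = json.dumps({"query": CERTIFY_LEGAL_QUERY}).encode()
    req = urllib.request.Request(endpoint, data=body, headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def subject_names(subject):
    """Flatten the namespaces/names tree of a Package or Source into 'namespace/name' strings."""
    out = []
    for ns in subject.get("namespaces", []):
        for n in ns.get("names", []):
            out.append(f"{ns.get('namespace', '')}/{n.get('name', '')}".strip("/"))
    return out or ["<unknown subject>"]


def normalize(expr):
    """Canonical form of a license expression: collapse whitespace and upper-case it."""
    return " ".join(expr.split()).upper()


def find_mismatches(response, ignore_trivial=True):
    """Return (subject, declared, discovered) tuples whose license strings differ.

    With ignore_trivial=True, case and whitespace differences are not reported.
    """
    rows = []
    for node in response["data"]["CertifyLegal"]:
        declared = node.get("declaredLicense") or ""
        discovered = node.get("discoveredLicense") or ""
        a, b = (normalize(declared), normalize(discovered)) if ignore_trivial else (declared, discovered)
        if a != b:
            for subj in subject_names(node.get("subject", {})):
                rows.append((subj, declared, discovered))
    return rows


def write_csv(rows, path):
    """Write the mismatch rows to a CSV file and return the number of rows written."""
    with open(path, "w", newline="") as fh:
        writer = csv.writer(fh)
        writer.writerow(["subject", "declaredLicense", "discoveredLicense"])
        writer.writerows(rows)
    return len(rows)


if __name__ == "__main__":
    # Usage: python license_diff.py [graphql-endpoint] [out.csv]
    # Without an endpoint argument the constructed sample response is used.
    data = fetch_certify_legal(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_RESPONSE
    mismatches = find_mismatches(data)
    if len(sys.argv) > 2:
        print(f"wrote {write_csv(mismatches, sys.argv[2])} rows to {sys.argv[2]}")
    else:
        for subj, declared, discovered in mismatches:
            print(f"{subj}: declared={declared!r} discovered={discovered!r}")
```

Against the sample data, the case-only difference for npm/baz is dropped when trivial differences are ignored, while the extra MIT term on pypi/bar and the empty declared license on git/qux are reported; a real run against a server returns many more rows, which is why the CSV option exists.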
The power of GUAC is the way it enriches your SBOMs. It collects additional information to make searches like this possible. If you do something interesting with this, we’d love to hear about it. Let us know in Slack or at an upcoming community meeting. The community page has all the details.
Tags: guac-does-that