GUAC Blog

guac-visualizer 0.4.5 released

Version 0.4.5 of the experimental GUAC Visualizer is now available. The GUAC Visualizer is an experimental utility that can be used to interact with GUAC services. It acts as a way to visualize the software supply chain graph and explore the supply chain.

The main change in version 0.4.5 is the addition of a new window that displays known information about a package. This package information box, contributed by Shafee Ahmed, gives you quick access to information about a package’s vulnerabilities, SBOM source, and SLSA attestations.

Screenshot of the GUAC Visualizer package information display showing vulnerabilities for a log4j package

This release also includes an update of the GraphQL schema to work with recent GUAC releases, plus a few other minor fixes and dependency updates. See the GitHub release page for a full list of changes. It includes first-time contributions to the GUAC Visualizer from:

If you paid close attention to the GUAC Visualizer, you might have noticed that the previous release was version 0.3.1. What happened in between? Several changes in the build pipeline were necessary due to changes in the tools we use. Versions 0.4.0 through 0.4.4 were part of the diagnosis and remediation of those build pipeline issues. As part of this work, we’ve now created a CI build workflow that runs a build on all pull requests. This is a common practice and will help us catch some issues earlier. We’d love your help with GUAC Visualizer. See the “help wanted” or “good first issue” tags in GitHub for suggestions.

Tags: releases | guac-visualizer


GUAC v0.8.6 released

GUAC v0.8.6 is now available. It fixes one bug from the just-released version 0.8.5, which itself includes a few improvements. The command line vulnerability query now searches for hasSBOM nodes on artifacts. In addition, the CycloneDX parser now captures the version for image artifacts. Finally, the Docker compose files provided in the release now include the ClearlyDefined certifier that was added in GUAC 0.8.0.

This release also contains several bug fixes. The GitHub release page has a complete list of changes in this release. Want to contribute to GUAC? You can join our community.

Tags: releases


September 2024 Community Meeting

Join the GUAC community Thursday at 1PM Eastern (1700 UTC) for the September Community Meeting.

Topics include:

If you have your own topics to discuss or cool GUAC insights, join us and share with the community!

Zoom link and meeting notes are on the OpenSSF Calendar.

If you can’t make it, the recording will be posted to our YouTube channel.

Tags: community | meetings


GUAC use cases beyond security on CNCF Live

Join members of the GUAC Community for another episode of Cloud Native Live on Tuesday, September 24. In a previous episode of Cloud Native Live, we showed how GUAC can be used to locate and remediate vulnerabilities. But fully understanding the software supply chain is more than just finding vulnerabilities.

In this session, you’ll learn about other insights that GUAC can help you discover, from licenses to dependencies participating in Hacktoberfest. Plus, you’ll see how GUAC can be used as a Kubernetes admission controller.

Join us for another fun session to taco’bout GUAC! RSVP on the event page or catch the recording on the CNCF YouTube channel.

Tags: events


GUAC v0.8.4 released

GUAC v0.8.4 is now available. This is a bugfix release. Astute readers will notice that there was no announcement for version 0.8.3. Shortly after 0.8.3 was released, we received reports that the rate limit was not working correctly with the deps.dev service. Version 0.8.4 fixes this on top of the other changes in the 0.8.3 release.

This release includes several fixes to SBOM parsing, including adding a documentRef attribute to client operations that reference hasSBOM and supporting the presence of multiple package URLs in SPDX SBOM externalRefs. It also has database fixes to add a connection timeout and to enable successful Atlas migration when Ent auto migration was used to create the initial database.

The GitHub release page has a complete list of changes in this release. Want to contribute to GUAC? You can join our community.

Tags: releases


GUAC at Open Source Summit Europe

If you’ll be at Open Source Summit Europe in Vienna next week, be sure to catch these sessions.

I am a panelist on the “Improving the Software Supply Chain” panel along with Tom Hennen from Google, Arnaud Le Hors from IBM, and Aeva Black from CISA. We’ll be discussing various projects under the OpenSSF and CNCF umbrellas, including GUAC, SLSA, and S2C2F. We’ll discuss what those names mean and how the open source communities behind them help improve software supply chain security. Join us on Tuesday at 11:00 CEST in room 2.15.

As you roam the expo hall, stop by the OpenSSF booth between 1:30 and 2:30 PM Monday through Wednesday. I’ll be there to chat and give GUAC demos. Stick around after Open Source Summit for the OpenSSF Community Day. I hope to see you there!

Tags: events


Take us on your GUAC user journey

Software is only useful when people can use it. We know GUAC is capable of addressing many problems people have securing their software supply chain, so we want to make sure it’s as usable as possible. To do that, we want to talk to you. We’d like to have a short call with you if you:

  • Have read the GUAC landing page
  • Are NOT a current power user of GUAC
  • Tried to go through some of the GUAC demos (optional)

We want to learn what you’re doing today to secure your software supply chain, what your pain points are, and how GUAC could help you address them.

If you’re willing to have a chat with us, email ben@kusari.dev.

If you’ve already tried GUAC and have feedback, please let us know.


How Guidewire Cloud Platform is using and collaborating with GUAC

Securing the software supply chain is paramount for the Guidewire Cloud Platform (GWCP). More than 540 insurers in 40 countries use GWCP and other Guidewire solutions to run insurance suite applications. GWCP uses GUAC to stay ahead of threats.

Anoop Gopalakrishnan, VP of Engineering at Guidewire, said:

To us, the biggest value is GUAC’s open nature and the community behind it. The advantage we see with GUAC is its flexibility and plugin architecture, which helps users achieve SLSA compliance at different levels.

Read the case study to learn more about how Guidewire Software uses GUAC.

Tags: case-study


GUAC v0.8.2 released

GUAC v0.8.2 is now available. This release contains improvements to queries and database migrations.

The ClearlyDefined certifier now batches queries to improve performance. Calls to ClearlyDefined, OSV, and deps.dev are now rate-limited; the limits follow each service provider’s guidance. Rate limiting ensures that GUAC users get full responses and prevents GUAC from overloading information providers.

Version 0.8.2 also includes an image for Atlas migrations. This will enable seamless migrations to the Ent database layer when the schema changes across versions. Users upgrading persistent installations of version 0.7.0 and earlier will still need to run the migration script prior to upgrading to version 0.8.0 and later.

The GitHub release page has a complete list of changes in this release.

Tags: releases


New schedule for GUAC Time office hours

The schedule for our regular GUAC Time office hours is changing. In order to simplify the schedule, we’ll start hosting GUAC Time at 11 AM Eastern on alternating Fridays. The new schedule begins this coming Friday (30 August). The OpenSSF calendar has the updated information.

We’re making this change so that it’s easier for everyone to remember when the office hours are. We chose 11 AM Eastern because it keeps the meeting from being too early for community members on the west coast of the Americas and too late for those in Europe.

GUAC Time is an informal “office hours” setting where you can drop in to talk about what you’re working on, ask questions, or have any other GUAC conversations. Everyone is welcome to join, including and especially those who are new to GUAC or the software supply chain security space more generally. We hope you’ll join us!

Tags: meetings | community