GUAC v0.8.0 released
GUAC Maintainers
25 Jul 2024
GUAC v0.8.0 is now available.
This release brings support for license information, node deletion, and many other improvements.
You can now run vulnerability scans immediately on SBOM ingestion with the --add-vuln-on-ingest
flag instead of waiting for the OSV certifier to run.
To better represent the real world, the isDependency
relationship now only exists on package versions instead of the package name.
For a full list of changes, see the release page on GitHub.
License information support
GUAC v0.8.0 adds support for parsing license information provided in CycloneDX SBOMs. The new release also includes a new experimental ClearlyDefined certifier. GUAC will query the ClearlyDefined license data store to discover license information for packages, even when the SBOM does not include that information.
Although licenses don’t directly impact security, they are an important part of understanding your software supply chain. We’re excited to expand GUAC’s capabilities in this area.
Node deletion
GUAC v0.8.0 adds support for deleting the following evidence nodes: certifyVuln
, hasSBOM
, and hasSLSA
.
This is helpful when SBOMs were ingested by accident or as part of a short-term demo.
Delete
is supported in both the key value and the ENT backends.
If there are other nodes that you have a use case for deleting, please file an issue to let us know.
Join the community
Thanks to the 10 contributors who made this release possible, including new contributor Collin Berman. We’d love to have your contribution. If you have uses cases GUAC should support, or want to contribute to our code or documentation, join us!
Tags: releases
GUAC mailing lists moving to OpenSSF
Ben Cotton
21 Jun 2024
The GUAC mailing lists are moving from Google Groups to the OpenSSF list server. Join GUAC@lists.openssf.org to continue receiving updates and participating in the conversation. This list is open for all community discussion of GUAC. The Google Groups list will enter read-only mode after the July 18 GUAC Community Meeting.
The GUAC maintainer list is also moving. Use GUAC-maintainers@lists.openssf.org to report security issues or other confidential concerns to the maintainers.
We look forward to chatting with you on the mailing list and in #GUAC on the OpenSSF Slack.
Tags: community
GUAC v0.7.0 released
GUAC Maintainers
04 Jun 2024
The GUAC maintainers are happy to announce the release of GUAC v0.7.0. This release includes several pagination features in order to improve the performance of large result sets from queries. Also new in v0.7.0, the collector supports reading from a directory inside an Amazon S3 bucket, in addition to the previously supported single file and whole-bucket reads. We’ve improved the parsing of CycloneDX files to improve how transitive dependencies are represented. And building off of the persistent backend added in v0.6.0, the new release adds support for automatic schema migrations.
As always, we thank the community members who contributed to this release. We’d love to have you join the GUAC community. See the Contributor Guide for how to get started, and register for an upcoming program below.
- June 6 | 10am Pacific, 1pm Eastern - Proactive Supply Chain Security with GUAC
- June 11 | 9am Pacific, 12pm Eastern - GUAC 101: Dip into the Delicious World of Software Supply Chain Security
- June 20 | 10am Pacific, 1pm Eastern - GUAC Community Meeting
Tags: releases
GUAC maintainer meetings now public
GUAC Maintainers
29 May 2024
In the interests of a transparent open source community, the weekly GUAC Maintainer meetings are now public. Join us on Mondays at 11 AM Eastern. The meeting is open to interested community members, but is primarily for maintainer discussion. For general questions and discussion, join us in #guac on the OpenSSF Slack.
Upcoming OpenSSF and CNCF webinars
Ben Cotton
17 May 2024
Join us for two upcoming webinars to learn more about GUAC.
- OpenSSF Tech Talk — 6 Jun at 1 PM Eastern (1700 UTC)
- CNCF Live — 11 Jun at noon Eastern (1600 UTC)
Tags: events
Graph for Understanding Artifact Composition (GUAC) adds persistent storage in v0.6.0 release
GUAC Maintainers
06 May 2024
The GUAC community maintainers, contributors and collaborators are thrilled to announce – GUAC is persistent! Following a year-long effort of significant collaboration and development, GUAC has standardized on and fully supports the popular open source database system, PostgreSQL, for its persistent backend storage.
Tags: releases
Graph for Understanding Artifact Composition (GUAC) Joins OpenSSF as Incubating Project
GUAC Maintainers
07 Mar 2024
The GUAC maintainers are pleased to announce the project has joined the Open Source Security Foundation (OpenSSF) as an Incubating Project.
Tags: community
Terror of cURL - Preparation is half the battle
Parth Patel, Brandon Lum, Mihai Maruseac
16 Oct 2023
Last week, on October 11th, we finally found out more information on the high-severity CVE that affected numerous versions of cURL. Everyone was waiting in dreaded anticipation to determine if they were affected or not!
GUAC allows you to be proactive in responding to threats without waiting for the CVEs to be released, reducing the MTTR significantly! In our latest combined blog with Brandon Lum and Mihai Maruseac, we discuss this in greater detail and provide insight.
Quest to determine the 'G' in GUAC
Parth Patel
27 Jun 2023
As we work to meet the goals of persistence in GUAC, we are running a series of analyses and comparisons among the many different graph database options. GUAC has a few critically important requirements for the backend, including: efficient ingestion of data, performant complex queries, the schema in which the data is stored, and finally optimization of the query based on the specific language.
Announcing the launch of GUAC v0.1
Brandon Lum, Mihai Maruseac
24 May 2023
Today, we are announcing the launch of the v0.1 version of Graph for Understanding Artifact Composition (GUAC). Introduced at Kubecon 2022 in October, GUAC targets a critical need in the software industry to understand the software supply chain. In collaboration with Kusari, Purdue University, Citi, and community members, we have incorporated feedback from our early testers to improve GUAC and make it more useful for security professionals. This improved version is now available as an API for you to start developing on top of, and integrating into, your systems.
Tags: releases