Graph for Understanding Artifact Composition (GUAC) Joins OpenSSF as Incubating Project
GUAC Maintainers
March 7, 2024
The GUAC maintainers are pleased to announce the project has joined the Open Source Security Foundation (OpenSSF) as an Incubating Project.
Terror of cURL - Preparation is half the battle
Kusari
October 16, 2023
Last week, on October 11th, we finally found out more information on the high-severity CVE that affected numerous versions of cURL. Everyone was waiting in dreaded anticipation to determine if they were affected or not!
GUAC allows you to be proactive in responding to threats without waiting for the CVEs to be released, reducing the MTTR significantly! In our latest combined blog with Brandon Lum and Mihai Maruseac, we discuss this in greater detail and provide insight.
Quest to determine the 'G' in GUAC
Kusari
June 27, 2023
As we work to meet the goals of persistence in GUAC, we are running a series of analyses and comparisons among the many different graph database options. GUAC has a few critically important requirements for the backend, including: efficient ingestion of data, performant complex queries, the schema in which the data is stored, and finally optimization of the query based on the specific language.
Announcement for the GUAC v0.1 beta release
Kusari
May 24, 2023
Kusari is excited to announce the v0.1 beta release of GUAC — Graph for Understanding Artifact Composition. This open-source tool, created in partnership with Google and with valuable input from Purdue University and Citi, is set to change the game in software supply chain analysis.”
Announcing the launch of GUAC v0.1
Google Security Blog
May 24, 2023
Today, we are announcing the launch of the v0.1 version of Graph for Understanding Artifact Composition (GUAC). Introduced at Kubecon 2022 in October, GUAC targets a critical need in the software industry to understand the software supply chain. In collaboration with Kusari, Purdue University, Citi, and community members, we have incorporated feedback from our early testers to improve GUAC and make it more useful for security professionals. This improved version is now available as an API for you to start developing on top of, and integrating into, your systems.
Read the full post on the Google Security Blog
A high fidelity view of software supply chain
Kusari
October 20, 2022
Understanding and maintaining your software supply chain can be a task that needs 24/7 vigilance. The recent report from Sonatype: State of the Software Supply Chain has shown that supply chain attacks are on the rise (742% average annual increase in the past 3 years). Along with the fact that 6 out of the 7 project vulnerabilities come from transitive dependencies, the industry is in desperate need of having a clear, holistic understanding of the software supply chain.
Announcing GUAC, a great pairing with SLSA (and SBOM)!
Google Security Blog
October 20, 2022
Supply chain security is at the fore of the industry’s collective consciousness. We’ve recently seen a significant rise in software supply chain attacks, a Log4j vulnerability of catastrophic severity and breadth, and even an Executive Order on Cybersecurity.