GUAC will allow developers, auditors, and risk management teams to evaluate risk more easily in their codebases.
What: Google is seeking contributors to a new open-source project it has launched called Graph for Understanding Artifact Composition, or GUAC. The goal of the effort, according to the company, is to democratize the availability of software build, security, and dependency metadata. GUAC will bring together data from multiple sources: Software Bills of Materials (SBOMs); attestations describing how a particular piece of software was built; and information about known vulnerabilities in the components and libraries that organizations use to build software. GUAC will present the information as a high-fidelity graph that anyone can query for a particular piece of software's SBOM, provenance, build chain, project scorecard, vulnerabilities, and lifecycle events.
Why it matters: The security of the software supply chain has become a major issue following incidents at SolarWinds, Codecov and other organizations in recent years. Over the past year, attackers have also tried to breach software development environments by planting malicious packages in public package registries such as npm and PyPI, which development organizations pull from when building software. The trend has heightened interest among organizations in identifying and evaluating the security of every individual component in their applications. An Executive Order that President Biden issued in May 2021 (EO 14028) requires suppliers of software to federal civilian agencies to provide SBOMs and other software component details.
GUAC will combine and synthesize the following information:
- SBOMs produced by tools such as SPDX-SBOM-Generator, Syft and the Kubernetes bom tool
- attestations on software builds (e.g. SLSA provenance from the SLSA 3 GitHub Actions builder or Google Cloud Build)
- vulnerability data from databases such as OSV.dev and the Global Security Database (GSD)
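To make concrete what "combine and synthesize" these three kinds of data into a queryable graph means, here is a small added example written for this page; it is not GUAC's code or its data model. It ingests a constructed SPDX 2.3 SBOM, a constructed in-toto statement carrying SLSA v0.2 provenance, and constructed OSV-schema records, joins them on the artifact digest (SBOM checksum to attestation subject) and on package purls (SBOM external reference to OSV ecosystem and name), and answers a two-hop query: which artifacts contain a package that falls inside an OSV affected range, and which builder produced them. The builder id, the OSV-EXAMPLE identifiers and every version range are invented for illustration; in practice this data would come from the tools and databases named in the list above.

```python
"""Toy artifact graph joining the three source kinds listed above: SPDX SBOM, SLSA provenance,
OSV records. Added illustration, not GUAC's code or data model; all documents are constructed
samples following the public SPDX 2.3, in-toto/SLSA v0.2 and OSV schemas."""
from collections import defaultdict

# Constructed SPDX 2.3 document: one image (identified by its sha256) CONTAINS two npm packages.
SPDX_SBOM = {
    "packages": [
        {"SPDXID": "SPDXRef-image", "name": "example-app", "checksums": [{"algorithm": "SHA256", "checksumValue": "aa" * 32}]},
        {"SPDXID": "SPDXRef-lodash", "name": "lodash", "externalRefs": [{"referenceType": "purl", "referenceLocator": "pkg:npm/lodash@4.17.20"}]},
        {"SPDXID": "SPDXRef-express", "name": "express", "externalRefs": [{"referenceType": "purl", "referenceLocator": "pkg:npm/express@4.18.2"}]},
    ],
    "relationships": [
        {"spdxElementId": "SPDXRef-image", "relationshipType": "CONTAINS", "relatedSpdxElement": "SPDXRef-lodash"},
        {"spdxElementId": "SPDXRef-image", "relationshipType": "CONTAINS", "relatedSpdxElement": "SPDXRef-express"},
    ],
}
# Constructed in-toto statement with SLSA v0.2 provenance; its subject digest is the join key to the SBOM image.
SLSA_PROVENANCE = {
    "_type": "https://in-toto.io/Statement/v0.1",
    "subject": [{"name": "example-app-image", "digest": {"sha256": "aa" * 32}}],
    "predicateType": "https://slsa.dev/provenance/v0.2",
    "predicate": {"builder": {"id": "https://builder.example/slsa3-generator@v1"}},  # hypothetical builder id
}
# Constructed OSV records (invented IDs/ranges): lodash 4.17.20 is in range, express 4.18.2 is past its fix.
OSV_RECORDS = [
    {"id": "OSV-EXAMPLE-0001", "affected": [{"package": {"ecosystem": "npm", "name": "lodash"},
     "ranges": [{"type": "ECOSYSTEM", "events": [{"introduced": "0"}, {"fixed": "4.17.21"}]}]}]},
    {"id": "OSV-EXAMPLE-0002", "affected": [{"package": {"ecosystem": "npm", "name": "express"},
     "ranges": [{"type": "ECOSYSTEM", "events": [{"introduced": "4.0.0"}, {"fixed": "4.18.0"}]}]}]},
]

def parse_version(v):
    return tuple(int(p) for p in v.split("."))  # dotted numeric versions only

def is_affected(version, ranges):
    """OSV ECOSYSTEM events: 'introduced' opens an interval, 'fixed' closes it (exclusive);
    an interval never closed is open-ended. Other range types are skipped in this toy."""
    v = parse_version(version)
    for rng in (r for r in ranges if r["type"] == "ECOSYSTEM"):
        lower = None
        for ev in rng["events"]:
            if "introduced" in ev:
                lower = parse_version(ev["introduced"])
            elif "fixed" in ev and lower is not None:
                if lower <= v < parse_version(ev["fixed"]):
                    return True
                lower = None
        if lower is not None and v >= lower:  # opened but never fixed
            return True
    return False

def parse_purl(purl):  # 'pkg:npm/lodash@4.17.20' -> ('npm', 'lodash', '4.17.20')
    body, _, version = purl[len("pkg:"):].split("?")[0].partition("@")
    ptype, _, name = body.partition("/")
    return ptype, name, version

def neighbors(graph, node, rel):
    return {dst for r, dst in graph.get(node, ()) if r == rel}

def ingest_spdx(graph, doc):
    """SPDX IDs become package nodes keyed by purl, or artifact nodes keyed by digest."""
    node_for = {}
    for pkg in doc["packages"]:
        purl = next((r["referenceLocator"] for r in pkg.get("externalRefs", []) if r["referenceType"] == "purl"), None)
        digest = next((c["checksumValue"] for c in pkg.get("checksums", []) if c["algorithm"] == "SHA256"), None)
        if purl or digest:
            node_for[pkg["SPDXID"]] = "package:" + purl if purl else "artifact:sha256:" + digest.lower()
    for rel in doc["relationships"]:
        if rel["spdxElementId"] in node_for and rel["relatedSpdxElement"] in node_for:
            graph[node_for[rel["spdxElementId"]]].add((rel["relationshipType"], node_for[rel["relatedSpdxElement"]]))

def ingest_slsa(graph, stmt):
    builder = "builder:" + stmt["predicate"]["builder"]["id"]
    for subj in stmt["subject"]:
        for alg, hexval in subj["digest"].items():  # same node key as the SBOM artifact
            graph["artifact:{}:{}".format(alg.lower(), hexval.lower())].add(("BUILT_BY", builder))

def ingest_osv(graph, records):
    """VULNERABLE_TO edges for package nodes whose ecosystem, name and version match a record."""
    packages = {d for edges in list(graph.values()) for _, d in edges if d.startswith("package:pkg:")}
    for node in packages:
        eco, name, version = parse_purl(node[len("package:"):])
        for rec, aff in ((r, a) for r in records for a in r["affected"]):
            p = aff["package"]
            if version and (p["ecosystem"].lower(), p["name"]) == (eco, name) and is_affected(version, aff["ranges"]):
                graph[node].add(("VULNERABLE_TO", "vuln:" + rec["id"]))

def build_graph():
    graph = defaultdict(set)  # node -> {(relationship, node)}
    ingest_spdx(graph, SPDX_SBOM)
    ingest_slsa(graph, SLSA_PROVENANCE)
    ingest_osv(graph, OSV_RECORDS)
    return graph

def vulnerable_artifacts(graph):
    """Two-hop query artifact -CONTAINS-> package -VULNERABLE_TO-> vuln, as {artifact: {vuln ids}}."""
    found = {a: {v[5:] for p in neighbors(graph, a, "CONTAINS") for v in neighbors(graph, p, "VULNERABLE_TO")}
             for a in list(graph) if a.startswith("artifact:")}
    return {a: ids for a, ids in found.items() if ids}
```

The point of the join keys is the whole value of such a graph: the attestation and the SBOM never mention each other, yet because both carry the image's sha256 the query can walk from "which vulnerable package is in this image" to "who built this image and from what". Real GUAC ingests many more document types and handles SEMVER and GIT ranges, scoped purls and multiple digests, none of which this toy attempts.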