Google today introduced Graph for Understanding Artifact Composition (GUAC), an open source tool for centralizing build, security, and dependency metadata.
Developed in collaboration with Kusari, Purdue University, and Citi, the new project is meant to help organizations better understand software supply chains.
GUAC aggregates metadata from different sources, including supply chain levels for software artifacts (SLSA) provenance, software bills of materials (SBOM), and vulnerabilities, to provide a more comprehensive view over them.
“Graph for Understanding Artifact Composition (GUAC) aggregates software security metadata into a high-fidelity graph database—normalizing entity identities and mapping standard relationships between them,” Google says.
By querying this graph, organizations can improve their audit processes and risk management, can better meet policy requirements, and even provide developer assistance.
GUAC, the internet giant explains, has four areas of functionality, including metadata collection (from public, first-person, and third-party sources), ingestion of data (on artifacts, resources, vulnerabilities, and more), data assembly into a coherent graph, and user query for metadata attached to entities within the graph.
By aggregating software security metadata and making it meaningful and actionable, GUAC can help identify risks, discover critical libraries within open source software, and gather information on software dependencies, to improve supply chain security.
The open source project is in its early stages, with a proof of concept (PoC) now available on GitHub, offering support for the ingestion of SLSA, SBOM, and Scorecard documents and for simple queries for software metadata.
“The next efforts will focus on scaling the current capabilities and adding new document types for ingestion. We welcome help and contributions of code or documentation,” Google says.
The internet giant has created a group of ‘Technical Advisory Members’ that includes SPDX, CycloneDX Anchore, Aquasec, IBM, Intel, and others, to help expand the project towards consuming data from many different sources and formats.
Related: Google Launches Bug Bounty Program for Open Source Projects
Related: Academics Devise Open Source Tool For Hunting Node.js Security Flaws
Related: Google Open Sources ‘Paranoid’ Crypto Testing Library
More from Ionut Arghire
- Chrome 114 Released With 18 Security Fixes
- Spyware Found in Google Play Apps With Over 420 Million Downloads
- Millions of WordPress Sites Patched Against Critical Jetpack Vulnerability
- PyPI Enforcing 2FA for All Project Maintainers to Boost Security
- Personal Information of 9 Million Individuals Stolen in MCNA Ransomware Attack
- Many Vulnerabilities Found in PrinterLogic Enterprise Software
- Organizations Worldwide Targeted in Rapidly Evolving Buhti Ransomware Operation
- Google Cloud Users Can Now Automate TLS Certificate Lifecycle
Latest News
- Chrome 114 Released With 18 Security Fixes
- Organizations Warned of Backdoor Feature in Hundreds of Gigabyte Motherboards
- Breaking Enterprise Silos and Improving Protection
- Spyware Found in Google Play Apps With Over 420 Million Downloads
- Millions of WordPress Sites Patched Against Critical Jetpack Vulnerability
- Barracuda Zero-Day Exploited to Deliver Malware for Months Before Discovery
- PyPI Enforcing 2FA for All Project Maintainers to Boost Security
- Personal Information of 9 Million Individuals Stolen in MCNA Ransomware Attack
