Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Application Security

Google’s GUAC Open Source Tool Centralizes Software Security Metadata

Google today introduced Graph for Understanding Artifact Composition (GUAC), an open source tool for centralizing build, security, and dependency metadata.

Developed in collaboration with Kusari, Purdue University, and Citi, the new project is meant to help organizations better understand software supply chains.

Google today introduced Graph for Understanding Artifact Composition (GUAC), an open source tool for centralizing build, security, and dependency metadata.

Developed in collaboration with Kusari, Purdue University, and Citi, the new project is meant to help organizations better understand software supply chains.

GUAC aggregates metadata from different sources, including supply chain levels for software artifacts (SLSA) provenance, software bills of materials (SBOM), and vulnerabilities, to provide a more comprehensive view over them.

“Graph for Understanding Artifact Composition (GUAC) aggregates software security metadata into a high-fidelity graph database—normalizing entity identities and mapping standard relationships between them,” Google says.

By querying this graph, organizations can improve their audit processes and risk management, can better meet policy requirements, and even provide developer assistance.

GUAC, the internet giant explains, has four areas of functionality, including metadata collection (from public, first-person, and third-party sources), ingestion of data (on artifacts, resources, vulnerabilities, and more), data assembly into a coherent graph, and user query for metadata attached to entities within the graph.

By aggregating software security metadata and making it meaningful and actionable, GUAC can help identify risks, discover critical libraries within open source software, and gather information on software dependencies, to improve supply chain security.

The open source project is in its early stages, with a proof of concept (PoC) now available on GitHub, offering support for the ingestion of SLSA, SBOM, and Scorecard documents and for simple queries for software metadata.

“The next efforts will focus on scaling the current capabilities and adding new document types for ingestion. We welcome help and contributions of code or documentation,” Google says.

The internet giant has created a group of ‘Technical Advisory Members’ that includes SPDX, CycloneDX Anchore, Aquasec, IBM, Intel, and others, to help expand the project towards consuming data from many different sources and formats.

Related: Google Launches Bug Bounty Program for Open Source Projects

Related: Academics Devise Open Source Tool For Hunting Node.js Security Flaws

Related: Google Open Sources ‘Paranoid’ Crypto Testing Library

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.

Application Security

Many developers and security people admit to having experienced a breach effected through compromised API credentials.

Application Security

A new report finds that barely 1% of all SBOMs being generated today meets the “minimum elements” defined by the U.S. government.

Application Security

A security vulnerability identified on AliExpress, the wholesale marketplace owned by the Chinese e-commerce giant Alibaba, could have been exploited by hackers to hijack...

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...