Sunday, October 30, 2022

Announcing GUAC, a great pairing with SLSA (and SBOM)!


Supply chain security is at the fore of the industry's collective consciousness. We've recently seen a significant rise in software supply chain attacks, a Log4j vulnerability of catastrophic severity and breadth, and even an Executive Order on Cybersecurity.

It's against this background that Google is seeking contributors to a new open source project called GUAC (pronounced like the dip). GUAC, or Graph for Understanding Artifact Composition, is in its early stages yet is poised to change how the industry understands software supply chains. GUAC addresses a need created by the burgeoning efforts across the ecosystem to generate software build, security, and dependency metadata. True to Google's mission to organize and make the world's information universally accessible and useful, GUAC is meant to democratize the availability of this security information by making it freely accessible and useful for every organization, not just those with enterprise-scale security and IT funding.

Thanks to community collaboration in groups such as OpenSSF, SLSA, SPDX, CycloneDX, and others, organizations increasingly have ready access to:

These data are useful on their own, but it's difficult to combine and synthesize the information for a more comprehensive view. The documents are scattered across different databases and producers, are attached to different ecosystem entities, and cannot be easily aggregated to answer higher-level questions about an organization's software assets.

To help address this challenge we've teamed up with Kusari, Purdue University, and Citi to create GUAC, a free tool to bring together many different sources of software security metadata. We're excited to share the project's proof of concept, which lets you query a small dataset of software metadata including SLSA provenance, SBOMs, and OpenSSF Scorecards.

Graph for Understanding Artifact Composition (GUAC) aggregates software security metadata into a high-fidelity graph database, normalizing entity identities and mapping standard relationships between them. Querying this graph can drive higher-level organizational outcomes such as audit, policy, risk management, and even developer assistance.

Conceptually, GUAC occupies the "aggregation and synthesis" layer of the software supply chain transparency logical model:

GUAC has four major areas of functionality:

  1. Collection
    GUAC can be configured to connect to a variety of sources of software security metadata. Some sources may be open and public (e.g., OSV); some may be first-party (e.g., an organization's internal repositories); some may be proprietary third-party (e.g., from data vendors).
  2. Ingestion
    From its upstream data sources GUAC imports data on artifacts, projects, resources, vulnerabilities, repositories, and even developers.
  3. Collation
    Having ingested raw metadata from disparate upstream sources, GUAC assembles it into a coherent graph by normalizing entity identifiers, traversing the dependency tree, and reifying implicit entity relationships, e.g., project → developer; vulnerability → software version; artifact → source repo, and so on.
  4. Query
    Against an assembled graph one may query for metadata attached to, or related to, entities within the graph. Querying for a given artifact may return its SBOM, provenance, build chain, project scorecard, vulnerabilities, and recent lifecycle events, and those for its transitive dependencies.

A CISO or compliance officer in an organization wants to be able to reason about the risk of their organization. An open source organization like the Open Source Security Foundation wants to identify critical libraries to maintain and secure. Developers need richer and more trustworthy intelligence about the dependencies in their projects.

The good news is, increasingly one finds the upstream supply chain already enriched with attestations and metadata to power higher-level reasoning and insights. The bad news is that it's difficult or impossible today for software consumers, operators, and administrators to gather this data into a unified view across their software assets.

To understand something complex like the blast radius of a vulnerability, one needs to trace the relationship between a component and everything else in the portfolio, a task that could span thousands of metadata documents across hundreds of sources. In the open source ecosystem, the number of documents could reach into the millions.

GUAC aggregates and synthesizes software security metadata at scale and makes it meaningful and actionable. With GUAC in hand, we can answer questions at three important stages of software supply chain security:

• Proactive, e.g.,
  • What are the most used critical components in my software supply chain ecosystem?
  • Where are the weak points in my overall security posture?
  • How do I prevent supply chain compromises before they happen?
  • Where am I exposed to risky dependencies?
• Operational, e.g.,
  • Is there evidence that the application I'm about to deploy meets organization policy?
  • Do all binaries in production trace back to a securely managed repository?
• Reactive, e.g.,
  • Which parts of my organization's inventory are affected by new vulnerability X?
  • A suspicious project lifecycle event has occurred. Where is risk introduced to my organization?
  • An open source project is being deprecated. How am I affected?
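The following is an added illustration, not GUAC's own code or data model: a small Python sketch of the four stages above (collection, ingestion, collation, query) run over constructed SBOM-like, SLSA-provenance-like and vulnerability-feed-like records. It shows why the collation step matters (the same package arrives from two producers with different casing and stray whitespace and must become one node), and then answers two of the questions listed above: the operational "do all packages trace back to a source repository?" and the reactive "which parts of my inventory are affected by vulnerability X?". Every package name, repository URL and the vulnerability id are constructed placeholders, not real projects or advisories.

```python
from collections import defaultdict, deque

# --- 1. Collection: constructed documents standing in for three upstream
# sources. All identifiers below are made-up placeholders; the vulnerability
# id is not a real advisory.
SBOMS = [  # SBOM-like records: subject -> its direct dependencies (purl-style ids)
    {"subject": "pkg:npm/example-app@1.0.0",
     "depends_on": ["pkg:npm/example-lib@2.0.0", "pkg:npm/example-util@3.1.0"]},
    {"subject": "pkg:npm/example-lib@2.0.0",
     "depends_on": ["PKG:NPM/example-parser@0.9.0"]},   # another producer, different casing
]
PROVENANCE = [  # SLSA-provenance-like records: subject -> source repo it was built from
    {"subject": "pkg:npm/example-app@1.0.0", "source_repo": "https://example.invalid/src/example-app"},
    {"subject": "pkg:npm/example-lib@2.0.0", "source_repo": "https://example.invalid/src/example-lib"},
]
VULNS = [  # vulnerability-feed-like records: constructed id -> affected package
    {"id": "EXAMPLE-VULN-0001", "affects": " pkg:npm/example-parser@0.9.0 "},  # stray whitespace
]


def normalize(ident):
    """Collation helper: canonicalize a package id so that one package reported
    by several producers becomes a single graph node. Toy rule: trim whitespace
    and lowercase the 'pkg:<type>' prefix (purl types are case-insensitive)."""
    ident = ident.strip()
    if ident.lower().startswith("pkg:") and "/" in ident:
        head, _, rest = ident.partition("/")
        return head.lower() + "/" + rest
    return ident


def build_graph(sboms, provenance, vulns):
    """2. Ingestion + 3. Collation: read each document type and assemble one
    labelled graph. edges[src] = [(relation, dst)]; reverse[dst] = [(relation, src)]."""
    edges, reverse = defaultdict(list), defaultdict(list)

    def add(src, rel, dst):
        edges[src].append((rel, dst))
        reverse[dst].append((rel, src))
        edges.setdefault(dst, [])  # leaf packages become nodes too

    for doc in sboms:
        for dep in doc["depends_on"]:
            add(normalize(doc["subject"]), "depends_on", normalize(dep))
    for doc in provenance:
        add(normalize(doc["subject"]), "built_from", doc["source_repo"])
    for doc in vulns:
        add(normalize(doc["affects"]), "affected_by", doc["id"])
    return edges, reverse


def _walk(adj, start, relation):
    """Breadth-first traversal following only edges labelled `relation`."""
    seen, queue = set(), deque(start)
    while queue:
        cur = queue.popleft()
        for rel, nxt in adj.get(cur, []):
            if rel == relation and nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def transitive_dependencies(edges, package):
    """4. Query: everything the package depends on, directly or transitively."""
    return _walk(edges, [normalize(package)], "depends_on")


def blast_radius(reverse, vuln_id):
    """Reactive query: the package the vulnerability affects plus every package
    that transitively depends on it (walk the dependency edges backwards)."""
    directly = {pkg for rel, pkg in reverse.get(vuln_id, []) if rel == "affected_by"}
    return directly | _walk(reverse, list(directly), "depends_on")


def packages_without_provenance(edges):
    """Operational query: packages with no built_from edge, i.e. ones that cannot
    be traced back to a source repository and so cannot satisfy such a policy."""
    packages = {n for n in edges if n.startswith("pkg:")}
    return {n for n in packages if not any(rel == "built_from" for rel, _ in edges[n])}


if __name__ == "__main__":
    edges, reverse = build_graph(SBOMS, PROVENANCE, VULNS)
    print("deps of example-app:", sorted(transitive_dependencies(edges, "pkg:npm/example-app@1.0.0")))
    print("blast radius of EXAMPLE-VULN-0001:", sorted(blast_radius(reverse, "EXAMPLE-VULN-0001")))
    print("packages without provenance:", sorted(packages_without_provenance(edges)))
```

Without the normalization step, `PKG:NPM/example-parser@0.9.0` from the SBOM and ` pkg:npm/example-parser@0.9.0 ` from the vulnerability feed would be two unrelated nodes and the blast-radius query would silently miss `example-lib` and `example-app`; that is the kind of identity mismatch across producers the collation stage exists to remove.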

GUAC is an Open Source project on GitHub, and we're excited to get more folks involved and contributing (read the contributor guide to get started)! The project is still in its early stages, with a proof of concept that can ingest SLSA, SBOM, and Scorecard documents and support simple queries and exploration of software metadata. The next efforts will focus on scaling the current capabilities and adding new document types for ingestion. We welcome help and contributions of code or documentation.

Since the project will be consuming documents from many different sources and formats, we have put together a group of "Technical Advisory Members" to help advise the project. These members include representation from companies and groups such as SPDX, CycloneDX, Anchore, Aquasec, IBM, Intel, and many more. If you're interested in participating as a contributor or advisor representing end users' needs, or the sources of metadata GUAC consumes, you can register your interest in the relevant GitHub issue.

The GUAC team will be showcasing the project at KubeCon NA 2022 next week. Come by our session if you'll be there and have a chat with us; we'd be happy to talk in person or virtually!
