The Graph for Understanding Artifact Composition (GUAC), an open source tool from Google that aims to centralise development, security, and dependency metadata, was unveiled today.
The new project, created in collaboration with Kusari, Purdue University, and Citi, is intended to help organisations understand their software supply chains. To that end, GUAC gathers metadata from several sources, such as software bills of materials (SBOM), vulnerability data, and Supply-chain Levels for Software Artifacts (SLSA).
“Graph for Understanding Artifact Composition (GUAC) aggregates software security metadata into a high-fidelity graph database—normalizing entity identities and mapping standard relationships between them,” states Google.
Organizations can enhance their audit procedures and risk management, more effectively adhere to policy requirements, and even offer developer support by querying this graph.
According to the internet behemoth, GUAC has four functional areas: metadata collection (from open, first-party, and third-party sources), ingestion of data (on artefacts, resources, vulnerabilities, and more), assembly of that data into a coherent graph, and user queries for the metadata attached to entities within the graph.
By aggregating software security metadata and making it useful and actionable, GUAC can help identify vulnerabilities, find crucial libraries inside open source software, and gather data on software dependencies, thereby strengthening supply chain security.
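As an added illustration (not GUAC's own code or data model), the following constructed Python sketch shows the assemble-and-query idea described above: dependency edges from two SBOM-like documents and one vulnerability record are normalised onto shared package identities, then queried for which artefacts are transitively exposed and which library is the most depended upon. The package URLs and the vulnerability ID are constructed placeholders.

```python
"""Toy illustration of the GUAC idea: merge dependency and vulnerability
metadata into one graph keyed by normalized identities, then query it.
Constructed sample data; not GUAC's own code or data model."""
from collections import defaultdict, deque

# Constructed SBOM-style edges (parent depends on child), as package URLs.
# The same package is spelled differently across documents on purpose,
# mimicking what happens when several SBOM generators are merged.
SBOM_DEPS = [
    ("pkg:pypi/WebApp@1.0", "pkg:pypi/Requests@2.25.0"),
    ("pkg:pypi/webapp@1.0", "pkg:pypi/flask@2.0.0"),
    ("pkg:pypi/requests@2.25.0", "pkg:pypi/urllib3@1.26.4"),
    ("pkg:pypi/flask@2.0.0", "pkg:pypi/jinja2@3.0.0"),
    ("pkg:pypi/cli-tool@0.3", "pkg:pypi/urllib3@1.26.4"),
]

# Constructed vulnerability records (placeholder ID, not a real advisory).
VULNS = [("VULN-EXAMPLE-0001", "pkg:pypi/URLLIB3@1.26.4")]


def normalize(purl: str) -> str:
    """Canonical identity: one node per package regardless of source spelling."""
    return purl.strip().lower()


def build_dependents(deps):
    """Assemble edges into a map child -> set of parents (who depends on it)."""
    dependents = defaultdict(set)
    for parent, child in deps:
        dependents[normalize(child)].add(normalize(parent))
    return dependents


def affected_by(dependents, vulns):
    """Query: every artifact that transitively depends on a vulnerable package."""
    result = {}
    for vuln_id, pkg in vulns:
        seen, queue = set(), deque([normalize(pkg)])
        while queue:
            for parent in dependents.get(queue.popleft(), ()):
                if parent not in seen:
                    seen.add(parent)
                    queue.append(parent)
        result[vuln_id] = sorted(seen)
    return result


def most_depended_on(dependents):
    """Query: the library with the most direct dependents (a 'crucial' one)."""
    return max(dependents, key=lambda n: len(dependents[n]))
```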
The open source project is still in its early stages, but a proof of concept (PoC) that supports the ingestion of SLSA, SBOM, and Scorecard documents as well as basic software metadata queries is already accessible on GitHub.
The internet behemoth has assembled a group of “Technical Advisory Members” to aid in the project’s expansion toward consuming data from other sources and formats, including SPDX, CycloneDX, Anchore, Aquasec, IBM, and others.