Google Unveils Open Source Project to Improve Software Supply Chain Security

Written by

Google called for contributors on Thursday to a new open source project named Graph for Understanding Artifact Composition (GUAC) as part of its efforts to improve software supply chain security.

According to the tech giant, GUAC is still in the early stages, but it is set to change how the industry perceives software supply chains.

“GUAC addresses a need created by the burgeoning efforts across the ecosystem to generate software build, security, and dependency metadata,” Google wrote in a blog post.

“True to Google’s mission to organize and make the world’s information universally accessible and useful, GUAC is meant to democratize the availability of this security information by making it freely accessible and useful for every organization, not just those with enterprise-scale security and IT funding.”

According to Google, collaboration in groups such as Open Source Security Foundation (OpenSSF), Supply Chain Levels for Software Artifacts (SLSA), Software Package Data Exchange (SPDX) and CycloneDX enables organizations to have ready access to a number of technologies, including Software Bills of Materials (SBOMs), signed attestations about how software was built and cross-database vulnerability databases.

“These data are useful on their own, but it’s difficult to combine and synthesize the information for a more comprehensive view,” reads the blog post.

“The documents are scattered across different databases and producers, are attached to different ecosystem entities, and cannot be easily aggregated to answer higher-level questions about an organization’s software assets.”

GUAC has been created to address these issues by bringing together many different sources of software security metadata, also thanks to partnerships between the tech giant, Kusari, Purdue University and Citi.

From a technical standpoint, GUAC has four main areas of functionality: collection of metadata from a variety of sources of software security databases, ingestion of said data, collation into a coherent graph and querying for a given artifact to view its SBOM, provenance, build chain, project scorecard, vulnerabilities, etc.

“GUAC aggregates and synthesizes software security metadata at scale and makes it meaningful and actionable,” Google wrote.

“We’re excited to share the project’s proof of concept, which lets you query a small dataset of software metadata, including SLSA provenance, SBOMs, and OpenSSF Scorecards.”

The creation of GUAC comes months after Google announced a new program designed to reward researchers that find bugs in its open source projects.

What’s hot on Infosecurity Magazine?