Google today introduced Graph for Understanding Artifact Composition (GUAC), an open source tool for centralizing build, security, and dependency metadata.
Developed in collaboration with Kusari, Purdue University, and Citi, the new project is meant to help organizations better understand software supply chains.
GUAC aggregates metadata from different sources, including supply chain levels for software artifacts (SLSA) provenance, software bills of materials (SBOM), and vulnerabilities, to provide a more comprehensive view over them.
“Graph for Understanding Artifact Composition (GUAC) aggregates software security metadata into a high-fidelity graph database—normalizing entity identities and mapping standard relationships between them,” Google says.
By querying this graph, organizations can improve their audit processes and risk management, can better meet policy requirements, and even provide developer assistance.
GUAC, the internet giant explains, has four areas of functionality, including metadata collection (from public, first-person, and third-party sources), ingestion of data (on artifacts, resources, vulnerabilities, and more), data assembly into a coherent graph, and user query for metadata attached to entities within the graph.
By aggregating software security metadata and making it meaningful and actionable, GUAC can help identify risks, discover critical libraries within open source software, and gather information on software dependencies, to improve supply chain security.
The open source project is in its early stages, with a proof of concept (PoC) now available on GitHub, offering support for the ingestion of SLSA, SBOM, and Scorecard documents and for simple queries for software metadata.
“The next efforts will focus on scaling the current capabilities and adding new document types for ingestion. We welcome help and contributions of code or documentation,” Google says.
The internet giant has created a group of ‘Technical Advisory Members’ that includes SPDX, CycloneDX Anchore, Aquasec, IBM, Intel, and others, to help expand the project towards consuming data from many different sources and formats.