
Google has launched a new project called Graph for Understanding Artifact Composition (GUAC) aims at securing the software supply chain. Also its seeking contributors to the new project.
The consequences of Software supply chain attacks could be devastating, it needs more sophistication to plant, but its stealthier and covers on a wider note.
Few of the examples are Log4Shell and Solarwinds attacks which demonstrated the effect of software supply chain attacks.
GUAC aggregates metadata from different sources, including databases of vulnerabilities, Supply chain Levels for Software Artifacts, and software bills of materials.
It aggregates software security metadata into a high-fidelity graph database that can be queried to drive higher-level organizational outcomes such as audit, policy, risk management, and even developer assistance.
The analysis of the results of such queries can allow organizations to audit processes related to the software supply chain and analyze the cyber risk.
GUAC occupies the aggregation and synthesis layer of the software supply chain transparency logical model. It has four areas of functionality
- Metadata collection from a variety of sources.
- ingestion of data.
- Data collation into a coherent graph.
- User query for metadata attached to entities within the graph.
Still in its early stages of development, the PoC released by Google can ingest SLSA, SBOM, and Scorecard documents and support simple queries and exploration of software metadata. In the future, the company plans to add new document types for ingestion.
GUAC is meant to democratize the availability of this security information by making it freely accessible and useful for every organization, not just those with enterprise-scale security and IT funding.
Google Statement