TheCyberThrone

GUAC tool joins OpenSSF Project


The developers of GUAC, a tool for finding vulnerabilities, announced that they have donated the project to the OpenSSF consortium.

GUAC was released in 2022 by Google, Kusari, Citibank, and Purdue University. OpenSSF, the consortium to which the project has been donated, maintains more than a dozen open-source cybersecurity tools focused on tasks such as finding code vulnerabilities and assessing their severity.

Organizations that adopt a new piece of software check whether it is secure. The data necessary to carry out that evaluation is readily available from the application’s developer and from third-party sources.


GUAC, officially Graph for Understanding Artifact Composition, is designed to aggregate all the available cybersecurity data about an application in a centralized repository that enables developers to run queries to quickly find potential vulnerabilities.

One of the sources from which GUAC collects application security data is the application’s SBOM, or software bill of materials: a document in which developers list all the open-source components a program includes and the tools that were used to create it.

GUAC can also ingest so-called in-toto attestations. Those are files that serve a similar function to an SBOM but provide a more detailed overview of the application they describe: an in-toto attestation includes information about every step of the development process through which a piece of software was created.

GUAC works with Google’s SLSA framework as well, a set of guidelines for securing build systems. A build system is the tool responsible for turning developers’ raw code files into a functioning program.


Records from GitHub, developer laptops, and file storage repositories hosted in the major public clouds can be aggregated in GUAC. It also works with more specialized data sources such as deps.dev, a Google-run service that provides technical information about open-source projects.

Once GUAC collates the available data about an application, software teams can use a built-in query feature to search for vulnerabilities. Users also have access to a data visualization dashboard, which makes it easier to check the reliability of the external software components on which a program relies to work.

According to GUAC’s developers, enterprises can use the platform to scan an open-source application for known vulnerabilities before installing it. It also spots related issues, such as cases where a program lacks an SBOM describing what components it includes. It likewise identifies software components that weren’t downloaded from a secure repository.
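As an added illustration, not code from GUAC, OpenSSF or this article, the Go program below sketches the idea behind the SBOM ingestion described earlier and the three checks listed in the paragraph above: security data from several sources is merged into one graph, and that graph is queried for components with a known advisory, for applications that have no SBOM at all, and for components that were not fetched from a trusted repository. The SBOM shape, the advisory feed with its ADV-EXAMPLE placeholder ids, the repository URLs and the application names are all constructed for the example; the real GUAC ingests standard SBOM formats and in-toto attestations and exposes a GraphQL query API, none of which is modelled here.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Component is one package at one version plus the repository it was fetched from. Field names match
// the JSON keys name/version/source case-insensitively; "source" stands in for a real SBOM's PURL.
type Component struct{ Name, Version, Source string }

// Advisory is one entry of a constructed vulnerability feed (placeholder ids, not real CVEs).
type Advisory struct { ID, Package string; Versions []string }

// Finding is one query answer: Subject is an app name or "name@version" key; Kind is "vulnerability", "no-sbom" or "untrusted-source".
type Finding struct{ Subject, Kind, Detail string }

// Graph holds the aggregated data: application -> components, component -> advisories.
type Graph struct {
	apps       map[string][]string  // app -> component keys; nil means deployed but no SBOM ingested
	components map[string]Component // "name@version" -> component
	advisories map[string][]string  // "name@version" -> advisory ids
}

func componentKey(name, version string) string { return name + "@" + version }

// IngestSBOM parses a simplified SBOM ({"components":[...]}) and links its components to the app.
func (g *Graph) IngestSBOM(app string, sbomJSON []byte) error {
	var sbom struct{ Components []Component }
	if err := json.Unmarshal(sbomJSON, &sbom); err != nil {
		return fmt.Errorf("sbom for %s: %w", app, err)
	}
	keys := make([]string, 0, len(sbom.Components))
	for _, c := range sbom.Components {
		k := componentKey(c.Name, c.Version)
		g.components[k] = c
		keys = append(keys, k)
	}
	g.apps[app] = keys
	return nil
}

// IngestAdvisories links each affected package version to the advisory that covers it.
func (g *Graph) IngestAdvisories(feedJSON []byte) error {
	var feed []Advisory
	if err := json.Unmarshal(feedJSON, &feed); err != nil {
		return fmt.Errorf("advisory feed: %w", err)
	}
	for _, a := range feed {
		for _, v := range a.Versions {
			k := componentKey(a.Package, v)
			g.advisories[k] = append(g.advisories[k], a.ID)
		}
	}
	return nil
}

// Audit answers three questions for one application: which components have a known advisory, whether
// an SBOM is missing altogether, and which components did not come from a trusted repository.
func (g *Graph) Audit(app string, trusted map[string]bool) []Finding {
	keys := g.apps[app] // nil for unknown apps and for apps registered without an SBOM
	if keys == nil {
		return []Finding{{app, "no-sbom", "no SBOM ingested for this application"}}
	}
	var out []Finding // findings follow the component order of the SBOM
	for _, k := range keys {
		for _, id := range g.advisories[k] {
			out = append(out, Finding{k, "vulnerability", id})
		}
		if src := g.components[k].Source; !trusted[src] {
			out = append(out, Finding{k, "untrusted-source", src})
		}
	}
	return out
}

// Constructed sample inputs: a simplified SBOM, a placeholder advisory feed and a trust list.
var sampleSBOM = []byte(`{"components":[{"name":"libfoo","version":"1.2.0","source":"https://registry.example/trusted"},
 {"name":"libbar","version":"0.9.1","source":"https://files.example/unverified"}]}`)
var sampleAdvisories = []byte(`[{"id":"ADV-EXAMPLE-0001","package":"libfoo","versions":["1.1.0","1.2.0"]},
 {"id":"ADV-EXAMPLE-0002","package":"libbaz","versions":["3.0.0"]}]`)
var trustedRepos = map[string]bool{"https://registry.example/trusted": true}

// BuildSampleGraph wires the constructed inputs together; "billing-service" is deployed but has no SBOM.
func BuildSampleGraph() (*Graph, error) {
	g := &Graph{map[string][]string{"billing-service": nil}, map[string]Component{}, map[string][]string{}}
	if err := g.IngestSBOM("web-frontend", sampleSBOM); err != nil {
		return nil, err
	}
	return g, g.IngestAdvisories(sampleAdvisories)
}

func main() {
	g, err := BuildSampleGraph()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n%+v\n", g.Audit("web-frontend", trustedRepos), g.Audit("billing-service", trustedRepos))
}
```

Running it reports one known advisory for libfoo@1.2.0, one untrusted download source for libbar@0.9.1, and a missing SBOM for billing-service. The point of keeping the data in one graph rather than in separate documents is visible in Audit: the advisory feed and the SBOM never reference each other directly, and the join happens on the shared "name@version" key, which is the same reason the real tool needs consistent identifiers across its data sources.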

Managing application updates is another task that the platform promises to ease. Enterprise workloads often incorporate multiple open-source modules. Before upgrading a module to the latest version, developers can use GUAC to check that version for potential security weak points.

GUAC is joining the OpenSSF’s software portfolio as an incubating project. The backing of a major open-source consortium can make it easier for a software project to win the confidence of risk-averse enterprise users. Additionally, GUAC’s developers said that joining OpenSSF will unlock access to technical feedback and other resources.
