Google announces GUAC open source project on software supply chains

Google unveiled a new open source security project on Thursday centered around software supply chain management. 

Given the acronym GUAC – which stands for Graph for Understanding Artifact Composition – the project is focused on creating sets of data about a software’s build, security and dependency. 

Google worked with Purdue University, Citibank and supply chain security company Kusari on GUAC, a free tool built to bring together many different sources of software security metadata. Google has also assembled a group of technical advisory members to help with the project — including IBM, Intel, Anchore and more. 

Google’s Brandon Lum, Mihai Maruseac, Isaac Hepworth pitched the effort as one way to help address the explosion in software supply chain attacks — most notably the widespread Log4j vulnerability that is still leaving organizations across the world exposed to attacks. 

“GUAC addresses a need created by the burgeoning efforts across the ecosystem to generate software build, security, and dependency metadata,” they wrote in a blog post. “GUAC is meant to democratize the availability of this security information by making it freely accessible and useful for every organization, not just those with enterprise-scale security and IT funding.”

They noted that U.S. President Joe Biden issued an executive order last year that said all federal government agencies must send a Software Bill of Materials (SBOM) to Allan Friedman, the director Cybersecurity Initiatives at National Telecommunications and Information Administration (NIST). 

Friedman has been helming the SBOM effort for more than a year, and the White House now mandates that all agencies create a formal record of the details and supply chain relationships of various components used in building software.

While SBOMs are becoming increasingly common thanks to the work of several tech industry groups like OpenSSF, there have been a number of complaints, one of those centered around the difficulty of sorting through troves of metadata, some of which is not useful. 

Maruseac, Lum and Hepworth explained that it is difficult to combine and collate the kind of information found in many SBOMs.

“The documents are scattered across different databases and producers, are attached to different ecosystem entities, and cannot be easily aggregated to answer higher-level questions about an organization’s software assets,” they said.

Google shared a proof of concept of the project, which allows users to search data sets of software metadata.

The three explained that GUAC effectively aggregates software security metadata into a database and makes it searchable.

They used the example of a CISO or compliance officer that needs to understand the “blast radius” of a vulnerability. GUAC would allow them to “trace the relationship between a component and everything else in the portfolio.”

Google says the tool will allow anyone to figure out the most used critical components in their software supply chain ecosystem, the security weak points and any risky dependencies.

As the project evolves, Maruseac, Lum and Hepworth said the next part of the work will center around scaling the project and adding new kinds of documents that can be submitted and ingested by the system.