GUAC Introduction and Demo! Know your software supply chain GUACademy

Hello, I am Jeff Mendoza, a software engineer at Kusari, and welcome to the GUACademy video series. This is the first video in the series, and I will be introducing you to GUAC (Graph for Understanding Artifact Composition), an open-source project that helps you understand your software supply chain. GUAC is licensed under the Apache License and serves as a database, or graph, into which supporting tools load supply chain data so that you can query it for insights and discovery.

How Does GUAC Help with Supply Chain Questions?

To understand how GUAC helps with supply chain questions, let's take a look at some diagrams. First, we have software bills of materials (SBOMs), each covering a single service, package or deliverable and listing the other software components included in it. By loading these SBOMs into GUAC, you can visualize the package's graph, with the root package and all the included packages. GUAC connects the dots between different packages, allowing you to identify common dependencies and the components that are critical for your organization.

In addition to visualizing the package graph, GUAC can also pull in more information from public services about the open-source packages in your graph. This includes rich and detailed dependency hierarchy information and OpenSSF Scorecard data. GUAC's tooling can also fetch vulnerability information from osv.dev, enabling you to track vulnerabilities and determine the exact dependency path by which a specific vulnerable version reaches your software.

GUAC Ecosystem Architecture

To give you an overview of the GUAC ecosystem, let's look at the architecture diagram. At the bottom, we have the data that goes into GUAC, including the SBOMs from your organization and information pulled from public services. The big green box represents the full GUAC deployment. To extract insights from GUAC, you can use the guacone CLI and the GUAC visualizer, which is currently under development. The GUAC graph data model is fully queryable via GraphQL, allowing you to dive deeper into the data and build integrations. Some example integrations include IDE plugins and CI checks.

Demo: Exploring Vulnerabilities and Marking Packages as "Bad"

Let's dive into a demo to see how GUAC works in action. In this example, I'm using Python, and I have ingested SBOMs for the packages I build into GUAC. I want to check whether any of these packages are affected by known vulnerabilities. I use the guacone CLI command guacone query vuln to query vulnerabilities for the packages I care about.

By running the query against GUAC, I can see all the packages that have attached SBOMs. I then run the vulnerability query on specific packages to identify any vulnerabilities. GUAC provides a link to the visualizer, which allows me to explore the vulnerability path graphically.

In another example, I demonstrate how to mark a package as "bad" using the guacone certify bad command. This command is useful when there is a zero-day or another security concern with a package. I provide a justification for marking the package as "bad," and it gets ingested into GUAC. By using the visualizer, I can explore the dependencies and see which packages have a link to the "bad" package.
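The GraphQL API described in the architecture section, the vulnerability query and the certify-bad demo above can be tied together in a CI check of the kind the video mentions. What follows is an added example, not GUAC's own code or anything shown in the video: a small Python gate that asks a GUAC GraphQL endpoint whether a package has a certifyBad record or a recorded vulnerability and fails the build if it does. The endpoint URL (http://localhost:8080/query), the query and field names (certifyBad, certifyVuln, PkgSpec, vulnerabilityIDs) and the "novuln" convention are assumptions drawn from GUAC's GraphQL schema and should be verified against the schema your deployment actually serves; the responses used for the offline run are constructed.

```python
"""Hypothetical CI gate against a GUAC GraphQL endpoint (added example, not GUAC's code).

Query names, field names and the endpoint URL are assumptions based on GUAC's
GraphQL schema; check them against the schema served by your deployment.
"""
import json
import sys
import urllib.request
from typing import Callable
from urllib.parse import unquote

# Assumed default GraphQL endpoint of a local GUAC deployment.
GUAC_GRAPHQL_URL = "http://localhost:8080/query"

# Assumed query shapes: certifyBad and certifyVuln filtered by a PkgSpec.
CERTIFY_BAD_QUERY = """
query BadPackage($pkg: PkgSpec!) {
  certifyBad(certifyBadSpec: { subject: { package: $pkg } }) {
    justification
    origin
  }
}
"""

CERTIFY_VULN_QUERY = """
query VulnPackage($pkg: PkgSpec!) {
  certifyVuln(certifyVulnSpec: { package: $pkg }) {
    vulnerability {
      type
      vulnerabilityIDs { vulnerabilityID }
    }
  }
}
"""


def purl_to_pkgspec(purl: str) -> dict:
    """Translate a package URL (pkg:type/namespace/name@version) into a PkgSpec.

    Qualifiers (?...) and the subpath (#...) are dropped: this gate matches on
    type, namespace, name and version only.
    """
    if not purl.startswith("pkg:"):
        raise ValueError(f"not a package URL: {purl}")
    rest = purl[len("pkg:"):].split("#", 1)[0].split("?", 1)[0]
    path, sep, version = rest.rpartition("@")
    if not sep or "/" in version:
        # The '@' belonged to a scope such as npm's @scope/name; no version given.
        path, version = rest, ""
    parts = [unquote(p) for p in path.strip("/").split("/")]
    if len(parts) < 2:
        raise ValueError(f"package URL lacks a name: {purl}")
    spec = {"type": parts[0], "name": parts[-1]}
    namespace = "/".join(parts[1:-1])
    if namespace:
        spec["namespace"] = namespace
    if version:
        spec["version"] = unquote(version)
    return spec


def post_graphql(url: str, query: str, variables: dict) -> dict:
    """Send one GraphQL request over HTTP and return the decoded JSON body."""
    body = json.dumps({"query": query, "variables": variables}).encode()
    req = urllib.request.Request(
        url, data=body, headers={"Content-Type": "application/json"}, method="POST"
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def findings_from_responses(bad_resp: dict, vuln_resp: dict) -> list[str]:
    """Turn the two GraphQL responses into human-readable findings."""
    for resp in (bad_resp, vuln_resp):
        if resp.get("errors"):
            raise RuntimeError(f"GraphQL errors: {resp['errors']}")
    findings = []
    for bad in bad_resp.get("data", {}).get("certifyBad") or []:
        findings.append(f"certifyBad: {bad.get('justification', '')} (origin: {bad.get('origin', '?')})")
    for cv in vuln_resp.get("data", {}).get("certifyVuln") or []:
        vuln = cv.get("vulnerability") or {}
        # Assumption: GUAC records a scan that found nothing as vulnerability type "novuln".
        if (vuln.get("type") or "").lower() == "novuln":
            continue
        ids = ", ".join(v.get("vulnerabilityID", "") for v in vuln.get("vulnerabilityIDs") or [])
        findings.append(f"certifyVuln: {vuln.get('type') or '?'} {ids}".rstrip())
    return findings


def check_package(purl: str, url: str = GUAC_GRAPHQL_URL,
                  post: Callable[[str, str, dict], dict] = post_graphql) -> list[str]:
    """Query GUAC for one package; an empty list means the gate passes."""
    variables = {"pkg": purl_to_pkgspec(purl)}
    bad_resp = post(url, CERTIFY_BAD_QUERY, variables)
    vuln_resp = post(url, CERTIFY_VULN_QUERY, variables)
    return findings_from_responses(bad_resp, vuln_resp)


# Constructed responses standing in for a live GUAC server (offline exercise only).
CONSTRUCTED_RESPONSES = {
    CERTIFY_BAD_QUERY: {"data": {"certifyBad": [
        {"justification": "constructed: zero-day under investigation", "origin": "constructed"}]}},
    CERTIFY_VULN_QUERY: {"data": {"certifyVuln": [
        {"vulnerability": {"type": "osv",
                           "vulnerabilityIDs": [{"vulnerabilityID": "GHSA-PLACEHOLDER"}]}},
        {"vulnerability": {"type": "novuln", "vulnerabilityIDs": [{"vulnerabilityID": ""}]}},
    ]}},
}


def offline_demo(purl: str = "pkg:pypi/example-package@1.2.3") -> list[str]:
    """Run the gate against the constructed responses instead of a live server."""
    return check_package(purl, post=lambda _url, query, _vars: CONSTRUCTED_RESPONSES[query])


if __name__ == "__main__":
    args = [a for a in sys.argv[1:] if a != "--offline"]
    target = args[0] if args else "pkg:pypi/example-package@1.2.3"
    problems = offline_demo(target) if "--offline" in sys.argv else check_package(target)
    for line in problems:
        print(line)
    sys.exit(1 if problems else 0)
```

Run it as a CI step with the package URL of the artifact you just built; a non-zero exit blocks the pipeline whenever GUAC holds a "bad" certification or a recorded vulnerability for that package. Passing --offline exercises the gate against the constructed responses, which is how the decision logic can be tested without a GUAC deployment.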

Summary

GUAC is an open-source tool that helps you understand your software supply chain by visualizing the package graph, connecting dependencies, and providing insights into vulnerabilities. It allows you to query vulnerabilities, mark packages as "bad," and explore the dependencies within your supply chain.

Keywords

  • GUAC
  • Graph for Understanding Artifact Composition
  • Software Supply Chain
  • SBOMs
  • Vulnerabilities
  • Public Services
  • Query
  • Visualizer
  • Integration
  • CLI

FAQ

  • What is GUAC? GUAC is an open-source project that helps you understand your software supply chain by visualizing the package graph and providing insights into dependencies and vulnerabilities.

  • What are SBOMs? SBOMs (Software Bills of Materials) each cover a single service, package or deliverable and list the other software components included in it. They help you understand the components and dependencies of a package.

  • How does GUAC help with vulnerabilities? GUAC allows you to query vulnerabilities based on specific packages and provides insights into the exact path of the vulnerability. It helps you track and understand vulnerabilities within your supply chain.

  • Can GUAC mark packages as "bad"? Yes, GUAC provides a command to mark packages as "bad" in cases of zero-day vulnerabilities or other security concerns. This feature helps to identify and flag compromised or malicious packages within your supply chain.

  • What integrations can be built with GUAC? GUAC's data model is fully queryable via GraphQL, allowing you to build integrations such as IDE plugins and CI checks. This makes it easier to incorporate GUAC into your existing software development workflows.