KubeCon 24: GUAC Reveals Where the Vulnerabilities Hide

So now your security team has a software bill of materials (SBOM) for its open source applications. What’s next? If you are KubeCon + CloudNativeCon EU March 19-22 in Paris, stop by the Kusari booth (#M30) to learn more about the Graph for Understanding Artifact Composition (GUAC), which puts all that SBOM data into a more readily-understandable graph data format, augmenting it with vulnerability data.

On Thursday, the Open Source Security Foundation (OpenSSF) adopted GUAC as an incubating project. Open SSF will bring many things to GUAC, including access to and feedback from SBOM and CycloneDX domain experts.

“There’s a lot of a lot of tools generating [security] data, but not a lot of things taking all this information together and like actually utilizing it,” said Michael Lieberman, Kusari co-founder and CTO, in an interview with The New Stack. “GUAC aggregates all this information into a graph database, which you can actually use for actionable insights.”

Kusari, Google and researchers from Purdue University and Citi developed GUAC, which attracted support from companies such as Yahoo, Microsoft, Red Hat, Guidewire and ClearAlpha Technologies.

Thus far the project has attracted 50 contributors, 300 community members and more than 1,100 stars on GitHub.

GUAC was truly a community effort, Lieberman said.

Security academics have long suggested dependency graphs could be useful. Lieberman — who is an OpenSSF Governing Board and TAC member; as well as a CNCF Security TAG lead — saw a lot of interest from the commercial sector for a tool of this nature.

“Instead of us all building different things, we came together and started building something,” Lieberman said.

How Does GUAC Work?

The current version is available as a beta, offering results via a standard Rest API, GraphAPI, and by command line.

GAUC provides the data to display a detailed graph that visualizes all the software in an SBOM, including first-party, third-party or open source software. The software ingests SBOMS in either the SPDX and CycloneDX formats.

It has a set of collectors to pull data from repositories such as Docker Hub. It can also take in data from local file systems, Amazon  Web Services‘ S3, Google Cloud, and external package repositories like GitHub Releases.

To augment this data, GUAC pulls in and integrates vulnerability data, via APIs, from sources such as the Open Source Insights’ deps.dev and Open Source Vulnerabilities.

“We’re enriching the SBOMs with these other open source tools,” Lieberman said.

GUAC in collates this data and returns the information as a set of data nodes and relationships. These artifacts can be used to understand the gaps in software supply chain data, and pinpoint areas of weaknesses in the software stack.

You can query a graph to pinpoint the vulnerabilities within an SBOM, including transitive dependencies where one application depends on a library which in turn relies on a vulnerable element.

Beyond security, it can also highlight packages with restrictive licensing (which can cause a lawsuit).

Input from KubeCon

At KubeCon, the GUAC team is looking for more input from folks who feel they don’t have enough visibility into their supply chain issues. They are looking for heretofore undiscovered use cases.

They are looking for new data sources and feedback on new features, or features that should be added.

Last month, OpenSSF posted a set of principles for securing packaging repositories, establishing a taxonomy and a tier security maturity, from one to four.

As for Kusari itself, it is building a security platform based on GUAC and other tools. The company is contemplating offering it as a service, or maybe selling a version with additional analytics.

“Your software environments are becoming more and more complicated every year. And in order to understand those complex environments, you need to have tools to help out with that. And that’s where Kusari comes in” Lieberman said.

The post KubeCon 24: GUAC Reveals Where the Vulnerabilities Hide appeared first on The New Stack.

Software Bills of Material (SBOMs) are only the first step in understanding security data. GUAC uses a dependency graph to more readily display problematic components.