GUAC Beta v0.1

[lumjjb]

GUAC Beta v0.1

GUAC Beta v0.1 provides a runnable service for users to get started with building a software catalog and understanding their organization's software supply chain and prototyping security evaluations and controls.

With the GUAC Beta, a user can provide their SBOM and SLSA documents and the service will ingest the software metadata into a knowledge graph which will automatically be augmented with additional vulnerability, security and open source insights (e.g. OSV.dev, Deps.dev, Scorecards). All this information will then be accessible and queryable to answer supply chain questions.

With the help of additional experimental utilities, a user will be able to:

• Understand the "hidden" imported dependencies and the scale of the organization's software supply chain blast radius
• Finding out if my organization's software is vulnerable to log4shell
• Marking certain software as "known bad" (e.g. known malware, compromise) and detect if software uses it

The above examples showcase some utilities we've built to preview the GUAC Beta API. As a developer, you can leverage this yourself and build your own products on GUAC through our GraphQL API. For example, you may be able to create a:

• Code IDE plugins that enforces supply chain security policy at development time

Note: The GUAC Beta is NOT production ready. We'd like to get feedback on both the capabilities of the service and use cases from an end-user perspective as well as the GraphQL API from a developer perspective.

What does it include

Provide a deployable service that an organization will be able to answer the vulnerability question (and more) about their software dependencies.

• E2E Service with an experimental web interface for users to query by software identifiers
• GUAC consumes/ingests organization SBOMs and SLSA documents
• GUAC augments the graph automatically with Open Source Insights and security metadata (deps.dev, osv.dev, scorecards)
• A set of example utilities building on top of the GraphQL interface to showcase building on top of GUAC

Below this line are logistics/planning

Example flow

Setting up and configuring GUAC through an all-in-one container

The GUAC Web UI

The GUAC results page with insights and navigable graph

Technical Details

This should include:

• Ability for parsers to request the augmentation of additional data in GUAC (functional equivalence to "Fetcher" component in initial design doc)
  • https://github.com/guacsec/guac/issues/244
    1. Create data model for subscription model
    2. Create API and service for subscription model
    3. Integrate subscription API into collectors
    4. Integrate subscription API into parsers
• A graphQL API to obtain results
  • https://github.com/guacsec/guac/issues/216 (pre-workshop)
  • Implement golang genqlient and gqlgen into GUAC project
  • Generate a GraphQL interface that would ensure that the proof of concept from SETUP.md and the certifier workflow produce the same results via Cypher and via the new interface. This phase involves building the GraphQL interface for read only queries from the database.
  • tracking all the queries that are currently being used to write to the database and creating corresponding GraphQL mutations.
  • https://github.com/guacsec/guac/issues/291 (workshop)
  • https://github.com/guacsec/guac/issues/218 (post-workshop)
• A runnable persistent GUAC deployment with end-to-end workflows of collectors/processors/parsers/assemblers
  • https://github.com/guacsec/guac/issues/31
    1. Complete NATs implementation
    2. Create service run GUAC with multiple collectors and 1 parser/assembler (2 piece service, collector talks to parser/assembler)
    3. Create all in 1 container image to run GUAC services
    4. Change/add to SETUP.md to use this model
• Collectors:
  • OSV Certifier
  • https://github.com/guacsec/guac/issues/222
    • Implement OSV.dev certifier collector
    • Update OSV.dev certifier collector to use subscription model
  • Deps.dev certifier/collector
  • https://github.com/guacsec/guac/issues/214
    • Create deps.dev certifier collector based on BigTable data source
    • Update deps.dev certifier collector based on queryable API if exists
    • Update deps.dev certifier collector to use subscription model
  • Scorecards collector
  • https://github.com/guacsec/guac/issues/249
    • Implement scorecards certifier collector
    • Update scorecards certifier collector to use subscription model
  • Github collector (repo information, release info, etc.)
  • https://github.com/guacsec/guac/issues/205
    • Implement Github repo certifier collector
    • Update github repo certifier collector to use subscription model
• A service to ingest SLSA/SBOM from the user and return results by querying the GraphQL API.
  • https://github.com/guacsec/guac/issues/250
    1. Design the UX for the service
    2. Design and Create API to perform functionality (logic to query GraphQL Api, perform the right ingestion, provide feedback on ingestion)
    3. Create front-end site and service for user flow
    4. Create deployment of entire service in 1 container with documentation
    5. Scale testing sample deployment
• Document URI encoded within node (and have collectors propagate that information)

Technical issues that need to be ironed out:

• Initial model of resolving the identifier problem
  • https://github.com/guacsec/guac/issues/217
  • https://github.com/guacsec/guac/issues/239
• General data quality problems that come up, especially with SBOM formats (== sourceinformation?)

Performance issues that need to track:

• L1 policy to skip duplicated documents to optimize ingestion
• Collectors should also have a "greedy" slider for polling and document expiration
• Make ingestion more performant

[lumjjb]

https://github.com/guacsec/guac/releases/tag/v0.1.0 🎉