[Tool Request]: GUAC

[funnelfiasco]

Tool or Product name

GUAC (Graph for Understanding Artifact Composition)

Open Source or Proprietary

open source

Company or Organization name

OpenSSF

Organization or Company Logo Usage

• [X] Already a member of SPDX
• [ ] Permission to use logo as an SPDX supporter (required if not a member)

Public Contact Email or URL

https://guac.sh/

Product or tool website

https://guac.sh/

Description

GUAC aggregates software security metadata into a high fidelity graph database—normalizing entity identities and mapping standard relationships between them. Querying this graph can drive higher-level organizational outcomes such as audit, policy, risk management, and even developer assistance.

SBOM tool category

• [ ] Produce(Build)
• [ ] Produce(Analyze)
• [ ] Produce(Edit)
• [ ] Consume(View)
• [ ] Consume(Diff)
• [X] Consume(Import)
• [ ] Transform(Translate)
• [ ] Transform(Merge)
• [X] Transform(Tool Support)

SPDX Versions supported

• [ ] 2.0
• [ ] 2.1
• [ ] 2.2
• [X] 2.3
• [ ] 3.0

SPDX verification

GUAC uses the SPDX Golang tooling

How to procure

Download binaries or build from source.

Installation instructions

https://docs.guac.sh/getting-started/

Link to quick start guide

https://docs.guac.sh/getting-started/

[mlieberman85]

Ping @goneall

[goneall]

We're in the middle of creating a new web page for the tools - should be available around mid June.

If you're OK waiting until then, we'll include Guac - it is definitely a tool I'd like to add to the website

[funnelfiasco]

@goneall I think we can wait a few weeks. Thanks for the update!

[goneall]

It's taking longer than expected to get the new tools web pages in shape, so I went ahead and added GUAC to the existing page.

Let's leave this issue open to track adding it to the new format.

Let me know if you see any issues with the updated information.

[funnelfiasco]

Looks good to me! Thanks for following up on this

[podence]

Added to new page to be deployed.