Google has unveiled the open source Graph for Understanding Artifact Composition (GUAC) tool, which aims to bolster understanding of the software supply chain by centralizing build, security, and dependency metadata, reports SecurityWeek.
GUAC, which was co-developed with Citi, Purdue University, and Kusari, aggregates metadata from security vulnerability data, software bills of materials (SBOMs), and Supply-chain Levels for Software Artifacts (SLSA) provenance, and then normalizes entity identities and maps the relationships between them, according to Google.
With its metadata collection, data ingestion, graph assembly, and metadata querying capabilities, GUAC could be leveraged not only for risk identification but also for the discovery of critical open source software flaws and the collection of software dependency information for better supply chain security. Google has already published a proof of concept for GUAC on GitHub, and more capabilities are expected to be added to the open source tool in the future.
"The next efforts will focus on scaling the current capabilities and adding new document types for ingestion. We welcome help and contributions of code or documentation," said Google.
New Google open source tool seeks to bolster software supply chains