New Google open source tool seeks to bolster software supply chains

Google has unveiled the open source Graph for Understanding Artifact Composition tool aimed at bolstering software supply chain understanding through centralized build, security, and dependency metadata, reports SecurityWeek. GUAC, which was co-developed with Citi, Purdue University, and Kusari, facilitates metadata aggregation from security vulnerabilities, software bills of materials, and supply chain levels for software artifacts provenance, which then helps normalize entity identities and relationship mapping, according to Google. With its metadata collection, data ingestion, graphical data assembly, and metadata querying capabilities, GUAC could be leveraged not only for risk identification but also for the discovery of critical open source software flaws, and collection of software dependency information for better supply chain security. Google has already provided the proof of concept for GUAC on GitHub and more capabilities are expected to be added to the open source tool in the future. "The next efforts will focus on scaling the current capabilities and adding new document types for ingestion. We welcome help and contributions of code or documentation," said Google.