GUAC’s Open-Source Journey: Advancing Software Supply Chain Security with Kusari and OpenSSF

Introduction

As software supply chains grow in complexity, ensuring their security has become increasingly important. GUAC (Graph for Understanding Artifact Composition) is an open-source tool designed to bring greater visibility to software dependencies and component relationships. Developed by Kusari in partnership with organizations like Google and Citi, GUAC functions as a central hub that gathers, organizes, and enables the querying of information on software components, vulnerabilities, and dependencies.

In March 2024, GUAC reached a new milestone, joining the Open Source Security Foundation (OpenSSF) as an incubating project. This achievement underscores its potential as a security tool that operates under open-source principles, which allows the industry at large to benefit from increased transparency and shared security practices.

What is GUAC, and What Does It Do?

GUAC is designed to answer essential questions about the software supply chain by transforming dispersed data points into a structured, queryable system. Through its backend, GUAC collects data from various sources, such as Software Bills of Materials (SBOMs), Supply-chain Levels for Software Artifacts (SLSA) attestations, and vulnerability databases. This allows organizations to understand the structure and security status of their software’s dependencies.

The main functionalities of GUAC include:

  • Metadata Collection: GUAC aggregates SBOMs, license information, vulnerability reports, and other metadata. This data is then visualized in a graph format to help users see how different components interact.
  • Querying and Visualizing Data: Using GraphQL and a soon-to-be-launched REST API, GUAC enables users to query specific details about software components, assess dependencies, and detect vulnerabilities.
  • Compliance and Risk Management Support: By verifying attestations like SLSA, GUAC helps organizations meet regulatory and compliance requirements more efficiently, making it easier to assess risk across the software supply chain.

OpenSSF and Apache 2.0 License: Providing Stability and Protection

The Open Source Security Foundation (OpenSSF) is a cross-industry collaboration dedicated to improving the security of open-source software. By supporting projects like GUAC, OpenSSF fosters a community of shared best practices, giving open-source tools the stability needed to grow sustainably.

The Apache 2.0 license supports GUAC’s goal of accessibility by allowing users to freely use, modify, and distribute the tool. This permissive license model emphasizes transparency, flexibility, and legal protection, ensuring GUAC remains free from restrictive changes that could hinder adoption or use.

Open-Source Licensing with Apache 2.0

Released under the Apache 2.0 license, GUAC benefits from a licensing model that aligns with open-source principles, emphasizing freedom of use and adaptability. This licensing choice allows organizations to use, modify, and distribute the tool without restrictive clauses that could complicate its adoption or future use.

“The Apache 2.0 license provides a stable foundation for GUAC, ensuring that organizations can integrate it without fearing unexpected costs or restrictive licensing,” said Ben Cotton, Open Source Community Lead for Kusari. “It’s a license that embodies the spirit of open-source collaboration.”

The Apache 2.0 license provides:

  • Transparency: GUAC’s codebase is accessible, fostering transparency and building trust within the community.
  • Flexibility: Organizations can modify GUAC according to their needs without added costs or licensing changes that would restrict its usage.
  • Legal Safeguards: The license offers an express grant of patent rights from contributors to users, reducing potential risks related to software patents.

In recent years, some high-profile open-source projects, such as Puppet and Terraform, have encountered challenges due to restrictive licensing changes. By contrast, GUAC’s Apache 2.0 license guards against restrictive licensing, supporting its goal of remaining accessible and freely available.

Stability and Support Through OpenSSF

As an OpenSSF Incubating Project, GUAC gains additional stability and credibility. The foundation provides a framework for GUAC’s growth, promoting long-term development while protecting the project from restrictive practices such as vendor lock-in.

Ben Cotton shared, “The OpenSSF is a natural home for the GUAC project. It’s a central place for individuals and organizations working on software supply chain security to share their expertise.”

As part of OpenSSF, GUAC benefits in several ways:

  • Long-Term Continuity: OpenSSF governance supports the project’s neutrality, ensuring it is not influenced by sudden changes in licensing or commercial interests.
  • Protection from Restrictive Licensing: OpenSSF encourages open-source projects to maintain transparency and accessibility, shielding GUAC from restrictive licensing practices.
  • Ongoing Development and Support: The OpenSSF community provides resources and feedback from industry contributors, helping GUAC adapt to evolving security needs.

Kusari’s Vision and the Inspiration for GUAC

Kusari’s founders, with backgrounds in financial sector security, recognized the challenges of managing secure software in complex, highly regulated environments. GUAC was created to provide a central hub where data could be organized and queried to offer greater insights into the software supply chain.

“GUAC is our attempt to solve our own problem: how to turn a pile of disconnected facts into a queryable set of information to know what’s in the software supply chain,” said Cotton. “Our goal is to make sense of massive amounts of data on dependencies and vulnerabilities, helping organizations secure their supply chain from the ground up.”

Real-World Use Cases for GUAC

GUAC’s capabilities extend to numerous real-world scenarios, particularly for organizations seeking greater control and visibility into their software assets:

  • Risk Assessment: A company needing to understand potential vulnerabilities within a component can use GUAC to quickly locate vulnerabilities across dependencies, facilitating a faster response.
  • Regulatory Compliance: For businesses striving to meet federal software mandates, GUAC can verify whether software components in the supply chain meet standards like SLSA, simplifying compliance processes.
  • Lifecycle Management: GUAC’s feature for tracking software end-of-life status, contributed by a Microsoft engineer, ensures users are informed of critical updates or the need for replacements.

These use cases illustrate GUAC’s practical value for organizations that prioritize security, visibility, and regulatory alignment.

Overcoming Technical Challenges and Lessons Learned

Building GUAC as an open-source security tool has presented technical challenges. For example, early support for multiple storage backends added complexity to maintenance, which led Kusari to narrow its focus to PostgreSQL for production environments. Additionally, a REST API will soon make GUAC’s powerful query capabilities more accessible for users who may not require GraphQL’s advanced options.

“The choice to use GraphQL as our main interaction layer offered power but also added complexity,” Cotton explained. “To make GUAC more accessible, we’re developing a REST API, which will simplify common queries and help users get started quickly.”

These refinements demonstrate GUAC’s adaptability, as Kusari responds to community feedback to simplify the tool’s usability.

GUAC’s Role in Meeting Federal Mandates and Secure by Design Standards

With growing regulatory attention on software supply chain security, GUAC has established itself as a helpful resource for organizations seeking compliance. By consolidating and structuring data, GUAC supports verification of security attestations and vulnerability assessments across dependencies, aligning with standards like SLSA and others in the Secure Software Development Framework.

“With GUAC, you can ensure the components in your supply chain meet standards like SLSA to verify security, and you can track vulnerabilities quickly, no matter how deep they are in your dependency graph,” Cotton shared.
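The dependency-depth question raised above, as an added illustration that is not GUAC’s own code or API: a few constructed IsDependency and CertifyVuln facts of the kind GUAC ingests from SBOMs and vulnerability databases, loaded into a small graph and queried for every top-level artifact that transitively reaches a vulnerable package, with the path and its depth. Package identifiers and the vulnerability ID are constructed placeholders.

```python
from collections import deque

# Constructed sample facts (not real packages or advisories), modelled on the
# two kinds of edge the text describes: dependency relations from SBOMs and
# vulnerability certifications from scanners or databases.
IS_DEPENDENCY = [
    ("pkg:oci/payments-service@1.4.0", "pkg:golang/github.com/example/web@2.1.0"),
    ("pkg:golang/github.com/example/web@2.1.0", "pkg:golang/github.com/example/json@0.9.2"),
    ("pkg:golang/github.com/example/json@0.9.2", "pkg:golang/github.com/example/unicode@3.0.1"),
    ("pkg:oci/reporting-service@0.8.0", "pkg:golang/github.com/example/pdf@1.2.0"),
    ("pkg:oci/reporting-service@0.8.0", "pkg:golang/github.com/example/json@0.9.2"),
]
CERTIFY_VULN = {
    # placeholder advisory ID; a real graph would carry IDs from the vuln DB
    "pkg:golang/github.com/example/unicode@3.0.1": ["VULN-ID-PLACEHOLDER"],
}


def build_graph(edges):
    """Adjacency list: parent purl -> list of direct dependency purls."""
    graph = {}
    for parent, child in edges:
        graph.setdefault(parent, []).append(child)
        graph.setdefault(child, [])
    return graph


def roots(graph):
    """Artifacts nothing depends on, i.e. the deployable top-level units."""
    children = {c for deps in graph.values() for c in deps}
    return sorted(p for p in graph if p not in children)


def vuln_paths(graph, vulns, root):
    """BFS from root; yields (vulnerable purl, ids, depth, shortest path).

    The visited set makes this safe on cyclic dependency data, and BFS
    guarantees the reported path is the shortest one to each finding.
    """
    hits, seen, queue = [], {root}, deque([(root, [root])])
    while queue:
        node, path = queue.popleft()
        if node != root and node in vulns:
            hits.append((node, vulns[node], len(path) - 1, path))
        for child in graph.get(node, []):
            if child not in seen:
                seen.add(child)
                queue.append((child, path + [child]))
    return hits


def affected_artifacts(edges, vulns):
    """Map each top-level artifact to the vulnerable packages it reaches."""
    graph = build_graph(edges)
    return {root: vuln_paths(graph, vulns, root) for root in roots(graph)}
```

Run on the sample facts, both services reach the vulnerable package, one at depth 3 and one at depth 2, which is the kind of answer a single SBOM on its own cannot give.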

Future Directions and Kusari’s SaaS Offering

As the GUAC community works toward a 1.0 release, plans are underway to add support for additional data services, such as container registry querying and end-of-life tracking for software components. These enhancements aim to make GUAC even more effective for organizations seeking comprehensive supply chain visibility.

Kusari is also preparing a SaaS version of GUAC, bringing the same transparency and security capabilities to organizations with minimal infrastructure requirements. The SaaS model will allow a wider range of users to benefit from GUAC’s insights, supporting faster implementation and onboarding.

“With a SaaS offering, GUAC can help even more organizations secure their supply chains by making data insights easier to adopt and manage. SaaS will allow companies to get the benefits of GUAC without needing dedicated infrastructure,” Cotton noted.

Call to Action for Open Source Involvement

As GUAC continues to evolve, Kusari and the OpenSSF invite the community to engage with the project by contributing, testing, and providing feedback. By joining the effort to enhance software supply chain security, contributors can support the broader mission of open-source security and gain hands-on experience with a critical security tool.

“Whether it’s reporting a bug, suggesting a feature, or contributing code, we welcome the community to help make GUAC the best it can be,” Cotton added.

Conclusion

As the complexity of software supply chains continues to evolve, GUAC is well-positioned to support security in a broad, adaptable manner. Released under the open-source Apache 2.0 license and developed within the OpenSSF framework, GUAC combines accessibility and stability with a commitment to industry standards. With an upcoming SaaS offering, GUAC will be available to a broader range of users, providing a scalable, foundational tool to meet the security challenges of today’s software ecosystem.

More articles by Casey Fahey