GUAC adopts license metadata from ClearlyDefined

The software supply chain just gained some transparency thanks to an integration of the Open Source Initiative (OSI) project, ClearlyDefined, into GUAC (Graph for Understanding Artifact Composition), an OpenSSF project from the Linux Foundation. GUAC provides a comprehensive mapping of software packages, dependencies, vulnerabilities, attestations, and more, allowing organizations to achieve better compliance and security of their software supply chain.

GUAC offers the full view of the supply chain

Software supply chain attacks are on the rise. Many tools are available to help generate software bills of materials (SBOMs), signed attestations and vulnerability reports, but they stop there, leaving users to figure out how they all fit together. GUAC provides an aggregated, queryable view across the whole software supply chain, not just one SBOM at a time.

GUAC is for developers, operations and security practitioners who need to identify and address problems in their software supply chain, including proactively managing dependencies and responding to vulnerabilities. GUAC provides supply chain observability with a graph view of the software supply chain and tools for performing queries to gain actionable insights.

GUAC enhanced with ClearlyDefined integration

The latest version of GUAC (v0.8.0) now provides support for ClearlyDefined. GUAC will query the ClearlyDefined license metadata store to discover license information for packages, even when the SBOM does not include that information.

A ClearlyDefined certifier will listen on collector-subscriber for any pkg/src strings, then convert to ClearlyDefined coordinates, then query the API service for the definition. The user agent will be the same as existing outgoing GUAC requests GUAC/ (e.g. GUAC/v0.1.0).

A CertifyLegal node will be created using the “licensed➡declared” field from the definition. The expression will be copied and any license identifiers found will result in linked License noun nodes, created if needed. Type will be “declared”. Justification will be “Retrieved from ClearlyDefined”. Time will be the current time the information was retrieved from the API.

Similarly a node will be created using the “licensed➡facets➡core➡discovered➡expressions” field. Multiple expressions will be “AND”ed together. Type will be “discovered”, and other fields the same (Time, Justification, License links, etc).

The “licensed➡facets➡core➡attribution➡parties” array will be concatenated and stored in the Attribution field on CertifyLegal.

Optionally, “described➡sourceLocation” can be used to create a HasSourceAt GUAC node.

Thanks to the community

Although licenses don’t directly impact security, they are an important part of understanding the software supply chain. We would like to thank Parth Patel (Kusari), Jeff Mendoza (Kusari), Ben Cotton (Kusari), and Qing Tomlinson (SAP) for their support to get this feature implemented in GUAC. The ClearlyDefined community looks forward to working together with the GUAC community to help organizations worldwide to better achieve compliance and security of their software supply chain.

Click Here to View Original Source (opensource.org)

Leave a Reply

Your email address will not be published. Required fields are marked *

Shared by: voicesofopensource August 6, 2024

Tags: , ,