Last Thursday Google called for contributors to collaborate on an open source project titled Graph for Understanding Artifact Composition (GUAC). The project is part of Google’s efforts to improve software supply chain security. GUAC is still in the early stages, but Google hopes that the project will change how the industry perceives software supply chains and security. GUAC is looking to generate software build, security, and dependency metadata, the tech giant says.
The project will collaborate with groups such as the Open Source Security Foundation (OpenSSF), Supply Chain Levels for Software Artifacts (SLSA), Software Package Data Exchange (SPDX), and CycloneDX. These groups give organizations access to technologies and attestations describing how software was built. They provide useful data that GUAC will synthesize to improve comprehensiveness, Google says. Today those documents are scattered across databases, producers, ecosystems, and more, which presents challenges to the security and development community.
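To make the synthesis idea concrete, here is an added illustration (not GUAC's code, and not from the article) that ingests two constructed documents, a CycloneDX-style SBOM and a SLSA-style provenance statement, into one graph and then answers the kind of question such a graph exists for: which artifacts are affected if a low-level dependency turns out to be bad. The package URLs, the builder id and the trimmed document shapes are assumptions for the example.

```python
import json
from collections import defaultdict, deque

# Constructed sample documents, trimmed to the fields this example reads.
CYCLONEDX_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "dependencies": [
        {"ref": "pkg:generic/app@1.0", "dependsOn": ["pkg:pypi/requests@2.28.1"]},
        {"ref": "pkg:pypi/requests@2.28.1", "dependsOn": ["pkg:pypi/urllib3@1.26.12"]},
    ],
})
SLSA_PROVENANCE = json.dumps({  # in-toto statement carrying a SLSA provenance predicate
    "subject": [{"name": "pkg:generic/app@1.0"}],
    "predicateType": "https://slsa.dev/provenance/v0.2",
    "predicate": {"builder": {"id": "https://builder.example.invalid"}},  # assumed id
})

def ingest(documents):
    """Merge SBOM dependency edges and provenance builder edges into one graph.

    graph[artifact] is a set of (relation, target) tuples; both document types
    land in the same structure, which is the point of the synthesis."""
    graph = defaultdict(set)
    for doc in documents:
        data = json.loads(doc)
        if data.get("bomFormat") == "CycloneDX":
            for dep in data.get("dependencies", []):
                for target in dep.get("dependsOn", []):
                    graph[dep["ref"]].add(("depends_on", target))
        elif data.get("predicateType", "").startswith("https://slsa.dev/provenance"):
            builder = data["predicate"]["builder"]["id"]
            for subject in data["subject"]:
                graph[subject["name"]].add(("built_by", builder))
    return graph

def transitive_dependents(graph, target):
    """Return every artifact that depends on `target`, directly or transitively
    (reverse breadth-first search over the depends_on edges)."""
    reverse = defaultdict(set)
    for src, edges in graph.items():
        for rel, dst in edges:
            if rel == "depends_on":
                reverse[dst].add(src)
    seen, queue = set(), deque([target])
    while queue:
        for parent in reverse[queue.popleft()]:
            if parent not in seen:
                seen.add(parent)
                queue.append(parent)
    return seen
```

With the two constructed documents loaded, asking for the dependents of `pkg:pypi/urllib3@1.26.12` yields both `requests` and the application, and the application node also carries its `built_by` edge from the provenance statement.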
Read More: Google Unveils Open Source Project to Improve Software Supply Chain Security