Supply chain threats are tough to deal with because the risk arises outside of your direct control. What if a vendor you work with makes a mistake? How do you reduce that risk? You can obviously be selective about who you do business with, but what else can you do?
Google released a new tool that can map out software relationships, which could uncover supply chain risks. GUAC is described as "GUAC aims to aggregate software security metadata from different sources into a graph database that maps out relationships between software, helping organizations determine how one piece of software affects another. Graph for Understanding Artifact Composition (GUAC) gives you organized and actionable insights into your software supply chain security position".
How does this relate to supply chain risk? GUAC is designed to bring together Software Bill of Materials (SBOM) documents, SLSA attestations, OSV vulnerability feeds, deps.dev insights, and a company's internal private metadata to build a clearer picture of the risk profile and to visualize the relationships between artifacts, packages, and repositories. The industry hasn't offered many tools that provide this viewpoint.
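To make the idea concrete, here is a small added example (not GUAC's own code) of the kind of question such a graph answers: given SBOM-style dependency edges and OSV-style vulnerability records, which artifacts are transitively affected by a vulnerable package? All package names, versions and the vulnerability id are constructed placeholders.

```python
"""Toy artifact-relationship graph in the spirit of what GUAC does.
Constructed example, not GUAC code: ingest SBOM-style dependency edges
and OSV-style vulnerability records, then walk the graph to find every
artifact that depends, directly or transitively, on a vulnerable package."""
from collections import defaultdict, deque

# Constructed SBOM-style edges: (dependent, dependency). Names are hypothetical.
SBOM_EDGES = [
    ("app-web", "lib-http"),
    ("app-web", "lib-json"),
    ("app-batch", "lib-json"),
    ("lib-http", "lib-compress"),
    ("lib-json", "lib-unicode"),
]

# Constructed resolved versions, as an SBOM would record them.
VERSIONS = {
    "app-web": "5.0.0", "app-batch": "1.2.0", "lib-http": "3.1.0",
    "lib-json": "2.3.0", "lib-compress": "1.0.1", "lib-unicode": "1.0.0",
}

# Constructed OSV-style records: package -> affected versions.
# lib-unicode has a record but the resolved version is not affected.
OSV_RECORDS = {
    "lib-compress": [{"id": "VULN-PLACEHOLDER-1", "affected": ["1.0.0", "1.0.1"]}],
    "lib-unicode": [{"id": "VULN-PLACEHOLDER-2", "affected": ["0.9.0"]}],
}

def build_reverse_graph(edges):
    """Map each package to its dependents. Reverse edges are what you need
    to answer 'what does a bug in this package affect?'."""
    rdeps = defaultdict(set)
    for dependent, dependency in edges:
        rdeps[dependency].add(dependent)
    return rdeps

def vulnerable_packages(versions, osv):
    """Packages whose resolved version falls in an OSV affected list."""
    return {pkg: rec["id"] for pkg, ver in versions.items()
            for rec in osv.get(pkg, []) if ver in rec["affected"]}

def affected_artifacts(edges, versions, osv):
    """For each vulnerable package, the sorted set of all transitive dependents."""
    rdeps = build_reverse_graph(edges)
    result = {}
    for pkg, vuln_id in vulnerable_packages(versions, osv).items():
        seen, queue = set(), deque([pkg])
        while queue:                      # breadth-first walk up the dependents
            for parent in rdeps.get(queue.popleft(), ()):
                if parent not in seen:
                    seen.add(parent)
                    queue.append(parent)
        result[pkg] = (vuln_id, sorted(seen))
    return result
```

Running `affected_artifacts(SBOM_EDGES, VERSIONS, OSV_RECORDS)` reports that only `lib-compress` is vulnerable and that it reaches `app-web` through `lib-http`, while `app-batch` is unaffected.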
Check out the Hacker News post on this.