Achieving Wisdom with GUAC Visualizer

It's not enough to just have the data, you need to be able to see it.

Ben Cotton

July 23, 2024

“I have my software bill of materials. Now what?” You’ve probably asked yourself that question more than once — and if you haven’t, you should. The value of a software bill of materials (SBOM) isn’t in its mere existence, but in what you can learn from it. That’s why Graph for Understanding Artifact Composition (GUAC) aggregates data from multiple sources into a queryable database and the experimental GUAC Visualizer provides an interactive visual interface.

Building the pyramid

The “DIKW pyramid” is a common model for understanding information science. Data forms the base upon which information is built. From information comes knowledge, which forms the basis for wisdom. So how does this relate to software supply chain security?

A pyramid with "data" at the base, then "information", "knowledge", and "wisdom" at the peak.
By Longlivetheux - Own work, CC BY-SA 4.0, https://commons.wikimedia.org/w/index.php?curid=37705247

You start with data: SBOMs, Vulnerability Exploitability eXchange (VEX) statements, and other facts about the software. But all of those facts do nothing on their own. To be useful, you need information — the connections between data. This is challenging in practice because the data come in different formats and from different sources. GUAC was created to solve this problem by building format-agnostic connections between related pieces of data.

When you can ask questions of your information, you get knowledge. You may want to know “does my supply chain contain code affected by a particular vulnerability? Where?” Or perhaps “what parts of my software supply chain have poor security hygiene practices?” This knowledge is helpful for reacting to incidents or even preventing them. With repeated application of knowledge, you obtain wisdom. This deeper understanding of why your software supply chain is the way it is means you can make decisions ahead of time that avoid issues entirely.
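The climb from data to knowledge described above, as an added illustration that is not part of the original post or of the GUAC project: a constructed CycloneDX-style SBOM and a constructed CycloneDX VEX document are joined into one dependency graph, and the graph is then asked the first question from the paragraph, "which components are affected by this vulnerability, and along which paths do they enter my supply chain?" The package names, versions and the CVE identifiers are placeholders, and the join logic is a small stand-in for what GUAC does at scale across many formats and sources.

```python
"""Data -> information -> knowledge over a constructed SBOM and VEX document.

All inputs are constructed inline; package names, versions and CVE ids are
placeholders, not real packages or real vulnerabilities.
"""
import json

# Constructed CycloneDX-style SBOM: one application and its transitive dependencies.
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"bom-ref": "app", "name": "example-app", "version": "1.0.0"}},
    "components": [
        {"bom-ref": "pkg:pypi/web-framework@2.1.0", "name": "web-framework", "version": "2.1.0"},
        {"bom-ref": "pkg:pypi/http-client@0.9.3", "name": "http-client", "version": "0.9.3"},
        {"bom-ref": "pkg:pypi/json-parser@3.4.1", "name": "json-parser", "version": "3.4.1"},
        {"bom-ref": "pkg:pypi/logging-lib@1.2.0", "name": "logging-lib", "version": "1.2.0"},
    ],
    "dependencies": [
        {"ref": "app", "dependsOn": ["pkg:pypi/web-framework@2.1.0", "pkg:pypi/logging-lib@1.2.0"]},
        {"ref": "pkg:pypi/web-framework@2.1.0", "dependsOn": ["pkg:pypi/http-client@0.9.3"]},
        {"ref": "pkg:pypi/http-client@0.9.3", "dependsOn": ["pkg:pypi/json-parser@3.4.1"]},
    ],
})

# Constructed CycloneDX VEX: vulnerability statements tied to components by bom-ref.
# CVE ids below are placeholders, not real advisories.
VEX_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "vulnerabilities": [
        {"id": "CVE-0000-0001", "affects": [{"ref": "pkg:pypi/json-parser@3.4.1"}],
         "analysis": {"state": "exploitable"}},
        {"id": "CVE-0000-0002", "affects": [{"ref": "pkg:pypi/logging-lib@1.2.0"}],
         "analysis": {"state": "not_affected", "justification": "code_not_reachable"}},
    ],
})


def load_graph(sbom_json):
    """Data -> information: turn the SBOM into a directed graph ref -> {dependsOn refs}."""
    sbom = json.loads(sbom_json)
    root = sbom["metadata"]["component"]["bom-ref"]
    graph = {root: set()}
    for comp in sbom.get("components", []):
        graph.setdefault(comp["bom-ref"], set())
    for dep in sbom.get("dependencies", []):
        graph.setdefault(dep["ref"], set()).update(dep.get("dependsOn", []))
    return root, graph


def load_vex(vex_json):
    """Map each affected component ref to (vulnerability id, analysis state) pairs."""
    findings = {}
    for vuln in json.loads(vex_json).get("vulnerabilities", []):
        state = vuln.get("analysis", {}).get("state", "in_triage")
        for target in vuln.get("affects", []):
            findings.setdefault(target["ref"], []).append((vuln["id"], state))
    return findings


def paths_to(graph, root, target):
    """Every dependency path from root to target (iterative DFS; cycle-safe)."""
    paths, stack = [], [(root, [root])]
    while stack:
        node, path = stack.pop()
        if node == target:
            paths.append(path)
            continue
        for child in sorted(graph.get(node, ())):
            if child not in path:  # a malformed SBOM may contain cycles
                stack.append((child, path + [child]))
    return paths


def where_affected(sbom_json, vex_json, vuln_id):
    """Information -> knowledge: which components carry vuln_id, and how they
    reach the root. A VEX 'not_affected' statement suppresses the finding."""
    root, graph = load_graph(sbom_json)
    result = {}
    for ref, entries in load_vex(vex_json).items():
        for vid, state in entries:
            if vid == vuln_id and state != "not_affected":
                result[ref] = paths_to(graph, root, ref)
    return result


if __name__ == "__main__":
    for cve in ("CVE-0000-0001", "CVE-0000-0002"):
        hits = where_affected(SBOM_JSON, VEX_JSON, cve)
        print(cve, "->", "no exploitable path" if not hits else "")
        for ref, paths in hits.items():
            for path in paths:
                print("  ", " -> ".join(path))
```

The second placeholder CVE returns nothing even though its component is in the SBOM, because the VEX statement says `not_affected`; that is exactly the kind of connection between two data sources that a single SBOM cannot express on its own.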

Seeing the path

GUAC’s powerful graph query language (GraphQL) interface gives you the tools to ask many questions of your supply chain, but we humans are a visual species. Our brains can make connections from pictures that would never occur to us when looking at text.

A screen shot of the GUAC Visualizer showing relationships for a package.
GUAC Visualizer

Anujin Erdenetuya and Odile Gautier, students at Telecom SudParis, wrote in their final year engineering project report:

Given that the primary objective of SBOM is to facilitate effective monitoring of the supply chain and associated vulnerabilities, a graphical visualizer plays a crucial role in enhancing this aspect. It provides a concise and lucid overview of the dependency chain, contributing to a more efficient management of the supply chain and its potential vulnerabilities.

Working with Nicolas Peiffer and other staff from Thales Group, Erdenetuya and Gautier examined the current state of the SBOM ecosystem — including tools like GUAC Visualizer. Of the visualization tools they reviewed, only GUAC Visualizer merited a “high” maturity rating. They cited GUAC Visualizer’s support for many SBOM formats, its documentation quality, and its interactive interface as the key reasons for this rating.

You can try using it to visualize your software supply chain by following the directions in the GUAC docs. Many GUAC command line queries print a URL you can use as a visualization starting point.

You can help

GUAC and GUAC Visualizer are open source projects under the OpenSSF. You can join the community to learn, share, and contribute. There are plenty of ways to contribute: you can write code, help us improve the documentation, and share your use cases. Plus, we’re always interested in hearing what new insights you gained.

For more information:
