ediverse Explorer la plateforme

À la une PEPPOL BIS Billing 3.0 L’obligation européenne d’e-invoicing arrive : France sept 2026, Belgique janv 2026, Allemagne 2025.

GUAC-GRAPH-UNDERSTANDING

GUAC supply chain knowledge graph queryable.

Définition

GUAC architecture : (1) Collectors : ingest documents from various sources (SBOM from Syft, CycloneDX Maven, SPDX Bazel, in-toto attestations from Sigstore Rekor, CSAF VEX from NIST NVD, OSV vulnerability database, etc.). (2) Ingestor : normalises ingested documents into GUAC internal data model (NoVulnerability, Vulnerability, Source, Package, Builder, Artifact, etc.). (3) Database backend : Neo4j ou similar property graph supporting GraphQL queries. (4) GraphQL API : supports complex queries 'what packages depend on log4j 2.14? which builders produced this image? which CVEs affect kubernetes 1.30?'. (5) Visualizer : Web UI showing dependency graphs, vulnerability impact, supply chain trees. Use cases : (a) Vulnerability impact analysis ('CVE-2024-XXXX in package P, which artifacts depend on P?'), (b) Provenance tracking ('this binary, what was built it? from what source?'), (c) SBOM compliance reporting. Adopters : Google internal supply chain analytics, Kusari (founders), academic security researchers. CNCF Sandbox 2024.

Origine

GUAC announce octobre 2022 par Google + Purdue University + Citi + Kusari + IBM + others ; OpenSSF project 2022 ; CNCF Sandbox 2024 ; v0.x active development 2024.

Exemple en contexte

Enterprise security team utilise GUAC pour query 'which production images depend on Apache Commons Text 1.9 (CVE-2022-42889 Text4Shell vulnerability)?' GUAC graph database response liste tous container images affected via dependency chains, integration responses via SOAR security automation.

Termes liés

Dernière mise à jour: 16 mai 2026