ediverse Explore the platform

Spotlight PEPPOL BIS Billing 3.0 The EU e-invoicing mandate is here — France Sept 2026, Belgium Jan 2026, Germany 2025.

GUAC-GRAPH-UNDERSTANDING

GUAC supply chain knowledge graph queryable.

Definition

GUAC architecture: (1) Collectors: ingest documents from various sources (SBOM from Syft, CycloneDX Maven, SPDX Bazel, in-toto attestations from Sigstore Rekor, CSAF VEX from NIST NVD, OSV vulnerability database, etc.). (2) Ingestor: normalises ingested documents into GUAC internal data model (NoVulnerability, Vulnerability, Source, Package, Builder, Artifact, etc.). (3) Database backend: Neo4j or similar property graph supporting GraphQL queries. (4) GraphQL API: supports complex queries 'what packages depend on log4j 2.14? which builders produced this image? which CVEs affect kubernetes 1.30?'. (5) Visualizer: Web UI showing dependency graphs, vulnerability impact, supply chain trees. Use cases: (a) Vulnerability impact analysis ('CVE-2024-XXXX in package P, which artifacts depend on P?'), (b) Provenance tracking ('this binary, what was built it? from what source?'), (c) SBOM compliance reporting. Adopters: Google internal supply chain analytics, Kusari (founders), academic security researchers. CNCF Sandbox 2024.

Origin

GUAC announced October 2022 by Google + Purdue University + Citi + Kusari + IBM + others ; OpenSSF project 2022 ; CNCF Sandbox 2024 ; v0.x active development 2024.

Example in context

Enterprise security team uses GUAC to query 'which production images depend on Apache Commons Text 1.9 (CVE-2022-42889 Text4Shell vulnerability)?' GUAC graph database response lists all affected container images via dependency chains, response integration via SOAR security automation.

Last updated: May 16, 2026