GUAC blog

Quest to determine the 'G' in GUAC

Working towards determining a persistent database for GUAC

Parth Patel

June 27, 2023

In the era of big data and interconnected systems, organizations face the challenge of effectively managing and analyzing complex relationships within their data. Graph databases have emerged as a powerful solution for representing and querying highly connected data, enabling businesses to gain valuable insights. With GUAC (Graph for Understanding Artifact Composition), we face a similar issue. With large amounts of data from SBOMs, SLSA attestations, and other ITE-6 based attestations, it is integral that we can effectively manage and create the edges that represent the relationships between these documents.

As we work to meet the goals of persistence in GUAC, we are running a series of analyses and comparisons among the many different graph database options. GUAC has a few critically important requirements for the backend, including: efficient ingestion of data, performant complex queries, the schema in which the data is stored, and finally optimization of the query based on the specific language.

Evaluating the Requirements

  • Efficient Data Ingestion: A graph database that excels in data ingestion is essential for managing large-scale datasets. The speed and efficiency of data ingestion directly impact the ability to update and integrate new information into the database seamlessly. This is important as software supply chain metadata will constantly be growing. For example, the time it takes to ingest packages and create the dependency relationship between them. In graphQL this would relationship would look like:
 	
mutation IngestPackage($pkg: PkgInputSpec!) {
	ingestPackage(pkg: $pkg) {
  	...AllPkgTree
  }
}
  


 	
mutation IsDependency(
	$pkg: PkgInputSpec!
  $depPkg: PkgInputSpec!
  $dependency: IsDependencyInputSpec!
) {
	ingestDependency(pkg: $pkg, depPkg: $depPkg, dependency: $dependency) {
  	...allIsDependencyTree
  }
}
  • First, we would have to ingest the packages (both package and dependent) and after that ingest the actual dependency node that connects to two packages together. We have to work to reduce the time that it takes complete these series of steps in the most efficient manner.
  • Quick and Complex Query Execution: Graph databases provide powerful querying capabilities for traversing complex relationships and uncovering valuable insights. The efficiency of query execution is crucial, especially when dealing with large datasets. For GUAC, being able to answer specific queries quickly can allow for quick and proactive decision-making. While complex queries might still take time that a fast-paced industry leader cannot afford, we can work around this by pre-computing results from these queries and creating “proceed” or “not proceed” type attestations that can be updated based on a set schedule. For example, for GUAC we would want to quickly determine which all the vulnerabilities (even transitive) for a particular package or artifact:
 	
./bin/guacone query vuln "pkg:guac/spdx/ghcr.io/guacsec/vul-image-latest"
+-------------+-----------+---------------------------------------+
| NODE TYPE   | NODE ID # | ADDITIONAL INFORMATION                |
+-------------+-----------+---------------------------------------+
| certifyVuln | 131588    | vulnerability ID: ghsa-vwqq-5vrc-xw9h |
| certifyVuln | 131585    | vulnerability ID: ghsa-8489-44mv-ggj8 |
| certifyVuln | 131594    | vulnerability ID: ghsa-jfh8-c2jp-5v3q |
| certifyVuln | 131598    | vulnerability ID: ghsa-7rjr-3q55-vv33 |
| certifyVuln | 131600    | vulnerability ID: ghsa-p6xc-xr62-6r2g |
| certifyVuln | 131590    | vulnerability ID: ghsa-fxph-q3j8-mv87 |
| certifyVuln | 131574    | vulnerability ID: ghsa-599f-7c49-w659 |
+-------------+-----------+---------------------------------------+
  • The query above has to traverse the relationships between the packages and vulnerability information to provide us the output shown above.
  • Schema: Data ingestion and retrieval is not just reliant on the database you choose to work with, it also depends on the schema in which the data is stored. A complex schema with unnecessarily fragmented data can result in poor performance for ingestion and querying. Simplifying the schema greatly improves performance by reducing the number of reads and writes that need to take place. In graphQl the schema would look like the following for dependency between two packages:
 	
"DependencyType determines the type of the dependency."
enum DependencyType {
	"direct dependency"
  DIRECT
  "indirect dependency"
  INDIRECT
  "type not known/not specified"
  UNKNOWN
}

"IsDependency is an attestation to record that a package depends on another."
type IsDependency {
	id: ID!
  "Package that has the dependency"
  package: Package!
  "Package for the dependency; MUST BE PackageName, not PackageVersion"
  dependentPackage: Package!
  "Version range for the dependency link"
  versionRange: String!
  "Type of dependency"
  dependencyType: DependencyType!
  "Justification for the attested relationship"
  justification: String!
  "Document from which this attestation is generated from"
  origin: String!
  "GUAC collector for the document"
  collector: String!
}
  • The above schema contains the necessary information to create the dependency relationship. We can map this schema or a representation of this, for the graph database to store and retrieve the data needed to recreate the “isDependency” node.
  • Optimizing the query language: Many graph databases (such as ArangoDB or Neo4j) come with their own query language that can be used to ingest and read data. Optimizing the query for the most efficient reads and writes can be challenging and may require evaluation/inspection to determine where the costly operations are occurring. For example, a query to ingest dependencies may look like the following in Arango Query Language (AQL) which is quite complex:
 	
LET firstPkg = FIRST(
			FOR pkg IN Pkg
    				FILTER pkg.root == 'pkg'
            	FOR pkgHasType IN OUTBOUND pkg PkgHasType
              	FILTER pkgHasType.type == doc.pkgType && pkgHasType._parent == pkg._id
                	FOR pkgHasNamespace IN OUTBOUND pkgHasType PkgHasNamespace
                  		FILTER pkgHasNamespace.namespace == doc.namespace && pkgHasNamespace._parent == pkgHasType._id
                      	FOR pkgHasName IN OUTBOUND pkgHasNamespace PkgHasName			        
                        			FILTER pkgHasName.name == doc.name && pkgHasName._parent == pkgHasNamespace._id
                            FOR pkgHasVersion IN OUTBOUND pkgHasName PkgHasVersion
                            			FILTER pkgHasVersion.version == doc.version && pkgHasVersion.subpath == doc.subpath &&
pkgHasVersion.qualifier_list == doc.qualifier && pkgHasVersion._parent == pkgHasName._id	
			RETURN {
      	'type': pkgHasType.type,
      	'namespace': pkgHasNamespace.namespace,
        'name': pkgHasName.name,
        'version': pkgHasVersion.version,
        'subpath': pkgHasVersion.subpath,
        'qualifier_list': pkgHasVersion.qualifier_list,
        'versionDoc': pkgHasVersion
      }
  )
  
LET secondPkg = FIRST(
	FOR pkg IN Pkg
  	FILTER pkg.root == 'pkg'
    			FOR pkgHasType IN OUTBOUND pkg PkgHasType
          			FILTER pkgHasType.type == doc.secondPkgType && pkgHasType._parent == pkg._id
              FOR pkgHasNamespace IN OUTBOUND pkgHasType PkgHasNamespace
              			FILTER pkgHasNamespace.namespace == doc.secondNamespace && pkgHasNamespace._parent == pkgHasType._id
                    	FOR pkgHasName IN OUTBOUND pkgHasNamespace PkgHasName				        
                      	FILTER pkgHasName.name == doc.secondName && pkgHasName._parent == pkgHasNamespace._id
RETURN {
	'type': pkgHasType.type,
  'namespace': pkgHasNamespace.namespace,
  'name': pkgHasName.name,
  'nameDoc': pkgHasName
}
)

	LET isDependency = FIRST(
				UPSERT { packageID:firstPkg.versionDoc._id, depPackageID:secondPkg.nameDoc._id, versionRange:doc.versionRange,
dependencyType:doc.dependencyType, justification:doc.justification, collector:doc.collector, origin:doc.origin }
				INSERT { packageID:firstPkg.versionDoc._id, depPackageID:secondPkg.nameDoc._id, versionRange:doc.versionRange,
dependencyType:doc.dependencyType, justification:doc.justification, collector:doc.collector, origin:doc.origin }
				UPDATE {} IN isDependencies	
        RETURN NEW
        )
        
  LET edgeCollection = (FOR edgeData IN [
  				{fromKey: isDependency._key, toKey: secondPkg.nameDoc._key, from: isDependency._id, to: secondPkg.nameDoc._id,
label: 'dependency'},
					{fromKey: firstPkg.versionDoc._key, toKey: isDependency._key, from: firstPkg.versionDoc._id, to: isDependency._id, 
label: 'subject'}]

					INSERT { _key: CONCAT('isDependencyEdges', edgeData.fromKey, edgeData.toKey), _from: edgeData.from, _to:
edgeData.to, label : edgeData.label } INTO isDependencyEdges OPTIONS { overwriteMode: 'ignore' }
					)
          
    RETURN {
    			'firstPkgType': firstPkg.type,
          'firstPkgNamespace': firstPkg.namespace,
          'firstPkgName': firstPkg.name,
          'firstPkgVersion': firstPkg.version,
          'firstPkgSubpath': firstPkg.subpath,
          'firstPkgQualifier_list': firstPkg.qualifier_list,
          'secondPkgType': secondPkg.type,
          'secondPkgNamespace': secondPkg.namespace,
          'secondPkgName': secondPkg.name,
          'versionRange': isDependency.versionRange,
          'dependencyType': isDependency.dependencyType,
          'justification': isDependency.justification,
          'collector': isDependency.collector,
          'origin': isDependency.origin
    }

  • While in neo4j, it would be:
 	
MATCH (root:Pkg)-[:PkgHasType]->(type:PkgType)-[:PkgHasNamespace]->(namespace:PkgNamespace)-[:PkgHasName]->(name:PkgName)-[:PkgHasVersion]->(version:PkgVersion), (objPkgRoot:Pkg)-[:PkgHasType]->(objPkgType:PkgType)-[:PkgHasNamespace]->(objPkgNamespace:PkgNamespace)-[:PkgHasName]->(objPkgName:PkgName) 

WHERE type.type = $pkgType AND namespace.namespace = $pkgNamespace AND name.name = $pkgName AND version.version = $pkgVersion AND version.subpath = $pkgSubpath AND version.qualifier_list = $pkgQualifierList AND objPkgType.type = $objPkgType AND objPkgNamespace.namespace = $objPkgNamespace AND objPkgName.name = $objPkgName

MERGE (version)<-[:subject]-
(isDependency:IsDependency{versionRange:$versionRange,dependencyType:$dependencyType,justification:$justification,origin:$origin,collector:$collector})-[:dependency]->(objPkgName) 

RETURN type.type, namespace.namespace, name.name, version.version, version.subpath, version.qualifier_list, isDependency, objPkgType.type, objPkgNamespace.namespace, objPkgName.name
  • Both queries are different but are trying to achieve the same operations, ingestion of the “isDependency” node. For each language, the query must have efficient traversal, proper indexing and limit the number of nodes that have to be filtered. We also need to remove unnecessary “UPSERT” or “MERGE” which either “INSERT” or “UPDATE” depending on the node which can be costly operations. These queries have to be carefully crafted for each language utilizing their own unique syntax.

Quantitative Analysis

As we work towards providing a persistent database for GUAC, the above characteristics need to be measured and quantified. Currently, we are in the process of evaluating ArangoDB, Neo4J and Cloud Spanner. The GUAC community is also evaluating AWS Neptune and ENT (an ORM framework that supports multiple backends such as SQLite, MySQL, and others). The flexibility of GUAC, via its graphQL interface, is that we are not limited to a singular database. We have the ability to support multiple depending on the use cases but maintenance can be troublesome. Therefore, we must do our due diligence to determine which databases should be incorporated as the persistent backend for GUAC. Stay tuned for our next blog where we go into further detail about the evaluations of the above characteristics in the databases we mentioned above. We will go into specific details and provide real word metrics around ingestion and execution times.

To learn more about GUAC, visit the official site at https://guac.sh, the docs at https://docs.guac.sh, or the source code repository at https://github.com/guacsec/guac (Give us a star while you’re there!).

Like what you read? Share it with others.

Other blog posts 

The latest industry news, interviews, technologies, and resources.

View all posts

Open Source Summit 2022

Takeaways & Learnings

June 23, 2022
Tim Miller

SPIFFE/SPIRE CSI Driver

Overview of the SPIFFE/SPIRE tool

June 27, 2022
Parth Patel

Not Just Third Party Risk

There’s a misconception in Cybersecurity among some that Software Supply Chain Security is just Third Party Risk Mana...

July 20, 2022
Michael Lieberman

Government Memo for Enhancing the Security of the Software Supply Chain

Executive Order (EO) 14028, Improving the Nation’s Cybersecurity was released last year in May.

September 19, 2022
Parth Patel

A High Fidelity View of Software Supply Chain

Understanding and maintaining your software supply chain can be a task that needs 24/7 vigilance.

October 20, 2022
Michael Lieberman

Kusari presenting at KubeCon and Cloud Native SecurityCon NA 2022

KubeCon + CloudNativeCon is right around the corner and we are excited to be attending in person!

October 21, 2022
Parth Patel

The Next Heartbleed?

Heartbleed (CVE-2014-0160) in 2014 left the industry in a scramble...

October 31, 2022
Parth Patel

Kusari's Software Supply Chain Security Overview

What is Software Supply Chain security, and why should I care?

March 14, 2023
Michael Lieberman

Applying Zero Trust to the Software Supply Chain

Understanding Zero Trust and Its Benefits

March 28, 2023
Michael Lieberman

Figure Out Who's Lurking in Your Supply Chain With Signatures and Attestations

A Story of Software and Cats

April 4, 2023
Michael Lieberman

Kusari Open-Sources Spector

We’re excited to announce the open-sourcing of Spector.

April 26, 2023
Michael Lieberman

GUAC v0.1 Beta Release

Kusari is excited to announce the v0.1 beta release of GUAC — Graph for Understanding Artifact Composition.

May 23, 2023
Tim Miller

Quest to determine the 'G' in GUAC

Working towards determining a persistent database for GUAC

June 27, 2023
Parth Patel

daBOM Podcast with Tim & DJ

Tim appeared as a guest on the daBOM podcast.

July 5, 2023
Tim Miller

Announcing Helm Chart for GUAC

Helm Chart for GUAC

July 12, 2023
Tim Miller

Case Study: A discussion with Guidewire on GUAC

A look into Guidewire's software supply chain security use case and why they are using GUAC

August 2, 2023
Michael Lieberman

Announcing the Kusari YouTube Channel and GUACademy

Kusari have just launched a YouTube Channel!

August 23, 2023
Jeff Mendoza

Terror of cURL - Preparation is Half the Battle

CVE-2023-38545 - HIGH Severity Vulnerability

October 16, 2023
Parth Patel

Spooky Enhancements: Unveiling GUAC's OpenVEX Feature

GUAC's OpenVEX Integration

October 31, 2023
Nathan Naveen

What the NSA Missed in its SBOM Management Recommendations

The missing first step that most organizations are still struggling with

December 22, 2023
Parth Patel

Contributor to Leader: Securing Open Source Software at OpenSSF

Kusari elected to OpenSSF leadership roles

January 16, 2024
Michael Lieberman

Our $8M Funding Round Fuels our Mission to Make the Software Supply Chain Transparent and Secure

Kusari raises seed funding

January 18, 2024
Tim Miller

Kusari Soaks up Community at FOSDEM and Beyond

Kusari speaking at FOSDEM and other EU community venues

January 26, 2024
Jeff Mendoza

From Open Source Community to Joining a Start-up – while in High School

Nathan Naveen, a 17-year-old high schooler, shares his journey to becoming an intern at Kusari

February 8, 2024
Nathan Naveen

Unveiling GUAC as an OpenSSF Incubating Project for Software Dependency Management

Today, we find ourselves in a moment akin to proud parents, as we witness a significant milestone in the journey of Graph for Understanding Artifact Composition (GUAC).

March 7, 2024
Parth Patel
Michael Lieberman

Graph for Understanding Artifact Composition (GUAC) Joins OpenSSF as Incubating Project

The GUAC maintainers are pleased to announce the project has joined the Open Source Security Foundation (OpenSSF) as an Incubating Project.

March 7, 2024
Michael Lieberman
Brandon Lum

XZ Backdoor: Software Security Lessons

The recent incident involving the XZ backdoor brings to light the critical importance of vigilance and proactive security measures, while not losing sight of the human element.

April 5, 2024
Michael Lieberman

Proactive Security in the Post-Log4j Era

Gone are the days when signing containers and running vulnerability scans through CI processes provided a sense of security.

April 23, 2024
Tim Miller

Previous

No older posts

Next

No newer posts

Want to have a conversation about your software supply chain?

We’d love to hear from you.  Get in touch and we'll get back to you.

Say Hello
About KusariOpen SourceGUACResourcesContactOpen RolesMedia Kit
© 2024 Kusari Inc. All rights reserved.
Terms
Privacy
Cookies
By clicking “Accept”, you agree to the storing of cookies on your device to enhance site navigation, analyze site usage, and assist in our marketing efforts. View our Privacy Policy for more information.
PreferencesDenyAccept