GUAC blog

Spooky Enhancements: Unveiling GUAC's OpenVEX Feature

GUAC's OpenVEX Integration

Nathan Naveen

October 31, 2023

As the leaves turn and the air chills, we at Kusari are excited to unveil a treat that will send shivers down your spine - our new OpenVEX feature! This Halloween, we're not just carving pumpkins. We're also enhancing our software supply chain security with the power of OpenVEX.

What is OpenVEX?

OpenVEX, or Open Vulnerability Exploitability eXchange, is a powerful tool that's been brewed up by the OpenVEX community. It's like a magic potion that provides a standardized language to whisper about the exploitability of vulnerabilities lurking in the shadows of software components.

OpenVEX provides a standardized way to communicate the exploitability of vulnerabilities in software components. OpenVEX documents are JSON-LD files that capture the minimal requirements for VEX as defined by the VEX working group organized by CISA.

The OpenVEX schema captures crucial information about software vulnerabilities, including their severity, the software components they affect, and their exploitability status. This information is essential for understanding the risk posed by a vulnerability and making informed decisions about addressing it.

This is what an OpenVEX document looks like:

 	
{
  "@context": "https://openvex.dev/ns/v0.2.0",
  "@id": "https://openvex.dev/docs/example/vex-9fb3463de1b57",
  "author": "Wolfi J Inkinson",
  "role": "Document Creator",
  "timestamp": "2023-01-08T18:02:03.647787998-06:00",
  "version": "1",
  "statements": [
    {
      "vulnerability": {
        "name": "CVE-2014-123456"
      },
      "products": [
        {"@id": "pkg:apk/distro/git@2.39.0-r1?arch=armv7"},
        {"@id": "pkg:apk/distro/git@2.39.0-r1?arch=x86_64"}
      ],
      "status": "fixed"
    }
  ]
}
  

GUAC's OpenVEX Integration

Our integration of OpenVEX into GUAC is like adding antidotes to the spooky brew of security vulns. It enhances the depth and detail of the information we can provide about vulnerabilities in the software supply chain.

The OpenVEX Parser in GUAC ingests OpenVEX documents, breaking them down into graph components that can be easily understood and analyzed. It maps out the relationship between software components, vulnerabilities, and their exploitability status, providing a comprehensive view of the software's security position.

By integrating OpenVEX, GUAC can provide more detailed information about the vulnerabilities in a software supply chain. This allows users to make more informed decisions about their software's security risk. For example, a user could prioritize addressing vulnerabilities that have a known exploit over those that are merely theoretical. This level of detail and insight is a significant enhancement to GUAC's capabilities, making it an even more powerful tool for managing software supply chain security.
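To make the parser's job concrete, here is an added example (not GUAC's own ingester, which lives in the GUAC code base) that flattens the document shown above into (package, vulnerability, status) edges, the shape a graph store would hold, and rejects statements that break the OpenVEX status rules. The embedded document is a compacted copy of the sample from this post; the type names and the `VexEdge` record are assumptions of this example only.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Constructed sample: the post's example document, compacted onto a few lines.
const SampleVEX = `{"@context": "https://openvex.dev/ns/v0.2.0",
 "@id": "https://openvex.dev/docs/example/vex-9fb3463de1b57", "author": "Wolfi J Inkinson",
 "timestamp": "2023-01-08T18:02:03.647787998-06:00", "version": "1", "statements": [
  {"vulnerability": {"name": "CVE-2014-123456"}, "status": "fixed", "products": [
   {"@id": "pkg:apk/distro/git@2.39.0-r1?arch=armv7"}, {"@id": "pkg:apk/distro/git@2.39.0-r1?arch=x86_64"}]}]}`

// Only the OpenVEX fields this example inspects; a real ingester models the whole schema.
type statement struct {
	Vulnerability   struct{ Name string `json:"name"` } `json:"vulnerability"`
	Products        []struct{ ID string `json:"@id"` }  `json:"products"`
	Status          string                               `json:"status"`
	Justification   string                               `json:"justification"`
	ImpactStatement string                               `json:"impact_statement"`
	ActionStatement string                               `json:"action_statement"`
}
type document struct{ Statements []statement `json:"statements"` }

// VexEdge is one (package, vulnerability, status) relation, the unit a graph ingester stores.
type VexEdge struct{ Purl, Vuln, Status string }

var validStatus = map[string]bool{"not_affected": true, "affected": true, "fixed": true, "under_investigation": true}

// ExtractEdges flattens an OpenVEX document into edges, rejecting statements that break the
// OpenVEX status rules (not_affected needs a reason, affected needs an action_statement).
func ExtractEdges(raw []byte) ([]VexEdge, error) {
	var doc document
	if err := json.Unmarshal(raw, &doc); err != nil {
		return nil, err
	}
	var edges []VexEdge
	for i, s := range doc.Statements {
		switch {
		case s.Vulnerability.Name == "" || len(s.Products) == 0:
			return nil, fmt.Errorf("statement %d lacks a vulnerability or products", i)
		case !validStatus[s.Status]:
			return nil, fmt.Errorf("statement %d has unknown status %q", i, s.Status)
		case s.Status == "not_affected" && s.Justification == "" && s.ImpactStatement == "":
			return nil, fmt.Errorf("statement %d: not_affected needs a justification or impact_statement", i)
		case s.Status == "affected" && s.ActionStatement == "":
			return nil, fmt.Errorf("statement %d: affected needs an action_statement", i)
		}
		for _, p := range s.Products {
			edges = append(edges, VexEdge{p.ID, s.Vulnerability.Name, s.Status})
		}
	}
	return edges, nil
}
```

Each product purl becomes its own edge, so the two-architecture statement above yields two edges sharing one CVE and one status.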

How Does It Help the Community?

This new feature is like a flashlight guiding you through a dark, haunted forest. It illuminates the path, helping you navigate the complex landscape of software vulnerabilities.

By integrating OpenVEX, we're enabling users to gain a deeper understanding of the vulnerabilities in their software supply chain. It allows users to identify not just the vulnerabilities but also their exploitability, providing a more nuanced view of the software's security risk.

Moreover, the OpenVEX Parser generates identifiers for each software component, making it easier to track and manage vulnerabilities across different components.

Conclusion

This Halloween, while you enjoy the thrills and chills of the season, rest assured that GUAC's OpenVEX feature is working to keep the ghouls of software vulnerabilities at bay. It's our treat to the community, helping to make software supply chain security a little less scary.

As the moonlight filters through the autumn leaves, take a moment to delve into the intricate web of your software supply chain with GUAC's OpenVEX feature. As the shadows of vulnerabilities recede, you'll find a clearer path toward enhanced security. Happy Halloween!

Whispers from the Shadows

Should you dare to delve deeper into the lore of OpenVEX, the following scrolls might satiate your thirst:

  1. The Doctrine of VEX: A parchment revealing the sacred rites for crafting VEX manuscripts.
  2. The OpenVEX Grimoire: A tome that harnesses the arcane powers of VEX, written in the ancient language of Go.
  3. GUAC's OpenVEX Codex: Delve into GUAC's meticulous documentation detailing the integration of the haunting OpenVEX.
