GUAC Blog

GUAC v1.1.0 is now available.

Enhancements

This release adds support, contributed by Brandt Keller, for configurable TLS verification settings on the OCI collectors. This is allows for prototyping and deployments with otherwise insecure registries. It also supports specifying a port in the address of a registry endpoint.

In addition, the Dockerfile for ent migrations now uses a local user instead of root.

Fixes

The new release contains a fix, contributed by Paul Joseph and Shreyas Pandya, to gracefully handle unknown scores when ingesting vulnerabilities instead of failing to ingest.

Numerous dependency updates are included as well. See the GitHub release for a full listing.

New contributors

The following people made their first commits to guacsec/guac in this release:

• Paul Joseph
• Irena Liu

Join us

If you’re interested in joining our community or contributing, we’d love to have you.

Welcome to the GUAC Update, a monthly review of what has happened in the GUAC community and what’s coming up. If you have feedback, please let us know. To include something in next month’s update, leave a comment in the issue.

Releases

• guac-visualizer v0.6.1 included a fix for CVE-2025-66478 in next.js.
• trustify v0.4.5 included several fixes.

Community

New contributors

• Stas Semeniuk contributed to trustify-ui
• Pavel Sedlák contributed to trustify
• Irena Liu contributed to GUAC

Welcome to the GUAC Update, a monthly review of what has happened in the GUAC community and what’s coming up. If you have feedback, please let us know. To include something in next month’s update, leave a comment in the issue.

Releases

• Trustify 0.4.3
• Trustify 0.4.4

Community

The GUAC Maintainers Meeting is every-other-week. You can always find the most up-to-date time and location of meetings on the OpenSSF Calendar. Of course, the GUAC public slack channel is always open.

New contributors

• Irena Liu fixed missing VEX statuses in GUAC.
• Jochen added documentation for IPv6 support in Trustify.

Coming up

Be sure to join us in the Maintainer Meetings or on Slack to participate in the conversation.

Welcome to the GUAC Update, a monthly review of what has happened in the GUAC community and what’s coming up. If you have feedback, please let us know. To include something in next month’s update, leave a comment in the issue.

Releases

• Trustify 0.4.1 adds a REST API endpoint for recommended pURLS, along with many other features.

Community

The GUAC Maintainers Meeting is now every-other-week instead of weekly. You can always find the most up-to-date time and location of meetings on the OpenSSF Calendar. Of course, the GUAC public slack channel is always open.

New contributors

• Paul fixed an OSV ingestion issue in GUAC.

Coming up

Several members of the GUAC community will be at Open Source SecurityCon and KubeCon NA in Atlanta, GA, US the week of 10 November. Be sure to join us in the Maintainer Meetings or on Slack to participate in the conversation.

The GUAC Maintainer Meeting is switching from a weekly schedule to bi-weekly. The next meeting will be Monday 17 November. We’re making this switch to better respect people’s time as the meeting agendas have become smaller after the GUAC 1.0 release and Trustify merger.

You can always find the most up-to-date time and location of meetings on the OpenSSF Calendar. Of course, the GUAC public slack channel is always open.

Trustify v0.4.1 is now available. This release provides a new recommendations API endpoint for PURLs to suggest updated package versions and related vulnerability remediations.

The new release also includes the features in the v0.4.0 release from earlier this month:

• Enhanced SBOM Correlation: Improved correlation for SBOMs, especially those without CPEs
• Advanced License Filtering: New filtering capabilities for SBOMs, PURLs, and a dedicated license list endpoint
• Performance and Memory Improvements: Analysis memory consumption has been reduced by approximately 15%, and caching has been improved
• Expanded Vulnerability Scores: Now includes scores from CVSSv4 and CVSSv2
• Storage and GC Enhancements: Added a garbage collection endpoint and improved the deletion process for SBOMs and advisories

Join us

If you’re interested in joining our community or contributing, we’d love to have you.

Welcome to the GUAC Update, a monthly review of what has happened in the GUAC community and what’s coming up. If you have feedback, please let us know. To include something in next month’s update, leave a comment in the issue.

With the addition of Trustify, the community has grown quite a bit.

Releases

• GUAC v1.0.1 includes several bug fixes and dependency updates
• trustify v0.3.6 adds support for deletions and fixes several bugs

Community

New contributors

• Shreyas Pandya fixed a bug in GUAC
• Vilém Obrátil contributed tests to trustify-ui
• Matěj Nesuta made improvements to the trustify-ui CI workflow

Coming up

Be sure to join us in the weekly Maintainer Meetings or on Slack to participate in the conversation.

GUAC v1.0.1 is now available. This patch release largely updates dependencies. It also fixes a bug where an ingestor process could hang when encountering a read error from the NATS pub-sub service. This bug fix was contributed by Shreyas Panyda.

Join us

If you’re interested in joining our community or contributing, we’d love to have you.

Welcome to the GUAC Update, a monthly review of what has happened in the GUAC community and what’s coming up. If you have feedback, please let us know. To include something in next month’s update, leave a comment in the issue.

Releases

guac-visualizer v0.6.0 was released which includes GQL updates for recent GUAC releases and various bug fixes.

Community

The big news is that Trustify has joined the GUAC community. Check out the newly-reconfigured website and docs!

New contributors

• Ruben Romero Montes fixed a bug in the footer of the updated webpage. (guac-landing#154)

Coming up

Be sure to join us in the weekly Maintainer Meetings or on Slack to participate in the conversation.

The superpower of open source is multiple people working together on a common goal. That works for projects, too. GUAC and Trustify are two projects bringing visibility to the software supply chain. Today, they’re combining under the GUAC umbrella. With Red Hat’s contribution of Trustify to the GUAC project, the two combine to create a unified effort to address the challenges of consuming, processing, and utilizing supply chain security metadata at scale.

Why join?

The Graph for Understanding Artifact Composition (GUAC) project was created to bring understanding to software supply chains. GUAC ingests software bills of materials (SBOMs) and enriches them with additional data to create a queryable graph of the software supply chain. Trustify also ingests and manages SBOMs, with a focus on security and compliance. With so much overlap, it makes sense to combine our efforts.

The grand vision for this evolved community is to become the central hub within OpenSSF for initiatives focused on building and using supply chain knowledge graphs. This includes: defining & promoting common standards, data models, & ontologies; developing shared infrastructure & libraries; improving the overall tooling ecosystem; fostering collaboration & knowledge sharing; and providing a clear & welcoming community for contributors.

What’s next?

Right now, we’re working on the basic logistics: migrating repositories, updating websites, merging documentation. We have created a new GUAC Steering Committee that oversees two core projects: Graph for Understanding Artifact Composition (GUAC) and Trustify, and subprojects like sw-id-core and GUAC Visualizer. These projects have their own maintainers, but we expect to see a lot of cross-collaboration as everyone gets settled in.

If you’d like to learn more, join Ben Cotton and Dejan Bosanac at OpenSSF Community Day Europe for their talk on Thursday 28 August. If you can’t make it to Amsterdam, the community page has all of the ways you can engage with our community.