Add GUAC contribution application (#178)
* Add GUAC contribution application

Signed-off-by: Michael Lieberman <mlieberman85@gmail.com>

* Update process/project-lifecycle-documents/guac_sandbox.md

Co-authored-by: Arnaud J Le Hors <lehors@us.ibm.com>
Signed-off-by: Michael Lieberman <mlieberman85@gmail.com>

* Update guac_sandbox.md

Signed-off-by: Michael Lieberman <mlieberman85@gmail.com>

* Update README.md

Signed-off-by: Michael Lieberman <mlieberman85@gmail.com>

* Rename guac_sandbox.md to guac_incubating.md

Signed-off-by: Michael Lieberman <mlieberman85@gmail.com>

* allow words

* add SBOMit and gittuf back

* fix some bad links

Signed-off-by: Amanda L Martin <hythloda@gmail.com>

* Update README.md

Signed-off-by: Amanda L Martin <hythloda@gmail.com>

---------

Signed-off-by: Michael Lieberman <mlieberman85@gmail.com>
Signed-off-by: Arnaud J Le Hors <lehors@us.ibm.com>
Signed-off-by: Amanda L Martin <hythloda@gmail.com>
Co-authored-by: Arnaud J Le Hors <lehors@us.ibm.com>
Co-authored-by: Amanda L Martin <hythloda@gmail.com>
3 people authored Oct 10, 2023
1 parent d53e6fe commit 92dfb41
Showing 3 changed files with 73 additions and 0 deletions.
34 changes: 34 additions & 0 deletions .github/actions/spelling/allow.txt
@@ -1,5 +1,39 @@
github
GUAC
guacsec
mlieberman85
Kusari
mihaimaruseac
https
ssh
ubuntu
workarounds
Mihai
Maruseac
Google
lumjjb
Brandon
Lum
pxp928
Parth
Patel
SantiagoTorres
Santiago
Torres
Purdue
rgreinho
Rémy
Greinhofer
Citi
ClearAlpha
SSCS
Dejan
Bosanac
Hemil
Kadakia
Yahoo
Terretta
Gopalakrishnan
Anoop
Guidewire
GraphQL
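Review bot: the allow list mixes the application's own proper nouns (maintainer handles, names, employers, `SSCS`, `GraphQL`) with generic tokens such as `ssh`, `ubuntu` and `workarounds` that no line in the other two files of this commit uses; if those come from a different change, drop them so the list stays reviewable against the document that needed it. Also confirm how the spelling check tokenizes handles with digits such as `mlieberman85` and `pxp928`: if it splits at the digits, `mlieberman` and `pxp` are what need listing, and check whether the all-caps `GUAC` entry also covers the mixed-case `Guac` that appears in the Red Hat adoption quote in guac_incubating.md.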
2 changes: 2 additions & 0 deletions README.md
@@ -68,6 +68,7 @@ Diagrams with an overview of the OpenSSF, including its projects and SIGs, are a
| Best Practices Badge | https://github.com/coreinfrastructure/best-practices-badge | [Mailing list](https://lists.coreinfrastructure.org/mailman/listinfo/cii-badges) | Best Practices WG | TBD |
| Criticality Score | https://github.com/ossf/criticality_score | [Meeting Notes](https://docs.google.com/document/d/1GFslP6elYCx27TUitdigDr1gsOItYkL0Vq7hTB9y4Lo/edit?usp=sharing) | Securing Critical Projects WG | TBD |
| Fuzz Introspector | https://github.com/ossf/fuzz-introspector | [Meeting Notes](https://docs.google.com/document/d/1jzxhzIfkOMTagpeFWYoZpMKwHYeO4Gc7Eq5FcMFEw2c/edit?usp=sharing) | Security Tooling WG | TBD |
| GUAC | https://github.com/guacsec/guac | TBD | TBD | Supply Chain Integrity WG | Incubating |
| gittuf | https://github.com/gittuf/gittuf | TBD | Supply Chain Integrity WG | Sandbox |
| OSV Schema | https://github.com/ossf/osv-schema | [Meeting Notes](https://docs.google.com/document/d/1jzqhW9SK9QRA39fQz0RiAkvpRWB0xztt1TAFJEseTlA/edit?usp=sharing) | Vulnerability Disclosures WG | TBD |
| Package Analysis | https://github.com/ossf/package-analysis | [Meeting Notes](https://docs.google.com/document/d/1GFslP6elYCx27TUitdigDr1gsOItYkL0Vq7hTB9y4Lo/edit) | Securing Critical Projects WG | TBD |
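Review bot: the new GUAC row has six cells while every other row in this table has five, so the extra `TBD` pushes `Supply Chain Integrity WG` and `Incubating` one column to the right of where the gittuf row puts them; drop one `TBD` so the row reads `| GUAC | https://github.com/guacsec/guac | TBD | Supply Chain Integrity WG | Incubating |`. The surrounding rows are ordered alphabetically and `gittuf` sorts before `GUAC` when case is ignored, so consider swapping the two rows as well.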
@@ -80,6 +81,7 @@ Diagrams with an overview of the OpenSSF, including its projects and SIGs, are a
| Sigstore | https://github.com/sigstore | [Meeting Notes](https://docs.google.com/document/d/1bsl-Y0KulSD7O_nTekad1sAKOVRb80wyGb-Q5x-zdg0/edit) | OpenSSF TAC | TBD |
| SLSA Tooling | https://github.com/ossf/wg-supply-chain-integrity/blob/main/slsa-tooling.md | [Meeting Notes](https://docs.google.com/document/d/18oj3CLJQhZj1dMHKDTq_1kKg0syysKCS7pLyXlw1SRc/edit#heading=h.yfiy9b23vayj) | Supply Chain Integrity WG | TBD |


### OpenSSF affiliated projects

| Name | Repository | Notes | Status |
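Review bot: the one addition in this hunk appears to be a blank line, which leaves two consecutive blank lines between the SLSA Tooling row and the `### OpenSSF affiliated projects` heading; a single blank line is enough and common markdown linters flag the double one, so drop it unless it was meant to hold a row.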
37 changes: 37 additions & 0 deletions process/project-lifecycle-documents/guac_incubating.md
@@ -0,0 +1,37 @@
## Application for adopting GUAC at the incubating stage

### List of project maintainers
The project must have a minimum of three maintainers with a minimum of two different organizational affiliations.
* "mlieberman85", "Michael Lieberman", "Kusari"
* "mihaimaruseac", "Mihai Maruseac", "Google"
* "lumjjb", "Brandon Lum", "Google"
* "pxp928", "Parth Patel", "Kusari"
* "SantiagoTorres", "Santiago Torres", "Purdue University"
* "rgreinho", "Rémy Greinhofer", "Citi"

### Mission of the project
* GUAC (Graph for Understanding Artifact Composition) aims to fill in the gaps by ingesting software metadata, like SBOMs, SLSA attestations, and mapping out relationships between software. When you know how one piece of software affects another, you’ll be able to fully understand your software security position and act as needed. GUAC gives you directed, actionable insights into the security of your software supply chain.

### Project adoption
Here are quotes from adopters:
* With the growing number of software supply chain security (SSCS) data, tools that allow us to find relevant information are crucial. Guac, providing graph representation of software packages, dependencies, vulnerabilities, attestations, etc. is a great tool for use cases in this domain. With mechanisms to ingest and certify data from various sources and GraphQL API to later query those data, we see it as a good foundation for our current and future SSCS efforts. Being a true open source initiative with a welcoming community is just a plus. -- Dejan Bosanac, Red Hat
* At Yahoo, we have found immense value and significant efficiency by utilizing the open source project GUAC. GUAC has allowed us to streamline our processes and increase efficiency in a way that was not possible before. It allows us to ingest large number of SBOMs and also provides an interface to visualize the current state of images & packages used at Yahoo in real time. We look forward to continuing to utilize GUAC and contribute to its growth in any way we can. -- Hemil Kadakia, Yahoo
* As the CTO of ClearAlpha, I can't recommend GUAC enough for companies looking to boost their software security. GUAC's innovative approach to software supply chain security helps uncover hidden gaps and threats as we’re downloading dependencies and building apps, making it a perfect fit for our “solve it earlier” mindset at ClearAlpha. It also lines up with our commitment to transparency, open-source principles, and continuous learning. GUAC works well in teams practicing the rugged software manifesto, focusing on strong coding practices, constant testing, and automated tools to enhance security. Plus, its ability to trace risks back to their source aligns with our proactive risk awareness goals, enabling companies to spot and tackle potential issues early on. GUAC is just a fantastic tool to help any organization improve their software security with principles we all should value. If you're a tech founder, you'll definitely want to have GUAC on your team! -- Sean Terretta, ClearAlpha
* GUAC came along as an open-source software at the right time helping us pivot away from building a bespoke solution and involving ourselves with the best minds behind the project. The value we see with GUAC is its flexibility and plugin architecture leading up to helping the users achieve compliance at different levels. The biggest benefit of GUAC has been producing it in the open with a widespread community behind it, from Google to Kusari and others. As the industry progresses, the threats to the software supply chain will become more complex, and relying on a tool backed by people with many years of experience in the area would make things easier for Guidewire to consume. -- Anoop Gopalakrishnan, Guidewire Software

### Governance
* https://github.com/guacsec/guac/blob/main/GOVERNANCE.md

### IP policy and licensing due dilligence
* This has been completed as per https://github.com/ossf/tac/issues/179.

### Project References

| Reference | URL |
|--------------------|-----|
| Repo | https://github.com/guacsec/guac |
| Website | https://guac.sh |
| Contributing guide | https://github.com/guacsec/guac/blob/main/CONTRIBUTING.md |
| Roadmap | https://github.com/guacsec/guac/blob/main/ROADMAP.md |
| Demos | https://youtu.be/mkZJcIkOF8Q |
| Other | https://docs.guac.sh |
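Review bot: `dilligence` in the `### IP policy and licensing due dilligence` heading (file line 25) is a misspelling of `diligence`; correct the word in the document rather than adding it to `.github/actions/spelling/allow.txt`, since that list is for names and handles, not typos. Two smaller points on the same file: the mission bullet says GUAC "aims to fill in the gaps" without stating which gaps, so a short clause naming them (the text already lists SBOMs and SLSA attestations as inputs) would make the sentence stand on its own, and the maintainer list satisfies the stated minimum of three maintainers from two organizations (Kusari, Google, Purdue University and Citi are represented), which is worth saying explicitly under that heading so a reader does not have to count.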
