To help address software supply chain attacks, Google has open sourced GUAC (Graph for Understanding Artifact Composition), a free tool created by Google in collaboration with Kusari, Purdue University, and Citi. GUAC brings together many different sources of software security metadata and aggregates them into a graph database, normalizing entity identities and mapping the standard relationships between them. By querying the graph, users can obtain information such as a software's SBOM, provenance, project scorecards, and vulnerabilities.
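The aggregate, normalize and query idea described above, as an added toy illustration (not GUAC's own code, API or data model): three constructed metadata sources name the same package slightly differently, identities are normalized so they collapse to one graph node, and a query then walks the graph to find which vulnerabilities reach an artifact through its dependencies. All records, vulnerability identifiers and the `normalize` rules are constructed for the demo.

```python
"""Toy illustration of the aggregate-normalize-query idea behind GUAC.
Added example, not GUAC's own code; every record below is constructed."""
from collections import defaultdict

# Constructed SBOM edges: artifact -> dependency, as each tool emitted the identity.
SBOM = [
    ("app:1.0", "pkg:npm/lodash@4.17.20"),
    ("app:1.0", "pkg:npm/%40scope/left-pad@1.3.0"),
]
# Constructed advisories keyed by package; note the differing case and encoding.
VULNS = [
    ("CONSTRUCTED-VULN-001", "pkg:NPM/lodash@4.17.20"),
    ("CONSTRUCTED-VULN-002", "pkg:npm/@scope/left-pad@1.3.0"),
]
# Constructed build provenance: artifact -> builder.
PROVENANCE = [
    ("app:1.0", "builder:ci-runner"),
]

def normalize(identity: str) -> str:
    """Canonical purl-like form so that sources referring to the same package
    collapse to one node: lowercase the type and decode %40 back to '@'."""
    scheme, rest = identity.split(":", 1)
    ptype, remainder = rest.split("/", 1)
    return f"{scheme}:{ptype.lower()}/{remainder.replace('%40', '@')}"

def build_graph():
    """Aggregate all sources into one adjacency map of typed edges."""
    graph = defaultdict(set)
    for artifact, dep in SBOM:
        graph[artifact].add(("depends_on", normalize(dep)))
    for vuln, pkg in VULNS:
        graph[normalize(pkg)].add(("affected_by", vuln))
    for artifact, builder in PROVENANCE:
        graph[artifact].add(("built_by", builder))
    return graph

def vulns_for(graph, artifact: str) -> set:
    """Query: which vulnerabilities reach this artifact via its dependencies?"""
    found = set()
    for rel, dep in graph.get(artifact, ()):
        if rel == "depends_on":
            found |= {v for r, v in graph.get(dep, ()) if r == "affected_by"}
    return found

if __name__ == "__main__":
    print(sorted(vulns_for(build_graph(), "app:1.0")))
```

Without the normalization step the two spellings of each package would become separate nodes and the advisory edges would never connect to the SBOM edges, which is the failure mode a shared graph is meant to remove.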
