@naveensrinivasan
Created October 23, 2023 14:05
guac-demo.txt
Hello, I am Jeff Mendoza, software engineer at Kusari, and welcome to the GUACademy video series. This is the first video in the series, and I'm here to introduce you to GUAC. GUAC is an open source project licensed under the Apache License. It is a tool that helps you understand your software supply chain. It stands for Graph for Understanding Artifact Composition. It's sort of a database or graph that you add supporting tools to as part of the project; it collects data and insight on your supply chain, and then you can use it for discovery in that supply chain.

So you might ask, how does a graph help with these supply chain questions? We'll look at some diagrams to show you. First we'll start with some SBOMs, or software bills of materials. These SBOMs cover a single service, package, or deliverable, and then include the other software pieces that are in that package. You can then load all of those SBOMs into GUAC, and you can see that you have, well, a bunch of disparate graphs here, with the root package that the SBOM is attached to and then all of the other packages that are included in that one package. But now what you'll see is that GUAC can look at the different packages, or different nodes, in the SBOMs and connect the dots. Once you have links between everything, you can start seeing things such as common dependencies and things that might be critical for your organization. After that, more tooling that's part of GUAC can pull in more information from public services about those open source packages in your graph. This might be richer and more detailed dependency hierarchy information from Open Source Insights, in addition to Scorecard ranking data. Then more GUAC tooling can pull vulnerability information from osv.dev, and now you can see the full graph forming and how this can be beneficial: tracking of a vulnerability, the exact path for what is pulling in that version, and where and why, can easily be determined.

Here is an overall architecture diagram of the full GUAC ecosystem. At the bottom is the data that's put into GUAC, both the SBOMs from your organization and information that's pulled from public services. The big green box is the full GUAC deployment. Next, to pull insights out of GUAC, you have the guacone CLI as well as the GUAC visualizer that's under development. The GUAC graph data model is fully queryable via GraphQL; to dive deeper into the data and to build integrations, that's what you'll be using. Some example integrations include IDE plugins, CI checks, etc.

Next, to see how it works, let's dive into a demo. In this example I'm a Python shop, and I've ingested a lot of SBOMs for the packages that I build into GUAC. I want to see if any of the packages that I build are vulnerable to any kind of vulnerabilities, if GUAC has found any of that information. So I'm going to use the GUAC CLI, guacone, to query for vulnerabilities based on the packages that I care about. Here's the help for that command, guacone query vuln, and I need to provide it a package URL, or purl, to ask which vulnerabilities are discoverable or traceable to that package. To do that, I'm going to go ahead and use a GraphQL query and query which packages have SBOMs attached to them. In my Python shop I generate SBOMs with every build, and those get ingested into GUAC, so GUAC keeps track of packages that have SBOMs by attaching the HasSBOM node. Here we can see, if I run that query against GUAC, it gives back all the information on the packages that have this HasSBOM node attached, and I want to use that to query GUAC and see which vulnerabilities are discoverable from that package. You can actually run that from the command line as well, and then I used some jq commands to format all the results into purls. Now I want to go ahead and pipe all of that into this guacone query vuln command in a loop and start looking at which vulnerabilities can be found in my organization.

So here it's running. Some packages don't have any vulnerabilities, but we do see, oh, some of them do. Skipping ahead, let's say I see a package that has a vulnerability that I want to look closer into. I'm going to look at this xqr8 vulnerability here that GUAC is saying is discoverable from the google-api-core package. Jumping over to GitHub, I look up this GHSA and I find that it's in the certifi package. However, looking at the requirements for my package that GUAC says it was found in, I don't see certifi; I see all of these dependencies. This is where GUAC can help us find what the path is between the package that it found the vulnerability in and the one that you ran the query on. So to dive deeper into this vulnerability found in this package, I'm going to run guacone with the query vuln on that exact package, and also I want to zero in on this vulnerability ID that I care about. It still finds it there, and we also get a link to the visualizer that will let us graphically explore this path. I'm going to switch back over to my browser and paste that in, and here we see that graph. I'm going to pull out some of the nodes that I care about: I believe this is the namespace, pypi is the type, and remember google-api-core is the package that I queried about. Here you can start to see the path. That vulnerability that we saw is on the certifi package, and how does that link to the google-api-core package that we queried on? We can see that google-api-core has a dependency on requests, and then requests has a dependency on certifi. So using this combination of GraphQL queries, CLI commands, and visualizer exploration, you can really see the full picture of your supply chain and start to dig into how things are connected.

For another example, let's take a look at the certify bad command in GUAC. Jumping back to the command line, here we can see this guacone certify command can be used to mark a package as a bad package. The most common use case for this would be if there's a zero-day or there's some other kind of notification that this package has been compromised or been turned malicious in some way. For this one I have an example called colorama, and first I'm going to run the query known on colorama and see that it looks like a pretty standard package: it has a source and it has no vulnerabilities. Next I'll use that certify bad, and let me look at the help one more time. Right, I'm going to give it a justification and say that this has a zero-day. That command will then result in that node being ingested into GUAC, and now when we do the query known command we'll see that this package has a bad link, and its justification is zero-day. Again we get a visualizer URL, which I'll use to jump back over to the visualizer and take a look at that link. I can see, yep, there is a certify bad, but the other thing I want to do is explore which dependencies I have on colorama. Clicking on that node expands all the links there, and we can see, well, there's a dependency between a version of AWS CLI and colorama, and that's something I may want to look into.

And that about wraps up the demo for today. Again, this was just an introduction to GUAC and just a touch on what it can do. We'll be doing more videos in this series covering things like installation, setup, ingestion, and a deeper look into the GraphQL queries and how the data model is. So look forward to those videos in the GUACademy series and on the Kusari YouTube, and if you'd like, go ahead and subscribe so you'll get a notification for those. Thank you very much.
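As an added example of the SBOM-to-vulnerability-query loop the demo walks through (this is not code from the video or from the GUAC project): it flattens a GUAC GraphQL `HasSBOM` response into purls and builds one `guacone query vuln --purl` command per package, skipping subjects that are artifacts rather than packages. The response shape, the sample data and the `--purl` flag spelling are assumptions made for this illustration.

```python
import json
import shlex
from urllib.parse import quote

# Constructed sample response (assumed shape; not captured from a live GUAC).
SAMPLE_RESPONSE = json.dumps({"data": {"HasSBOM": [
    {"subject": {"__typename": "Package", "type": "pypi", "namespaces": [
        {"namespace": "", "names": [{"name": "google-api-core",
                                     "versions": [{"version": "2.11.0"}]}]}]}},
    {"subject": {"__typename": "Package", "type": "pypi", "namespaces": [
        {"namespace": "", "names": [{"name": "colorama",
                                     "versions": [{"version": "0.4.6"}]}]}]}},
    # An SBOM attached to an artifact (e.g. a container image), not a package.
    {"subject": {"__typename": "Artifact", "algorithm": "sha256", "digest": "ab12"}},
]}})


def package_purls(pkg):
    """Flatten a GUAC package trie (type > namespace > name > version) into purls.

    Namespace and name are percent-encoded per the purl spec; qualifiers and
    subpath are ignored here (assumption: the demo's pypi packages have none)."""
    purls = []
    for ns in pkg.get("namespaces", []):
        for name in ns.get("names", []):
            for ver in name.get("versions", []) or [{}]:
                purl = "pkg:" + pkg["type"] + "/"
                if ns.get("namespace"):
                    purl += quote(ns["namespace"], safe="/") + "/"
                purl += quote(name["name"], safe="")
                if ver.get("version"):
                    purl += "@" + quote(ver["version"], safe="")
                purls.append(purl)
    return purls


def purls_with_sbom(response_text):
    """Return purls of every HasSBOM subject that is a Package (artifacts skipped)."""
    body = json.loads(response_text)
    found = []
    for edge in body["data"]["HasSBOM"]:
        subj = edge["subject"]
        if subj.get("__typename") == "Package":
            found.extend(package_purls(subj))
    return found


def vuln_query_commands(purls):
    """One shell-safe `guacone query vuln --purl <purl>` command per package."""
    return ["guacone query vuln --purl " + shlex.quote(p) for p in purls]


if __name__ == "__main__":
    for cmd in vuln_query_commands(purls_with_sbom(SAMPLE_RESPONSE)):
        print(cmd)
```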