Reacting to a supply chain incident

A new high-profile vulnerability landed and now you’re wondering how you should react to it.

How do you discover which of your products and software are vulnerable? How should you go about remediating the problem in your organization? What is the patch plan?

Using the GraphQL API, you can expose the necessary information to discover how your organization’s software catalog is affected and remediate against large-scale security incidents.

This demo simulates the discovery of a high-profile vulnerability and shows how you can discover what software needs to be reviewed or patched. In the future, CertifyBad/CertifyGood will be similar to a binary authorization, where certain checks or policies have determined that an artifact should be utilized or not.

To find out if you’re affected by the security incident and decide what you need to patch, utilize the Guac Visualizer. The GUAC visualizer provides a utility to do some basic analysis and exploration of the software supply chain. This is a great way to get a sense of the size of the problem and helps when developing prototype utilities and queries with GUAC (very much like the vulnerability CLI).


Step 1: Set up your organization’s software catalog

For this demo, we will simulate ingesting an organization’s software catalog. To do this, we will ingest a collection of SBOMs and SLSA attestations into GUAC:

guacone collect files guac-data-main/docs/

Once ingested we will see the following message (the number of documents may vary):

{"level":"info","ts":1681864775.1161852,"caller":"cmd/files.go:201","msg":"completed ingesting 67 documents of 67"}

Step 2: Mark packages as bad when a security incident occurs

A new security incident has occurred and various communities have pointed out that a particular package is affected. In this scenario, the debian package “tzdata” has been found to have a critical vulnerability (yikes!). Now that we know the package and the vulnerable version, can we use this information to quickly find where this package is being used?

The first step we can take is to mark this package as bad by using the guacone certify command. This command defaults to assert a negative certification (instead of a positive one), as well as a justification to indicate why the package is bad. In this case, it is a critical vulnerability:

guacone certify package "compromised version of tzdata" "pkg:deb/debian/tzdata@2021a-1+deb11u5?arch=all&distro=debian-11"

If we successfully added “CertifyBad”, the output will show:

{"level":"info","ts":1683130083.9894989,"caller":"helpers/assembler.go:69","msg":"assembling CertifyBad: 1"}

Step 3: Explore bad packages

  1. To explore all the “certifyBad” items (packages, sources, or artifacts), run the “query Bad” CLI:

    guacone query bad

    This query will automatically search the database and find the list of “certifyBad” that are present. For example, an output will look like the following:

    Use the arrow keys to navigate: ↓ ↑ → ←
    ? Select CertifyBad to Query:
        pkg:golang/ (compromised go-runner)
      ▸ pkg:deb/debian/tzdata@2021a-1+deb11u5 (compromised version of tzdata)
  2. Select a package, source, or artifact from the list to generate a visualizer URL containing all the dependent packages and artifacts (packages that use the certifyBad items).

    Further iterations of the same CLI tool (or another) could be used to give a step-by-step guide to remediation!

    For this scenario, select the pkg:deb/debian/tzdata@2021a-1+deb11u5 (compromised version of tzdata) that we created earlier.

    Doing so will produce a output similar to this:

    ✔ pkg:deb/debian/tzdata@2021a-1+deb11u5 (compromised version of tzdata)
    Visualizer url: http://localhost:3000/?path=142605,44614,1372,1305,1304,127547,127527,127526,36248,2,125455,125358,125357,123291,123287,123286,121220,121216,121215,119149,119145,119144,117075,117074,117073,115010,115006,115005,112939,112935,112934,110299,110283,110282,107515,107453,107452,68077,67990,67989,65923,65745,65744,63678,63674,63673,61607,61603,61602,59536,59532,59531,57463,57461,57460,55393,55390,55389,53320,53319,53318,51236,51113,51112,49048,48779,48778,46714,46713,46712,44615,44610,44609,42533,42528,42527,40466,40462,40461,38397,38393,38392,36252,36250,36249,15392,15337,15336,15335,4155,4125,4124,3,3182,2865,2864,2667,2633,2632,2501,2419,2418,2413,2312,2311,2190,2150,2149,2092,2048,2047,1374,1303,1302
  3. Navigate to the URL to visualize the output. This will show an expanded graph of dependencies.

    An image of the visualizer output graph

    We can tell from this example (arranging the graph a little) the bad debian package (used for timezone information) is commonly used throughout a bunch of dependant container images! All are a cause for concern as they are notable images for Kubernetes, Redis, Nginx and Python. We need to remediate these right away! This allows us to quickly figure out what needs to be updated, so that we are not scrambling to first scan and determine where tzdata might be used.

Exploring a known bad source repo

In the above example, we looked at a specific package. For this demo, we’ll use a git repo that we know is producing a bunch of bad packages. We want to mark the repo as compromised, learn which packages are linked to the repo, and figure out where the packages could be used.

For example, let’s take the googleapis/google-cloud-go git repo. We will begin by certifying it as bad:

guacone certify source "github repo compromised" "git+"

You will see an output confirming that it has been added to the database:

{"level":"info","ts":1683130083.9894989,"caller":"helpers/assembler.go:69","msg":"assembling CertifyBad: 1"}

We perform the same actions by running the CLI but this time selecting the new compromised source repo:

? Select CertifyBad to Query:
    pkg:golang/ (undisclosed vuln)
    pkg:golang/ (pretty bad undisclosed vuln)
    pkg:golang/ (pretty bad undisclosed vuln)
  ▸ git+ (github repo compromised)
↓   pkg:golang/ (github repo compromised)

Selecting the gitt+ (github repo compromised)

will output the following (the IDs path could be different):

✔ git+ (github repo compromised)
Visualizer url: http://localhost:3000/?path=130726,1001,1000,97,130727,130629,4501,130728,130632,130729,130635,130730,4611,131477,4930,131478,131469,131468,133884,5380,133898,5188,133918,4502,133976,5425,134985,134417,134986,134542,138434,130615,130614,5435

We can now follow the url to see the following graph:

An image of the visualizer output graph

From this view, we can see that this particular repo is being used by a bunch of packages, specifically:


With this data, we can investigate further and determine which packages are dependent on these compromised packages and remediate them quickly.

Building more advanced patch planning capability

One of the potential next areas of work for the project is to create a CLI to do patch planning for the organization. Patch planning will allow an organization to determine which packages to update first.

In order to build more robust patch planning, you can leverage the GraphQL Query API that GUAC provides.