December 7, 2021

Fork This! Paranoids’ Grafeas Improvements Add Amazon RDS Support and Speed-Up Queries

Note: Verizon Media is now known as Yahoo.


In October, the Paranoids — the information security team inside Yahoo — added key contributions to Grafeas, an open-source supply chain auditing tool.  

Grafeas enables us to store critical metadata from various events that happen during the software development lifecycle, including:

  • Commit events that identify the source code repository and authors
  • Dependency information, which tells us which internal and external libraries or packages the software depends on
  • Build metadata that provides information about the build environment
  • Artifact metadata, which tells us what the artifact is composed of, its version information, etc.
  • Vulnerability scan results

Ultimately, the Paranoids use this data to decide whether a particular version of software can be deployed to production. It enables us to enforce security policies such as preventing the deployment of software with known vulnerabilities. 

This is part of our overall software supply chain security strategy.
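As an added illustration of the policy decision described above, here is a small Go deployment gate over constructed records shaped like that metadata. It is not code from Grafeas or from the Paranoids; the types, the policy fields and the sample CVE id are all constructed for this example.

```go
package main

import "fmt"

// Vulnerability is a constructed, simplified stand-in for a Grafeas
// vulnerability occurrence: a CVE id and its CVSS v3 base score (0.0 to 10.0).
type Vulnerability struct {
	CVE    string
	CVSSv3 float64
}

// ArtifactMetadata gathers, for one artifact version, the kinds of metadata
// the post lists: commit, build, dependencies and scan results (constructed).
type ArtifactMetadata struct {
	Digest          string
	Commit          string
	BuildVerified   bool // build metadata came from a trusted builder
	Dependencies    []string
	Vulnerabilities []Vulnerability
}

// DeployPolicy is the gate applied before a version may reach production.
type DeployPolicy struct {
	MaxCVSSv3            float64 // highest tolerated CVSS v3 base score
	RequireVerifiedBuild bool
}

// Evaluate returns whether deployment is allowed and, if not, every reason
// it was refused, so operators see all blockers rather than the first one.
func (p DeployPolicy) Evaluate(a ArtifactMetadata) (bool, []string) {
	var reasons []string
	if p.RequireVerifiedBuild && !a.BuildVerified {
		reasons = append(reasons, "build metadata is not from a verified builder")
	}
	for _, v := range a.Vulnerabilities {
		if v.CVSSv3 > p.MaxCVSSv3 {
			reasons = append(reasons, fmt.Sprintf("%s has CVSS v3 %.1f, above limit %.1f",
				v.CVE, v.CVSSv3, p.MaxCVSSv3))
		}
	}
	return len(reasons) == 0, reasons
}

func main() {
	policy := DeployPolicy{MaxCVSSv3: 6.9, RequireVerifiedBuild: true}
	art := ArtifactMetadata{Digest: "sha256:constructed", Commit: "abc123", BuildVerified: true,
		Vulnerabilities: []Vulnerability{{CVE: "CVE-0000-0001", CVSSv3: 9.8}}} // constructed id
	ok, why := policy.Evaluate(art)
	fmt.Println("deploy allowed:", ok, why)
}
```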

Now, on to Grafeas! Most importantly, we added support for the AWS Relational Database Service (RDS) through a connector, grafeas-rds. It is now one of the recommended storage backends for Grafeas.

For us, Grafeas is a critical piece of infrastructure. Downtime is unacceptable. 

With RDS, we get the benefits of improved scalability and reliability — sans managing our own backend database. 

Using RDS also gave us an additional security benefit. It uses Amazon’s IAM system for database authentication, which helps us audit and control access and eliminates the need for static passwords or credentials.

But that’s not all we’re doing to improve the open-source project.

We worked with the Grafeas community to improve support for vulnerability information standards. These standards include CVSS v2 and CVSS v3, with CWE support in progress. We also improved Grafeas by adding database filtering for PostgreSQL, ultimately making queries more efficient.

Why are we telling you this? We’d love to hear if our contributions are actually working for you. So, fork it.

About the Authors

Aditya Mahendrakar is an Engineering Director in the Paranoids group at Yahoo. In his current role, he leads a team of passionate individuals who research and build security capabilities into Yahoo infrastructure and applications that help defend against various attacks. 

Yonghe Zhao is a Software Dev Engineer in the Paranoids group at Yahoo. He is responsible for designing, implementing, testing, deploying, and maintaining security-related software systems at Yahoo. He uses Go, AWS, Ansible, Docker, Kubernetes, and PostgreSQL in his daily work.

We would like to thank Hemil Kadakia and Hsing-Yu Chen for their contributions.
