In a bid to reduce software supply chain risks in the open source software ecosystem, Google launched a free API service providing dependency data and security-related information on over 5 million software components across different programming languages.
Attackers are increasingly injecting malicious code into widely used open source components or dependencies to compromise software projects. According to Mandiant’s M-Trends 2022 report, 17% of all security breaches start with a supply chain attack. This attack vector is the second most common method used. The most common is using exploits targeting vulnerabilities in code.
The free deps.dev API allows developers to find out information about the packages they are considering using, such as which versions are available, which software license applies, and which dependencies the package pulls in. The information comes from the security metadata collected by Google’s Open Source Insights team. The metadata is drawn from multiple sources for 5 million packages with 50 million versions found in the Go, Maven (Java), PyPI (Python), npm (JavaScript), and Cargo (Rust) public registries. It includes transitive dependency graphs, license information, security advisory impact reports, and OpenSSF Security Scorecard information.
Support for NuGet (.NET framework) packages is on the roadmap, Google said.
“Software supply chain security is hard, but it’s in all our interests to make it easier,” the Google Open Source Security Team said in a blog post. “Every day, Google works hard to create a safer internet, and we’re proud to be releasing this API to help do just that and make this data universally accessible and useful to everyone.”
As part of the company’s efforts to improve open source software security, Google Cloud also announced general availability for the Assured Open Source Software (Assured OSS) service for Java and Python ecosystems. Assured OSS allows organizations to incorporate the same open source packages Google secures and uses into their own developer workflows. When the service was originally announced in May 2022, it launched with 278 packages. Now it contains over 1,000 Java and Python packages, including projects such as TensorFlow, Pandas, and Scikit-learn.
Many organizations maintain private repositories of commonly used packages instead of always connecting to public repositories. While there are benefits to this approach, it also puts the onus on the organization to update the packages in the local repository whenever the official package changes. As a result, many developers wind up pulling outdated and vulnerable versions of open source packages.
Using this service would help reduce risk as Google is actively scanning these packages to find and fix vulnerabilities. The vulnerabilities are fixed and “quickly contributed back upstream to limit the exposure time and blast radius,” Google Cloud’s group product manager of security and privacy Andy Chang wrote in the announcement.
The service provides Assured SBOMs (Software Bill of Materials) so that organizations know which dependencies are included in those packages. That way, if a vulnerability is disclosed in a dependency, organizations using the service have an easier time finding out whether they are impacted, even if the dependency is buried deep in the software.
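The check described above, walking a transitive dependency graph to find which chain pulls in a package with a known advisory, as an added example that is not part of the article or of Google's own tooling. The sample graph is constructed inline in the shape of deps.dev's dependency-graph response (the field names `nodes`, `edges`, `versionKey` and `relation` are an assumption about that format); the package names, versions and advisory id are made up.

```python
import json

# Constructed sample, shaped like deps.dev's v3 dependency-graph response
# (assumption: "nodes"/"edges"/"versionKey"/"relation" field names); the
# package names and versions are made up for this example.
DEPS_RESPONSE = json.loads("""
{"nodes": [
   {"versionKey": {"system": "NPM", "name": "my-app", "version": "1.0.0"}, "relation": "SELF"},
   {"versionKey": {"system": "NPM", "name": "web-framework", "version": "4.2.0"}, "relation": "DIRECT"},
   {"versionKey": {"system": "NPM", "name": "template-engine", "version": "2.0.1"}, "relation": "INDIRECT"},
   {"versionKey": {"system": "NPM", "name": "string-util", "version": "0.9.3"}, "relation": "INDIRECT"}],
 "edges": [
   {"fromNode": 0, "toNode": 1, "requirement": "^4.0.0"},
   {"fromNode": 1, "toNode": 2, "requirement": "~2.0.0"},
   {"fromNode": 2, "toNode": 3, "requirement": "0.9.x"}]}
""")

# Constructed advisory map keyed by (system, name, version); in practice this is
# the per-version advisory list returned by the API (assumption about its shape).
ADVISORIES = {("NPM", "string-util", "0.9.3"): ["EXAMPLE-ADVISORY-0001"]}


def label(node):
    vk = node["versionKey"]
    return f"{vk['name']}@{vk['version']}"


def affected_paths(resp, advisories):
    """Map each advisory hitting the graph to one root-to-package path.

    Walks the graph from the SELF node (the queried package) so that a vulnerable
    transitive dependency is reported together with the chain that pulls it in.
    """
    nodes = resp["nodes"]
    children = {}
    for edge in resp["edges"]:
        children.setdefault(edge["fromNode"], []).append(edge["toNode"])
    root = next(i for i, n in enumerate(nodes) if n["relation"] == "SELF")
    found, seen, stack = {}, set(), [(root, [root])]
    while stack:
        idx, path = stack.pop()
        if idx in seen:          # diamonds and cycles: report the first path only
            continue
        seen.add(idx)
        vk = nodes[idx]["versionKey"]
        for adv in advisories.get((vk["system"], vk["name"], vk["version"]), []):
            found.setdefault(adv, [label(nodes[i]) for i in path])
        for child in children.get(idx, []):
            stack.append((child, path + [child]))
    return found


if __name__ == "__main__":
    for adv, path in affected_paths(DEPS_RESPONSE, ADVISORIES).items():
        print(adv, "reached via", " -> ".join(path))
```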