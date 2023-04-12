



This week, Google launched a free API service that provides software developers with dependency data and security-related information about over 5 million software components across a variety of programming languages. Today, the company also announced the general availability of its Assured Open Source Software (Assured OSS) service. The service provides development teams with his Google-curated repository of security-tested packages for Python and Java.

Both services provide extensive security metadata, vulnerability information, and the information needed to create a Software Bill of Materials (SBOM) to help mitigate the risks of the software supply chain that exists in the open source ecosystem. It’s part of Google’s effort. One of the most common ways attackers introduce malicious code into software projects is by compromising a common open source component or one of its many dependencies.

Transitive vulnerabilities inherited from dependencies are also a big problem. Many of them don’t even go unexplained unless development teams have good tools for tracking software advisories with indirect dependencies (multiple layers of the dependency chain).

Google’s free deps.dev API

Google’s Open Source Insights team has extracted 5 million packages from multiple sources, including 50 million versions found in the Go, Maven (Java), PyPI (Python), npm (JavaScript), and Cargo (Rust) public registries. Collected security metadata. Support for NuGet (.NET framework) packages is also planned.

Collected metadata includes transitive dependency graphs, license information, security advisory impact reports, and OpenSSF Security Scorecard information. This data is now organized as a BigQuery dataset and can be queried and analyzed for free via the deps.dev API.

For example, this API allows developers to answer questions such as: What versions are available for a particular package? What software license does a particular version use? How many dependencies does the package have? What are the relationships and what are they? What package and version does a particular file correspond to? You can make better-informed decisions when

The new API is already integrated into Graph for Understanding Artifact Composition (GUAC), an open source tool for building SBOMs, and Google expects more integrations in the future. For example, as an integrated development environment (IDE) plugin, an API can make dependencies and security information readily available to developers. However, it integrates into CI/CD frameworks to prevent the rollout of vulnerable code, integrates into build tools and policy engines for compliance reasons, and detects newly reported vulnerabilities in existing code bases. It can also be integrated with post-release analysis tools that you use, or integrate with software inventory management tools. It can help you identify mystery files and use visualization tools to better understand and view the dependency graph of your software program.

Vulnerabilities like Log4Shell, a critical flaw in the Java log4j component, have shown just how fragile the software ecosystem is. Many software companies and development teams have taken time to determine if their products have been affected.

In such cases the deps.dev API integration is very useful. For example, the API supports searching by file hash to see which version a package belongs to and whether it is affected by known vulnerabilities. CI/CD tools that use APIs instantly alert you to known vulnerabilities affecting your codebase, and visualization tools rely on APIs to show dependency graphs and identify which direct dependencies are vulnerable. log4j file and start working on connecting to that package. Maintainers request or contribute expedited patches.

Nearly a year after Log4Shell was discovered and received widespread coverage across the tech community, 72% of organizations still have vulnerable assets in order to understand how pervasive and serious the problem of transitive vulnerabilities is. and the number of attempts to exploit this vulnerability remained high. One reason is that log4j wasn’t the only one that was directly affected and needed a patch. A vulnerable Java class called JndiManager included in Log4j-core has been borrowed by 783 other projects and is currently found in over 19,000 software components.

The deps.dev API service is globally replicated using Google’s cloud infrastructure for high availability. It’s free to use and doesn’t require authentication or API keys. Developers can simply issue API queries over HTTPS and receive query responses formatted as JSON objects.

“Software supply chain security is hard, but it’s in our all interest to make it easier,” said a member of the Google Open Source Security Team in a blog post. “Google works hard every day to build a safer internet, and we want to help by releasing this API to make this data universally accessible and available to everyone. I am proud of

Free and guaranteed OSS

In addition to the deps.dev API, Google announced the general availability of the Assured OSS service. It’s essentially a repository of over 1,000 of the most popular Java and Python packages, whose provenance has been verified and security tested by Google’s own team. The service was originally launched in public preview a year ago.

“Assured OSS, available for free today, empowers any organization that uses open source software with the same OSS packages that Google protects and uses for their own developer workflows, helping Google reduce their open source dependencies. It provides an opportunity to take advantage of security and experiences that apply to relationships,” Andy Chang, group product manager for security and privacy at Google Cloud, said in a blog post.

All packages hosted in this repository adhere to the Supply-chain Levels for Software Artifacts (SLSA) framework, which offers three levels of assurance:

Level 1, built and signed by Google Level 2, safely built from vetted sources and attesting to all transitive dependencies Level 3, including transitive closure of all dependencies and ongoing scanned and fuzzed by

The package undergoes regular vulnerability scanning, analysis, and fuzz testing and includes data from the Open-Source Vulnerabilities (OSV) database. Package artifacts are also signed and distributed from secure repositories maintained by Google. Finally, each package comes with metadata, artifact analysis, package health, and vulnerability impact data from SBOM and Cloud Build in multiple standard formats for consumption by various tools.

In addition to security testing, Google has a patch team that quickly patches security issues identified in packages, such as backporting patches to older versions not supported by the original maintainer. “The curation process provides significant security benefits to Assured OSS adopters and the wider community,” Chang said. “The Assured OSS team was the first to discover 48% of new vulnerabilities (CVEs) since the Assured OSS team curated his first 278 packages. Each of these CVEs has been fixed and upstreamed. .”

Keeping copies of commonly used packages in local repositories instead of constantly pulling them from public repositories is a practice many companies are working on. In theory, this provides a buffer if public versions of popular packages are compromised and malicious code is injected. However, it can also delay the application of security patches. Numerous studies over the years have shown that organizations commonly use outdated and vulnerable versions of open source components in their applications.

Google’s Assured OSS aims to address some of the drawbacks of maintaining private repositories. This is done by hiring a dedicated team of experienced security professionals to manage the repository and ensure the security quality of packages inside, which most companies cannot afford to do in-house.

