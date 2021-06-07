



Google is working on new tools to help developers discover the dependencies of the open source packages and libraries they use, along with the known security vulnerabilities affecting them.

Open Source Insights

Open Source Insights is a tool hosted on Google Cloud Platform that can be accessed from a website where users can enter the names of specific open source packages and get an overview of how they are organized.

It shows:

Information about packages (description, ownership, links)
Dependencies (components that a package depends on)
Dependents (packages that depend on the package)
Security advisories (known vulnerabilities in the package and its dependencies, unmanaged dependencies, etc.)
License information

“Among other features, it provides an interactive tool for visualizing and analyzing complete transitive dependency graphs, and emphasizes how different versions of the package affect dependencies. There are also comparison tools for tasks such as changing your own dependencies, adding licensing requirements, fixing security issues, etc.,” explains the Open Source Insights team.

The tool currently displays information about 50,000 Cargo crates (Rust), 600,000 Go modules, 420,000 Maven packages (Java), and 3.6 million npm packages (Node.js). Google is working on adding further packaging systems.

“The project scans for all available packages that can be found by scanning the system’s package home site, such as npm, or by scanning GitHub and other repository hosting sites,” they explained.

“At this point, Insights needs package information to build dependency graphs, so we can only analyze systems that use known package models. This means, at least for now, that there is no data for C or C++, which do not have a good package model.”

Improving the security of open source supply chains

As enterprise use of open source software grows and the risks posed by unmanaged open source (security vulnerabilities, outdated and abandoned components, license compliance issues, etc.) mount, keeping track of the many frequent changes to a software solution's package dependencies becomes mandatory.

While developers can use vulnerability scanners and dependency audits to identify vulnerabilities, Open Source Insights provides a broader picture of software supply chain security.

“Insights does not replace the standard toolset, but extends it with a fresh, integrated view of the entire ecosystem of each package model,” Google explains.

“The main difference is that the Insights data is based on first principles, taking into account the software and its package definitions. The result is effectively different from declared dependencies, for example packaging “lock” files, and can be different or more complete. In addition, the data presented by Insights is regularly reassessed and kept up to date. This is important in the rapidly changing world of open source development.”

Insights tracks various publicly available vulnerability databases and flags known security issues.
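As an added illustration of the features described above (the transitive dependency graph, advisory flagging, and comparing how a version change affects the graph), here is a small Python resolver. This is example code, not code from Google or the Open Source Insights project; it runs over a constructed package index and a constructed advisory list with a placeholder advisory id, and it assumes exact version pins rather than the version ranges real ecosystems declare.

```python
# Constructed package index: name -> version -> resolved dependencies (exact pins assumed).
INDEX = {
    "webapp": {
        "1.0.0": [("http-client", "2.1.0"), ("logger", "0.9.0")],
        "1.1.0": [("http-client", "2.3.0"), ("logger", "0.9.0")],
    },
    "http-client": {
        "2.1.0": [("url-parse", "1.4.0"), ("logger", "0.9.0")],
        "2.3.0": [("url-parse", "1.5.2"), ("logger", "0.9.0")],
    },
    "url-parse": {"1.4.0": [], "1.5.2": []},
    "logger": {"0.9.0": []},
}
# Constructed advisory list: (package, affected versions, placeholder id).
ADVISORIES = [("url-parse", {"1.4.0"}, "ADV-EXAMPLE-0001")]


def transitive_graph(name, version, index=INDEX):
    """Walk package definitions to build the full transitive dependency graph.
    Returns {(name, version): [(dep_name, dep_version), ...]}, root included.
    Each node is expanded once, so a shared (diamond) dependency such as
    "logger" is neither re-walked nor able to loop.
    """
    graph, stack = {}, [(name, version)]
    while stack:
        node = stack.pop()
        if node in graph:
            continue
        graph[node] = index[node[0]][node[1]]
        stack.extend(graph[node])
    return graph


def flag_advisories(graph, advisories=ADVISORIES):
    """Join every (name, version) node of the graph against the advisory list."""
    return sorted((n, v, adv) for (n, v) in graph
                  for pkg, affected, adv in advisories
                  if n == pkg and v in affected)


def graph_diff(old, new):
    """(removed, added) nodes when moving from graph `old` to graph `new`."""
    return sorted(set(old) - set(new)), sorted(set(new) - set(old))


if __name__ == "__main__":
    g0, g1 = transitive_graph("webapp", "1.0.0"), transitive_graph("webapp", "1.1.0")
    print("1.0.0 advisories:", flag_advisories(g0))  # flags url-parse 1.4.0 via http-client
    print("upgrade to 1.1.0 removes/adds:", graph_diff(g0, g1))
```

The advisory on url-parse is only reachable through http-client, which is exactly the kind of indirect exposure a flat list of declared dependencies would miss.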

According to Google, data for commonly used packages is usually up to date, but data for inactive and obsolete packages may be older.

