In a bid to reduce software supply chain risks in the open source software ecosystem, Google launched a free API service providing dependency data and security-related information on over 5 million software components across different programming languages.
Attackers are increasingly injecting malicious code into widely used open source components or dependencies to compromise software projects. According to Mandiant’s M-Trends 2022 report, 17% of all security breaches start with a supply chain attack, the second most common method used. The most common is using exploits targeting vulnerabilities in code.
Support for NuGet (.NET framework) packages is on the roadmap, Google said.
Google has already integrated the deps.dev API into Graph for Understanding Artifact Composition (GUAC) to build SBOMs, and other integrations -- such as an integrated development environment (IDE) plugin to provide dependency information, hooking into continuous integration/continuous delivery (CI/CD) frameworks to prevent vulnerable code from being deployed, identifying unknown files in software inventory management tools, and using visualization tools to generate dependency graphs -- are in the works.
"Software supply chain security is hard, but it’s in all our interests to make it easier," the Google Open Source Security Team said in a blog post. "Every day, Google works hard to create a safer internet, and we’re proud to be releasing this API to help do just that and make this data universally accessible and useful to everyone."
Safer Than Local Repos
As part of the company’s efforts to improve open source software security, Google Cloud also announced general availability for the Assured Open Source Software (Assured OSS) service for Java and Python ecosystems. Assured OSS allows organizations to incorporate the same open source packages Google secures and uses into their own developer workflows. When the service was originally announced in May 2022, it launched with 278 packages. Now it contains over 1,000 Java and Python packages, including projects such as TensorFlow, Pandas, and Scikit-learn.
Many organizations maintain private repositories of commonly used packages instead of always connecting to public repositories. While there are benefits to this approach, it also puts the onus of regularly updating the packages in the local repository whenever the official package is changed onto the organization. Many developers wind up pulling outdated and vulnerable versions of open source packages as a result.
Using this service would help reduce risk as Google is actively scanning these packages to find and fix vulnerabilities. The vulnerabilities are fixed and “quickly contributed back upstream to limit the exposure time and blast radius,” Google Cloud’s group product manager of security and privacy Andy Chang wrote in the announcement.
The service provides Assured SBOMs (Software Bill of Materials) so that organizations know what dependencies are included in those packages. That way, if a vulnerability is disclosed in a dependency, organizations using the service would have a easier time finding out if they are impacted, even if the dependency is buried deep down in the software.