Table of Contents
  • Home
  • /
  • Blog
  • /
  • Open Source Insights (deps.dev)- Google’s New API Service to Identity Vulnerabilities of Open Source Packages
December 14, 2023
|
4m

Open Source Insights (deps.dev)- Google’s New API Service to Identity Vulnerabilities of Open Source Packages


Open Source Insights Deps Dev Googles New Api Service To Identity Vulnerabilities Of Open Source Packages

We discussed Third-Party Risk Management, also known as Vendor Risk Management through thesecmaster.com quite a few weeks ago before publishing this post. We recommend reading those posts to learn more about Vendor Risk Management, what are its challenges, consequences, and top strategies to mitigate Vendor Risk Management. Today, we are covering one such related topic. This time we are writing on an Open Source Insights service hosted on deps.dev. An open-source service Google made public to help identify vulnerabilities of open-source packages.

The Problem Associated With The Third-Party Open-Source Software Packages

In software development, packages are groups of pre-written code modules designed to accomplish specific tasks, such as formatting data. These code modules save developers valuable time and resources by allowing them to avoid creating every element of their programs from scratch.

However, incorporating such open-source software packages into a program can also introduce vulnerabilities. It’s challenging for developers to determine the vulnerable packages to use in their projects. To mitigate the risks of open-source vulnerabilities, Google has recently announced the release of the deps.dev API, which builds upon its open-source cybersecurity initiative that was initiated in 2021. This innovative API aims to simplify the process of identifying and mitigating vulnerabilities in open-source software packages.

“Your software and your users rely not only on the code you write, but also on the code your code depends on, the code that code depends on, and so on. An accurate view of the complete dependency graph is critical to understanding the state of your project. And it’s not just code: you need to know about security vulnerabilities, licenses, recent releases, and more.”
– deps.dev

A Short Introduction to Open Source Insights (deps.dev)

Source: deps.dev

This is an open-source API service to enhance developers’ understanding of open-source software packages. It aims to provide developers with a comprehensive understanding of the structure, construction, and security of open-source software packages. By examining each package, constructing a detailed graph of its dependencies and their properties, and making the results available to anyone who could benefit from them, the service aims to give developers a picture of how their software is put together, how that changes as dependencies change, and what the consequences might be.

The Open Source Insights service currently indexes several package ecosystems, including Cargo, Go, Maven, npm, NuGet, and PyPI. It also indexes project hosts such as GitHub, GitLab, and Bitbucket, as well as security advisories from OSV. The data is updated regularly to ensure that the information is up-to-date and relevant, while also allowing developers to look back and see how things have changed over time.

npm3.20M
Go1.00M
Maven532k
PyPI431k
NuGet358k
Cargo114k

Developers can access this service in a few ways. Firstly, they can visit the deps.dev website, where they can search for open-source packages, visualize dependencies, compare versions, investigate security advisories, and more. Alternatively, they can build tools and integrations using the Open Source Insights API, which is available via HTTP and gRPC. Finally, developers can discover their own insights by running queries against the Open Source Insights BigQuery public dataset.

Bottom Line

In conclusion, Google’s Open Source Insights service is an innovative solution for enhancing developers’ understanding of open-source software packages. By providing comprehensive data on package dependencies and their properties, the service empowers developers to make informed decisions about their software and mitigate potential risks. Developers can access this data through various means, including the deps.dev website, API, and BigQuery dataset.

We hope this article helped you know about Open Source Insights (deps.dev)- Google’s new API service to identify vulnerabilities of open source packages. Thanks for reading this post. Please share this post and help secure the digital world. Visit our social media page on FacebookLinkedInTwitterTelegramTumblrMedium & Instagram, and subscribe to receive updates like this. 

You may also like these articles:

Arun KL

Arun KL is a cybersecurity professional with 15+ years of experience in IT infrastructure, cloud security, vulnerability management, Penetration Testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.

Recently added

Explore

View All

Learn More About Cyber Security Security & Technology

“Knowledge Arsenal: Empowering Your Security Journey through Continuous Learning”

Cybersecurity All-in-One For Dummies - 1st Edition

"Cybersecurity All-in-One For Dummies" offers a comprehensive guide to securing personal and business digital assets from cyber threats, with actionable insights from industry experts.

Tools

Featured

View All

Learn Something New with Free Email subscription

Subscribe

Subscribe