We discussed Third-Party Risk Management, also known as Vendor Risk Management, on securitymaster.dev several weeks before publishing this post. We recommend reading those posts to learn what Vendor Risk Management is, its challenges and consequences, and the top strategies for mitigating vendor risk. Today we are covering a related topic: the Open Source Insights service hosted on deps.dev, a service Google made public to help identify vulnerabilities in open-source packages.
The Problem Associated With The Third-Party Open-Source Software Packages
In software development, packages are groups of pre-written code modules designed to accomplish specific tasks, such as formatting data. These code modules save developers valuable time and resources by allowing them to avoid creating every element of their programs from scratch.
However, incorporating such open-source software packages into a program can also introduce vulnerabilities, and it is challenging for developers to determine which packages are vulnerable before using them in their projects. To mitigate the risks of open-source vulnerabilities, Google has recently announced the release of the deps.dev API, which builds upon its open-source cybersecurity initiative started in 2021. This API aims to simplify the process of identifying and mitigating vulnerabilities in open-source software packages.
“Your software and your users rely not only on the code you write, but also on the code your code depends on, the code that code depends on, and so on. An accurate view of the complete dependency graph is critical to understanding the state of your project. And it’s not just code: you need to know about security vulnerabilities, licenses, recent releases, and more.”– deps.dev
A Short Introduction to Open Source Insights (deps.dev)
This is an open-source API service to enhance developers’ understanding of open-source software packages. It aims to provide developers with a comprehensive understanding of the structure, construction, and security of open-source software packages. By examining each package, constructing a detailed graph of its dependencies and their properties, and making the results available to anyone who could benefit from them, the service aims to give developers a picture of how their software is put together, how that changes as dependencies change, and what the consequences might be.
The Open Source Insights service currently indexes several package ecosystems, including Cargo, Go, Maven, npm, NuGet, and PyPI. It also indexes project hosts such as GitHub, GitLab, and Bitbucket, as well as security advisories from OSV. The data is updated regularly to ensure that the information is up-to-date and relevant, while also allowing developers to look back and see how things have changed over time.
Developers can access this service in a few ways. Firstly, they can visit the deps.dev website, where they can search for open-source packages, visualize dependencies, compare versions, investigate security advisories, and more. Alternatively, they can build tools and integrations using the Open Source Insights API, which is available via HTTP and gRPC. Finally, developers can discover their own insights by running queries against the Open Source Insights BigQuery public dataset.
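The value of the dependency graph described above is that it exposes advisories on transitive dependencies, not only on the packages a project lists directly. The following is an added example, not code from deps.dev or Google: it walks a graph in the shape that a dependency lookup returns (a list of nodes carrying a `versionKey` and `relation`, plus edges between node indices) and reports every reachable version that has entries in its `advisoryKeys` list, together with the shortest path from the project to it. That response shape, the `fetch_live` endpoint form and the `SAMPLE_*` data are all assumptions or constructed for illustration, and the advisory id is a placeholder.

```python
"""Walk a deps.dev-style dependency graph and report transitive
dependencies that carry security advisories.

Added example, not code from deps.dev or Google. The response shape
(nodes/edges with versionKey and relation, per-version advisoryKeys)
is an assumption about the HTTP API; SAMPLE_* data is constructed and
the advisory id is a placeholder.
"""
import json
import urllib.request
from collections import deque

# Constructed sample: a ':dependencies' lookup for a hypothetical npm
# package "example-app" 1.0.0. Node 0 is the project itself (SELF),
# node 1 a direct dependency, node 2 a transitive one.
SAMPLE_DEPENDENCIES = json.loads("""
{
  "nodes": [
    {"versionKey": {"system": "NPM", "name": "example-app",  "version": "1.0.0"}, "relation": "SELF"},
    {"versionKey": {"system": "NPM", "name": "example-lib",  "version": "2.3.1"}, "relation": "DIRECT"},
    {"versionKey": {"system": "NPM", "name": "example-util", "version": "0.9.0"}, "relation": "INDIRECT"}
  ],
  "edges": [
    {"fromNode": 0, "toNode": 1, "requirement": "^2.0.0"},
    {"fromNode": 1, "toNode": 2, "requirement": "~0.9.0"}
  ]
}
""")

# Constructed sample of per-version lookups, keyed "SYSTEM/name@version".
# Only the transitive dependency carries an advisory (placeholder id).
SAMPLE_VERSIONS = {
    "NPM/example-app@1.0.0": {"advisoryKeys": []},
    "NPM/example-lib@2.3.1": {"advisoryKeys": []},
    "NPM/example-util@0.9.0": {"advisoryKeys": [{"id": "GHSA-PLACEHOLDER-0001"}]},
}


def sample_lookup(vid):
    """Offline stand-in for a per-version API call."""
    return SAMPLE_VERSIONS.get(vid, {})


def fetch_live(system, name, version):
    """Assumed endpoint form for a live lookup (not used by the demo)."""
    url = (f"https://api.deps.dev/v3/systems/{system}/packages/{name}"
           f"/versions/{version}:dependencies")
    with urllib.request.urlopen(url, timeout=10) as resp:
        return json.load(resp)


def version_id(version_key):
    return f"{version_key['system']}/{version_key['name']}@{version_key['version']}"


def build_adjacency(graph):
    """Map each node index to the indices it depends on."""
    adj = {i: [] for i in range(len(graph["nodes"]))}
    for edge in graph["edges"]:
        adj[edge["fromNode"]].append(edge["toNode"])
    return adj


def find_vulnerable_paths(graph, version_lookup):
    """Return {version_id: (advisory ids, shortest path from the project)}.

    Breadth-first search from the SELF node records each node's parent, so
    the path to an affected version shows which direct dependency pulls it in.
    """
    adj = build_adjacency(graph)
    root = next((i for i, n in enumerate(graph["nodes"])
                 if n.get("relation") == "SELF"), 0)
    parents = {root: None}
    queue = deque([root])
    while queue:
        cur = queue.popleft()
        for nxt in adj[cur]:
            if nxt not in parents:
                parents[nxt] = cur
                queue.append(nxt)

    findings = {}
    for idx, node in enumerate(graph["nodes"]):
        if idx not in parents:
            continue  # not reachable from the project; ignore
        vid = version_id(node["versionKey"])
        advisories = [a["id"] for a in version_lookup(vid).get("advisoryKeys", [])]
        if not advisories:
            continue
        path, cur = [], idx
        while cur is not None:
            path.append(version_id(graph["nodes"][cur]["versionKey"]))
            cur = parents[cur]
        findings[vid] = (advisories, list(reversed(path)))
    return findings


if __name__ == "__main__":
    for vid, (ids, path) in find_vulnerable_paths(SAMPLE_DEPENDENCIES, sample_lookup).items():
        print(f"{vid}: {', '.join(ids)} via {' -> '.join(path)}")
```

The path is what makes the finding actionable: a transitive advisory is usually remediated by upgrading or replacing the direct dependency that introduces it, which is the second element of the path rather than the affected package itself.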
In conclusion, Google’s Open Source Insights service is an innovative solution for enhancing developers’ understanding of open-source software packages. By providing comprehensive data on package dependencies and their properties, the service empowers developers to make informed decisions about their software and mitigate potential risks. Developers can access this data through various means, including the deps.dev website, API, and BigQuery dataset.