This week, Google launched a free API service that provides software developers with dependency data and security-related information on over 5 million software components across different programming languages. Today, the company also announced the general availability of its Assured Open Source Software (Assured OSS) service, which provides development teams with a Google-curated repository of security-tested packages for Python and Java.

Both services are part of Google's efforts to reduce the software supply chain risks that exist in the open-source ecosystem by providing extensive security metadata, vulnerability information, and the information needed to build software bills of materials (SBOMs).

One of the most common ways in which attackers can introduce malicious code into software projects is by compromising a popular open-source component or one of its many dependencies. Transitive vulnerabilities inherited from dependencies are also a major problem, as many of them go unaccounted for if development teams don't have good tools to track software advisories in indirect dependencies, multiple layers down in the dependency chain.

Vulnerabilities like Log4Shell, a critical flaw in the Java log4j component, showed how fragile the software ecosystem is. Many software companies and development teams found themselves slow to determine whether their products were affected, because while log4j might not have been a direct dependency of their software, it might have been an indirect one, statically included in some other package they used. In such cases, API integration could be very useful. For example, the API supports searching by file hash to see which version of a package it belongs to and whether it's affected by a known vulnerability.

Google's Open Source Insights team has collected security metadata from multiple sources for 5 million packages with 50 million versions found in the Go, Maven (Java), PyPI (Python), npm (JavaScript), and Cargo (Rust) public registries. Support for NuGet (.NET framework) packages is also planned.

The new API has already been integrated into Graph for Understanding Artifact Composition (GUAC), an open-source tool for building SBOMs, but Google expects more integrations in the future. For example, as a plugin for integrated development environments (IDEs), the API can make dependency and security information immediately available to developers. It could also be integrated into CI/CD frameworks to prevent rolling out vulnerable code, into build tools and policy engines for compliance reasons, into post-release analysis tools to detect newly reported vulnerabilities in existing code bases, into software inventory management tools that can help identify mystery files, and into visualization tools to get a better understanding and view of a software program's dependency graph.
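The two capabilities the article describes, identifying a "mystery file" by hash and catching an advisory that sits several layers down the dependency chain, are what a CI/CD gate built on this kind of API would combine. The Python below is an added example, not code from the article or from Google; the URL layout (`/v3/query` with a base64-encoded SHA-256) is an assumption modelled on the public JSON API and should be checked against current documentation, and the package names, dependency graph, advisory identifier and API responses are constructed sample data so the example runs offline. The `fetch` callable is the one seam to replace with a real HTTP client.

```python
"""Added example: resolve an artifact by hash, walk its transitive dependencies,
and fail the build if any version in the graph carries an advisory."""
import base64
import hashlib
from collections import deque
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import quote

# Assumption: base URL and query shape modelled on the v3 JSON API;
# confirm against current documentation before relying on it.
API_BASE = "https://api.deps.dev/v3"

Graph = Dict[str, List[str]]        # "name@version" -> direct dependencies
Advisories = Dict[str, List[str]]   # "name@version" -> advisory keys


def sha256_b64(data: bytes) -> str:
    """Digest an artifact the way the hash lookup expects: SHA-256, base64."""
    return base64.b64encode(hashlib.sha256(data).digest()).decode("ascii")


def hash_query_url(data: bytes) -> str:
    """URL asking which package version a file with this hash belongs to."""
    return f"{API_BASE}/query?hash.type=SHA256&hash.value={quote(sha256_b64(data), safe='')}"


def identify_artifact(data: bytes, fetch: Callable[[str], dict]) -> Optional[str]:
    """Resolve a binary to 'name@version' via the hash lookup; None if unknown."""
    results = fetch(hash_query_url(data)).get("results", [])
    if not results:
        return None
    key = results[0]["version"]["versionKey"]
    return f"{key['name']}@{key['version']}"


def vulnerable_paths(root: str, deps: Graph, advisories: Advisories) -> List[Tuple[List[str], List[str]]]:
    """Breadth-first walk of the transitive graph; return every version that
    carries an advisory together with the path that pulls it in."""
    found: List[Tuple[List[str], List[str]]] = []
    seen = {root}
    queue = deque([[root]])
    while queue:
        path = queue.popleft()
        keys = advisories.get(path[-1], [])
        if keys:
            found.append((path, keys))
        for child in deps.get(path[-1], []):
            if child not in seen:       # diamonds and cycles are visited once
                seen.add(child)
                queue.append(path + [child])
    return found


def should_block_rollout(data: bytes, fetch: Callable[[str], dict],
                         deps: Graph, advisories: Advisories) -> bool:
    """CI gate: block when the artifact, or anything below it, has an advisory.
    An artifact the lookup cannot identify fails closed as well."""
    root = identify_artifact(data, fetch)
    if root is None:
        return True
    return bool(vulnerable_paths(root, deps, advisories))


# Constructed sample data standing in for live responses; identifiers are invented.
SAMPLE_JAR = b"constructed bytes standing in for a packaged application"
SAMPLE_ROOT = "org.example:app@1.0.0"
SAMPLE_RESPONSES = {
    hash_query_url(SAMPLE_JAR): {"results": [{"version": {"versionKey": {
        "system": "MAVEN", "name": "org.example:app", "version": "1.0.0"}}}]},
}
SAMPLE_DEPS: Graph = {
    SAMPLE_ROOT: ["org.example:web@2.1.0"],
    "org.example:web@2.1.0": ["org.example:logging@1.2.3"],  # indirect, two levels down
    "org.example:logging@1.2.3": [],
}
SAMPLE_ADVISORIES: Advisories = {"org.example:logging@1.2.3": ["EXAMPLE-ADV-0001"]}


def offline_fetch(url: str) -> dict:
    """Stand-in for an HTTP GET so the example runs without network access."""
    return SAMPLE_RESPONSES.get(url, {"results": []})


if __name__ == "__main__":
    for path, keys in vulnerable_paths(SAMPLE_ROOT, SAMPLE_DEPS, SAMPLE_ADVISORIES):
        print(" -> ".join(path), "| advisories:", ", ".join(keys))
    print("block rollout:", should_block_rollout(SAMPLE_JAR, offline_fetch, SAMPLE_DEPS, SAMPLE_ADVISORIES))
```

The gate fails closed on an unidentified artifact on purpose: a file the lookup cannot attribute to any known package version is exactly the "mystery file" case, and shipping it without provenance is the riskier default. In a real pipeline the dependency graph and advisory lists would come from the API's own dependency and version endpoints rather than the constructed dictionaries here.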