Google has announced two new initiatives intended to make the open-source packages developers rely on more secure and more dependable. The first is the Deps.dev API, a free service that exposes dependency, license and security metadata for more than 5 million packages across several programming-language ecosystems.
The Deps.dev service aggregates security metadata from multiple sources for some 50 million package versions published in public ecosystems: Go modules, Maven (Java), PyPI (Python), npm (JavaScript) and Cargo (Rust), with NuGet (.NET) planned. With Deps.dev, developers can answer questions such as which versions of a package exist, which licenses a given version carries, how many dependencies a version pulls in and what they are, and which package and version a particular file belongs to (looked up by its hash). That information helps developers make informed choices when weighing the risk of adding a package to a project.
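The following is an added example, not code from the article or from Google, showing how a small client would ask the questions listed above. The endpoint paths and JSON field names follow the public Deps.dev v3 REST documentation as the editor understands it (the `API_BASE` prefix, the `:dependencies` suffix and the `hash.type`/`hash.value` query parameters are assumptions to verify against https://docs.deps.dev/), and the two sample responses are constructed and abbreviated, not captured from the live service, so the script runs offline.

```python
"""Minimal Deps.dev query helpers (added example; endpoint shapes are assumptions
taken from the v3 API documentation, sample responses below are constructed)."""
import base64
import hashlib
import json
import urllib.parse
import urllib.request

API_BASE = "https://api.deps.dev/v3"  # assumption: stable v3 prefix


def package_url(system: str, name: str) -> str:
    """Package endpoint; scoped names such as @scope/pkg must be fully URL-encoded."""
    return f"{API_BASE}/systems/{system}/packages/{urllib.parse.quote(name, safe='')}"


def version_url(system: str, name: str, version: str) -> str:
    """Single-version endpoint (licenses, advisories, links)."""
    return f"{package_url(system, name)}/versions/{urllib.parse.quote(version, safe='')}"


def dependencies_url(system: str, name: str, version: str) -> str:
    """Resolved dependency-graph endpoint for one version (assumed ':dependencies' suffix)."""
    return version_url(system, name, version) + ":dependencies"


def hash_query_url(file_bytes: bytes) -> str:
    """Look up which package/version a file belongs to, by its base64-encoded SHA-256."""
    digest_b64 = base64.b64encode(hashlib.sha256(file_bytes).digest()).decode("ascii")
    query = urllib.parse.urlencode({"hash.type": "SHA256", "hash.value": digest_b64})
    return f"{API_BASE}/query?{query}"


def fetch_json(url: str) -> dict:
    """Live fetch over the network; not called by the offline demo below."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return json.load(resp)


def summarize_dependencies(graph: dict) -> dict:
    """Split the resolved graph into direct and transitive dependencies and collect
    any per-node resolution errors, which a risk review should treat as unknowns."""
    direct, indirect, errors = [], [], []
    for node in graph["nodes"]:
        key = node["versionKey"]
        label = f'{key["name"]}@{key["version"]}'
        relation = node.get("relation")
        if relation == "DIRECT":
            direct.append(label)
        elif relation == "INDIRECT":
            indirect.append(label)
        if node.get("errors"):
            errors.append(label)
    return {"direct": sorted(direct), "indirect": sorted(indirect), "errors": sorted(errors)}


def risk_report(version_info: dict, graph: dict) -> dict:
    """Combine license, advisory and dependency-count signals for one version."""
    deps = summarize_dependencies(graph)
    return {
        "licenses": list(version_info.get("licenses", [])),
        "advisories": [a["id"] for a in version_info.get("advisoryKeys", [])],
        "direct_count": len(deps["direct"]),
        "indirect_count": len(deps["indirect"]),
        "unresolved": deps["errors"],
    }


# Constructed sample responses (fictional package names, placeholder advisory id).
SAMPLE_VERSION = {
    "versionKey": {"system": "NPM", "name": "example-lib", "version": "2.1.0"},
    "isDefault": True,
    "licenses": ["MIT"],
    "advisoryKeys": [{"id": "GHSA-xxxx-xxxx-xxxx"}],  # placeholder, not a real advisory
}
SAMPLE_GRAPH = {
    "nodes": [
        {"versionKey": {"system": "NPM", "name": "example-app", "version": "1.0.0"}, "relation": "SELF", "errors": []},
        {"versionKey": {"system": "NPM", "name": "example-lib", "version": "2.1.0"}, "relation": "DIRECT", "errors": []},
        {"versionKey": {"system": "NPM", "name": "example-cli", "version": "0.9.3"}, "relation": "DIRECT", "errors": []},
        {"versionKey": {"system": "NPM", "name": "example-util", "version": "1.4.0"}, "relation": "INDIRECT", "errors": []},
        {"versionKey": {"system": "NPM", "name": "example-broken", "version": "3.0.0"}, "relation": "INDIRECT",
         "errors": ["constructed: version could not be resolved"]},
    ],
    "edges": [
        {"fromNode": 0, "toNode": 1, "requirement": "^2.0.0"},
        {"fromNode": 0, "toNode": 2, "requirement": "~0.9.0"},
        {"fromNode": 1, "toNode": 3, "requirement": ">=1.2.0"},
        {"fromNode": 2, "toNode": 4, "requirement": "3.x"},
    ],
}

if __name__ == "__main__":
    print(dependencies_url("npm", "@scope/pkg", "1.0.0"))
    print(json.dumps(risk_report(SAMPLE_VERSION, SAMPLE_GRAPH), indent=2))
```

For a live lookup, replace the sample dictionaries with `fetch_json(version_url(...))` and `fetch_json(dependencies_url(...))`. Note that unresolved nodes are reported rather than silently dropped: a dependency the service could not resolve is exactly the one a review must not assume is clean.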
The second initiative is Assured Open Source Software (Assured OSS), a public service that gives development teams access to a repository of Python and Java packages curated by Google itself. The launch is timely given recent reports of malicious packages in public developer repositories. Assured OSS targets a familiar trade-off: many organizations, particularly those with private or in-house development, mirror the packages they depend on into local repositories so that a compromise of a popular package's public version does not flow straight into their builds. The downside of such private mirrors is that security fixes can lag behind upstream for extended periods, which undermines the security of the final product.
A repository curated by Google specialists is meant to make that trade-off less painful. Surveys of open-source usage repeatedly find that organizations ship outdated and vulnerable versions of open-source components in their applications, which carries significant risk. Google's repository is designed to address this by giving development teams a curated set of packages they can consume with more confidence, although a curated feed only helps if teams actually pull updates from it rather than freezing on an old snapshot.