Highlights:

  • A software team can determine whether a package has any known vulnerabilities by using deps.dev.
  • According to Google, the newly unveiled API will make the deps.dev dataset simpler for developers to use.

Google LLC is publishing an application programming interface allowing programmers to scan open-source code for vulnerabilities and other issues.

The deps.dev API, as it is known, made its debut recently. It expands the deps.dev open-source cybersecurity project that Google launched in 2021.

Open-source ecosystem packages are frequently integrated into software development projects. A package is a collection of pre-written code modules designed to perform a specific task, such as formatting data; these code modules liberate developers from having to create every aspect of their programs from scratch.

A program may pick up vulnerabilities from the open-source software it depends on. Google introduced deps.dev in 2021 to mitigate that risk; through the initiative, security information about more than 5 million open-source packages is accessible.

Using deps.dev, a software team can determine whether a product contains any known vulnerabilities. Google also provides information on other topics, such as licensing restrictions. Several open-source software packages are incompatible with some enterprise software projects because their licenses restrict their use for commercial purposes.

According to Google, the newly unveiled API will make the deps.dev dataset more straightforward for developers to use, because it allows them to build automation workflows around it. Google claims that workflows built on deps.dev data can more effectively identify vulnerabilities and other problems.

An organization may use the API to construct a component that links deps.dev to the code editor that its developers use. When a developer downloads an open-source program, such a component may automatically check for vulnerabilities. Similar methods can be employed to identify prospective licensing issues.

Software development teams utilize so-called CI/CD, or continuous integration and continuous delivery, tools to turn their source code into working programs. Google claims that the new deps.dev API can be incorporated with these tools. Before processing a new code file, a CI/CD tool may examine the deps.dev dataset to identify potential issues.

Beyond letting teams automate those security checks, the new API from Google will offer developers more ways to interact with the deps.dev dataset.

Open-source products include documentation detailing their constituent parts. However, the documentation is not always current. A so-called true dependency graph capability, which is new to the API, analyzes the code of a package to generate a more comprehensive list of its components.

Jesper Sarnesjo, Senior Software Engineer at Google, and Nicky Ringland, Product Manager, reported, “This gives a real set of dependencies similar to what you would get by actually installing the package, which is useful when a package changes but the developer doesn’t update the lock file. With the deps.dev API, tools can assess, monitor, or visualize expected (or unexpected!) dependencies.”

The search engine giant claims that the API also supports hash queries. That functionality is meant to make it simpler to spot supply chain attacks, in which attackers introduce malicious code into a company’s applications; open-source packages are sometimes used to distribute such malicious code.

Using the new hash query functionality, developers can quickly determine whether a specific code file was added to an application via an open-source package. Also, the functionality draws attention to the particular package version the file came from.
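As an added illustration (not code from the article or from Google), the following Python script shows how such a hash query fits into a workflow: hash a vendored file, build the lookup URL, and read the package version(s) the file came from out of the response. The query endpoint, its parameters and the response layout are assumed here, not stated in the article, so the script is exercised offline against a constructed sample response.

```python
import base64
import hashlib
import json
import urllib.parse
import urllib.request

# Assumed endpoint shape for deps.dev hash queries; not confirmed by the article.
DEPS_DEV_QUERY_URL = "https://api.deps.dev/v3/query"


def sha256_b64(data: bytes) -> str:
    """SHA-256 of a file's bytes, base64-encoded (the assumed digest encoding)."""
    return base64.b64encode(hashlib.sha256(data).digest()).decode("ascii")


def build_hash_query_url(digest_b64: str) -> str:
    """Build the query URL; urlencode escapes the '+', '/' and '=' in the digest."""
    params = urllib.parse.urlencode({"hash.type": "SHA256", "hash.value": digest_b64})
    return f"{DEPS_DEV_QUERY_URL}?{params}"


def parse_query_response(body: dict) -> list[tuple[str, str, str]]:
    """Extract (system, name, version) for each package version that ships the file."""
    origins = []
    for result in body.get("results", []):
        key = result.get("version", {}).get("versionKey", {})
        if all(field in key for field in ("system", "name", "version")):
            origins.append((key["system"], key["name"], key["version"]))
    return origins


def fetch_json(url: str) -> dict:
    with urllib.request.urlopen(url, timeout=10) as resp:
        return json.load(resp)


def file_origin(data: bytes, fetch=fetch_json) -> list[tuple[str, str, str]]:
    """Which package version(s) did this file come from? Empty list means unknown."""
    return parse_query_response(fetch(build_hash_query_url(sha256_b64(data))))


# Constructed sample: a vendored file and the response assumed for a known hash.
SAMPLE_FILE = b"module.exports = function leftPad(str, len) { /* ... */ };\n"
SAMPLE_RESPONSE = {"results": [{"version": {"versionKey": {
    "system": "NPM", "name": "example-pkg", "version": "1.2.3"}}}]}


def demo() -> list[tuple[str, str, str]]:
    """Run the lookup offline against the constructed response."""
    return file_origin(SAMPLE_FILE, fetch=lambda url: SAMPLE_RESPONSE)


if __name__ == "__main__":
    for system, name, version in demo():
        print(f"file came from {system} package {name} version {version}")
```

An empty result for a file that claims to be part of a package is the interesting case: the file's content does not match any published version, which is what a tampered or unexpected dependency looks like.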

Ringland and Sarnesjo stated, “We hope the deps.dev API will help the community make sense of complex dependency data that allows them to respond to or prevent these types of attacks. By integrating this data into tools, workflows, and analyses, developers can more easily understand the risks in their software supply chains.”