Critical dependency data for secure supply chains


Posted by Jesper Sarnesjo and Nicky Ringland, Google Open Source Security Team

Today, we're excited to announce the deps.dev API, which provides free access to the deps.dev dataset of security metadata, including dependencies, licenses, advisories, and other critical health and security signals for more than 50 million open source package versions.

Software supply chain attacks are increasingly common and harmful, with high profile incidents such as Log4Shell, Codecov, and the recent 3CX hack. The overwhelming complexity of the software ecosystem causes trouble for even the most diligent and well-resourced developers.

We hope the deps.dev API will help the community make sense of complex dependency data so that they can respond to, or even prevent, these types of attacks. By integrating this data into tools, workflows, and analyses, developers can more easily understand the risks in their software supply chains.

As part of Google's ongoing efforts to improve open source security, the Open Source Insights team has built a reliable view of software metadata across five packaging ecosystems. The deps.dev dataset is continuously updated from a range of sources: package registries, the Open Source Vulnerabilities (OSV) database, code hosts such as GitHub and GitLab, and the software artifacts themselves. This covers 5 million packages and more than 50 million versions from the Go, Maven, PyPI, npm, and Cargo ecosystems, and you'd better believe we're counting them!

We collect and aggregate this data and derive transitive dependency graphs, advisory impact reports, OpenSSF Security Scorecard information, and more. Where the deps.dev website allows human exploration and examination, and the BigQuery dataset supports large-scale bulk data analysis, this new API enables programmatic, real-time access to the corpus for integration into tools, workflows, and analyses.

The API is used by a number of teams internally at Google to support the security of our own products. One of the first publicly visible uses is the GUAC integration, which uses the deps.dev data to enrich SBOMs. We have more exciting integrations in the works, but we're most excited to see what the greater open source community builds!

We see the API as being useful for tool builders, researchers, and tinkerers who want to answer questions like:

What versions are available for this package?

What are the licenses that cover this version of a package, or all the packages in my codebase?

How many dependencies does this package have? What are they?

Does the latest version of this package include changes to dependencies or licenses?

What versions of what packages correspond to this file?

Taken together, this information can help answer the most important overarching question: how much risk would this dependency add to my project?

The API can help surface critical security information where and when developers can act. This data can be integrated into:

IDE plugins, to make dependency and security information immediately available.

CI/CD integrations, to prevent rolling out code with vulnerability or license problems.

Build tool and policy engine integrations, to help ensure compliance.

Post-release analysis tools, to detect newly discovered vulnerabilities in your codebase.

Tools to improve inventory management and mystery file identification.

Visualizations, to help you discover what your dependency graph really looks like.

The API has a couple of great features that aren't available through the deps.dev website.

Hash queries

A unique feature of the API is hash queries: you can look up the hash of a file's contents and find all the package versions that contain that file. This can help figure out what version of which package you have, even absent other build metadata, which is useful in areas such as SBOMs, container analysis, incident response, and forensics.
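The hash lookup described above, and the "where else is log4j hiding?" check in the Log4Shell scenario later on this page, as an added example that is not part of the original post or of the deps.dev project's own code. It hashes a file, builds the v3alpha query URL, and turns the response into (system, name, version) triples. The endpoint shape is assumed from the v3alpha documentation: a GET on /v3alpha/query with hash.type and a base64-encoded hash.value, answering with a results list of version records. The JAR bytes and the API response are constructed fixtures so the script runs offline; swap in http_get_json for a real lookup.

```python
"""Added example (not part of the deps.dev announcement): identify a file of
unknown provenance with the deps.dev v3alpha hash query endpoint."""
from __future__ import annotations

import base64
import hashlib
import json
import urllib.parse
import urllib.request
from typing import Callable

QUERY_URL = "https://api.deps.dev/v3alpha/query"


def hash_query_url(sha256_digest: bytes) -> str:
    # Assumed v3alpha shape: the algorithm name plus the raw digest, which is
    # sent base64-encoded (not hex). urlencode escapes '+', '/' and '='.
    params = {
        "hash.type": "SHA256",
        "hash.value": base64.b64encode(sha256_digest).decode("ascii"),
    }
    return QUERY_URL + "?" + urllib.parse.urlencode(params)


def digest_from_url(url: str) -> bytes:
    # Inverse of hash_query_url, handy for checking what was actually sent.
    query = urllib.parse.parse_qs(urllib.parse.urlparse(url).query)
    return base64.b64decode(query["hash.value"][0])


def parse_hash_results(body: dict) -> list[tuple[str, str, str]]:
    # Each result carries a version record whose versionKey names a package
    # version that ships a file with exactly this content. A widely copied
    # file legitimately matches many versions, so callers get all of them
    # and must not assume the first hit is "the" package.
    hits = []
    for result in body.get("results", []):
        key = result["version"]["versionKey"]
        hits.append((key["system"], key["name"], key["version"]))
    return hits


def http_get_json(url: str) -> dict:
    with urllib.request.urlopen(url, timeout=10) as resp:
        return json.load(resp)


def identify_file(data: bytes, fetch: Callable[[str], dict] = http_get_json) -> list[tuple[str, str, str]]:
    """Return the (system, name, version) triples whose artifacts contain `data`."""
    return parse_hash_results(fetch(hash_query_url(hashlib.sha256(data).digest())))


# Constructed fixture: stand-in bytes for a vendored JAR and the kind of
# response the endpoint returns. Neither the bytes nor the hit are real data.
FAKE_JAR = b"PK\x03\x04 constructed jar contents, not a real artifact"
FAKE_RESPONSE = {
    "results": [
        {"version": {"versionKey": {"system": "MAVEN", "name": "log4j:log4j", "version": "1.2.17"}}}
    ]
}


def offline_fetch(url: str) -> dict:
    # Pretend the API answered; a real run passes http_get_json instead.
    return FAKE_RESPONSE if url.startswith(QUERY_URL) else {"results": []}


if __name__ == "__main__":
    for system, name, version in identify_file(FAKE_JAR, fetch=offline_fetch):
        print(f"{system} {name} {version}")
```

Feed it the SHA-256 of every JAR under a vendored lib/ directory and you get an inventory of which package versions those files came from, without relying on file names or manifests that an attacker or a careless build could have altered.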

Actual dependency graphs

The deps.dev dependency data is not just what a package declares (its manifests, lock files, and so on), but rather a full dependency graph computed using the same algorithms as the packaging tools (Maven, npm, pip, Go, Cargo). This gives a real set of dependencies, similar to what you would get by actually installing the package, which is useful when a package changes but the developer doesn't update the lock file. With the deps.dev API, tools can assess, monitor, or visualize expected (or unexpected!) dependencies.

API in action

For a demonstration of how the API can help software supply chain security efforts, consider the questions it could answer in a situation like the Log4Shell discovery:

Am I affected? A CI/CD integration powered by the free API would automatically detect that a new, critical vulnerability is affecting your codebase, and alert you to act.

Where? A dependency visualization tool pulling transitive dependency graphs from the deps.dev API would help you identify whether you can update one of your direct dependencies to fix the issue. If you were blocked, the tool would point you at the package(s) that are yet to be patched, so you could contribute a PR and help unblock yourself further up the tree.

Where else? You could query the API with hashes of vendored JAR files to check whether vulnerable log4j versions were unexpectedly hiding in them.

How much of the ecosystem is impacted? Researchers, package maintainers, and other observers could use the API to understand how their ecosystem has been affected, as we did in our blog post about Log4Shell's impact.
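The "Am I affected?" and "Where?" steps above, built on the resolved dependency graphs described under "Real dependency graphs", as an added example that is not part of the original post or of the deps.dev project's own code. It fetches a version's resolved transitive graph, looks up every node's advisories, fails the build if any are found, and names the direct dependency that pulls each vulnerable node in. The endpoint shapes are assumed from the v3alpha documentation: the `:dependencies` suffix on a version URL returns nodes (node 0 is the queried version) and edges (fromNode, toNode indices) plus an error string, and the version endpoint returns advisoryKeys as on this page. The API responses are constructed fixtures so it runs offline; the advisory ids are the five listed in the curl example below, and the package coordinates other than log4j:log4j 1.2.17 are made up.

```python
"""Added example (not part of the deps.dev announcement): a CI gate that walks
a version's resolved transitive dependency graph from deps.dev v3alpha, fails
on any node with advisories, and reports which direct dependency pulls it in."""
from __future__ import annotations

import json
import urllib.parse
import urllib.request
from typing import Callable

API = "https://api.deps.dev/v3alpha"


def version_url(system: str, name: str, version: str) -> str:
    # Name and version are each one path segment, so ':' in Maven coordinates
    # and '@' or '/' in scoped npm names must be percent-encoded.
    return (f"{API}/systems/{system}/packages/{urllib.parse.quote(name, safe='')}"
            f"/versions/{urllib.parse.quote(version, safe='')}")


def dependencies_url(system: str, name: str, version: str) -> str:
    # Assumed v3alpha shape: the resolved graph lives at <version>:dependencies.
    return version_url(system, name, version) + ":dependencies"


def http_get_json(url: str) -> dict:
    with urllib.request.urlopen(url, timeout=10) as resp:
        return json.load(resp)


def _reaches(children: dict[int, list[int]], start: int, target: int) -> bool:
    # Depth-first search over node indices; cycles are possible in some
    # ecosystems, hence the visited set.
    seen, stack = set(), [start]
    while stack:
        node = stack.pop()
        if node == target:
            return True
        if node not in seen:
            seen.add(node)
            stack.extend(children[node])
    return False


def gate(system: str, name: str, version: str,
         fetch: Callable[[str], dict] = http_get_json) -> list[dict]:
    graph = fetch(dependencies_url(system, name, version))
    if graph.get("error"):
        # Resolution itself failed; never read an empty graph as "no findings".
        raise RuntimeError(f"dependency resolution failed: {graph['error']}")
    nodes = graph.get("nodes") or []
    if not nodes:
        raise RuntimeError("dependency graph has no nodes")
    children: dict[int, list[int]] = {i: [] for i in range(len(nodes))}
    for edge in graph.get("edges", []):
        children[edge["fromNode"]].append(edge["toNode"])
    findings = []
    for idx in range(1, len(nodes)):  # skip node 0, the queried version itself
        key = nodes[idx]["versionKey"]
        info = fetch(version_url(key["system"], key["name"], key["version"]))
        ids = sorted(adv["id"] for adv in info.get("advisoryKeys", []))
        if ids:
            findings.append({
                "name": key["name"], "version": key["version"], "advisories": ids,
                # Direct dependencies (children of the root) through which this
                # node is reachable: the place an upgrade or PR would go.
                "via": [nodes[d]["versionKey"]["name"] for d in children[0]
                        if _reaches(children, d, idx)],
            })
    return findings


# Constructed fixture standing in for API responses. Only log4j:log4j 1.2.17 and
# its advisory ids come from the announcement; the other coordinates are made up.
ROOT = ("maven", "org.example:app", "1.0.0")


def _node(system: str, name: str, version: str) -> dict:
    return {"versionKey": {"system": system, "name": name, "version": version}}


FAKE = {
    dependencies_url(*ROOT): {
        "nodes": [_node(*ROOT), _node("maven", "com.example:util", "2.0.0"),
                  _node("maven", "log4j:log4j", "1.2.17"), _node("maven", "org.example:plain", "3.1.0")],
        "edges": [{"fromNode": 0, "toNode": 1}, {"fromNode": 0, "toNode": 3}, {"fromNode": 1, "toNode": 2}],
        "error": "",
    },
    version_url("maven", "com.example:util", "2.0.0"): {"advisoryKeys": []},
    version_url("maven", "log4j:log4j", "1.2.17"): {"advisoryKeys": [
        {"id": "GHSA-2qrg-x229-3v8q"}, {"id": "GHSA-65fg-84f6-3jq3"}, {"id": "GHSA-f7vh-qwp3-x37m"},
        {"id": "GHSA-fp5r-v3w9-4333"}, {"id": "GHSA-w9p3-5cr8-m3jj"}]},
    version_url("maven", "org.example:plain", "3.1.0"): {"advisoryKeys": []},
}


def run_gate_offline() -> list[dict]:
    return gate(*ROOT, fetch=lambda url: FAKE[url])


if __name__ == "__main__":
    results = run_gate_offline()
    for f in results:
        print(f"{f['name']}@{f['version']} via {', '.join(f['via'])}: {', '.join(f['advisories'])}")
    raise SystemExit(1 if results else 0)  # non-zero exit fails the pipeline
```

Run it against your own coordinates with the default fetcher and the exit status is the CI verdict. Because the graph comes from deps.dev's resolution rather than your lock file, it also catches the case the post describes where a dependency has changed but the lock file was never regenerated.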

The API service is globally replicated and highly available, meaning that you and your tools can rely on it being there when you need it.

It's also free and immediately available, with no need to register for an API key. It's just a simple, unauthenticated HTTPS API that returns JSON objects:

# List the advisories affecting log4j 1.2.17
$ curl https://api.deps.dev/v3alpha/systems/maven/packages/log4j%3Alog4j/versions/1.2.17 \
    | jq '.advisoryKeys[].id'
"GHSA-2qrg-x229-3v8q"
"GHSA-65fg-84f6-3jq3"
"GHSA-f7vh-qwp3-x37m"
"GHSA-fp5r-v3w9-4333"
"GHSA-w9p3-5cr8-m3jj"

A single API call lists all the GHSA advisories affecting a particular version of log4j. Note the percent-encoded colon in the Maven coordinates (log4j%3Alog4j): package names and versions occupy one path segment each, so any reserved characters in them must be URL-encoded.

Check out the API documentation to get started, or jump straight into the code with some examples.

Software supply chain security is hard, but it's in all our interests to make it easier. Every day, Google works hard to create a safer internet, and we're proud to be releasing this API to help do just that, and to make this data universally accessible and useful to everyone.

We look forward to seeing what you can do with the API, and would appreciate your feedback. (What works? What doesn't? What would make it better?) You can reach us at depsdev@google.com, or by filing an issue on our GitHub repo.
