Today, we’re excited to announce the deps.dev API, which offers free access to the deps.dev dataset of security metadata, including dependencies, licenses, advisories, and other critical health and security signals for more than 50 million open source package versions.
Software supply chain attacks are increasingly common and harmful, with high profile incidents such as Log4Shell, Codecov, and the recent 3CX hack. The overwhelming complexity of the software ecosystem causes trouble for even the most diligent and well-resourced developers.
We hope the deps.dev API will help the community make sense of complex dependency data so that they can respond to, or even prevent, these types of attacks. By integrating this data into tools, workflows, and analyses, developers can more easily understand the risks in their software supply chains.
As part of Google’s ongoing efforts to improve open source security, the Open Source Insights team has built a reliable view of software metadata across 5 packaging ecosystems. The deps.dev data set is continuously updated from a range of sources: package registries, the Open Source Vulnerability database, code hosts such as GitHub and GitLab, and the software artifacts themselves. This includes 5 million packages and more than 50 million versions from the Go, Maven, PyPI, npm, and Cargo ecosystems, and you’d better believe we’re counting them!
We collect and aggregate this data and derive transitive dependency graphs, advisory impact reports, OpenSSF Security Scorecard information, and more. Where the deps.dev website allows human exploration and examination, and the BigQuery dataset supports large-scale bulk data analysis, this new API enables programmatic, real-time access to the corpus for integration into tools, workflows, and analyses.
The API is used by a number of teams internally at Google to support the security of our own products. One of the first publicly visible uses is the GUAC integration, which uses the deps.dev data to enrich SBOMs. We have more exciting integrations in the works, but we’re most excited to see what the wider open source community builds!
We see the API as being useful for tool builders, researchers, and tinkerers who want to answer questions like:
- What versions are available for this package?
- What are the licenses that cover this version of a package, or all the packages in my codebase?
- How many dependencies does this package have? What are they?
- Does the latest version of this package include changes to dependencies or licenses?
- What versions of what packages correspond to this file?
Taken together, this information can help answer the most important overarching question: how much risk would this dependency add to my project?
The API can help surface critical security information where and when developers can act. This data can be integrated into:
- IDE plugins, to make dependency and security information immediately available.
- CI/CD integrations, to prevent rolling out code with vulnerability or license problems.
- Build tools and policy engine integrations, to help ensure compliance.
- Post-release analysis tools, to detect newly discovered vulnerabilities in your codebase.
- Tools to improve inventory management and mystery file identification.
- Visualizations to help you discover what your dependency graph actually looks like.
The API has a couple of great features that aren’t available through the deps.dev website.
Hash queries
A unique feature of the API is hash queries: you can look up the hash of a file’s contents and find all the package versions that contain that file. This can help you work out what version of which package you have even in the absence of other build metadata, which is useful in areas such as SBOMs, container analysis, incident response, and forensics.
Real dependency graphs
The deps.dev dependency data isn’t just what a package declares (its manifests, lock files, etc.), but rather a full dependency graph computed using the same algorithms as the packaging tools (Maven, npm, pip, Go, Cargo). This provides a real set of dependencies, similar to what you would get by actually installing the package, which is useful when a package changes but the developer doesn’t update the lock file. With the deps.dev API, tools can assess, monitor, or visualize expected (or unexpected!) dependencies.
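The following is an added example, not code from the deps.dev project, showing what a tool can do with one of these computed graphs: separate direct from transitive dependencies and find every chain that pulls a given package into the build, which is what you need to decide which direct dependency to bump. The sample response is constructed by hand to match the documented shape of the `:dependencies` endpoint (a `nodes` list with `versionKey` and `relation`, an `edges` list of `fromNode`/`toNode` indices, node 0 being the queried version); the package names under `com.example` are placeholders. Verify field names against the current API documentation before relying on them.

```python
# Added example (not from the deps.dev project): walk a GetDependencies
# response to split direct from transitive dependencies and find the chains
# that bring a given package into the resolved graph. SAMPLE_DEPENDENCIES is
# constructed by hand in the shape documented for
#   GET /v3alpha/systems/{system}/packages/{name}/versions/{version}:dependencies
# (assumption: nodes[]/edges[] with fromNode/toNode indices, node 0 = SELF).
import json
from collections import deque

SAMPLE_DEPENDENCIES = json.dumps({
    "nodes": [
        {"versionKey": {"system": "MAVEN", "name": "com.example:app", "version": "1.0.0"}, "relation": "SELF", "errors": []},
        {"versionKey": {"system": "MAVEN", "name": "com.example:web", "version": "2.3.0"}, "relation": "DIRECT", "errors": []},
        {"versionKey": {"system": "MAVEN", "name": "com.example:util", "version": "0.9.1"}, "relation": "DIRECT", "errors": []},
        {"versionKey": {"system": "MAVEN", "name": "com.example:logging-shim", "version": "1.1.0"}, "relation": "INDIRECT", "errors": []},
        {"versionKey": {"system": "MAVEN", "name": "org.apache.logging.log4j:log4j-core", "version": "2.14.1"}, "relation": "INDIRECT", "errors": []},
    ],
    "edges": [
        {"fromNode": 0, "toNode": 1, "requirement": "2.3.0"},
        {"fromNode": 0, "toNode": 2, "requirement": "0.9.1"},
        {"fromNode": 1, "toNode": 3, "requirement": "1.1.0"},
        {"fromNode": 2, "toNode": 3, "requirement": "[1.0,2.0)"},
        {"fromNode": 3, "toNode": 4, "requirement": "2.14.1"},
    ],
    "error": "",
})


def version_label(node):
    vk = node["versionKey"]
    return f'{vk["name"]}@{vk["version"]}'


def parse_graph(raw):
    """Return (response, labels, adjacency); adjacency maps node index -> child indices."""
    doc = json.loads(raw)
    labels = [version_label(n) for n in doc["nodes"]]
    adjacency = {i: [] for i in range(len(labels))}
    for e in doc["edges"]:
        adjacency[e["fromNode"]].append(e["toNode"])
    return doc, labels, adjacency


def direct_and_transitive(raw):
    """What the resolver actually installs, split by the API's own relation field."""
    doc, labels, _ = parse_graph(raw)
    direct = sorted(labels[i] for i, n in enumerate(doc["nodes"]) if n["relation"] == "DIRECT")
    transitive = sorted(labels[i] for i, n in enumerate(doc["nodes"]) if n["relation"] == "INDIRECT")
    return direct, transitive


def paths_to(raw, package_name):
    """Every root-to-node path ending at package_name (any version). Each path is a
    chain you would have to break to drop that package from the build."""
    doc, labels, adjacency = parse_graph(raw)
    targets = {i for i, n in enumerate(doc["nodes"]) if n["versionKey"]["name"] == package_name}
    found = []
    queue = deque([(0, [0])])  # node 0 is the SELF node (the queried version)
    while queue:
        node, path = queue.popleft()
        if node in targets:
            found.append([labels[i] for i in path])
            continue
        for child in adjacency[node]:
            if child not in path:  # resolved graphs can contain cycles; never revisit
                queue.append((child, path + [child]))
    return found


def direct_deps_to_bump(raw, package_name):
    """The direct dependencies (second hop of each path) that must change to remove package_name."""
    return sorted({p[1] for p in paths_to(raw, package_name) if len(p) > 1})


if __name__ == "__main__":
    direct, transitive = direct_and_transitive(SAMPLE_DEPENDENCIES)
    print("direct:", direct)
    print("transitive:", transitive)
    target = "org.apache.logging.log4j:log4j-core"
    for p in paths_to(SAMPLE_DEPENDENCIES, target):
        print(" -> ".join(p))
    print("bump:", direct_deps_to_bump(SAMPLE_DEPENDENCIES, target))
```

In the constructed graph both direct dependencies reach log4j-core through the same shim, so `direct_deps_to_bump` reports both; updating only one of them would leave the other path intact, which is exactly the situation the post's "Where?" question describes.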
API in action
For an example of how the API can help software supply chain security efforts, consider the questions it could answer in a scenario like the Log4Shell discovery:
- Am I affected? – A CI/CD integration powered by the free API would automatically detect that a new, critical vulnerability affects your codebase, and alert you to act.
- Where? – A dependency visualization tool pulling transitive dependency graphs from the deps.dev API would help you work out whether you can update one of your direct dependencies to fix the issue. If you were blocked, the tool would point you at the package(s) that are yet to be patched, so you could contribute a PR and help unblock yourself further up the tree.
- Where else? – You could query the API with hashes of vendored JAR files to check whether vulnerable log4j versions were unexpectedly hiding in them.
- How much of the ecosystem is impacted? – Researchers, package managers, and other observers could use the API to understand how their ecosystem has been affected, as we did in our blog post about Log4Shell’s impact.
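The "Am I affected?" and "Where else?" checks above, and the hash-query feature described earlier, as an added example that is not code from the deps.dev project. It computes the hash of a vendored file, builds the hash query, maps the matching package versions to the version endpoint the post's curl example uses, and applies a simple CI gate over the `advisoryKeys` of each resolved dependency. The network call is isolated in `fetch_json`; the responses used here are constructed by hand so the script runs offline, and the advisory ids are the ones the post's curl output shows for log4j 1.2.17. Assumptions to verify against the current API documentation: the hash query is `GET /v3alpha/query?hash.type=SHA256&hash.value=<base64 of the raw digest>` and answers with a `results` list whose entries carry a `version` object; `com.example:clean-lib` is a placeholder name.

```python
# Added example (not from the deps.dev project): hash query + advisory gate.
# Assumptions (verify against the API docs): /v3alpha/query takes hash.type and a
# base64-encoded hash.value and returns {"results": [{"version": {"versionKey": ...}}]};
# the version endpoint is the one in the post and returns "advisoryKeys".
import base64
import hashlib
import json
import urllib.parse
import urllib.request

API = "https://api.deps.dev/v3alpha"


def sha256_query_url(data: bytes) -> str:
    """Hash query for a file's contents. The digest is base64-encoded, not hex."""
    digest = hashlib.sha256(data).digest()
    params = urllib.parse.urlencode({"hash.type": "SHA256", "hash.value": base64.b64encode(digest).decode()})
    return f"{API}/query?{params}"


def version_url(system: str, name: str, version: str) -> str:
    """Version endpoint; names such as 'log4j:log4j' must be percent-encoded (log4j%3Alog4j)."""
    return (f"{API}/systems/{system.lower()}/packages/{urllib.parse.quote(name, safe='')}"
            f"/versions/{urllib.parse.quote(version, safe='')}")


def fetch_json(url: str) -> dict:
    """Unauthenticated GET against the live API; not used by the offline run below."""
    with urllib.request.urlopen(url, timeout=30) as resp:
        return json.load(resp)


def package_versions_for_hash(query_response: dict):
    """(system, name, version) for every package version that contains the hashed file."""
    out = []
    for r in query_response.get("results", []):
        vk = r["version"]["versionKey"]
        out.append((vk["system"], vk["name"], vk["version"]))
    return out


def advisory_ids(version_response: dict):
    return sorted(a["id"] for a in version_response.get("advisoryKeys", []))


def ci_gate(dependency_responses):
    """CI policy: block the build if any resolved dependency carries an advisory.
    Returns (ok, {"name@version": [advisory ids]}) so the failure is actionable."""
    findings = {}
    for resp in dependency_responses:
        vk = resp["versionKey"]
        ids = advisory_ids(resp)
        if ids:
            findings[f'{vk["name"]}@{vk["version"]}'] = ids
    return (len(findings) == 0, findings)


# --- constructed sample data (not real API output) --------------------------
VENDORED_JAR = b"PK\x03\x04 stand-in for the bytes of lib/vendored.jar"
SAMPLE_QUERY_RESPONSE = {"results": [{"version": {
    "versionKey": {"system": "MAVEN", "name": "log4j:log4j", "version": "1.2.17"}}}]}
SAMPLE_VERSION_RESPONSES = [
    {"versionKey": {"system": "MAVEN", "name": "log4j:log4j", "version": "1.2.17"},
     "advisoryKeys": [{"id": "GHSA-2qrg-x229-3v8q"}, {"id": "GHSA-65fg-84f6-3jq3"},
                      {"id": "GHSA-f7vh-qwp3-x37m"}, {"id": "GHSA-fp5r-v3w9-4333"},
                      {"id": "GHSA-w9p3-5cr8-m3jj"}]},
    {"versionKey": {"system": "MAVEN", "name": "com.example:clean-lib", "version": "3.0.0"},
     "advisoryKeys": []},
]

if __name__ == "__main__":
    print("hash query:", sha256_query_url(VENDORED_JAR))
    for system, name, version in package_versions_for_hash(SAMPLE_QUERY_RESPONSE):
        print(f"vendored jar is {name} {version}; details at {version_url(system, name, version)}")
    ok, findings = ci_gate(SAMPLE_VERSION_RESPONSES)
    print("build ok" if ok else f"build blocked: {findings}")
```

To run it against the live service, replace the two sample responses with `fetch_json(sha256_query_url(open(path, "rb").read()))` and `fetch_json(version_url(...))` for each entry of your lock file; the gate itself does not change.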
The API service is globally replicated and highly available, meaning that you and your tools can depend on it being there when you need it.
It’s also free and immediately available: no need to register for an API key. It’s just a simple, unauthenticated HTTPS API that returns JSON objects:
# List the advisories affecting log4j 1.2.17
$ curl https://api.deps.dev/v3alpha/systems/maven/packages/log4j%3Alog4j/versions/1.2.17 | jq '.advisoryKeys[].id'
"GHSA-2qrg-x229-3v8q"
"GHSA-65fg-84f6-3jq3"
"GHSA-f7vh-qwp3-x37m"
"GHSA-fp5r-v3w9-4333"
"GHSA-w9p3-5cr8-m3jj"
A single API call to list all the GHSA advisories affecting a particular version of log4j.
Check out the API Documentation to get started, or jump straight into the code with some examples.
Software supply chain security is hard, but it’s in all our interests to make it easier. Every day, Google works hard to create a safer internet, and we’re proud to be releasing this API to help do just that, and to make this data universally accessible and useful to everyone.
We look forward to seeing what you might do with the API, and would appreciate your feedback. (What works? What doesn’t? What would make it better?) You can reach us at depsdev@google.com, or by filing an issue on our GitHub repo.