Saturday, October 14, 2023

Critical dependency data for secure supply chains


Today, we're excited to announce the deps.dev API, which provides free access to the deps.dev dataset of security metadata, including dependencies, licenses, advisories, and other critical health and security signals for more than 50 million open source package versions.

Software supply chain attacks are increasingly common and harmful, with high profile incidents such as Log4Shell, Codecov, and the recent 3CX hack. The overwhelming complexity of the software ecosystem causes trouble for even the most diligent and well-resourced developers.

We hope the deps.dev API will help the community make sense of complex dependency data that allows them to respond to—or even prevent—these types of attacks. By integrating this data into tools, workflows, and analyses, developers can more easily understand the risks in their software supply chains.

As part of Google's ongoing efforts to improve open source security, the Open Source Insights team has built a reliable view of software metadata across 5 packaging ecosystems. The deps.dev data set is continuously updated from a range of sources: package registries, the Open Source Vulnerability database, code hosts such as GitHub and GitLab, and the software artifacts themselves. This includes 5 million packages, more than 50 million versions, from the Go, Maven, PyPI, npm, and Cargo ecosystems—and you'd better believe we're counting them!

We collect and aggregate this data and derive transitive dependency graphs, advisory impact reports, OpenSSF Security Scorecard information, and more. Where the deps.dev website allows human exploration and examination, and the BigQuery dataset supports large-scale bulk data analysis, this new API enables programmatic, real-time access to the corpus for integration into tools, workflows, and analyses.

The API is used by a number of teams internally at Google to support the security of our own products. One of the first publicly visible uses is the GUAC integration, which uses the deps.dev data to enrich SBOMs. We have more exciting integrations in the works, but we're most excited to see what the greater open source community builds!

We see the API as being useful for tool builders, researchers, and tinkerers who want to answer questions like:

  • What versions are available for this package?
  • What are the licenses that cover this version of a package—or all the packages in my codebase?
  • How many dependencies does this package have? What are they?
  • Does the latest version of this package include changes to dependencies or licenses?
  • What versions of what packages correspond to this file?

Taken together, this information can help answer the most important overarching question: how much risk would this dependency add to my project?

The API can help surface critical security information where and when developers can act. This data can be integrated into:

  • IDE plugins, to make dependency and security information immediately available.
  • CI/CD integrations, to prevent rolling out code with vulnerability or license problems.
  • Build tools and policy engine integrations, to help ensure compliance.
  • Post-release analysis tools, to detect newly discovered vulnerabilities in your codebase.
  • Tools to improve inventory management and mystery file identification.
  • Visualizations to help you discover what your dependency graph really looks like.

The API has a couple of great features that aren't available through the deps.dev website.

Hash queries

A unique feature of the API is hash queries: you can look up the hash of a file's contents and find all the package versions that contain that file. This can help figure out what version of which package you have even absent other build metadata, which is useful in areas such as SBOMs, container analysis, incident response, and forensics.

Real dependency graphs

The deps.dev dependency data is not just what a package declares (its manifests, lock files, etc.), but rather a full dependency graph computed using the same algorithms as the packaging tools (Maven, npm, Pip, Go, Cargo). This gives a real set of dependencies similar to what you would get by actually installing the package, which is useful when a package changes but the developer doesn't update the lock file. With the deps.dev API, tools can assess, monitor, or visualize expected (or unexpected!) dependencies.

API in action

For an example of how the API can help software supply chain security efforts, consider the questions it could answer in a scenario similar to the Log4Shell discovery:

  • Am I affected? – A CI/CD integration powered by the free API would automatically detect that a new, critical vulnerability is affecting your codebase, and alert you to act.
  • Where? – A dependency visualization tool pulling from the deps.dev API transitive dependency graphs would help you identify whether you can update one of your direct dependencies to fix the issue. If you were blocked, the tool would point you at the package(s) that are yet to be patched, so you could contribute a PR and help unblock yourself further up the tree.
  • Where else? – You could query the API with hashes of vendored JAR files to check if vulnerable log4j versions were unexpectedly hiding therein.
  • How much of the ecosystem is impacted? – Researchers, package managers, and other observers could use the API to understand how their ecosystem has been affected, as we did in this blog post about Log4Shell's impact.

The API service is globally replicated and highly available, meaning that you and your tools can depend on it being there when you need it.

It's also free and immediately available—no need to register for an API key. It's just a simple, unauthenticated HTTPS API that returns JSON objects:

# List the advisories affecting log4j 1.2.17
$ curl https://api.deps.dev/v3alpha/systems/maven/packages/log4j%3Alog4j/versions/1.2.17 \
        | jq '.advisoryKeys[].id'
"GHSA-2qrg-x229-3v8q"
"GHSA-65fg-84f6-3jq3"
"GHSA-f7vh-qwp3-x37m"
"GHSA-fp5r-v3w9-4333"
"GHSA-w9p3-5cr8-m3jj"

A single API call to list all the GHSA advisories affecting a specific version of log4j.
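As an added example (not code from the blog post or the deps.dev project), the following Python helper builds the same GetVersion URL as the curl call above, with the Maven coordinate's colon percent-encoded as "%3A", extracts the advisory ids from a constructed response shaped like that output, and builds a hash-query URL for a file's contents; the Query endpoint's hash.type / hash.value parameter names are an assumption to verify against the API documentation.

```python
"""Offline-testable helper for the deps.dev v3alpha API (added example)."""
import base64
import hashlib
import json
import urllib.parse

API_BASE = "https://api.deps.dev/v3alpha"


def version_url(system: str, name: str, version: str) -> str:
    """Build the GetVersion URL. Maven names are "group:artifact", so the
    name must be percent-encoded (":" becomes "%3A"), as in the curl example."""
    return (f"{API_BASE}/systems/{system}/packages/"
            f"{urllib.parse.quote(name, safe='')}/versions/"
            f"{urllib.parse.quote(version, safe='')}")


def hash_query_url(content: bytes) -> str:
    """Build a hash-query URL for a file's raw contents (e.g. a vendored JAR).
    ASSUMPTION (not stated on the page): the Query endpoint takes hash.type
    and a base64-encoded hash.value; check the API documentation."""
    digest = hashlib.sha256(content).digest()
    params = urllib.parse.urlencode(
        {"hash.type": "SHA256",
         "hash.value": base64.b64encode(digest).decode()})
    return f"{API_BASE}/query?{params}"


def advisory_ids(version_json: str) -> list[str]:
    """Same selection as jq '.advisoryKeys[].id' on a GetVersion response."""
    doc = json.loads(version_json)
    return [key["id"] for key in doc.get("advisoryKeys", [])]


def ci_gate(version_json: str) -> bool:
    """CI/CD gate: pass (True) only when no advisory affects the version."""
    return not advisory_ids(version_json)


# Constructed sample response, shaped like the page's log4j 1.2.17 output
# (two of the advisory ids quoted on the page; other fields omitted).
SAMPLE_RESPONSE = json.dumps({
    "versionKey": {"system": "MAVEN", "name": "log4j:log4j", "version": "1.2.17"},
    "advisoryKeys": [{"id": "GHSA-2qrg-x229-3v8q"}, {"id": "GHSA-65fg-84f6-3jq3"}],
})

if __name__ == "__main__":
    print(version_url("maven", "log4j:log4j", "1.2.17"))
    print(advisory_ids(SAMPLE_RESPONSE), "CI gate passes:", ci_gate(SAMPLE_RESPONSE))
```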

Check out the API Documentation to get started, or jump straight into the code with some examples.

Software supply chain security is hard, but it's in all our interests to make it easier. Every day, Google works hard to create a safer internet, and we're proud to be releasing this API to help do just that, and make this data universally accessible and useful to everyone.

We look forward to seeing what you can do with the API, and would appreciate your feedback. (What works? What doesn't? What makes it better?) You can reach us at depsdev@google.com, or by filing an issue on our GitHub repo.


