Google LLC is making an application programming interface available so that developers can check the open-source code they use for vulnerabilities and other concerns.
The deps.dev API made its debut today. It expands on deps.dev, the open-source security initiative Google started in 2021. Packages from the open-source ecosystem are frequently incorporated into software projects. A package is a group of pre-written code modules intended to accomplish a specific task, such as formatting data. These modules free developers from having to build every element of their programs from scratch.
A program may inherit vulnerabilities from the open-source software it incorporates. To mitigate that risk, Google introduced deps.dev in 2021. The project makes security information on more than 5 million open-source packages accessible.
A software team can use deps.dev to determine whether a package has any known vulnerabilities. Google also provides details on other matters, such as licensing constraints: some open-source packages carry licences that restrict commercial use, which makes them unsuitable for certain enterprise software projects.
According to the company, the new API unveiled today will make the deps.dev dataset simpler for developers to use. It does so by making automation workflows easier to build. Google says such workflows can use deps.dev data to identify vulnerabilities and other problems more effectively than before.
An organisation can use the API to build a plugin that connects deps.dev to the code editor its developers use. Such a plugin could automatically check for known vulnerabilities when a developer adds an open-source package. The same approach can be used to flag potential licensing problems.
To turn their source code into working programs, software development teams use continuous integration and continuous delivery, or CI/CD, tools. According to Google, the new deps.dev API can be integrated with these tools: a CI/CD pipeline could query the deps.dev dataset before processing a new code file to identify potential problems. Beyond automating security checks, Google says the new API will give developers more ways to interact with the deps.dev dataset.
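The automation described above, as an added example that is not Google's or the deps.dev project's own code: a small Python policy gate that a CI job or an editor plugin could run over the version records it fetches from the API. The GetVersion URL layout and the `licenses` / `advisoryKeys` field names are my reading of the public v3 documentation and should be checked against it; the sample records are constructed, the disallowed-licence list is a hypothetical organisational policy, and the advisory id is a placeholder.

```python
"""Policy gate over deps.dev version records (added example, not Google's code).

Assumptions: GetVersion lives at
/v3/systems/{system}/packages/{name}/versions/{version} and its response
carries ``licenses`` (list of SPDX ids) and ``advisoryKeys`` (list of
{"id": ...}).  Sample records below are constructed, not real API output.
"""
from urllib.parse import quote

API_BASE = "https://api.deps.dev/v3"  # assumption: current public base URL

# Hypothetical organisational policy: licences this team will not ship commercially.
DISALLOWED_LICENSES = {"AGPL-3.0", "SSPL-1.0", "CC-BY-NC-4.0"}


def version_url(system: str, name: str, version: str) -> str:
    """Build the GetVersion URL.  The name is percent-encoded because scoped
    npm names contain '@' and '/', which would otherwise break the path."""
    return (f"{API_BASE}/systems/{system}/packages/{quote(name, safe='')}"
            f"/versions/{quote(version, safe='')}")


def evaluate_version(record: dict) -> dict:
    """Verdict for one package version.

    Blocked when it carries any known advisory or a disallowed licence.  A
    missing licence declaration is reported as a finding rather than silently
    passed, since "unknown" is not the same as "permitted".
    """
    advisories = [a["id"] for a in record.get("advisoryKeys", []) if "id" in a]
    licenses = record.get("licenses", [])
    bad_licenses = sorted(set(licenses) & DISALLOWED_LICENSES)
    findings = []
    if advisories:
        findings.append("known advisories: " + ", ".join(advisories))
    if bad_licenses:
        findings.append("disallowed licence(s): " + ", ".join(bad_licenses))
    if not licenses:
        findings.append("no licence declared")
    return {"blocked": bool(advisories or bad_licenses), "findings": findings}


def gate(records) -> tuple:
    """CI entry point: returns (may_proceed, report) over all fetched records."""
    report = []
    for rec in records:
        key = rec["versionKey"]
        label = f"{key['system']}:{key['name']}@{key['version']}"
        report.append((label, evaluate_version(rec)))
    return all(not verdict["blocked"] for _, verdict in report), report


# Constructed sample records in the assumed GetVersion shape.
SAMPLE_RECORDS = [
    {"versionKey": {"system": "NPM", "name": "example-util", "version": "1.2.3"},
     "licenses": ["MIT"], "advisoryKeys": []},
    {"versionKey": {"system": "NPM", "name": "example-db", "version": "0.9.0"},
     "licenses": ["AGPL-3.0"],
     "advisoryKeys": [{"id": "GHSA-PLACEHOLDER"}]},  # placeholder advisory id
]

if __name__ == "__main__":
    ok, report = gate(SAMPLE_RECORDS)
    for label, verdict in report:
        print(label, "BLOCKED" if verdict["blocked"] else "ok", verdict["findings"])
    raise SystemExit(0 if ok else 1)  # non-zero exit fails the pipeline step
```

In a real pipeline the records come from an HTTP GET of `version_url(...)` for every entry in the lockfile; the gate is kept free of network code so the policy logic can be unit-tested on its own. Exiting non-zero is what makes the CI step fail when a blocked version is present.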
Open-source packages come with documentation listing the components they are made up of, but that documentation isn't always current. A new "true dependency graph" capability in the API examines a package's code to compile a more accurate list of its parts.
Google says the API also supports hash queries. That feature makes it easier to spot supply chain attacks, in which attackers slip malicious code into a company's applications; open-source packages are sometimes used to distribute such code.
Using the new hash query feature, developers can quickly determine whether a specific file entered an application through an open-source package. The feature also identifies the particular package version the file came from.
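The hash-query attribution described above, as an added example that is not Google's or the deps.dev project's own code. It assumes the query endpoint is `/v3/query` with a `hash.type` parameter and a base64-encoded `hash.value` of the artifact exactly as the registry distributes it, and that each hit in `results` carries `version.versionKey`; both are my reading of the public docs and should be checked against them. The artifact bytes and the responses are constructed.

```python
"""Attribute a file to a package version via a deps.dev hash query.

Added example, not Google's code.  Assumed API shape: GET /v3/query with
hash.type=SHA256 and hash.value=<base64 digest>, returning
{"results": [{"version": {"versionKey": {...}}}, ...]}.  The artifact bytes
and responses below are constructed for the example.
"""
import base64
import hashlib
from urllib.parse import parse_qs, urlencode, urlparse

API_BASE = "https://api.deps.dev/v3"  # assumption: current public base URL


def sha256_query_url(artifact: bytes) -> str:
    """Hash the artifact bytes and build the hash-query URL.  urlencode
    percent-encodes the '+', '/' and '=' that base64 output may contain."""
    digest = hashlib.sha256(artifact).digest()
    params = {"hash.type": "SHA256",
              "hash.value": base64.b64encode(digest).decode("ascii")}
    return f"{API_BASE}/query?{urlencode(params)}"


def digest_from_query_url(url: str) -> bytes:
    """Inverse of the encoding above, used to confirm the round trip."""
    value = parse_qs(urlparse(url).query)["hash.value"][0]
    return base64.b64decode(value)


def attribute(response: dict) -> list:
    """Turn hash-query hits into 'SYSTEM:name@version' strings.

    An empty list means no indexed package version has that hash.  For a file
    that is supposed to be a published package artifact, that mismatch is
    itself worth flagging rather than being treated as "nothing to see".
    """
    hits = []
    for result in response.get("results", []):
        key = result.get("version", {}).get("versionKey", {})
        if all(k in key for k in ("system", "name", "version")):
            hits.append(f"{key['system']}:{key['name']}@{key['version']}")
    return hits


# Constructed inputs: a fake artifact and fake responses in the assumed shape.
SAMPLE_ARTIFACT = b"constructed tarball bytes for the example\n"
SAMPLE_RESPONSE = {"results": [
    {"version": {"versionKey": {"system": "NPM", "name": "example-util",
                                "version": "1.2.3"}}},
]}
NO_MATCH_RESPONSE = {"results": []}

if __name__ == "__main__":
    print(sha256_query_url(SAMPLE_ARTIFACT))
    print(attribute(SAMPLE_RESPONSE) or "no indexed package version has this hash")
```

A tampered copy of a package (one byte changed in the tarball) produces a different digest and therefore no hit, which is exactly the signal a supply chain check wants; the check is only meaningful when the hash is taken over the artifact as distributed, not over a locally rebuilt or unpacked copy.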