
How to use Google's new dependency mapping tool to find security flaws buried in your projects
2021-06-04 02:59

Google has built an online tool that maps out all the dependencies in millions of open-source software libraries and flags up any unpatched vulnerabilities.

"It then constructs a full dependency graph - transitively tracking dependencies, dependencies' dependencies, and so on - and incorporates the metadata, then publishes it so you can see how it all might affect your software. And the information it provides is continually updated."

You can see the chain of dependencies down to the crates that handle Windows API calls on that platform, and all the paths leading to libc. More importantly, and unexpectedly for a Rust project, Google's service shows that the latest version of tui, 0.15.0, has a couple of security holes.

It's clear these are in tui's dependencies, and programmers who use the interface library in their applications may not be aware of the buried bugs.

One of these vulnerabilities is RUSTSEC-2019-0005 in tui's pancurses dependency.

Even if they are not practicably exploitable in real-world applications, they still serve as an example of how Google's Open Source Insights can be used to discover potential security flaws lurking in your project's dependency graph.
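As an added example (not code from the article or from Google's tool), the routine below does in miniature what the service is described as doing: it walks a resolved dependency graph transitively and, for every crate matching a known advisory, reports the chain that pulled it in. The sample graph, the pancurses and libc versions and the advisory's fix status are constructed placeholders; only tui 0.15.0, pancurses and RUSTSEC-2019-0005 come from the article.

```rust
use std::collections::{HashMap, HashSet, VecDeque};
/// Direct-dependency edges keyed by "name@version", as a lockfile resolves them.
pub type Graph = HashMap<&'static str, Vec<&'static str>>;

/// An advisory: id, affected crate, and first patched version (None = no fix published).
pub struct Advisory { pub id: &'static str, pub package: &'static str, pub patched: Option<&'static str> }

/// True when `node` is the advised crate at a version below the fix (or no fix exists).
/// Versions are compared numerically per dotted component, so "0.15.0" < "0.16.0".
pub fn is_affected(node: &str, adv: &Advisory) -> bool {
    let parts = |v: &str| v.split('.').map(|p| p.parse::<u64>().unwrap_or(0)).collect::<Vec<_>>();
    let (name, version) = node.split_once('@').unwrap_or((node, "0"));
    name == adv.package && adv.patched.map_or(true, |fix| parts(version) < parts(fix))
}

/// Breadth-first walk of the transitive graph from `root`. Each advisory hit is returned
/// with the shortest chain root -> ... -> affected crate, which shows the developer which
/// direct dependency pulled the vulnerable code in (tui -> pancurses in the sample below).
pub fn find_vulnerable_paths(graph: &Graph, root: &'static str, advisories: &[Advisory])
    -> Vec<(String, Vec<&'static str>)> {
    let mut seen = HashSet::new();
    let mut queue = VecDeque::from([vec![root]]);
    let mut findings = Vec::new();
    while let Some(path) = queue.pop_front() {
        let current = *path.last().unwrap();
        if !seen.insert(current) {
            continue; // already reached by an equal-or-shorter chain
        }
        for adv in advisories.iter().filter(|a| is_affected(current, a)) {
            findings.push((adv.id.to_string(), path.clone()));
        }
        for dep in graph.get(current).into_iter().flatten() {
            let mut next = path.clone();
            next.push(*dep);
            queue.push_back(next);
        }
    }
    findings
}

/// Constructed sample: an app depending on tui 0.15.0, which pulls in pancurses and libc.
/// The pancurses and libc versions and the advisory's fix status are placeholders, not RustSec data.
pub fn sample() -> (Graph, Vec<Advisory>) {
    let graph = Graph::from([
        ("myapp@0.1.0", vec!["tui@0.15.0"]),
        ("tui@0.15.0", vec!["pancurses@0.16.1", "libc@0.2.0"]),
        ("pancurses@0.16.1", vec!["libc@0.2.0"]),
    ]);
    (graph, vec![Advisory { id: "RUSTSEC-2019-0005", package: "pancurses", patched: None }])
}
```

Running `find_vulnerable_paths` on the sample reports the chain myapp -> tui -> pancurses for RUSTSEC-2019-0005, which is exactly the "buried" dependency a developer looking only at their direct dependencies would miss.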

News URL

https://go.theregister.com/feed/www.theregister.com/2021/06/04/google_open_source_insights/