New Google tool reveals dependencies for open source projects (Security News, June 2021)
Google has released a new, experimental tool to help developers discover the dependencies of the open source packages and libraries they use, along with the known security vulnerabilities those dependencies currently carry.
Open Source Insights is a Google Cloud Platform-hosted tool, accessible via a website, into which users can enter the name of a specific open source package and get an overview of how it is put together: its direct and transitive dependencies, their licences, and any known vulnerabilities.
"Among other features, it provides interactive tools to visualize and analyze full, transitive dependency graphs. It also has a comparison tool to highlight how different versions of a package might affect your dependencies, perhaps by changing their own dependencies, adding licensing requirements, or fixing security problems," the Open Source Insights Team explained.
As enterprises' use of open source software grows, the risks posed by unmanaged open source become pervasive, so keeping an eye on the many and frequent changes in the packages one's software depends on is a must: a single direct dependency can pull in dozens of transitive ones, and a vulnerability in any of them is a vulnerability in the application.
"Insights is not an attempt to replace the standard tool set, but rather to augment it with a fresh, integrated view of the whole ecosystem for each packaging model," Google explained.
"A key difference is that the Insights data is derived from first principles, looking at the software and its packaging definition. The result may be substantially different or more complete than just the declared dependencies of a packaging 'lock' file. Moreover, the data presented by Insights is re-evaluated regularly, to keep it up to date, which is important in the fast-moving world of open source development."
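The two capabilities described above, walking the full transitive dependency graph rather than trusting a lock file's declared list, and comparing what two versions of a package drag in, can be illustrated with a small worked example. The following code is an added example and is not Google's code or the Open Source Insights implementation; it works from a constructed, toy package index and a constructed advisory entry (the package names, versions and the advisory label are all invented for illustration) rather than from a real registry.

```python
from collections import deque

# Constructed toy package index: name -> version -> list of (dep_name, dep_version).
# These are NOT real packages; they stand in for what a registry would return.
INDEX = {
    "webapp":       {"1.0.0": [("http-lib", "2.0.0"), ("json-lib", "1.1.0")],
                     "1.1.0": [("http-lib", "2.1.0"), ("json-lib", "1.1.0")]},
    "http-lib":     {"2.0.0": [("tls-lib", "3.0.0")],
                     "2.1.0": [("tls-lib", "3.0.0"), ("compress-lib", "0.9.0")]},
    "json-lib":     {"1.1.0": []},
    "tls-lib":      {"3.0.0": [("crypto-lib", "1.0.0")]},
    "compress-lib": {"0.9.0": []},
    "crypto-lib":   {"1.0.0": []},
}

# Constructed advisory list: (name, version) -> advisory label. The label is a
# placeholder for this example, not a real vulnerability identifier.
ADVISORIES = {("compress-lib", "0.9.0"): "example-advisory-1"}


def declared_deps(name, version, index=INDEX):
    """The direct dependencies a package declares (what a shallow lock-file
    reading would show)."""
    return list(index[name][version])


def transitive_deps(name, version, index=INDEX):
    """Breadth-first walk of the full dependency graph rooted at (name, version).

    Returns {(dep_name, dep_version): depth} for every package reachable from
    the root, excluding the root itself. The 'seen' set also guards against
    dependency cycles, which real ecosystems do contain.
    """
    root = (name, version)
    seen = {root: 0}
    queue = deque([root])
    while queue:
        pkg, ver = queue.popleft()
        for dep in index[pkg][ver]:
            if dep not in seen:
                seen[dep] = seen[(pkg, ver)] + 1
                queue.append(dep)
    del seen[root]
    return seen


def compare_versions(name, old, new, index=INDEX):
    """What enters and leaves the transitive closure when moving a package
    from version 'old' to version 'new'."""
    before = set(transitive_deps(name, old, index))
    after = set(transitive_deps(name, new, index))
    return {"added": sorted(after - before), "removed": sorted(before - after)}


def affected(name, version, advisories=ADVISORIES, index=INDEX):
    """Advisories that apply anywhere in the transitive closure, not just to
    the directly declared dependencies."""
    closure = transitive_deps(name, version, index)
    return {pkg: adv for pkg, adv in advisories.items() if pkg in closure}


if __name__ == "__main__":
    print("declared:", declared_deps("webapp", "1.0.0"))
    print("transitive:", transitive_deps("webapp", "1.0.0"))
    print("1.0.0 -> 1.1.0:", compare_versions("webapp", "1.0.0", "1.1.0"))
    print("affected in 1.1.0:", affected("webapp", "1.1.0"))
```

In this constructed index, `webapp 1.0.0` declares two dependencies but transitively depends on four packages, and bumping it to `1.1.0` silently brings in `compress-lib 0.9.0` through `http-lib 2.1.0`, which is exactly the kind of change a version-comparison view is meant to surface before the upgrade lands. Because the advisory lookup runs over the transitive closure rather than the declared list, the affected package is reported even though nothing in `webapp`'s own manifest mentions it.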
News URL: http://feedproxy.google.com/~r/HelpNetSecurity/~3/GpqsmbynU3Q/