Google now provides an API for querying Open Source Insights data. The project maps the dependencies of open source packages and is intended to help secure the software supply chain. With the new deps.dev API, these metadata queries can be integrated into workflows and tools.

The Open Source Insights website was launched in 2021. It offers an interactive search across five package ecosystems and, under Dependencies, shows the packages and components a given package pulls in. Conversely, under Dependents, it lists the modules that use the package.

Anyone who adds tailwindcss from npm to their project takes on numerous transitive dependencies, which the graph view on Open Source Insights makes visible.

This makes transitive dependencies identifiable, which reveals, for example, that your own project does not use a package with a newly discovered vulnerability directly but pulls it in indirectly through the dependencies of a module it integrates.

The newly released deps.dev API allows integration into tools, so teams can build dependency queries into their CI/CD (Continuous Integration, Continuous Delivery) pipelines. Build tools and IDE plug-ins can access the information as well.

The API can be accessed either as JSON over HTTP or via gRPC (gRPC Remote Procedure Calls). Among other things, the interface offers calls to query the number of dependencies of a package version and to list the individual dependencies. Programs can also use the API to query which versions of a package exist and which licenses apply to each of them.

Beyond the information that the website presents interactively, the API offers hash queries. These can be used to try to determine the version of an included package from its hash value when the metadata from the build process is missing or incomplete; naturally this only works for artifacts that deps.dev has already indexed.
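As an added example (not code from the article or from the deps.dev project), the following Python builds the v3alpha URLs for the version, dependency and hash queries described above and walks a constructed dependency graph in the shape of a GetDependencies response to report through which chain a given package is pulled in, i.e. the "not used directly, but indirectly via another module" check described earlier. The endpoint paths and the base64 encoding of the hash value are assumptions based on the deps.dev documentation and should be checked against it; the sample graph, its package names and versions are made up.

```python
"""Added example, not code from the article or from the deps.dev project:
build deps.dev v3alpha request URLs and walk a GetDependencies-style
response to show how a package is pulled in transitively. Runs offline on
a constructed sample response; only fetch_json() would go to the network."""
import base64
import json
from urllib.parse import quote
from urllib.request import urlopen

# Assumption: these v3alpha REST paths follow the published deps.dev
# documentation; check them there before relying on this in a pipeline.
API_BASE = "https://api.deps.dev/v3alpha"


def version_url(system: str, name: str, version: str) -> str:
    """GetVersion: licenses, advisory keys and links for one package version.
    Name and version are percent-encoded because npm scopes contain '/'."""
    return (f"{API_BASE}/systems/{system}/packages/{quote(name, safe='')}"
            f"/versions/{quote(version, safe='')}")


def dependencies_url(system: str, name: str, version: str) -> str:
    """GetDependencies: the resolved dependency graph of one version."""
    return version_url(system, name, version) + ":dependencies"


def hash_query_url(digest_hex: str, hash_type: str = "SHA256") -> str:
    """Query by artifact hash; deps.dev takes the digest base64-encoded
    (assumption based on the documentation), so convert from hex first."""
    b64 = base64.b64encode(bytes.fromhex(digest_hex)).decode("ascii")
    return f"{API_BASE}/query?hash.type={hash_type}&hash.value={quote(b64, safe='')}"


def fetch_json(url: str) -> dict:
    """Plain JSON-over-HTTP call; no API key is needed. Not called offline."""
    with urlopen(url, timeout=30) as resp:
        return json.load(resp)


# Constructed sample in the shape of a GetDependencies response: a node list
# with the queried version marked SELF, and edges between node indices.
# Names and versions are illustrative, not a real deps.dev result.
SAMPLE_GRAPH = {
    "nodes": [
        {"versionKey": {"system": "NPM", "name": "tailwindcss", "version": "3.3.2"}, "relation": "SELF"},
        {"versionKey": {"system": "NPM", "name": "postcss", "version": "8.4.24"}, "relation": "DIRECT"},
        {"versionKey": {"system": "NPM", "name": "chokidar", "version": "3.5.3"}, "relation": "DIRECT"},
        {"versionKey": {"system": "NPM", "name": "nanoid", "version": "3.3.6"}, "relation": "INDIRECT"},
        {"versionKey": {"system": "NPM", "name": "picocolors", "version": "1.0.0"}, "relation": "INDIRECT"},
        {"versionKey": {"system": "NPM", "name": "glob-parent", "version": "5.1.2"}, "relation": "INDIRECT"},
    ],
    "edges": [
        {"fromNode": 0, "toNode": 1, "requirement": "^8.0.9"},
        {"fromNode": 0, "toNode": 2, "requirement": "^3.5.3"},
        {"fromNode": 1, "toNode": 3, "requirement": "^3.3.6"},
        {"fromNode": 1, "toNode": 4, "requirement": "^1.0.0"},
        {"fromNode": 2, "toNode": 5, "requirement": "~5.1.2"},
    ],
}


def _label(node: dict) -> str:
    key = node["versionKey"]
    return f"{key['name']}@{key['version']}"


def transitive_dependencies(graph: dict) -> list:
    """Every dependency other than the queried package itself, sorted."""
    return sorted(_label(n) for n in graph["nodes"] if n.get("relation") != "SELF")


def paths_to(graph: dict, package_name: str) -> list:
    """All dependency chains from the queried package to package_name.
    An empty list means the package is not in the graph; a chain of
    length 2 means a direct dependency, anything longer is transitive."""
    nodes = graph["nodes"]
    children = {}
    for e in graph["edges"]:
        children.setdefault(e["fromNode"], []).append(e["toNode"])
    roots = [i for i, n in enumerate(nodes) if n.get("relation") == "SELF"] or [0]
    found = []

    def walk(idx: int, trail: list, seen: set) -> None:
        trail = trail + [_label(nodes[idx])]
        if nodes[idx]["versionKey"]["name"] == package_name:
            found.append(trail)
        for child in children.get(idx, []):
            if child not in seen:  # guard against cycles in the graph
                walk(child, trail, seen | {child})

    for r in roots:
        walk(r, [], {r})
    return found


if __name__ == "__main__":
    print(dependencies_url("npm", "tailwindcss", "3.3.2"))
    for chain in paths_to(SAMPLE_GRAPH, "nanoid"):
        print(" -> ".join(chain))
```

In a pipeline, replace SAMPLE_GRAPH with `fetch_json(dependencies_url(...))` for each top-level dependency of your project and run paths_to() for the package named in a new advisory; the returned chains tell you which of your direct dependencies needs an update rather than the vulnerable package itself.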

The metadata on Open Source Insights that the API exposes comes from Maven, npm, PyPI, Go Modules, and the Rust package manager Cargo. The website announces that NuGet for .NET packages will follow shortly. According to Google, deps.dev currently knows about five million packages with a total of 50 million versions.

The API is available free of charge and can be used without an API key. It is currently still marked as “v3alpha”. More details can be found on the Google Security Blog; the documentation is on the Open Source Insights site, and examples on GitHub should help you get started.


(rme)
