Google delivers secure open source software packages

Google has announced the Google Cloud Assured Open Source Software (Assured OSS) service, which aims to be a trusted source of secure open source packages, and the deps.dev API, which provides access to security metadata for 50+ million open source package versions.

The Assured OSS service

With Assured OSS, Google offers organizations the opportunity to integrate into their own developer workflows the same OSS packages Google uses and secures.

“Threat actors regularly attempt to compromise the source code and source repos for OSS projects. By building Assured OSS packages from a Google-secured and managed mirror rather than directly off the web, Google is able to take responsibility for securing the source code, repo, securing end-to-end build, packaging and deploy so the integrity of the source code is maintained even if it or its repo has been compromised,” Andy Chang, Group Product Manager at Google Cloud, told Help Net Security.

Threat actors also regularly try to compromise the software pipeline tools and the integrity of the artifacts as they progress through the many stages of the software supply chain, he added. “Google secures, controls and manages this end-to-end for Assured OSS packages and generate tamper-evident provenance and attestations so that customers can verify for themselves.”

As part of the service, Google also does daily fuzzing, scanning and security testing of the curated packages and reports the found vulnerabilities.

“Our critical patching team works with upstream maintainers to expedite the release of security updates and fixes to found issues. When necessary this includes directly fixing the identified vulnerabilities and submitting our fixes to upstream to become the security update. Of the vulnerabilities found to date by Assured OSS, in two cases, with vulns that had CVSS scores both at 9.8, Google teams were both first-to-find and first-to-fix,” Chang explained.

The present and future of the service

Assured OSS has been in Preview since October 2022 but is now generally available and offered at no charge.

It currently covers the Java and Python ecosystems, but Chang says that the company plans to expand it to additional ecosystems based on ongoing discussions with customers about their needs.

The list of OSS packages that Google curates and secures includes 1017 binaries (443 Java and 574 Python packages).

For each, Google provides a software bill of materials (SBOM) and vulnerability metadata in industry standard formats (SPDX, VEX).

The packages are built with Cloud Build (Google’s serverless CI/CD platform), include evidence of verifiable SLSA-compliance, are signed by Google and are distributed from an Artifact Registry secured by Google.

Customers can self-serve their access to Assured OSS through the onboarding form, and then use the metadata API to list available Python and Java packages and determine which Assured OSS packages they want to use.

“Assured OSS does not require the use of Google’s Software Delivery Shield solution. However, if you are using it together with SDS, then the experience is even more integrated,” Chang explained.

Google previously said that users will be able to submit packages from their own OSS portfolio to be secured and managed through the Google Cloud managed service.

“For this first GA version of Assured OSS, customers can contact the Assured OSS support team with their requests to further expand the Assured OSS portfolio. Requested OSS packages can be ones the customer’s organization uses but Google doesn’t,” he clarified.

The deps.dev API

The newly opened deps.dev API allows users to discover dependencies, licenses, advisories and other security information on 50+ million versions of 5+ million packages found on the Go, Maven, PyPI, npm, and Cargo online repositories.

The API is used by Google internally, and can now be used by all developers.

“The deps.dev data set is continuously updated from a range of sources: package registries, the Open Source Vulnerability database, code hosts such as GitHub and GitLab, and the software artifacts themselves,” says the Google Open Source Security Team.

“Taken together, this information can help answer the most important overarching question: how much risk would this dependency add to my project?”

The data can be integrated into IDE Plugins, CI/CD platforms, build tools, analysis tolls, etc.

The API can also help security researchers, developers and organizations discover whether their codebase is affected by a newly discovered critical vulnerability and where.