How to use Google's new dependency mapping tool to find security flaws buried in your projects

Google has built an online tool that maps out all the dependencies in millions of open-source software libraries and flags up any unpatched vulnerabilities. This is useful for finding out what exactly is inside the libraries used by your programming projects, and crucially, whether they contain hidden security bugs that haven' …

  1. Peter Prof Fox

    One leaf out of a whole tree.

    I know most people can't be bothered but what about using the information to prune library bloat. For example, suppose my Hello World application uses some date library which uses some internationalisation library which uses some foo and some bar. Except that my HW only actually uses one API call from the date library which only uses one API call from the internationalisation library. No matter, there are 100 extra routines lurking in my code. So surely I'd want to spend a Friday afternoon cutting out the tiny bit I do need, or rewriting etc. to avoid the date library overhead. Then I have a much more manageable development environment with fewer risks of being struck by a wild issue from out of the Wide Blue Yonder. (Plus other benefits.) Perhaps somebody could invent an 'optimising compiler' for or 'standard library internal dependency map reader/writer'.

    1. Pascal Monett

      Library bloat?

      It's not because you have no need for some of the functions of a library that nobody else does. The library was not written for you, it was written to answer a specific set of requirements and contains the code necessary to do so.

      Asking the compiler to remove functions that are never called is an interesting idea though. I would guess it is technically possible.

      1. Arthur the cat

        Re: Library bloat?

        > Asking the compiler to remove functions that are never called is an interesting idea though. I would guess it is technically possible.

        It used to be standard on optimising compilers back when computer memories were measured in kilobytes. Also libraries were just collections of relocatable routines and the loader picked only the ones needed, rather than today's shared libraries which contain all the code and hope to amortise the cost across all programs that use the library. Given that we're tending towards containers that run single apps maybe shared libraries are not necessarily a good idea any more. (See also unikernels.)

        1. Claptrap314

          Re: Library bloat?

          Ever hear of DLL hell? I've never been a fan of shared libraries at all.

          Before I was a professional programmer, it was due to premature optimization. But my first professional work was for a decade in validation, and--just no.

          1. Paul Crawford

            Re: Library bloat?

            The advantage of shared libraries is they get updated for security & bug fixes by the system update process. Or should do...

            The advantage of statically linked libraries is the program keeps working.

            1. Claptrap314
              Trollface

              Re: Library bloat?

              Don't forget that you get those security & bug fixes for free. No testing of the applications relying on them required.

    2. karlkarl

      Re: One leaf out of a whole tree.

      I like the idea but I guess the real issue is that potentially if you only need a small functionality, why do you need to drag in the library? Either reimplement that small part or rip just the function from the library.

      I do understand that in practice, under deadlines you don't always get the time to do so.

    3. T. F. M. Reader

      Re: One leaf out of a whole tree.

      The linker and the loader will do the job: only what is needed will actually be loaded into memory.
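A worked illustration of the chain Peter Prof Fox describes at the top of this thread (Hello World pulling in a date library, which pulls in an internationalisation library, which pulls in foo and bar), and of the gap between what a package manager installs and what the program's code actually reaches, the distinction the later replies about the linker and loader turn on. This is an added example, not code from the article, from Google's tool, or from any commenter; the package names, the advisory ids and the call graph are all constructed for the demonstration.

```python
"""Walk a constructed dependency graph at package level and at function level,
and report which reachable packages carry an advisory, with the chain that
pulls each one in. Added example; all data below is constructed."""
from collections import deque

# Constructed: package -> direct dependencies. Names mirror the chain in the
# comment above; none of these are real packages.
DEPS = {
    "hello-world": ["date-lib"],
    "date-lib": ["intl-lib", "tz-data"],
    "intl-lib": ["foo", "bar"],
    "tz-data": [],
    "foo": [],
    "bar": ["baz"],
    "baz": ["bar"],  # deliberate cycle: the walk must track visited nodes
}

# Constructed: package -> placeholder advisory id (not real CVE numbers).
ADVISORIES = {
    "bar": "ADVISORY-PLACEHOLDER-1",
    "tz-data": "ADVISORY-PLACEHOLDER-2",
}

# Constructed call graph: "package:function" -> functions it calls. Only the
# edges that cross a package boundary matter for the pruning question.
CALLS = {
    "hello-world:main": ["date-lib:format_date"],
    "date-lib:format_date": ["intl-lib:locale_name"],
    "date-lib:parse_date": ["tz-data:lookup"],
    "intl-lib:locale_name": [],
    "intl-lib:collate": ["foo:compare", "bar:normalize"],
    "tz-data:lookup": [],
    "foo:compare": [],
    "bar:normalize": ["baz:strip"],
    "baz:strip": [],
}


def reachable(root, edges):
    """Breadth-first walk from root; returns {node: shortest path from root}.
    The 'already in paths' check is the visited set, so cycles terminate."""
    paths = {root: [root]}
    queue = deque([root])
    while queue:
        node = queue.popleft()
        for nxt in edges.get(node, []):
            if nxt not in paths:
                paths[nxt] = paths[node] + [nxt]
                queue.append(nxt)
    return paths


def package_level_findings(root, deps=DEPS, advisories=ADVISORIES):
    """Everything a package manager would install for root, flagged if it
    has an advisory, with the dependency chain that drags it in."""
    paths = reachable(root, deps)
    return {pkg: (advisories[pkg], paths[pkg]) for pkg in paths if pkg in advisories}


def function_level_findings(entry, calls=CALLS, advisories=ADVISORIES):
    """Only the code reachable from the entry function. Returns the packages
    actually touched (with the package chain reaching each) and the subset
    of those that carry an advisory; this is the pruning the comment above
    suggests, done by reachability rather than by hand."""
    paths = reachable(entry, calls)
    packages_used = {}
    for func, path in paths.items():
        pkg = func.split(":")[0]
        packages_used.setdefault(pkg, [p.split(":")[0] for p in path])
    flagged = {pkg: (advisories[pkg], chain)
               for pkg, chain in packages_used.items() if pkg in advisories}
    return packages_used, flagged


if __name__ == "__main__":
    for pkg, (adv, chain) in package_level_findings("hello-world").items():
        print(f"package level: {pkg} ({adv}) via {' -> '.join(chain)}")
    used, flagged = function_level_findings("hello-world:main")
    print("function level: packages actually reached:", sorted(used))
    print("function level: flagged:", flagged or "none")
```

At package level the walk flags both constructed advisories (bar via date-lib and intl-lib, tz-data via date-lib); at function level, with only format_date used, neither flagged package is reached. Real tooling works from lockfiles and real call graphs rather than hand-written dictionaries, but the two walks are the same computation.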

  2. Paul Crawford

    > indexing, scanning, and monitoring 1.63 million JavaScript libraries

    Does that not strike fear into your heart? Surely the number of useful libraries must be a lot, lot less! How many of them were written by someone not bothering to check if it is already standardised, and making new and exciting mistakes again and again?

    1. Gene Cash

      > the number of useful libraries

      So how do you decide what's useful? I just wrote a Python library that talks the Bluetooth protocol from my Zero electric motorcycle. I mainly use it to monitor how charged it is from the other end of the house.

      That's surely a library that's only useful to a handful of people on the planet, but it's still useful, and it's on GitHub in the hopes they stumble across it.

      They're ALL "useful" because nobody would spend the time writing something without a use, aside from Microsoft and Oracle.

      1. Paul Crawford

        How do you know that has not already been implemented in one of the other 1.63M libraries?

        If someone else cannot realistically discover the presence of such a library, or its quality/supported status, how useful is it?

      2. Charlie Clark

        I think the reference is specific to JavaScript where it's known that there are many duplicate libraries and the quality of many leaves a lot to be desired.

  3. captain veg

    write your own

    I just don't get why people import third party libraries to do trivial stuff like string manipulation. A relational database, sure. Some kind of cool UI widget, maybe. But at the very least you should ask yourself "could I write that?".

    If the answer is no then maybe you should find another career.

    If the answer is "of course, but I don't have time" then the supplementary questions are (a) how long will it take to learn and master the library, (b) have you got time to read and validate the library's source code, and (c) how much additional effort will it take to get that third party thing to do exactly what I need it to do rather than what the author presumed I would need.

    The "it's been tested lots and ought to work perfectly" proposition is attractive, but flies contrary to experience.

    -A.

    1. Anonymous Coward

      Re: write your own

      Good luck trying to convince anyone in a managerial position. They wanted their product finished last quarter.

  4. Will Godfrey
    Big Brother

    Hmmm

    I can't think of an organisation I'd be less keen to fondle the crown jewels. I'm nowhere near smart enough to be able to definitively ascertain whether they've hidden any 'interesting' bits in there.

Biting the hand that feeds IT © 1998–2021