Worried about the security of your code's dependencies? Try Google's Deps.dev

In early 2002, then Microsoft chairman Bill Gates issued his Trustworthy Computing memo to ensure that computing "is as available, reliable and secure as electricity, water services and telephony." Two decades later, utilities and public infrastructure in the US are generally available but could be more reliable and more …

  1. stiine Silver badge

    Trust Google? The evil lords of shutting down applications? Not in a million years.

    1. ChoHag Silver badge

      How about four years though?

      1. VonGell

        Google goes down, Brin-Page-Schmidt are other:

        That “shows what real competition will do,” Dintzer told Judge Amit Mehta. “What has been going on for the past 12 years is Google has been maintaining its monopoly. Would we have seen ChatGPT six years earlier? Would we see five other competitors competing for search? Those are questions none of us can answer.”

        https://finance.yahoo.com/news/google-monopoly-delayed-innovations-chatgpt-174519410.html

        1. Claptrap314 Silver badge

          Google's monopoly delayed ChatGPT? That's a big 'ol check on the "good" side, then...

  2. b0llchit Silver badge

    Until next time

    ... the deps.dev API should be available for at least four years.

    Well, yes, just time enough to ignore it and carry on doing something useful with your time. Like eliminating your unnecessary dependencies.

    1. FrogsAndChips Silver badge

      Re: Until next time

      Why not use it now while you review your dependencies and remove the unnecessary ones? Like it or not, software development nowadays relies *a lot* on external libraries and components, and it could take an awful lot of time to replace all your codebase with in-house versions, which may or may not be more secure than the original ones. At least there are some tools to identify known vulns, as opposed to those present in your code that no one knows about - apart from the bad guys.

      1. Anonymous Coward

        Re: Until next time

        If a developer came to me and said that they had used this [cough][cough] feature on code that was even an alpha release of something that would clearly make it into production, I might have to think that they were an idiot and did not want their job to last beyond the end of the day.

        Trusting Google with even giving you the time of day without slurping something that could later be used against you is IMHO madness.

        Some websites are dependency hell. Layer after layer after layer that the chances are... all phoning home.

        Developers have got effing lazy. No site with more than one level of dependency can be regarded as even half secure.

        The sites that I run have ZERO dependencies on libraries from Boris or Mao or whoever. I might use them in sandboxes but after that, it is all homegrown.

      2. Michael Wojcik Silver badge

        Re: Until next time

        Perhaps because there are many alternatives, so why expose yourself to Google's minuscule attention span?

        Frankly, if you're not already tracking at least some of this information – like all of your dependencies, their provenance, their versions, their licenses – already in-house, you have a big problem that Yet Another Google Toy will not solve.

        1. FrogsAndChips Silver badge

          Re: Until next time

          Agree with your point about Google and using alternatives instead.

          I was rather reacting to the OP who was stating that instead of wasting time identifying vulns in dependencies, we should just remove them as if that was such an easy task.

        2. -v(o.o)v-

          Re: Until next time

          I would argue that the much bigger problem these days is developers (oh sorry "DevOps") playing systems administrators with Docker and willy-nilly pulling in images done by who-knows-what without any constraints and considering all that smoldering mess fire-and-forget, never bothering to update anything - or indeed even understanding that they need to be updated.

          The amount of images pulled in from random individuals is frankly frightening and a disaster waiting to happen. And even in the rare case they do update there's no guarantees that Jimbo in Lower Elbonistan bothers to keep their image updated.

          Of course all of it is done with minimal understanding of anything, and why would understanding be necessary: just check from the README what few configuration parameters are needed to make it work and off to production it goes.

          (Insert xkcd here about gluing stuff together)

          I ran trivy once and there were thousands and thousands of high+ vulns in just one machine...

  3. Rich 2 Silver badge

    So now all I need to worry about…

    …is Googlies stealing my personal details while using their service! Cool :-)

  4. MOH

    Poacher turned ...

    A) serial killer?

    B) gamekeeper?

    C) serial killing gamekeeper?

  5. sten2012

    This is a great idea. Not convinced many of the data points mentioned can't already be gathered via snyk... It just needs a neutral party to run it, not Google (who would be great to see contribute with their genuinely skilled engineers). And ideally a nonprofit.

    The idea of "had it been code reviewed" is new but seems questionable. Could be incredibly handy:

    By who?

    Can you tag suppliers you trust/fund to review your own dependencies?

    Can it be crowdsourced to look at specific projects/code?

    Can it be integrated with funding the projects maintenance itself?

    Can risky uses of libraries that aren't underlying vulnerabilities be flagged for people reviewing your own code?

    I share the concerns of Google running this. But the idea isn't an inherently bad one.

    Edit: in answer to my queries no all around. It's a question of how the project themselves review pull requests. Not my hopes and utopian dreams of, say, the Truecrypt reviews people pulled together for
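An added example (not from the article or any commenter) of the in-house dependency inventory the thread keeps coming back to: it walks a constructed lockfile-style graph, measures how much each direct dependency pulls in and how deep the chain goes, and flags transitive packages against a constructed advisory table (placeholder ids standing in for what deps.dev or a scanner would supply).

```python
"""Walk a dependency graph, measure how deep each direct dependency pulls you,
and flag transitive packages that carry known advisories.
Graph, package names and advisory ids below are constructed sample data."""
from collections import deque

# Constructed lockfile-style graph: package -> its direct dependencies.
DEP_GRAPH = {
    "app": ["web-framework", "logger"],
    "web-framework": ["http-parser", "templating"],
    "templating": ["string-utils"],
    "string-utils": [],
    "http-parser": ["string-utils"],
    "logger": ["color-codes", "string-utils"],
    "color-codes": ["tiny-leftpad"],
    "tiny-leftpad": [],
}

# Constructed advisory table; ids are placeholders, not real advisories.
ADVISORIES = {
    "tiny-leftpad": ["ADV-PLACEHOLDER-1"],
    "http-parser": ["ADV-PLACEHOLDER-2"],
}


def transitive_deps(graph, root):
    """Return {package: depth} for everything reachable from root (root excluded),
    depth being the shortest chain from root. BFS copes with shared (diamond) deps."""
    seen = {root: 0}
    queue = deque([root])
    while queue:
        node = queue.popleft()
        for child in graph.get(node, []):
            if child not in seen:
                seen[child] = seen[node] + 1
                queue.append(child)
    del seen[root]
    return seen


def risk_report(graph, advisories, root="app"):
    """Per direct dependency of root: how many packages it drags in, the longest
    chain below root, and which of those packages have advisories."""
    report = {}
    for direct in graph.get(root, []):
        sub = transitive_deps(graph, direct)
        sub[direct] = 0  # include the direct dependency itself
        flagged = {p: advisories[p] for p in sub if p in advisories}
        report[direct] = {
            "pulled_in": len(sub) - 1,
            "max_depth": max(sub.values()) + 1,  # +1: direct dep sits at depth 1
            "advisories": flagged,
        }
    return report
```

Pointing the same walk at a real lockfile shows at a glance which "one level" of dependency actually brings a whole tree with it.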
