Google Created ‘Open-Source Maintenance Crew’ to Help Secure Critical Projects

Google on Thursday announced[1]
the creation of a new “Open Source Maintenance Crew” to focus on
bolstering the security of critical open source projects.

Additionally, the tech giant pointed out Open Source Insights[2]
as a tool for analyzing packages and their dependency graphs, using
it to determine “whether a vulnerability in a dependency might
affect your code.”

“With this information, developers can understand how their
software is put together and the consequences to changes in their
dependencies,” the company said.
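As an added illustration of the question the paragraph describes (this is not code from Google or deps.dev, and it does not use the deps.dev API): given a dependency graph and an advisory for one package, walk the graph to find every path by which an affected version reaches your project and which direct dependencies would need updating. The package names, versions, graph and advisory are constructed sample data.

```python
"""Propagate a package advisory through a dependency graph (illustrative)."""

# Constructed graph: "name@version" -> list of "name@version" it depends on.
DEPENDENCY_GRAPH = {
    "my-app@1.0.0": ["web-framework@2.3.1", "json-utils@4.0.2"],
    "web-framework@2.3.1": ["http-core@1.8.0", "log-lib@2.14.1"],
    "json-utils@4.0.2": ["string-helpers@0.9.0"],
    "http-core@1.8.0": ["log-lib@2.14.1"],
    "log-lib@2.14.1": [],
    "string-helpers@0.9.0": [],
}

# Constructed advisory: the affected package and the versions it covers.
ADVISORY = {"package": "log-lib", "affected_versions": {"2.14.0", "2.14.1"}}


def split_coordinate(coord):
    """Split 'name@version' into (name, version)."""
    name, _, version = coord.rpartition("@")
    return name, version


def is_affected(coord, advisory):
    name, version = split_coordinate(coord)
    return name == advisory["package"] and version in advisory["affected_versions"]


def vulnerable_paths(root, graph, advisory):
    """Return every dependency path from root to an affected package version.

    An empty result means no affected version is reachable from root, either
    directly or transitively. Cycles are broken by never revisiting a node
    already on the current path."""
    paths = []
    stack = [(root, [root])]  # depth-first walk carrying the path so far
    while stack:
        node, path = stack.pop()
        if is_affected(node, advisory):
            paths.append(path)
            continue  # no need to look below an affected node
        for dep in graph.get(node, []):
            if dep not in path:
                stack.append((dep, path + [dep]))
    return paths


def direct_dependencies_to_fix(paths):
    """The direct dependencies through which the affected package is pulled in."""
    return {path[1] for path in paths if len(path) > 1}


if __name__ == "__main__":
    found = vulnerable_paths("my-app@1.0.0", DEPENDENCY_GRAPH, ADVISORY)
    for path in found:
        print(" -> ".join(path))
    print("direct dependencies to update:", direct_dependencies_to_fix(found))
```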

The development comes as security and trust in the open source
software ecosystem has been increasingly thrown into question in
the aftermath of a string[3]
of supply chain[4]
attacks[5]
designed to compromise developer workflows.

In December 2021, a critical flaw in the ubiquitous open source
Log4j logging library[6]
left several companies scrambling to patch their systems against
potential abuse.

The announcement also comes less than two weeks after the Open
Source Security Foundation (OpenSSF) announced what’s called the
Package Analysis project[7] to carry out dynamic
analysis of all packages uploaded to popular open source
repositories.

References

  1. announced (blog.google)
  2. Open Source Insights (deps.dev)
  3. string (thehackernews.com)
  4. supply chain (thehackernews.com)
  5. attacks (thehackernews.com)
  6. Log4j logging library (thehackernews.com)
  7. Package Analysis project (thehackernews.com)