This week, Google launched a free API service that provides software developers with dependency data and security-related information on over 5 million software components across different programming languages. Today, the company also announced the general availability of its Assured Open Source Software (Assured OSS) service, which provides development teams with a Google-curated repository of security-tested packages for Python and Java.
Both services are part of Google’s efforts to reduce the software supply chain risks that exist in the open-source ecosystem by providing extensive security metadata, vulnerability information, and the needed information to build software bills of materials (SBOMs). One of the most common ways in which attackers can introduce malicious code into software projects is by compromising a popular open-source component or one of its many dependencies.