Google Open Source Code Insight – Software Supply Chain

The previous post talked about the importance of the Software Supply Chain (SSC) for companies. Just yesterday a new article by Google came out discussing the subject and presenting an insight tool.

I was struck by some similarities in some paragraphs of Google’s article to my own. This shouldn’t be too surprising though, the subject is not often talked about but is quite relevant and unambiguous.

A glance at the Kubernetes (k8s) project’s dependency graph is eye-opening, in case anyone should doubt its technical complexity.

Docker, the popular container platform, also looks very complex.

The tool flags some security vulnerabilities as well; interested parties may want to dig further.

Having mentioned left-pad as an example earlier, let’s look it up: thankfully it is marked as deprecated, and the long list of indirect dependencies is noticeable.

Finally, let’s look at Hibernate, a framework widely used in Java web applications: the tool flags a vulnerability that could be interesting to check out.
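As an added illustration (not the tool’s own code, and not part of the original post), the following Python script does in miniature what such an insight tool does: it resolves the transitive dependencies of a root package over a small constructed registry and reports every reachable package that is deprecated or carries an advisory, together with the path by which it gets pulled in. All package names, flags and the advisory id are constructed sample data, not real registry or deps.dev records.

```python
from collections import deque

# Constructed sample registry (not real package data). Each entry lists the
# package's direct dependencies, a deprecation flag and any advisory ids.
REGISTRY = {
    "my-app":          {"deps": ["web-framework", "left-pad"], "deprecated": False, "advisories": []},
    "web-framework":   {"deps": ["http-parser", "template-engine"], "deprecated": False, "advisories": []},
    "http-parser":     {"deps": ["string-utils"], "deprecated": False, "advisories": ["ADV-0001-constructed"]},
    "template-engine": {"deps": ["string-utils"], "deprecated": False, "advisories": []},
    "string-utils":    {"deps": [], "deprecated": False, "advisories": []},
    "left-pad":        {"deps": [], "deprecated": True, "advisories": []},
}


def transitive_deps(root, registry):
    """Breadth-first walk from root; returns {package: shortest dependency path}.

    The 'seen' check in `paths` also terminates on dependency cycles.
    """
    paths = {}
    queue = deque([(root, [root])])
    while queue:
        pkg, path = queue.popleft()
        for dep in registry.get(pkg, {}).get("deps", []):
            if dep not in paths:
                paths[dep] = path + [dep]
                queue.append((dep, paths[dep]))
    return paths


def flagged(root, registry):
    """Return (package, reason, path) for each reachable package worth a look.

    A package missing from the registry is reported too: an unresolvable
    dependency is itself a supply-chain signal, not something to ignore.
    """
    findings = []
    for pkg, path in sorted(transitive_deps(root, registry).items()):
        meta = registry.get(pkg)
        if meta is None:
            findings.append((pkg, "unknown package (not in registry)", path))
            continue
        if meta["deprecated"]:
            findings.append((pkg, "deprecated", path))
        for adv in meta["advisories"]:
            findings.append((pkg, f"advisory {adv}", path))
    return findings


if __name__ == "__main__":
    for pkg, reason, path in flagged("my-app", REGISTRY):
        print(f"{pkg}: {reason}  (via {' -> '.join(path)})")
```

The path column is the part a maintainer actually needs: it names the direct dependency through which an indirect, flagged package entered the graph, which is where a pin, replacement or upstream report has to happen.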

Google Open Source Insights looks to be a young but promising project, worth watching for teams taking this subject seriously.

Google’s article may be worth checking out; they promise to cover NuGet (the .NET package repository) and PyPI (Python) as well: Introducing the Open Source Insights Project

Since publishing my article, I am increasingly seeing the subject pop up every day, probably just because I am now paying more attention to it than before.
