DependencyTrack / dependency-track

Dependency-Track is an intelligent Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain.
https://dependencytrack.org/
Apache License 2.0

Add support deps.dev Google-portal #1499

Open ultramaxim opened 2 years ago

ultramaxim commented 2 years ago

The enhancement may already be reported! Please search for the enhancement before creating one.

Please, can you add support deps.dev Google-portal?

Current Behavior:

no support

Proposed Behavior:

support deps.dev portal

TorbenCapiau commented 1 year ago

Just noticed that a free API was released: https://security.googleblog.com/2023/04/announcing-depsdev-api-critical.html

Would love to see this integrated as an additional source for vulnerabilities and dependency matching!

stevespringett commented 1 year ago

The lack of Package URL support for the API will limit its utility. Snyk used to have a similar API (they still do), which we did not support, and we worked with them on adopting purl. If we adopt deps.dev, we will need them to also adopt purl. The fact that a new API does not support purl is interesting. We cannot adopt this as is.

It also appears to be a meta resource that includes vulnerabilities from GitHub Advisories and OSV. So if we support deps.dev, we will have to force GitHub Advisories and OSV support to be disabled - or risk having duplicates.

valentijnscholten commented 1 year ago

purl support has been requested in https://github.com/google/deps.dev/issues/10

rkg-mm commented 6 months ago

PURL support is now available experimentally in deps.dev: https://github.com/google/deps.dev/issues/10#issuecomment-1987714742

aharonh commented 3 months ago

@stevespringett what do you think about this feature? As the relatively new FDA cybersecurity guidance requires SBOMs to track whether a used component is maintained, the deps.dev/OpenSSF Scorecard maintenance score could come in very handy. Does it make sense to use the deps.dev/OpenSSF Scorecard info to enrich the component information in the Dependency-Track UI and downloaded SBOMs? Do you believe this could be implemented sometime within the following few months?

valentijnscholten commented 3 months ago

Purl support is now available https://blog.deps.dev/api-v3/

stevespringett commented 3 months ago

@aharonh Supporting deps.dev should be fine, however, I would highly recommend creating additional tickets for representing things like scorecard data. I haven't seen any concrete evidence that scorecard can be a leading indicator of risk, but in some situations, it can be useful. I would recommend the ticket include the various perspectives that scorecard covers otherwise it will not be overly useful in the context of DT.

rkg-mm commented 3 months ago

There is one for Scorecard already: https://github.com/DependencyTrack/dependency-track/issues/3048. And we use the scorecard and its details as one of the indicators for risk assessment to decide whether we use a component or not. So representing all its data would be necessary to get the full view of it.

jkowalleck commented 2 months ago

> Please, can you add support deps.dev Google-portal?

I really tried to imagine what an actual user story would be here, but I cannot come up with any beneficial one.

I'd imagine - to solve any possible use case - it could be an acceptable outcome to render a hyperlink to the specific package/version page in deps.dev - à la https://deps.dev/maven/org.cyclonedx%3Acyclonedx-core-java/9.0.2. Users could click this hyperlink, see the information and do whatever they need - to solve whatever user story they might have.

(PS: an alternative but similar information source seems to be https://libraries.io)

aharonh commented 2 months ago

@stevespringett Sorry for getting back so late. To my best understanding, the deps.dev service provides a quick way to get relatively fresh precomputed OSSF Scorecard scores. The free access and relatively large rate limits on deps.dev make it a great cache and speedup for getting OSSF Scorecard data.

For now, I implemented it as a side pre-processing step for SBOMs before import. I append properties from the scorecard to the components matched by purl. Works nicely but, of course, requires some search/viewing features as well for full utilization.
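The two ideas in this thread - rendering a per-component deps.dev hyperlink (jkowalleck's comment) and appending Scorecard properties to purl-matched components before SBOM import (aharonh's comment) - can be sketched in one small pre-processing script. The following is an added example written for this page; it is not Dependency-Track's, deps.dev's or either commenter's code. It assumes a minimal purl parser (namespace/name joined with `:` for Maven, `/` otherwise), a deps.dev page URL layout of `https://deps.dev/<system>/<name>/<version>` inferred from the single link quoted above, and a constructed in-memory Scorecard table standing in for whatever the deps.dev API would return; the `example:` property namespace and the mapping of purl types to deps.dev system names are assumptions too, not a documented CycloneDX taxonomy.

```python
"""Added example (not Dependency-Track's, deps.dev's or the commenters' code):
enrich a CycloneDX JSON SBOM before import with OpenSSF Scorecard properties
looked up by purl, plus a deps.dev page link per component.
All sample data below is constructed; the Scorecard values are made up."""
import json
from urllib.parse import quote, unquote

# Assumed purl type -> deps.dev system name mapping (only these four handled).
PURL_TYPE_TO_SYSTEM = {"maven": "maven", "npm": "npm", "pypi": "pypi", "golang": "go"}

# Constructed stand-in for a deps.dev lookup, keyed by (purl type, name).
# A real implementation would query the API by purl instead of this dict.
SAMPLE_SCORECARDS = {
    ("maven", "org.cyclonedx:cyclonedx-core-java"): {
        "score": 7.3,
        "date": "2024-05-01",
        "checks": {"Maintained": 10, "Dangerous-Workflow": 10, "Pinned-Dependencies": 3},
    },
}

# Constructed sample SBOM with one purl known to the table and one that is not.
SAMPLE_BOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "cyclonedx-core-java", "version": "9.0.2",
         "purl": "pkg:maven/org.cyclonedx/cyclonedx-core-java@9.0.2"},
        {"type": "library", "name": "left-pad", "version": "1.3.0",
         "purl": "pkg:npm/left-pad@1.3.0"},
    ],
}


def parse_purl(purl):
    """Minimal purl parser returning (type, name, version).
    Percent-encoded path segments are decoded; qualifiers and subpath are
    dropped. Namespace and name are joined with ':' for maven, '/' otherwise."""
    if not purl.startswith("pkg:"):
        raise ValueError(f"not a purl: {purl}")
    body = purl[4:].split("?", 1)[0].split("#", 1)[0]
    ptype, _, rest = body.partition("/")
    version = None
    if "@" in rest:
        rest, version = rest.rsplit("@", 1)
    parts = [unquote(p) for p in rest.split("/")]
    sep = ":" if ptype == "maven" else "/"
    return ptype, sep.join(parts), version


def deps_dev_url(purl):
    """Build the deps.dev package/version page URL, or None if the purl type
    is not mapped or the purl carries no version (layout assumed, see above)."""
    ptype, name, version = parse_purl(purl)
    system = PURL_TYPE_TO_SYSTEM.get(ptype)
    if system is None or version is None:
        return None
    return f"https://deps.dev/{system}/{quote(name, safe='')}/{quote(version, safe='')}"


def lookup_scorecard(purl, source=SAMPLE_SCORECARDS):
    """Return the Scorecard record for the purl's package, or None if unknown."""
    ptype, name, _ = parse_purl(purl)
    return source.get((ptype, name))


def enrich_sbom(bom, source=SAMPLE_SCORECARDS):
    """Return a deep copy of the BOM with a deps.dev link and Scorecard
    properties appended to every component that carries a purl.
    Components unknown to the source keep only the link; the input is untouched."""
    bom = json.loads(json.dumps(bom))
    for comp in bom.get("components", []):
        purl = comp.get("purl")
        if not purl:
            continue
        props = comp.setdefault("properties", [])
        url = deps_dev_url(purl)
        if url:
            props.append({"name": "example:deps.dev:url", "value": url})
        card = lookup_scorecard(purl, source)
        if card is None:
            continue
        props.append({"name": "example:scorecard:score", "value": str(card["score"])})
        props.append({"name": "example:scorecard:date", "value": card["date"]})
        for check, score in card["checks"].items():
            props.append({"name": f"example:scorecard:check:{check}", "value": str(score)})
    return bom


if __name__ == "__main__":
    print(json.dumps(enrich_sbom(SAMPLE_BOM), indent=2))
```

Each Scorecard check is emitted as its own property, which matches the point made earlier in the thread that the individual checks (not just the aggregate score) are what a risk assessment needs; a component absent from the source is left without Scorecard properties rather than given a default value, so a missing score stays visibly missing after import.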