{"id":41231,"date":"2021-06-04T02:59:13","date_gmt":"2021-06-04T02:59:13","guid":{"rendered":"https:\/\/www.threatshub.org\/blog\/how-to-use-googles-new-dependency-mapping-tool-to-find-security-flaws-buried-in-your-projects\/"},"modified":"2021-06-04T02:59:13","modified_gmt":"2021-06-04T02:59:13","slug":"how-to-use-googles-new-dependency-mapping-tool-to-find-security-flaws-buried-in-your-projects","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/how-to-use-googles-new-dependency-mapping-tool-to-find-security-flaws-buried-in-your-projects\/","title":{"rendered":"How to use Google&#8217;s new dependency mapping tool to find security flaws buried in your projects"},"content":{"rendered":"<p>Google has built an online tool that maps out all the dependencies in millions of open-source software libraries and flags up any unpatched vulnerabilities.<\/p>\n<p>This is useful for finding out what exactly is inside the libraries used by your programming projects, and crucially, whether they contain hidden security bugs that haven&#8217;t been fixed. Thus, you can choose another set of packages, or help get the holes patched, to avoid leaving your application exploitable.<\/p>\n<p>These days, when you pull a library into a project, you&#8217;re typically pulling in dozens of dependencies and sub-dependencies of that library. 
And any of these components could \u2013 <a target=\"_blank\" href=\"https:\/\/www.theregister.com\/2020\/06\/26\/open_source_security_snyk_survey\/\" rel=\"noopener noreferrer\">and do<\/a> \u2013 contain security holes, which may leave the parent program vulnerable to attack.<\/p>\n<p>These dependencies can also break or <a target=\"_blank\" href=\"https:\/\/www.theregister.com\/2016\/03\/23\/npm_left_pad_chaos\/\" rel=\"noopener noreferrer\">vanish<\/a>, preventing code from building, deploying, or running as expected. 
Programs can import out-of-date libraries and not stay up to date, meaning they miss out on bug fixes, security patches, and new features.<\/p>\n<p>It&#8217;s safe to say developers rarely know what they&#8217;re getting into, or what issues lie beneath the surface, when they add 
a library to their project. This fragile state of software engineering <a target=\"_blank\" href=\"https:\/\/www.theregister.com\/2020\/05\/12\/open_source_bugs\/\" rel=\"noopener noreferrer\">affects<\/a> commercial applications as well as free software and it&#8217;s an issue Googlers are increasingly <a target=\"_blank\" href=\"https:\/\/www.theregister.com\/2021\/02\/04\/google_open_source_security\/\" rel=\"noopener noreferrer\">vocal<\/a> about.<\/p>\n<h3 class=\"crosshead\"> <span>Goals<\/span><br \/>\n<\/h3>\n<p>Which leads us to the web giant&#8217;s experimental dependency exploration tool, dubbed Open Source Insights, which was <a target=\"_blank\" rel=\"nofollow noopener noreferrer\" href=\"https:\/\/opensource.googleblog.com\/2021\/06\/introducing-open-source-insights-project.html\">announced<\/a> today and is available at <a target=\"_blank\" rel=\"nofollow noopener noreferrer\" href=\"https:\/\/deps.dev\/\">deps.dev<\/a>. You can search for a package, and browse its contents as a table or a graph, and any known security holes in those dependencies are flagged up.<\/p>\n<p>We&#8217;re told the service is, right now, indexing, scanning, and monitoring 1.63 million JavaScript libraries in npm, 624,000 Go modules, 404,000 Maven artifacts of Java code, and 62,000 Rust Cargo crates. PyPI and NuGet packages are set to be added next. 
It is also free to use.<\/p>\n<p>&#8220;Open Source Insights continuously scans millions of projects in the open source software ecosystem, gathering information about packages, including licensing, ownership, security issues, and other metadata such as download counts, popularity signals, and OpenSSF Scorecards,&#8221; said the project&#8217;s Andrew Gerrand, Michael Goddard, Rob Pike, and Nicky Ringland in their announcement.<\/p>\n<p>&#8220;It then constructs a full dependency graph \u2014 transitively tracking dependencies, dependencies&#8217; dependencies, and so on \u2014 and incorporates the metadata, then publishes it so you can see how it all might affect your software. 
And the information it provides is continually updated.&#8221;<\/p>\n<h3 class=\"crosshead\"> <span>How well does it work?<\/span><br \/>\n<\/h3>\n<p>Your humble vulture decided to take the service out for a spin with a library, picking off the top of his head a useful Rust crate called <code><a target=\"_blank\" rel=\"nofollow noopener noreferrer\" href=\"https:\/\/github.com\/fdehau\/tui-rs\">tui<\/a><\/code>.<\/p>\n<p>This software can be used to create great-looking text-based user interfaces within a terminal. It&#8217;s been starred more than 5,100 times on GitHub, has scores of contributors, and is used to build various apps, including a terminal-based Spotify client.<\/p>\n<p>Entering <code>tui<\/code> into the deps.dev search bar, and selecting the Cargo crate, brings up the library&#8217;s <a target=\"_blank\" rel=\"nofollow noopener noreferrer\" href=\"https:\/\/deps.dev\/cargo\/tui\">dashboard<\/a>. Clicking on the dependencies tab shows a table of its components, which can be searched, and clicking on the graph button on the right opens a <a target=\"_blank\" rel=\"nofollow noopener noreferrer\" href=\"https:\/\/deps.dev\/cargo\/tui\/0.15.0\/dependencies\/graph\">visualization<\/a> of <code>tui<\/code>&#8217;s libraries.<\/p>\n<div class=\"CaptionedImage width_85\" readability=\"8\"><a href=\"https:\/\/regmedia.co.uk\/2021\/06\/04\/screenshot_tui_dep_graph.jpg\" target=\"_blank\" rel=\"noopener noreferrer\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/regmedia.co.uk\/2021\/06\/04\/screenshot_tui_dep_graph.jpg?x=648&amp;y=358&amp;infer_y=1\" alt=\"A graph of tui's dependencies, generated by Google's deps.dev service\" title=\"A graph of tui's dependencies, generated by Google's deps.dev service\" height=\"358\" width=\"648\"><\/a><\/p>\n<p class=\"text_center\">The busted cobweb of dependencies in tui, generated by deps.dev<\/p>\n<\/div>\n<p>You can zoom in and out by scrolling in the graph view, and move points 
around by clicking and dragging them. Each crate, starting with <code>tui<\/code>, has lines with arrowheads pointing to its dependencies. You can see, for instance, the chain of dependencies to the crates that handle Windows API calls on that operating system, and all the paths leading to <code>libc<\/code>.<\/p>\n<p>More importantly, and unexpectedly for a Rust project, Google&#8217;s service shows the latest version of <code>tui<\/code>, 0.15.0, has a couple of security holes.<\/p>\n<div class=\"CaptionedImage width_85\" readability=\"7\"><a href=\"https:\/\/regmedia.co.uk\/2021\/06\/04\/screenshot_tui_vulnerabilities.jpg\" target=\"_blank\" rel=\"noopener noreferrer\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/regmedia.co.uk\/2021\/06\/04\/screenshot_tui_vulnerabilities.jpg?x=648&amp;y=177&amp;infer_y=1\" alt=\"Screenshot of security vulnerabilities in tui's dependencies\" title=\"Screenshot of security vulnerabilities in tui's dependencies\" height=\"177\" width=\"648\"><\/a><\/p>\n<p class=\"text_center\">Uh-oh &#8230; Security issues flagged up by Google&#8217;s service<\/p>\n<\/div>\n<p>However, it&#8217;s clear these are in <code>tui<\/code>&#8217;s dependencies, and programmers who use the interface library in their applications may not be aware of the buried bugs.<\/p>\n<p>One of these vulnerabilities is <a target=\"_blank\" rel=\"nofollow noopener noreferrer\" href=\"https:\/\/deps.dev\/advisory\/RustSec\/RUSTSEC-2019-0005\">RUSTSEC-2019-0005<\/a> in <code>tui<\/code>&#8217;s <code>pancurses<\/code> dependency. 
This library is one of the available backends for <code>tui<\/code> that takes care of sending the necessary character sequences to the terminal, be it on Linux or Windows, to display the text-based user interface.<\/p>\n<p>The bug can be exploited in &#8220;a format string attack, which trivially allows writing arbitrary data to stack memory.&#8221; This is present in version 0.16.1 of <code>pancurses<\/code>, the latest version and the one used by <code>tui<\/code> in its latest release.<\/p>\n<p>That suggests it may be possible to hijack an application that uses <code>tui<\/code> with <code>pancurses<\/code> by giving it a string of data, such as a specially crafted filename, or contents of a file, or information from the network, that takes advantage of the aforementioned security oversight.<\/p>\n<p>The other vulnerability is <a target=\"_blank\" rel=\"nofollow noopener noreferrer\" href=\"https:\/\/deps.dev\/advisory\/RustSec\/RUSTSEC-2019-0006\">RUSTSEC-2019-0006<\/a>, which is in the <code>ncurses<\/code> crate that is a thin wrapper around the <code>ncurses<\/code> C library. This bug is present in the latest version of the wrapper crate, 5.101.0, and in the version used by <code>pancurses<\/code>, version 5.91.0. 
It is exploitable through buffer overflow and format string attacks, and so, like the above flaw, could potentially be used to hijack applications using maliciously crafted input data.<\/p>\n<p>The two bugs are documented <a target=\"_blank\" rel=\"nofollow noopener noreferrer\" href=\"https:\/\/github.com\/RustSec\/advisory-db\/issues\/106\">here in detail<\/a> with a proof-of-concept crash exploit, if you&#8217;re interested. Even if they are not practicably exploitable in real-world applications, they still serve as an example of how Google&#8217;s Open Source Insights can be used to discover potential security flaws lurking in your project&#8217;s dependency graph.<\/p>\n<p>There are other dependency vulnerability scanners out there \u2013 <a target=\"_blank\" href=\"https:\/\/www.theregister.com\/2018\/03\/23\/github_dependency_scanner\/\" rel=\"noopener noreferrer\">GitHub<\/a>&#8217;s springs to mind. OWASP has <a target=\"_blank\" rel=\"nofollow noopener noreferrer\" href=\"https:\/\/owasp.org\/www-project-dependency-check\/\">one<\/a>. 
Snyk, <a target=\"_blank\" rel=\"nofollow noopener noreferrer\" href=\"https:\/\/snyk.io\/\">too<\/a>. Feel free to share your recommendations in the comments. \u00ae<\/p>\n<p> READ MORE <a href=\"https:\/\/go.theregister.com\/feed\/www.theregister.com\/2021\/06\/04\/google_open_source_insights\/\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Millions of Rust, JavaScript, Go, Maven repositories scanned and visualized Google has built an online tool that maps out all the dependencies in millions of open-source software libraries and flags up any unpatched vulnerabilities.\u2026 READ MORE HERE&#8230;<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[63],"tags":[],"class_list":["post-41231","post","type-post","status-publish","format-standard","hentry","category-the-register"]}