Examine dependency data


This page provides an overview of how Container Analysis can help you use dependency information as one part of a broader set of controls that protect your software supply chain.

If you are not familiar with Container Analysis, see Container Analysis overview.

What is dependency information

Dependency data is a record of all the components used in your software. This list is often referred to as a software bill of materials, or SBOM. SBOM contents can include third-party software from vendors, internal artifacts, and open source libraries.

Your dependencies are like the ingredients you need to follow a recipe, or a bill of materials used in manufacturing supply chains.

For example, as an auto manufacturer, you could track the origin and production details for parts that you source from an external supplier. If defects are found in a specific batch, then these supplier details help you figure out whether you are using items from that batch and need to order a newer batch of parts. Similarly, when you have software dependency information available, you gain visibility into the components of your image and you can better manage associated risks.

Using open source software is an increasingly popular way to speed up development, so setting up dependency information management processes is an important step in protecting your applications and your customers.

Container Analysis enables you to automate dependency generation in your continuous integration workflow, and the Container Analysis API allows you to query the results.

When to use it

  • Responding to vulnerability notifications and checking which of your images contain the affected package
  • Examining the freshness of your software dependencies to look for packages that might be outdated, unsupported, or incompatible with newer dependencies
  • Building software that complies with government vendor regulations, which might require SBOM data
  • Addressing requirements from internal legal and security teams
  • Migrating between services and ensuring compatibility

How it works

Each time you push an image to Artifact Registry, Container Analysis creates a dependency record that describes the contents of that image. Container Analysis supports dependency record generation for OS, Java (Maven), and Go packages in your container images.

Your dependency data includes:

  • package names
  • package types
  • version numbers

Once Container Analysis generates the dependency information for you, you can query the API to examine details. For example, you can find out:

  • Which images depend on a specified package by name
  • Which images depend on a package with a specific name and version number

You can use queries like these to search your dependencies and respond quickly when security issues arise.

You can also use Container Analysis to scan and continuously update vulnerability information for your images stored in Artifact Registry.

Responding to vulnerabilities

Using vulnerability scanning and SBOM together lets you track issues and assess impact. The following scenario provides an overview of the setup steps and workflow:

  1. To get started with automatic vulnerability scanning for OS, Java (Maven), and Go packages, enable the Container Analysis API.

  2. Next, create a Docker repository in Artifact Registry.

  3. Push your container image to your repository. Container Analysis scans your packages for vulnerabilities when you upload them to Artifact Registry.

  4. View vulnerability occurrences for your images using Google Cloud console, Google Cloud CLI, or the Container Analysis API.

  5. Use your SBOM data to trace the issue further. For example, if your vulnerability scan results note an issue with Perl, you can use the following API call to list the images that depend on the Perl package. The `-G` flag keeps the request a GET (without it, curl sends the URL-encoded filter as a POST body, which is the wrong method for listing occurrences); `gcurl` is the usual alias for curl with an `Authorization: Bearer` header from `gcloud auth print-access-token`:

    $ gcurl -G --data-urlencode "filter=(kind=\"PACKAGE\" AND noteProjectId=\"goog-analysis\" AND dependencyPackageName=\"perl\")" \
        https://containeranalysis.googleapis.com/v1/projects/${PROJECT_ID}/occurrences
    
  6. You can also make your search more granular. For example, if the vulnerability only affects Perl versions 5.32.1 and higher, you can use the following API call to list the images that use Perl with a version number greater than 5.32.0:

    $ gcurl -G --data-urlencode "filter=(kind=\"PACKAGE\" AND noteProjectId=\"goog-analysis\" AND dependencyPackageName=\"perl\" AND dependencyPackageVersion>version(\"5.32.0\"))" \
        https://containeranalysis.googleapis.com/v1/projects/${PROJECT_ID}/occurrences
    
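The two queries above, and the "which images depend on this package" questions listed under "How it works", return one occurrence per image and package, and only one page at a time. The following Python script is an added example (not code from the Container Analysis documentation or from Google) that builds the same filter expressions, walks every page of `occurrences.list`, and groups image resource URIs by package name and version. The field names `kind`, `resourceUri`, `noteName`, `package.name`, `package.version.name` and `package.version.revision` are assumed to follow the public v1 Occurrence schema; the sample pages in `SAMPLE_PAGES` and the image digests in them are constructed for the example and stand in for a real API response (the sample server ignores the filter and always serves perl occurrences). Replace `sample_get` with the default `http_get_json` and set an access token to run it against a real project.

```python
"""Map Container Analysis PACKAGE occurrences to the images that contain them.

Added example, not part of the Container Analysis documentation. Field names
are assumed from the public v1 Occurrence schema; SAMPLE_PAGES is constructed.
"""
import json
import os
import urllib.parse
import urllib.request

API = "https://containeranalysis.googleapis.com/v1"


def build_filter(package, min_version=None):
    """Build the occurrences.list filter used on the page for one package.

    Quotes and backslashes are rejected so a package name copied from an
    untrusted source (a ticket, an alert) cannot rewrite the filter.
    """
    for value in (package, min_version or ""):
        if '"' in value or "\\" in value:
            raise ValueError(f"unsafe filter value: {value!r}")
    expr = (f'kind="PACKAGE" AND noteProjectId="goog-analysis" '
            f'AND dependencyPackageName="{package}"')
    if min_version:
        expr += f' AND dependencyPackageVersion>version("{min_version}")'
    return f"({expr})"


def http_get_json(url, token):
    """GET a JSON document with a bearer token (the same header gcurl sets)."""
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def list_occurrences(project, filter_expr, token=None, get=http_get_json):
    """Walk every page of occurrences.list. One call returns at most one page,
    so stopping after the first response silently drops images."""
    token = token or os.environ.get("GCLOUD_ACCESS_TOKEN", "")  # gcloud auth print-access-token
    found, page_token = [], None
    while True:
        params = {"filter": filter_expr, "pageSize": 500}
        if page_token:
            params["pageToken"] = page_token
        url = f"{API}/projects/{project}/occurrences?" + urllib.parse.urlencode(params)
        body = get(url, token)
        found.extend(body.get("occurrences", []))
        page_token = body.get("nextPageToken")
        if not page_token:
            return found


def images_by_package(occurrences):
    """Group image resource URIs (registry path plus digest) by
    (package name, full version string). Non-PACKAGE occurrences are skipped."""
    grouped = {}
    for occ in occurrences:
        if occ.get("kind") != "PACKAGE":
            continue
        pkg = occ["package"]
        ver = pkg.get("version", {})
        full = ver.get("name", "")
        if ver.get("revision"):
            full += "-" + ver["revision"]  # distro revision, e.g. 5.32.1-4+deb11u2
        grouped.setdefault((pkg["name"], full), set()).add(occ["resourceUri"])
    return {key: sorted(uris) for key, uris in grouped.items()}


# Constructed sample: two pages shaped like occurrences.list responses.
# The digests are invented placeholders, not real images.
WEB = "https://us-docker.pkg.dev/my-project/my-repo/web@sha256:" + "a" * 64
API_IMG = "https://us-docker.pkg.dev/my-project/my-repo/api@sha256:" + "b" * 64
BATCH = "https://us-docker.pkg.dev/my-project/my-repo/batch@sha256:" + "c" * 64


def _perl(uri, name, revision):
    return {"kind": "PACKAGE", "resourceUri": uri,
            "noteName": "projects/goog-analysis/notes/perl",
            "package": {"name": "perl", "packageType": "OS",
                        "version": {"name": name, "revision": revision}}}


SAMPLE_PAGES = {
    None: {"occurrences": [_perl(WEB, "5.32.1", "4+deb11u2"),
                           _perl(API_IMG, "5.30.0", "9ubuntu0.2")],
           "nextPageToken": "page-2"},
    "page-2": {"occurrences": [_perl(BATCH, "5.32.1", "4+deb11u2")]},
}


def sample_get(url, token):
    """Stand-in for http_get_json that serves SAMPLE_PAGES by pageToken."""
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    return SAMPLE_PAGES[query.get("pageToken", [None])[0]]


if __name__ == "__main__":
    occs = list_occurrences("my-project", build_filter("perl"), token="unused", get=sample_get)
    for (name, version), images in sorted(images_by_package(occs).items()):
        print(f"{name} {version}: {len(images)} image(s)")
        for uri in images:
            print("   ", uri)
```

The grouping key includes the distro revision because a fix for an OS package usually ships as a new revision of the same upstream version, so two images that both report Perl 5.32.1 can still differ in whether they are patched. Let the server-side `dependencyPackageVersion>version(...)` filter do the version comparison rather than re-implementing distro version ordering locally.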

Protect your software supply chain on Google Cloud

Container Analysis is part of the Software Delivery Shield solution. Software Delivery Shield is a fully managed, end-to-end software supply chain security solution that helps you to improve the security posture of developer workflows and tools, software dependencies, CI/CD systems used to build and deploy your software, and runtime environments such as Google Kubernetes Engine and Cloud Run. To learn how you can use Container Analysis with other components of Software Delivery Shield to improve the security posture of your software supply chain, see Software Delivery Shield overview.

What's next