Google has pledged support for OpenSSF’s Package Analysis Project for open source packages uploaded to popular repositories. It has also published the results which paint a rather interesting picture.
Although the nature of open source software dictates that code should be verifiable by anyone, its open nature also means that malicious actors or those with other intentions can sometimes slip in bad code without anyone realizing. To combat this problem, Google has pledged support for the Open Source Security Foundation’s (OpenSSF) Package Analysis Project. Essentially, Google will help the OpenSSF in the dynamic analysis of open source packages on scale, with the results saved to BigQuery.
