Chrome Beta for Android Update

Hi everyone! We've just released Chrome Beta 109 (109.0.5414.44) for Android. It's now available on Google Play.

You can see a partial list of the changes in the Git log. For details on new features, check out the Chromium blog, and for details on web platform updates, check here.

If you find a new issue, please let us know by filing a bug.

Krishna Govind
Google Chrome

Introducing the Google Search Status Dashboard

As we head into 2023, we want to introduce another tool for the public to understand the most current status of systems which impact Search—crawling, indexing, and serving. While system disruptions are extremely rare, we want to be transparent when they do happen, so please welcome our new Google Search Status Dashboard.

Chrome for Android Update

Hi, everyone! We've just released Chrome 108 (108.0.5359.128) for Android: it'll become available on Google Play over the next few days.

This release includes stability and performance improvements. You can see a full list of the changes in the Git log. If you find a new issue, please let us know by filing a bug.

Android releases contain the same security fixes as their corresponding Desktop release (Windows: 108.0.5359.124/.125, Mac & Linux: 108.0.5359.124), unless otherwise noted.


Krishna Govind
Google Chrome

Stable Channel Update for Desktop

The Stable channel has been updated to 108.0.5359.124 for Mac and Linux and 108.0.5359.124/.125 for Windows, which will roll out over the coming days/weeks. A full list of changes in this build is available in the log.


The Extended Stable channel has been updated to 108.0.5359.124 for Mac and 108.0.5359.125 for Windows which will roll out over the coming days/weeks.

Security Fixes and Rewards

Note: Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.


This update includes 8 security fixes. Below, we highlight fixes that were contributed by external researchers. Please see the Chrome Security Page for more information.


[$7000][1383991] High CVE-2022-4436: Use after free in Blink Media. Reported by Anonymous on 2022-11-15

[$6000][1394692] High CVE-2022-4437: Use after free in Mojo IPC. Reported by koocola(@alo_cook) and Guang Gong of 360 Vulnerability Research Institute on 2022-11-30

[$1500][1381871] High CVE-2022-4438: Use after free in Blink Frames. Reported by Anonymous on 2022-11-07

[$TBD][1392661] High CVE-2022-4439: Use after free in Aura. Reported by Anonymous on 2022-11-22

[$3000][1382761] Medium CVE-2022-4440: Use after free in Profiles. Reported by Anonymous on 2022-11-09


We would also like to thank all security researchers that worked with us during the development cycle to prevent security bugs from ever reaching the stable channel.

As usual, our ongoing internal security work was responsible for a wide range of fixes:

  • [1400487] Various fixes from internal audits, fuzzing and other initiatives


Many of our security bugs are detected using AddressSanitizer, MemorySanitizer, UndefinedBehaviorSanitizer, Control Flow Integrity, libFuzzer, or AFL.





Interested in switching release channels?  Find out how here. If you find a new issue, please let us know by filing a bug. The community help forum is also a great place to reach out for help or learn about common issues.





Srinivas Sista

Google Chrome

Developer Journey: December 2022

Posted by Lyanne Alfaro, DevRel Program Manager, Google Developer Studio

Developer Journey is a new monthly series to spotlight diverse and global developers sharing relatable challenges, opportunities, and wins in their journey. Every month, we will spotlight developers around the world, the Google tools they leverage, and the kind of products they are building.

In December, we are continuing our #DevJourney by providing members of our community with a platform to share their stories through our social platforms. This month, it’s our pleasure to feature three members spanning products, including Google Developer Experts. Enjoy reading through their entries below and be on the lookout on social media platforms, where we will also showcase their work.















Carlos Azaustre

GDE, Web Technologies

Madrid, Spain

YouTube: youtube.com/@CarlosAzaustre

What Google tools have you used?

I usually work as a web frontend developer. My principal tool is JavaScript as a programming language using some frameworks. Due to my job, I work with React.js and in the past, I've worked with AngularJS. And one of my favorite Google technologies is Firebase. I'm a heavy user of Firebase Authentication, Cloud Firestore as Database, and Cloud Functions for making Serverless web apps.

Which tool has been your favorite to use? Why?

I love Firebase because its services allow me to have the functionalities of a backend without the need of a lot of configuration. I'm a primary frontend developer, so the backend is not one of my great skills. Firebase makes it so easy to have a Serverless Backend with all the services that they provide year by year. The last update on Firebase Hosting makes the platform powerful.

Please share something you have built in the past using Google tools.

I built the frontend of my past startup using Angular, and some Firebase Services, Auth, and Database mainly.

What advice would you give someone starting in their developer journey?

My principal advice is to not give up. Some days you can feel frustrated or like an imposter, but it is okay. I used to feel this way every day. Celebrate your small wins and focus on the big picture on your journey.

















Loiane Groner

GDE, Angular

Davenport, FL

Twitter: @loiane

Youtube: https://www.youtube.com/@loianegroner

What Google tools have you used?

I've been working as a software developer for over 15 years. Throughout my journey, I had the opportunity to develop hybrid mobile apps for the Android platform, but my expertise lies in full-stack development, especially using Angular. I've also created projects that use Firebase and Google Cloud services, such as CloudRun.

Which tool has been your favorite to use? Why?

I'm very passionate about Angular. Given my Java background, I enjoyed learning Angular with TypeScript, and it felt very familiar. Angular makes it easier to develop complex frontend applications as it's a complete framework. It provides tools such as the Angular CLI to scaffold a project quickly, create components, services and other file types, and build the project for production deployment. It does not matter if you are building an extensive application or micro-fronts; Angular has you covered with whatever you need. I like Angular Material for the UI part, which provides modern UI components and accessibility features. And last but not least, Firebase. Firebase is a great platform, from hosting web applications to providing direct access to a real-time database and secure authentication, and fast-tracking project development.

Please share something you’ve built in the past using Google tools.

Besides the applications I've developed at work, I've built a training portal using Angular, Angular Material, and Firebase. This training portal collates all the free courses I host on Youtube in Portuguese, and students can track what lessons they've watched. And at the end of the training, they get a certificate of completion so they can use the hours and present at the university or their employer. I've passed the 100k students mark, and it's incredible how easy it is to scale a project in Firebase, from hosting capabilities to access to Firestore. Even with more than 100k users, it costs less than a fast food meal (monthly)!

What advice would you give someone starting in their developer journey?

Be a part of a community. The beauty of working in tech is that we have amazing people willing to help!

Although seeing so many different technologies and acronyms might be scary, don't worry about learning everything immediately. Focus on understanding the basics so that you can have a strong foundation. Also, focus on one topic at a time; once you're done with that topic, incrementally add new concepts or learn the next topic on your list.

And finally, in tech, we're students eternally. So always be curious.












Merve Noyan

GDE, Machine Learning

Paris, France

Twitter: @mervenoyann

What Google tools have you used?

Tools within the TensorFlow ecosystem.

Which tool has been your favorite to use? Why?

TensorFlow with Keras. It's very easy to build machine learning models and take them to production using TensorFlow Extended!

Please share something you have built in the past using Google tools.

I've built an information retrieval model using TensorFlow Keras and Hugging Face Transformers. It was used to extract information from academic papers to automate a repetitive task for researchers.

What advice would you give someone starting in their developer journey?

They should find the nearest Google Developers community. It helps you grow and meet other developers using the same stack as you do.

Chrome Stable for iOS Update

Hi everyone! We've just released Chrome Stable 108 (108.0.5359.112) for iOS; it'll become available on App Store in the next few hours.

This release includes stability and performance improvements. You can see a full list of the changes in the Git log. If you find a new issue, please let us know by filing a bug.

Harry Souders
Google Chrome

Announcing OSV-Scanner: Vulnerability Scanner for Open Source

Today, we’re launching the OSV-Scanner, a free tool that gives open source developers easy access to vulnerability information relevant to their project.

Last year, we undertook an effort to improve vulnerability triage for developers and consumers of open source software. This involved publishing the Open Source Vulnerability (OSV) schema and launching the OSV.dev service, the first distributed open source vulnerability database. OSV allows all the different open source ecosystems and vulnerability databases to publish and consume information in one simple, precise, and machine readable format.

The OSV-Scanner is the next step in this effort, providing an officially supported frontend to the OSV database that connects a project’s list of dependencies with the vulnerabilities that affect them.

OSV-Scanner

Software projects are commonly built on top of a mountain of dependencies—external software libraries you incorporate into a project to add functionalities without developing them from scratch. Each dependency potentially contains existing known vulnerabilities or new vulnerabilities that could be discovered at any time. There are simply too many dependencies and versions to keep track of manually, so automation is required.

Scanners provide this automated capability by matching your code and dependencies against lists of known vulnerabilities and notifying you if patches or updates are needed. Scanners bring incredible benefits to project security, which is why the 2021 U.S. Executive Order for Cybersecurity included this type of automation as a requirement for national standards on secure software development.

The OSV-Scanner generates reliable, high-quality vulnerability information that closes the gap between a developer’s list of packages and the information in vulnerability databases. Since the OSV.dev database is open source and distributed, it has several benefits in comparison with closed source advisory databases and scanners:

  • Each advisory comes from an open and authoritative source (e.g. the RustSec Advisory Database)
  • Anyone can suggest improvements to advisories, resulting in a very high quality database
  • The OSV format unambiguously stores information about affected versions in a machine-readable format that precisely maps onto a developer’s list of packages
  • The above all results in fewer, more actionable vulnerability notifications, which reduces the time needed to resolve them

Running OSV-Scanner on your project will first find all the transitive dependencies that are being used by analyzing manifests, SBOMs, and commit hashes. The scanner then connects this information with the OSV database and displays the vulnerabilities relevant to your project.
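The matching step described above, as an added example (not OSV-Scanner's own code): it walks OSV-format `affected` entries, evaluating `introduced`, `fixed` and `last_affected` range events in sorted order, against a dependency list. The advisory IDs, package names and versions are constructed sample data, and versions are assumed to be plain dotted integers.

```python
# Constructed sample data: advisory IDs, package names and versions are made up.
ADVISORIES = [
    {"id": "EXAMPLE-0001", "affected": [{
        "package": {"ecosystem": "PyPI", "name": "examplelib"},
        "ranges": [{"type": "ECOSYSTEM", "events": [
            {"introduced": "0"}, {"fixed": "1.4.2"},
            {"introduced": "2.0.0"}, {"fixed": "2.1.0"}]}]}]},
    {"id": "EXAMPLE-0002", "affected": [{
        "package": {"ecosystem": "PyPI", "name": "otherlib"},
        "versions": ["3.0.1"],
        "ranges": [{"type": "ECOSYSTEM", "events": [
            {"introduced": "3.1.0"}, {"last_affected": "3.1.5"}]}]}]},
]
DEPENDENCIES = [
    ("PyPI", "examplelib", "1.4.1"), ("PyPI", "examplelib", "1.4.2"),
    ("PyPI", "examplelib", "2.0.3"), ("PyPI", "otherlib", "3.0.1"),
    ("PyPI", "otherlib", "3.1.5"), ("PyPI", "otherlib", "3.1.6"),
    ("npm", "examplelib", "1.0.0"),
]

def parse_version(text):
    # Assumption: plain dotted integers. Real ecosystems define their own ordering.
    return tuple(int(part) for part in text.split("."))

def in_ranges(version, ranges):
    """True if version falls inside any ECOSYSTEM/SEMVER range of the advisory."""
    v = parse_version(version)
    for rng in ranges:
        if rng.get("type") not in ("ECOSYSTEM", "SEMVER"):
            continue  # GIT ranges need the commit graph; out of scope here
        events = sorted(rng["events"],
                        key=lambda e: parse_version(next(iter(e.values()))))
        vulnerable = False
        for event in events:
            if "introduced" in event:
                if v >= parse_version(event["introduced"]):
                    vulnerable = True
            elif "fixed" in event:            # first version that is NOT affected
                if v >= parse_version(event["fixed"]):
                    vulnerable = False
            elif "last_affected" in event:    # last version that IS affected
                if v > parse_version(event["last_affected"]):
                    vulnerable = False
        if vulnerable:
            return True
    return False

def scan(dependencies, advisories):
    """Return (name, version, advisory id) for every affected dependency."""
    findings = []
    for ecosystem, name, version in dependencies:
        for adv in advisories:
            for aff in adv.get("affected", []):
                pkg = aff["package"]
                if (pkg["ecosystem"], pkg["name"]) != (ecosystem, name):
                    continue  # same name in another ecosystem is a different package
                if version in aff.get("versions", []) or in_ranges(version, aff.get("ranges", [])):
                    findings.append((name, version, adv["id"]))
    return findings

if __name__ == "__main__":
    for finding in scan(DEPENDENCIES, ADVISORIES):
        print(finding)
```

The boundary cases are the ones worth checking in any scanner: `fixed` is exclusive, `last_affected` is inclusive, and a package name only matches within its own ecosystem.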

OSV-Scanner is also integrated into the OpenSSF Scorecard’s Vulnerabilities check, which will extend the analysis from a project’s direct vulnerabilities to also include vulnerabilities in all its dependencies. This means that the 1.2M projects regularly evaluated by Scorecard will have a more comprehensive measure of their project security.

What else is new for OSV?

The OSV project has made lots of progress since our last post in June last year. The OSV schema has seen significant adoption from vulnerability databases such as GitHub Security Advisories and Android Security Bulletins. Altogether OSV.dev now supports 16 ecosystems, including all major language ecosystems, Linux distributions (Debian and Alpine), as well as Android, Linux Kernel, and OSS-Fuzz. This means the OSV.dev database is now the biggest open source vulnerability database of its kind, with a total of over 38,000 advisories, up from 15,000 advisories a year ago.

The OSV.dev website also had a complete overhaul, and now has a better UI and provides more information on each vulnerability. Prominent open source projects have also started to rely on OSV.dev, such as DependencyTrack and Flutter.

What’s next?

There’s still a lot to do! Our plan for OSV-Scanner is not just to build a simple vulnerability scanner; we want to build the best vulnerability management tool—something that will also minimize the burden of remediating known vulnerabilities. Here are some of our ideas for achieving this:

  • The first step is further integrating with developer workflows by offering standalone CI actions, allowing for easy setup and scheduling to keep track of new vulnerabilities.
  • Improve C/C++ vulnerability support: One of the toughest ecosystems for vulnerability management is C/C++, due to the lack of a canonical package manager to identify C/C++ software. OSV is filling this gap by building a high quality database of C/C++ vulnerabilities by adding precise commit level metadata to CVEs.
  • We are also looking to add unique features to OSV-Scanner, like the ability to utilize specific function level vulnerability information by doing call graph analysis, and to be able to automatically remediate vulnerabilities by suggesting minimal version bumps that provide the maximal impact.
  • VEX support: Automatically generating VEX statements using, for example, call graph analysis.

Try out OSV-Scanner today!

You can download and try out OSV-Scanner on your projects by following the instructions on our new website, osv.dev. Alternatively, to automatically run OSV-Scanner on your GitHub project, try Scorecard. Please feel free to let us know what you think! You can give us feedback either by opening an issue on our GitHub, or through the OSV mailing list.

Migrating from App Engine pull tasks to Cloud Pub/Sub (Module 19)

Posted by Wesley Chun (@wescpy), Developer Advocate, Google Cloud

Introduction and background

The Serverless Migration Station series is aimed at helping developers modernize their apps running on one of Google Cloud's serverless platforms. The preceding (Migration Module 18) video demonstrates how to add use of App Engine's Task Queue pull tasks service to a Python 2 App Engine sample app. Today's Module 19 video picks up from where that leaves off, migrating that pull task usage to Cloud Pub/Sub.

Moving away from proprietary App Engine services like Task Queue makes apps more portable, giving them enough flexibility to:

 

    Understanding the migrations

    Module 19 consists of implementing three different migrations on the Module 18 sample app:

    • Migrate from App Engine NDB to Cloud NDB
    • Migrate from App Engine Task Queue pull tasks to Cloud Pub/Sub
    • Migrate from Python 2 to Python (2 and) 3

    The NDB to Cloud NDB migration is identical to the Module 2 migration content, so it's not covered in-depth in Module 19. The original app was designed to be Python 2 and 3 compatible, so there's no work there either. Module 19 boils down to three key updates:

    • Setup: Enable APIs and create Pub/Sub Topic & Subscription
    • How work is created: Publish Pub/Sub messages instead of adding pull tasks
    • How work is processed: Pull messages instead of leasing tasks

    Aside from these physical changes, a key hurdle to overcome is understanding the differences in terminology between pull tasks and Pub/Sub. The following chart attempts to demystify this so developers can more easily grasp how they differ:
    [Table: Terminology differences between App Engine pull tasks and Cloud Pub/Sub]

    Reflecting the chart, these differences can be summarized like this:

    1. With Task Queue, work is created in pull queues, while with Pub/Sub, work is sent to topics
    2. Task Queue pull tasks are called messages in Pub/Sub
    3. With Task Queues, workers access pull tasks; with Pub/Sub, subscribers receive messages
    4. Leasing a pull task is the same as pulling a message from a Pub/Sub topic via a subscription
    5. Deleting a task from a pull queue when you're done is analogous to successfully acknowledging a Pub/Sub message

    The video walks developers through the terminology as well as the code changes described above. Below is pseudocode implementing the key changes to the main application (new or updated lines of code bolded):
    [Figure: Migration from App Engine Task Queue pull tasks to Cloud Pub/Sub, with code before (Module 18) on the left and after (Module 19) on the right]

    Observe how most of the code, especially app operations and data models are left relatively unchanged. The only visible changes are switching from App Engine NDB and Task Queue to Cloud NDB and Pub/Sub. Complete versions of the app before and after making the changes can be found in the Module 18 and Module 19 repo folders, respectively. In addition to the video, be sure to check out the Module 19 codelab which leads you step-by-step through the migrations discussed.
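The publish, pull and acknowledge flow described above, as an added example (not the Module 19 sample app): `publish_work` and `process_batch` are hypothetical helper names, and the client objects are passed in so the flow runs offline against the constructed `InMemoryPubSub` stand-in. With the real library, the same calls would go to `google.cloud.pubsub_v1` `PublisherClient` and `SubscriberClient` instances; the topic and subscription paths are placeholders.

```python
import json
from types import SimpleNamespace

def publish_work(publisher, topic_path, payload):
    """Replaces adding a pull task: publish one message to a topic."""
    data = json.dumps(payload).encode("utf-8")   # Pub/Sub message data is bytes
    return publisher.publish(topic_path, data)

def process_batch(subscriber, sub_path, handler, limit=10):
    """Replaces lease + delete: pull messages, acknowledge only the handled ones."""
    rsp = subscriber.pull(request={"subscription": sub_path, "max_messages": limit})
    done = []
    for rcvd in rsp.received_messages:
        try:
            handler(json.loads(rcvd.message.data))
        except Exception:
            continue   # left unacknowledged, so Pub/Sub will redeliver it
        done.append(rcvd.ack_id)
    if done:
        subscriber.acknowledge(request={"subscription": sub_path, "ack_ids": done})
    return len(done)

class InMemoryPubSub:
    """Constructed stand-in for both clients, for offline runs only."""
    def __init__(self):
        self.pending = {}    # ack_id -> message data awaiting acknowledgement
        self.next_id = 0

    def publish(self, topic_path, data):
        self.next_id += 1
        self.pending["ack-%d" % self.next_id] = data
        return self.next_id

    def pull(self, request):
        items = list(self.pending.items())[:request["max_messages"]]
        return SimpleNamespace(received_messages=[
            SimpleNamespace(ack_id=ack_id, message=SimpleNamespace(data=data))
            for ack_id, data in items])

    def acknowledge(self, request):
        for ack_id in request["ack_ids"]:
            self.pending.pop(ack_id, None)

def demo():
    """Publish three constructed jobs; the handler rejects one of them."""
    bus = InMemoryPubSub()
    for visitor in ("192.0.2.1", "192.0.2.2", "bad"):
        publish_work(bus, "projects/PROJECT_ID/topics/TOPIC", {"visitor": visitor})

    def handler(job):
        if job["visitor"] == "bad":
            raise ValueError("cannot process")

    acked = process_batch(bus, "projects/PROJECT_ID/subscriptions/SUB", handler)
    return acked, len(bus.pending)   # handled count, messages still unacknowledged

if __name__ == "__main__":
    print(demo())
```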

    Wrap-up

    Module 19 features a migration of App Engine pull tasks to Cloud Pub/Sub, but developers should note that Pub/Sub itself is not based on pull tasks. It is a fully-featured asynchronous, scalable messaging service that has many more features than the pull functionality provided by Task Queue. For example, Pub/Sub has other features like streaming to BigQuery and push functionality. Pub/Sub push operates differently than Task Queue push tasks, hence why we recommend push tasks be migrated to Cloud Tasks instead (see Module 8). For more information on all of its features, see the Pub/Sub documentation. Because Cloud Tasks doesn't support pull functionality, we turn to Pub/Sub instead for pull task users.

    While we recommend users move to the latest offerings from Google Cloud, neither of those migrations is required, and should you opt to do them, you can do so on your own timeline. In Fall 2021, the App Engine team extended support of many of the bundled services to 2nd generation runtimes (that have a 1st generation runtime), meaning you don't have to migrate to standalone Cloud services before porting your app to Python 3. You can continue using Task Queue in Python 3 so long as you retrofit your code to access bundled services from next-generation runtimes.

    If you're using other App Engine legacy services be sure to check out the other Migration Modules in this series. All Serverless Migration Station content (codelabs, videos, source code [when available]) can be accessed at its open source repo. While our content initially focuses on Python users, the Cloud team is working on covering other language runtimes, so stay tuned. For additional video content, check out our broader Serverless Expeditions series.