# Gold Open Source (GOS)

## Background

Enterprise applications routinely incorporate hundreds to thousands of open-source packages sourced from public registries such as Maven Central, PyPI, and npmjs.com. Each declared dependency introduces its own transitive dependencies, and every component in this chain can carry vulnerabilities. The resulting dependency graph forms a broad, opaque attack surface that adversaries actively target.

Several incidents illustrate the operational impact of this issue:

* [**Log4Shell (CVE-2021-44228)**](https://nvd.nist.gov/vuln/detail/CVE-2021-44228): A single flaw in the widely deployed Log4j library affected hundreds of thousands of systems worldwide and required extensive remediation across organizations.
* [**Colors / Faker (2022)**](https://www.theregister.com/2022/01/10/npm_fakerjs_colorsjs/): The maintainer of two widely used npm packages intentionally introduced breaking changes, disrupting thousands of downstream builds.
* [**PyTorch supply-chain attack (2022)**](https://pytorch.org/blog/compromised-nightly-dependency/): Threat actors published malicious packages to PyPI that masqueraded as legitimate PyTorch dependencies and exfiltrated data from developer environments.
* [**XZ Utils backdoor (CVE-2024-3094)**](https://nvd.nist.gov/vuln/detail/CVE-2024-3094): A long-running attempt to insert a backdoor into a core Linux compression library nearly resulted in a widespread compromise of SSH authentication.

## **Introduction to Gold Open Source (GOS)**

Gold Open Source (GOS) is Lineaje's curated catalog of open-source packages and container images — pre-vetted and confirmed free of critical, high, and exploitable vulnerabilities before they ever reach your environment.

GOS covers over 3 million packages and 2,000+ OCI-compliant container images, each evaluated across 100+ attributes including transitive dependencies, with pre-attested lineage included.

Here's what GOS does for your supply chain:

* **Everything is rebuilt from verified source.** Every OSS component is rebuilt from clean, confirmed source code. Upstream tampering, hidden dependencies, and malware are removed before anything enters your pipeline — not patched after the fact.
* **No source code, no binary.** If verified source isn't available, the package isn't included. This removes license risk and eliminates malicious artifacts that lack a public source repository.
* **Only direct dependencies get fixed.** Remediation targets direct dependencies, not the full transitive chain. That keeps changes minimal and reduces fix effort by up to 85%.
* **Continuous and automatic.** Once set up, GOS continuously rebuilds, scans, and enforces policies across your repos and pipelines without manual intervention.

### **What Qualifies as GOS**

A package either meets the gold standard or it doesn't enter the build. Every package in the catalog must satisfy all four of the following:

* **Zero exploitable vulnerabilities (ECH = 0).** No exploitable, critical, or high-severity CVEs at the time of consumption. Lineaje continuously monitors the National Vulnerability Database (NVD), GitHub Advisories, OSV, and vendor feeds to keep this current.
* **Clean malware scan.** Every artifact is scanned for malware before inclusion.
* **Your policy requirements, met.** Packages must satisfy any custom policies your team has defined — license allowlists/blocklists, provenance requirements, author reputation thresholds, dependency-depth limits, and so on.
* **Acceptable Lineaje risk score.** Lineaje's risk score covers maintainability, provenance, update cadence, and ecosystem health so the package lands within your organization's acceptable band.
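To make the admission criteria concrete, the following is an added illustration written for this page; it is not Lineaje's code and does not reflect how GOS is implemented. It walks a constructed dependency graph (the transitive chain discussed in the Background section), then applies the four gates above to every package in that chain: verified source present, ECH = 0, clean malware scan, and a constructed custom policy (license allowlist, dependency-depth limit, risk-score band). The package names, CVE id, risk scale and policy values are all invented placeholders.

```python
from collections import deque
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Package:
    name: str
    source_repo: Optional[str]      # None means no verified source: excluded outright
    license: str
    risk_score: int                 # constructed 0-100 scale, lower is better
    malware_clean: bool = True
    cves: List[dict] = field(default_factory=list)   # {"id", "severity", "exploited"}
    deps: List[str] = field(default_factory=list)    # direct dependencies only


# Constructed policy standing in for an organisation's custom rules.
POLICY = {
    "license_allow": {"MIT", "Apache-2.0", "BSD-3-Clause"},
    "max_depth": 3,          # dependency-depth limit
    "max_risk_score": 40,    # upper bound of the acceptable risk band
}

# Constructed catalog: names, URLs and the CVE id are placeholders, not real packages.
CATALOG: Dict[str, Package] = {p.name: p for p in [
    Package("web-app", "https://example.invalid/web-app", "MIT", 10, deps=["http-lib", "log-lib"]),
    Package("http-lib", "https://example.invalid/http-lib", "Apache-2.0", 20, deps=["tls-lib"]),
    Package("tls-lib", "https://example.invalid/tls-lib", "BSD-3-Clause", 15),
    Package("log-lib", "https://example.invalid/log-lib", "Apache-2.0", 30,
            cves=[{"id": "CVE-0000-00001", "severity": "CRITICAL", "exploited": True}]),
    Package("good-app", "https://example.invalid/good-app", "MIT", 12, deps=["http-lib"]),
    Package("blob-sdk", None, "Proprietary", 70),
    Package("tool-app", "https://example.invalid/tool-app", "MIT", 5, deps=["blob-sdk"]),
]}


def transitive_closure(root: str, catalog: Dict[str, Package]) -> Dict[str, int]:
    """Breadth-first walk over declared deps; maps every reachable package to its depth."""
    depth = {root: 0}
    queue = deque([root])
    while queue:
        cur = queue.popleft()
        node = catalog.get(cur)
        if node is None:            # unknown package: nothing further to walk
            continue
        for dep in node.deps:
            if dep not in depth:
                depth[dep] = depth[cur] + 1
                queue.append(dep)
    return depth


def ech_count(pkg: Package) -> int:
    """Number of Exploitable/Critical/High CVEs; the gold standard requires zero."""
    return sum(1 for c in pkg.cves
               if c["exploited"] or c["severity"].upper() in ("CRITICAL", "HIGH"))


def evaluate(root: str, catalog: Dict[str, Package], policy: dict) -> Tuple[bool, List[str]]:
    """Apply the admission gates to the root and its whole transitive chain.

    Returns (admitted, reasons); an empty reasons list means every gate passed.
    """
    reasons: List[str] = []
    closure = transitive_closure(root, catalog)
    deepest = max(closure.values())
    if deepest > policy["max_depth"]:
        reasons.append(f"{root}: dependency depth {deepest} exceeds {policy['max_depth']}")
    for name in closure:
        pkg = catalog.get(name)
        if pkg is None:
            reasons.append(f"{name}: not in catalog")
            continue
        if pkg.source_repo is None:
            reasons.append(f"{name}: no verified source")
        ech = ech_count(pkg)
        if ech:
            reasons.append(f"{name}: ECH={ech}, must be 0")
        if not pkg.malware_clean:
            reasons.append(f"{name}: malware scan failed")
        if pkg.license not in policy["license_allow"]:
            reasons.append(f"{name}: license {pkg.license} not allowed")
        if pkg.risk_score > policy["max_risk_score"]:
            reasons.append(f"{name}: risk score {pkg.risk_score} above acceptable band")
    return (not reasons, reasons)


if __name__ == "__main__":
    for root in ("good-app", "web-app", "tool-app"):
        admitted, why = evaluate(root, CATALOG, POLICY)
        print(root, "admitted" if admitted else "rejected", why)
```

The point of walking the closure rather than only the declared dependencies is that a single transitive package (here the constructed `log-lib`, two edges away from nothing but one edge from `web-app`) is enough to block the root, which is exactly why the page frames the dependency graph, not the manifest, as the attack surface.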
