|GitHub Adds Security Alerts|
|Written by Alex Armstrong|
|Thursday, 23 November 2017|
Using its new dependency graph feature, GitHub is now able to warn you of potential security vulnerabilities in code that a project relies on and to suggest known fixes.
A recent post from Jason Warner on the GitHub blog stated:
There are millions of open source projects on GitHub. If you build software, your code likely depends on at least one of those projects. Now, our data can help you manage increasingly complex dependencies and keep your code safer as you work on connected projects—even for private repositories.
The innovation he was referring to was the new dependency graph that displays projects your code depends on and projects that depend on your code. To enable it simply click Insights under your repository name and click Dependency graph in the left sidebar.
Now you can see all of the packages and applications you're connected to, without leaving your repository.
The first advantage of identifying dependencies is already coming on-stream: security alerts, plus advice on how to respond to them.
GitHub tracks public vulnerabilities in Ruby gems and NPM packages on MITRE's Common Vulnerabilities and Exposures (CVE) List. As well as highlighting dependencies that are the source of a potential vulnerability, and its severity on a four-point scale - Low, Moderate, High, Critical, GitHub aims to provide a solution to the problem.
In her blog post, "Introducing security alerts on GitHub", Miju Han writes:
... we’ll highlight any dependencies that we recommend updating. If a known safe version exists, we’ll select one using machine learning and publicly available data, and include it in our suggestion.
Like all recommender systems, this one is expected to improve with use.
Vulnerabilities that have CVE IDs (publicly disclosed vulnerabilities from the National Vulnerability Database) will be included in security alerts. However, not all vulnerabilities have CVE IDs—even many publicly disclosed vulnerabilities don't have them. We'll continue to get better at identifying vulnerabilities as our security data grows.
Once your dependency graph is enabled, admins will receive security alerts by default. Admins can also add teams or individuals as recipients for security alerts in the dependency graph settings.
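To make the mechanism described above concrete, here is an added illustration (not GitHub's code) of how a dependency list from the graph can be matched against a CVE-style advisory feed to produce alerts with the four-point severity and a suggested safe version. Package names, advisory IDs and version numbers are constructed, and the advisory format is an assumption for the example.

```python
"""Dependency-graph security alerts, illustrated. All package names,
advisory IDs and versions are constructed; the Advisory layout is an
assumption, not GitHub's real data model."""
from dataclasses import dataclass


@dataclass
class Advisory:
    advisory_id: str       # placeholder, not a real CVE number
    ecosystem: str         # "npm" or "rubygems", the two GitHub tracks
    package: str
    severity: str          # Low / Moderate / High / Critical
    vulnerable_below: str  # every version strictly below this is affected
    patched: list          # versions publicly known to be safe


def parse_version(v):
    """'1.2.10' -> (1, 2, 10): compare numerically, because as strings
    '1.2.9' > '1.2.10' and an affected version would be missed."""
    return tuple(int(p) for p in v.split("."))


def find_alerts(dependencies, advisories):
    """dependencies: {(ecosystem, name): version} as the graph reports it.
    Returns one alert per affected dependency with the lowest safe upgrade."""
    alerts = []
    for adv in advisories:
        current = dependencies.get((adv.ecosystem, adv.package))
        if current is None:
            continue  # not in this repository's graph
        if parse_version(current) >= parse_version(adv.vulnerable_below):
            continue  # already at or past the first fixed release
        # Suggest the smallest patched version that is a real upgrade.
        candidates = [p for p in adv.patched
                      if parse_version(p) > parse_version(current)]
        fix = min(candidates, key=parse_version) if candidates else None
        alerts.append({"ecosystem": adv.ecosystem, "package": adv.package,
                       "current": current, "severity": adv.severity,
                       "advisory": adv.advisory_id, "suggested": fix})
    return alerts


# Constructed sample data so the script runs stand-alone.
SAMPLE_DEPS = {("npm", "left-widget"): "1.2.9",
               ("rubygems", "railsish"): "5.0.1",
               ("npm", "other-lib"): "2.0.0"}
SAMPLE_ADVISORIES = [
    Advisory("EXAMPLE-2017-0001", "npm", "left-widget", "High", "1.2.10", ["1.2.10", "1.3.0"]),
    Advisory("EXAMPLE-2017-0002", "rubygems", "railsish", "Critical", "5.0.2", ["5.0.2"]),
    Advisory("EXAMPLE-2017-0003", "npm", "other-lib", "Low", "1.5.0", ["1.5.0"]),
]

if __name__ == "__main__":
    for a in find_alerts(SAMPLE_DEPS, SAMPLE_ADVISORIES):
        print(f"[{a['severity']}] {a['ecosystem']}/{a['package']} {a['current']} "
              f"({a['advisory']}): upgrade to {a['suggested']}")
```

The `other-lib` entry produces no alert because its version is already past the fixed release, and `left-widget` at 1.2.9 is flagged only because versions are compared numerically rather than as strings.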
Using these new facilities seems like a good idea and the next step in using the world’s largest collection of open source data to help keep code safer.
|Last Updated ( Thursday, 23 November 2017 )|