GitHub Dependabot Now Warns Of Vulnerabilities
Tuesday, 19 April 2022

GitHub has updated Dependabot so that the alerts it generates help developers understand how they're affected by a vulnerability. The improvement follows GitHub's recent announcement that Dependabot alerts would be easier to understand and remediate.

Dependabot provides automated dependency updates for Ruby, Python, JavaScript, PHP, .NET, Go, Elixir, Rust, Java and Elm projects. Using it, GitHub is able to monitor dependencies for known security vulnerabilities and automatically open pull requests to update them to the minimum required version.

dependabot

Since GitHub launched Dependabot alerts four years ago, it has alerted users on over 425 million potential vulnerabilities in their open source dependencies.

In February, Dependabot was updated to make it easier to quickly assess, prioritize, and act on Dependabot alerts. The change means that Dependabot alerts are now displayed with one alert per advisory and dependency manifest, rather than being grouped by package. This means the alerts show more useful information about each vulnerability, with more descriptive alert titles, detailed breakdowns on alert severity scoring, and updated information about linked pull requests.

The alerts also have improved searching and tracking, with unique numeric identifiers that GitHub is making available via the GraphQL API.

The most recent improvement is that the alerts now warn if your code is calling vulnerable code paths, so that you can prioritize and remediate alerts more effectively.

GitHub collects information on vulnerable packages in its Advisory Database, and plans to gather information on affected functions for each source library. By using GitHub’s semantic code graph, the team plans to perform static analysis with these functions, and use this to to generate an affected call graph for your repository, which is then made available in a Dependabot alert.This implementation is powered by Stack Graphs, the same framework that powers Precise Code Navigation. The GitHub team say this provides a no-configuration experience that works for any advisories with annotated vulnerable functions.

dependabot

 

More Information

GitHub

Related Articles

GitHub Enterprise Adds Centralized User Accounts

Professional Open Source Software Management

GitHub Security Bug Bounty Milestones

GitHub Adds New Code Security Features

 

 

To be informed about new articles on I Programmer, sign up for our weekly newsletter, subscribe to the RSS feed and follow us on Twitter, Facebook or Linkedin.

Banner


GitHub Introduces New Features At Universe 2022
10/11/2022

GitHub has announced a number of improvements for developers, including Copilot for Business, voice based interaction, and the availability of Codespaces for all users. 



A Giant of Computer Science - Fred Brooks
22/11/2022

Fred Brooks, who managed the development of software for IBM's System/360 family of computers and based his book The Mythical Man-Month on that experience, has died at the age of 91.


More News

picobook

 



 

Comments




or email your comment to: comments@i-programmer.info