|GitHub Dependabot Now Warns Of Vulnerabilities|
|Tuesday, 19 April 2022|
GitHub has updated Dependabot so that the alerts it generates help developers understand how they're affected by a vulnerability. The improvement follows GitHub's recent announcement that Dependabot alerts would be easier to understand and remediate.
Since GitHub launched Dependabot alerts four years ago, it has alerted users on over 425 million potential vulnerabilities in their open source dependencies.
In February, Dependabot was updated to make it easier to quickly assess, prioritize, and act on Dependabot alerts. The change means that Dependabot alerts are now displayed with one alert per advisory and dependency manifest, rather than being grouped by package. This means the alerts show more useful information about each vulnerability, with more descriptive alert titles, detailed breakdowns on alert severity scoring, and updated information about linked pull requests.
The alerts also have improved searching and tracking, with unique numeric identifiers that GitHub is making available via the GraphQL API.
The most recent improvement is that the alerts now warn if your code is calling vulnerable code paths, so that you can prioritize and remediate alerts more effectively.
GitHub collects information on vulnerable packages in its Advisory Database, and plans to gather information on affected functions for each source library. By using GitHub’s semantic code graph, the team plans to perform static analysis with these functions, and use this to to generate an affected call graph for your repository, which is then made available in a Dependabot alert.This implementation is powered by Stack Graphs, the same framework that powers Precise Code Navigation. The GitHub team say this provides a no-configuration experience that works for any advisories with annotated vulnerable functions.
or email your comment to: firstname.lastname@example.org