GitHub Security Alerts For Python
Written by Kay Ewbank   
Monday, 13 August 2018

GitHub has added Python to the list of languages where you can check out security alerts. Python developers can now see problems on a dependency graph and receive security alerts whenever their repositories depend on packages with known security vulnerabilities.

GitHub security alerts were first announced last October for developers using Ruby and JavaScript packages, and GitHub says four million vulnerabilities have been identified since the launch, prompting the release of many patches.

While this sounds dramatic, what this actually means is not that GitHub has found four million new vulnerabilities. Instead, what they did was to take a list of vulnerable Ruby gems and npm JavaScript packages where vulnerabilities have already been identified and listed in MITRE's Common Vulnerabilities and Exposures list. This list was then compared to the dependency graphs of all public repositories for Ruby and JavaScript, and GitHub found four million vulnerabilities in over 500,000 repositories and displayed an alert to repository admins in their dependency graphs and repository home pages.

In addition to highlighting dependencies that are the source of a potential vulnerability, and their severity on a four-point scale - Low, Moderate, High, or Critical - GitHub aims to provide a solution to the problem.

The GitHub team says:

"Since the launch of security alerts last year, we’ve taken an active role in alerting project maintainers of known-vulnerable libraries in RubyGems for Ruby and npm for Javascript. In almost all cases, there’s a new, patched version of the library we can recommend in the alert."

The dependency graph is a chart that displays the projects your code depends on and projects that depend on your code. It can be enabled by clicking Insights under your repository name then clicking Dependency graph in the left sidebar.

The newly announced Python support means Python users can now access the dependency graph and receive security alerts whenever their repositories depend on packages with known security vulnerabilities. Python projects have to have their dependencies defined in a requirements.txt or pipfile.lock file in order to enable the dependency graph. 

GitHub says the new platform has been launched with a relatively small set of recent vulnerabilities. Over the coming weeks, more historical Python vulnerabilities will be added to the database so the security alerts will become more useful. As new vulnerabilities in Python libraries are discovered, alerts will be sent to Python repository admins whose repositories show dependencies on those libraries. 

githubdeklogo
 

More Information

GitHub article about security alerts for vulnerable dependencies

GitHub instructions for listing the packages that a repository depends on

Related Articles

GitHub Adds Security Alerts 

GitHub For Unity Now Available

Microsoft Buys GitHub - Get Ready For a Bigger Devil

GitHub Marketplace Now Accepts Free Apps and Offers Free Trials

GitHub Enterprise Adds Team Discussions

Visual Studio Improves Gaming Tools For Unity

To be informed about new articles on I Programmer, sign up for our weekly newsletter, subscribe to the RSS feed and follow us on, Twitter, Facebook or Linkedin.

Banner


Microsoft Aims For Better Visual Studio Extensions
30/10/2020

Microsoft says it is creating a new extensibility model for the Visual Studio IDE. The aim is to make extensions more reliable, easier to write, and supported locally and in the cloud.



SIGGRAPH ASIA 2020 -The Trailer
04/11/2020

SIGGRAPH ASIA is increasingly important and this year it is running 4-13 December - but as an online event. This means more of us can join in. See the technical paper video - you won't regret the time [ ... ]


More News

square

 



 

Comments




or email your comment to: comments@i-programmer.info

Last Updated ( Monday, 13 August 2018 )