GitHub Adds Security Alerts
Written by Alex Armstrong
Thursday, 23 November 2017

Using its new dependency graph feature, GitHub is now able to warn you of potential security vulnerabilities in code that a project relies on and to suggest known fixes.

A recent post from Jason Warner on the GitHub blog stated:

There are millions of open source projects on GitHub. If you build software, your code likely depends on at least one of those projects. Now, our data can help you manage increasingly complex dependencies and keep your code safer as you work on connected projects—even for private repositories. 

The innovation he was referring to was the new dependency graph, which displays the projects your code depends on and the projects that depend on your code. To enable it, click Insights under your repository name and then click Dependency graph in the left sidebar.

Warner says:

Now you can see all of the packages and applications you're connected to, without leaving your repository.

This is something of an overstatement, as only Ruby and JavaScript dependencies, declared in a Gemfile or a package.json file respectively, are currently supported. However, this is only a start, and Python dependencies will be the next to be supported.

On the other hand, the advantage of identifying dependencies is already coming on-stream: security alerts, plus advice on how to respond to them.

GitHub tracks public vulnerabilities in Ruby gems and NPM packages on MITRE's Common Vulnerabilities and Exposures (CVE) List. As well as highlighting dependencies that are the source of a potential vulnerability and rating its severity on a four-point scale (Low, Moderate, High, Critical), GitHub aims to provide a solution to the problem.

In her blog post, Introducing security alerts on GitHub, Miju Han writes:

... we’ll highlight any dependencies that we recommend updating. If a known safe version exists, we’ll select one using machine learning and publicly available data, and include it in our suggestion.

Like all recommender systems, this one is expected to improve with use.
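The matching and recommendation process described above, as an added example that is not GitHub's code: a minimal checker that reads a constructed package.json, matches the declared dependencies against constructed advisory records (placeholder IDs, not real CVEs), rates each hit on the four-point scale, and picks the smallest safe version that is not a downgrade, a simple rule that stands in for GitHub's machine-learning selection.

```python
import json
import re
from collections import namedtuple

SEVERITY_ORDER = ("Low", "Moderate", "High", "Critical")  # GitHub's scale, lowest to highest
Alert = namedtuple("Alert", "package installed advisory_id severity recommended")

# Constructed package.json for a hypothetical project, not a real repository
PACKAGE_JSON = """{
  "name": "demo-app",
  "dependencies": {"fast-template": "^2.1.0", "safe-lib": "1.0.0"},
  "devDependencies": {"old-linter": "0.9.2"}
}"""

# Constructed advisories with placeholder IDs; a dependency is affected when its version is below fixed_in
ADVISORIES = [
    {"package": "fast-template", "id": "CVE-PLACEHOLDER-0001", "severity": "High",
     "fixed_in": "2.3.1", "safe_versions": ["2.3.1", "2.4.0", "3.0.0"]},
    {"package": "old-linter", "id": "CVE-PLACEHOLDER-0002", "severity": "Critical",
     "fixed_in": "1.0.0", "safe_versions": ["1.0.0", "1.2.0"]},
    {"package": "safe-lib", "id": "CVE-PLACEHOLDER-0003", "severity": "Low",
     "fixed_in": "0.9.0", "safe_versions": ["0.9.0", "1.0.0"]},  # 1.0.0 is already patched
]

def parse_version(spec):
    """Turn a version or range such as '^2.1.0' into a comparable tuple, dropping range operators."""
    return tuple(int(part) for part in re.sub(r"^[^\d]*", "", spec).split("."))

def list_dependencies(package_json):
    """Collect every declared dependency of a package.json, as the dependency graph does."""
    manifest = json.loads(package_json)
    deps = {}
    for section in ("dependencies", "devDependencies"):
        deps.update(manifest.get(section, {}))
    return deps

def recommend_version(installed, safe_versions):
    """Assumed rule standing in for GitHub's ML: the smallest safe release that is not a downgrade."""
    candidates = [v for v in safe_versions if parse_version(v) >= parse_version(installed)]
    return min(candidates, key=parse_version) if candidates else None

def check_alerts(package_json, advisories):
    """Match each dependency against the advisories; order alerts by severity, Critical first."""
    alerts = []
    for package, spec in list_dependencies(package_json).items():
        for adv in advisories:
            if adv["package"] == package and parse_version(spec) < parse_version(adv["fixed_in"]):
                alerts.append(Alert(package, spec, adv["id"], adv["severity"],
                                    recommend_version(spec, adv["safe_versions"])))
    return sorted(alerts, key=lambda a: SEVERITY_ORDER.index(a.severity), reverse=True)
```

Calling `check_alerts(PACKAGE_JSON, ADVISORIES)` yields two alerts, the Critical one for old-linter first, while safe-lib produces none because its pinned version is already at or above the patched release.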

Han explains:

Vulnerabilities that have CVE IDs (publicly disclosed vulnerabilities from the National Vulnerability Database) will be included in security alerts. However, not all vulnerabilities have CVE IDs—even many publicly disclosed vulnerabilities don't have them. We'll continue to get better at identifying vulnerabilities as our security data grows.

Once your dependency graph is enabled, admins will receive security alerts by default. Admins can also add teams or individuals as recipients for security alerts in the dependency graph settings.

Using these new facilities seems like a good idea and the next step in using the world’s largest collection of open source data to help keep code safer.

More Information

Introducing security alerts on GitHub

About security alerts for vulnerable dependencies

Listing the packages that a repository depends on

Last Updated ( Thursday, 23 November 2017 )
Copyright © 2017 i-programmer.info. All Rights Reserved.