Using its new dependency graph feature, GitHub is now able to warn you of potential security vulnerabilities in code that a project relies on and to suggest known fixes.

A recent post from Jason Warner on the GitHub blog stated:

There are millions of open source projects on GitHub. If you build software, your code likely depends on at least one of those projects. Now, our data can help you manage increasingly complex dependencies and keep your code safer as you work on connected projects—even for private repositories. 

The innovation he was referring to was the new dependency graph that displays projects your code depends on and projects that depend on your code. To enable it simply click Insights under your repository name and click Dependency graph in the left sidebar.

Warner says:

Now you can see all of the packages and applications you're connected to, without leaving your repository.

This is something of an overstatement as only Ruby and JavaScript dependencies in either a Gemfile or package.json file are currently supported. However, this is only a start. Python dependencies will be the next to be supported.

On the other hand the advantage of identifying dependencies is already coming on-stream - security alerts plus advice as to how to respond to them.

GitHub tracks public vulnerabilities in Ruby gems and NPM packages on MITRE's Common Vulnerabilities and Exposures (CVE) List. As well as highlighting dependencies that are the source of a potential vulnerability, and its severity on a four-point scale - Low, Moderate, High, Critical, GitHub aims to provide a solution to the problem.

In her blog post Introducing security alerts on GitHub Miju Han writes:

... we’ll highlight any dependencies that we recommend updating. If a known safe version exists, we’ll select one using machine learning and publicly available data, and include it in our suggestion.

Like all recommender systems, this one is expected to improve with use.

Han explains:

Vulnerabilities that have CVE IDs (publicly disclosed vulnerabilities from the National Vulnerability Database) will be included in security alerts. However, not all vulnerabilities have CVE IDs—even many publicly disclosed vulnerabilities don't have them. We'll continue to get better at identifying vulnerabilities as our security data grows.

Once your dependency graph is enabled, admins will receive security alerts by default. Admins can also add teams or individuals as recipients for security alerts in the dependency graph settings.

Using these new facilities seems like a good idea and the next step in using the world’s largest collection of open source data to help keep code safer.

More Information

Introducing security alerts on GitHub

About security alerts for vulnerable dependencies

Listing the packages that a repository depends on

Related Articles

GitHub's Latest State Of The Octoverse

GitHub Introduces Code Owners

GitHub Platform and Community Improvements

To be informed about new articles on I Programmer, sign up for our weekly newsletter, subscribe to the RSS feed and follow us on Twitter, Facebook or Linkedin.

Comments

Make a Comment or View Existing Comments Using Disqus

or email your comment to: comments@i-programmer.info