GitHub Dependabot Now Warns Of Vulnerabilities
Tuesday, 19 April 2022

GitHub has updated Dependabot so that the alerts it generates help developers understand how they're affected by a vulnerability. The improvement follows GitHub's recent announcement that Dependabot alerts would be easier to understand and remediate.

Dependabot provides automated dependency updates for Ruby, Python, JavaScript, PHP, .NET, Go, Elixir, Rust, Java and Elm projects. Using it, GitHub is able to monitor dependencies for known security vulnerabilities and automatically open pull requests to update them to the minimum required version.

dependabot

Since GitHub launched Dependabot alerts four years ago, it has alerted users on over 425 million potential vulnerabilities in their open source dependencies.

In February, Dependabot was updated to make it easier to quickly assess, prioritize, and act on Dependabot alerts. The change means that Dependabot alerts are now displayed with one alert per advisory and dependency manifest, rather than being grouped by package. This means the alerts show more useful information about each vulnerability, with more descriptive alert titles, detailed breakdowns on alert severity scoring, and updated information about linked pull requests.

The alerts also have improved searching and tracking, with unique numeric identifiers that GitHub is making available via the GraphQL API.

The most recent improvement is that the alerts now warn if your code is calling vulnerable code paths, so that you can prioritize and remediate alerts more effectively.

GitHub collects information on vulnerable packages in its Advisory Database, and plans to gather information on affected functions for each source library. By using GitHub’s semantic code graph, the team plans to perform static analysis with these functions, and use this to to generate an affected call graph for your repository, which is then made available in a Dependabot alert.This implementation is powered by Stack Graphs, the same framework that powers Precise Code Navigation. The GitHub team say this provides a no-configuration experience that works for any advisories with annotated vulnerable functions.

dependabot

 

More Information

GitHub

Related Articles

GitHub Enterprise Adds Centralized User Accounts

Professional Open Source Software Management

GitHub Security Bug Bounty Milestones

GitHub Adds New Code Security Features

 

 

To be informed about new articles on I Programmer, sign up for our weekly newsletter, subscribe to the RSS feed and follow us on Twitter, Facebook or Linkedin.

Banner


A Turing Machine In LEGO
06/10/2024

A Turing Machine is one of those abstract ideas that is much easier to undertand if you can see it working. Now there's a proposal on the LEGO Ideas site for a Working Turing Machine. Lend it your sup [ ... ]



Tcl/Tk 9 Released
01/10/2024

Tcl/Tk 9 has been released with changes including 64-bit capacity, and improvements to the handling of Unicode and encodings.


More News

espbook

 

Comments




or email your comment to: comments@i-programmer.info