GitHub Dependabot Now Warns Of Vulnerabilities
Tuesday, 19 April 2022

GitHub has updated Dependabot so that the alerts it generates help developers understand how they're affected by a vulnerability. The improvement follows GitHub's recent announcement that Dependabot alerts would be easier to understand and remediate.

Dependabot provides automated dependency updates for Ruby, Python, JavaScript, PHP, .NET, Go, Elixir, Rust, Java and Elm projects. Using it, GitHub is able to monitor dependencies for known security vulnerabilities and automatically open pull requests to update them to the minimum required version.

dependabot

Since GitHub launched Dependabot alerts four years ago, it has alerted users on over 425 million potential vulnerabilities in their open source dependencies.

In February, Dependabot was updated to make it easier to quickly assess, prioritize, and act on Dependabot alerts. The change means that Dependabot alerts are now displayed with one alert per advisory and dependency manifest, rather than being grouped by package. This means the alerts show more useful information about each vulnerability, with more descriptive alert titles, detailed breakdowns on alert severity scoring, and updated information about linked pull requests.

The alerts also have improved searching and tracking, with unique numeric identifiers that GitHub is making available via the GraphQL API.

The most recent improvement is that the alerts now warn if your code is calling vulnerable code paths, so that you can prioritize and remediate alerts more effectively.

GitHub collects information on vulnerable packages in its Advisory Database, and plans to gather information on affected functions for each source library. By using GitHub’s semantic code graph, the team plans to perform static analysis with these functions, and use this to to generate an affected call graph for your repository, which is then made available in a Dependabot alert.This implementation is powered by Stack Graphs, the same framework that powers Precise Code Navigation. The GitHub team say this provides a no-configuration experience that works for any advisories with annotated vulnerable functions.

dependabot

 

More Information

GitHub

Related Articles

GitHub Enterprise Adds Centralized User Accounts

Professional Open Source Software Management

GitHub Security Bug Bounty Milestones

GitHub Adds New Code Security Features

 

 

To be informed about new articles on I Programmer, sign up for our weekly newsletter, subscribe to the RSS feed and follow us on Twitter, Facebook or Linkedin.

Banner


Feel Your Way Through VR Spider's Webs
02/05/2022

The mouth comes a close second to the fingertips in terms of tactile sensitivity. This led researchers from the Future Interfaces Group of the Human-Computer Interaction Institute at Carnegie Mellon U [ ... ]



CanIPHP - Like CanIUse But For PHP
10/05/2022

A new tool called CanIPHP has been released. As the name suggests, the tool is like caniuse.com but for PHP features.


More News

pythondata

 



 

Comments




or email your comment to: comments@i-programmer.info