GitHub Dependabot Now Warns Of Vulnerabilities
Tuesday, 19 April 2022

GitHub has updated Dependabot so that the alerts it generates help developers understand how they're affected by a vulnerability. The improvement follows GitHub's recent announcement that Dependabot alerts would be easier to understand and remediate.

Dependabot provides automated dependency updates for Ruby, Python, JavaScript, PHP, .NET, Go, Elixir, Rust, Java and Elm projects. Using it, GitHub is able to monitor dependencies for known security vulnerabilities and automatically open pull requests to update them to the minimum required version.

Since GitHub launched Dependabot alerts four years ago, it has alerted users on over 425 million potential vulnerabilities in their open source dependencies.

In February, Dependabot was updated to make it easier to quickly assess, prioritize, and act on Dependabot alerts. The change means that Dependabot alerts are now displayed with one alert per advisory and dependency manifest, rather than being grouped by package. This means the alerts show more useful information about each vulnerability, with more descriptive alert titles, detailed breakdowns on alert severity scoring, and updated information about linked pull requests.

The alerts also have improved searching and tracking, with unique numeric identifiers that GitHub is making available via the GraphQL API.

The most recent improvement is that the alerts now warn if your code is calling vulnerable code paths, so that you can prioritize and remediate alerts more effectively.

GitHub collects information on vulnerable packages in its Advisory Database, and plans to gather information on the affected functions for each source library. Using GitHub's semantic code graph, the team plans to perform static analysis against these functions and use the results to generate an affected call graph for your repository, which is then surfaced in the Dependabot alert. This implementation is powered by Stack Graphs, the same framework that powers Precise Code Navigation. The GitHub team say this provides a no-configuration experience that works for any advisory with annotated vulnerable functions.
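To make the call-path idea concrete, here is an added example, not GitHub's code and not Stack Graphs: it builds a call graph from a constructed Python module with the standard `ast` module and reports every function from which an advisory's annotated vulnerable function is reachable, with the shortest call chain as evidence. The package `examplelib`, its function `parse` and the repository source are constructed for the illustration.

```python
import ast
from collections import deque

VULNERABLE = {"examplelib.parse"}  # constructed advisory: annotated vulnerable functions
REPO_SOURCE = """
import examplelib
from examplelib import render
def load(data):
    return examplelib.parse(data)
def handle_request(req):
    return load(req)
def render_only(item):
    return render(item)
"""  # constructed repository module that depends on the advised package

def build_call_graph(source):
    """Map each top-level function to the qualified names it calls."""
    tree = ast.parse(source)
    aliases = {}  # local name -> qualified name, from the import statements
    for node in tree.body:
        if isinstance(node, ast.Import):
            aliases.update({a.asname or a.name: a.name for a in node.names})
        elif isinstance(node, ast.ImportFrom):
            aliases.update({a.asname or a.name: f"{node.module}.{a.name}"
                            for a in node.names})
    def qualify(func):  # resolve a call target through the import aliases
        if isinstance(func, ast.Name):
            return aliases.get(func.id, func.id)
        if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
            return f"{aliases.get(func.value.id, func.value.id)}.{func.attr}"
        return None
    return {fn.name: {qualify(c.func) for c in ast.walk(fn)
                      if isinstance(c, ast.Call) and qualify(c.func)}
            for fn in tree.body if isinstance(fn, ast.FunctionDef)}

def affected_paths(graph, vulnerable):
    """Return {function: shortest call chain} for every repository function from which a vulnerable function is reachable."""
    result = {}
    for entry in graph:  # breadth-first search from each function
        queue, seen = deque([[entry]]), {entry}
        while queue and entry not in result:
            path = queue.popleft()
            for callee in graph[path[-1]]:
                if callee in vulnerable:
                    result[entry] = path + [callee]
                    break
                if callee in graph and callee not in seen:
                    seen.add(callee)
                    queue.append(path + [callee])
    return result
```

Running `affected_paths(build_call_graph(REPO_SOURCE), VULNERABLE)` flags `load` and `handle_request` but not `render_only`, which uses the advised package without touching the vulnerable function.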

More Information

GitHub

Related Articles

GitHub Enterprise Adds Centralized User Accounts

Professional Open Source Software Management

GitHub Security Bug Bounty Milestones

GitHub Adds New Code Security Features
