GitHub Buys Semmle, Becomes CVE Numbering Authority
Written by Kay Ewbank   
Thursday, 19 September 2019

GitHub has acquired code analysis company Semmle and will make Semmle's code analyis engine available to all public repositories. GitHub has also become a Common Vulnerabilities and Exposures (CVE) Numbering Authority, making it easier to report vulnerabilities directly from your repositories.

Semmle's main product, QL, is a code analysis tool that you can use to find potential vulnerabilities in your code. It has a query language that you can use to write and execute QL queries locally from most IDEs using a QL plugin, or there's a query console for use in your web browser.  The Semmle team says QL performs variant analysis, where a known vulnerability is used as a seed to find similar problems in your code. QL ships with libraries to perform control and data flow analysis, taint tracking and explore known threat models. Supported languages include C/C++, C#, Java, JavaScript, and Python.

githubdeklogo

QL is also used in Semmle’s other main product, LGTM (Looks Good to Me). which analyses every commit to identify vulnerabilities early. LGTM automatically runs over 1,600 standard analyses on every code change. GitHub plans to make QL available via GitHub Actions. According to Semmle more than 100 open source CVEs have been found using QL.

In a related announcement, GitHub said it has become a CVE Numbering Authority for open source projects. Common Vulnerabilities and Exposures (CVE) Numbering Authorities are authorized to assign CVE IDs to vulnerabilities affecting products in a particular area - open source projects in this case. The CVE IDs are then included in first-time public announcements of new vulnerabilities.  The fact that GitHub is a CVE Numbering Authority will make it easier for code maintainers to report vulnerabilities directly from their repositories. GitHub will assign a CVE ID, post to the CVE List, and then to the National Vulnerability Database (NVD) on a developer’s behalf.

Commenting on the announcements, Shanku Niyogi, GitHub SVP, said:

"We believe that fast, unfettered movement of vulnerability data is critical to improving software security"

githubdeklogo.

More Information

Semmle Homepage

GitHub Homepage

Related Articles

GitHub Adds New Code Security Features

GitHub Acquires Pull Panda

Counting Vulnerabilities In Open Source Projects and Programming Languages

Don't Neglect Open Source Security

GitHub Sponsors - Money For Open Source

GitHub Bug Bounty Program Expanded In Scope and Reward 

Microsoft GitHub - What's Different  

To be informed about new articles on I Programmer, sign up for our weekly newsletter, subscribe to the RSS feed and follow us on Twitter, Facebook or Linkedin.

Banner


Google Intensive AI Course - Free On Kaggle
05/11/2024

Google is offering a 5-Day Gen AI Intensive Course designed to equip data scientists with the knowledge and skills to tackle generative AI projects with confidence. It runs on the Kaggle platform from [ ... ]



Flutter Forked As Flock
05/11/2024

One of developers who worked on the Flutter team at Google has created an open-source form of the framework. Matt Carroll says Flock will be "Flutter+", will remain constantly up to date with Flutter, [ ... ]


More News

espbook

 

Comments




or email your comment to: comments@i-programmer.info

Last Updated ( Thursday, 19 September 2019 )