GitHub Security Alerts For Python
Written by Kay Ewbank   
Monday, 13 August 2018

GitHub has added Python to the list of languages where you can check out security alerts. Python developers can now see problems on a dependency graph and receive security alerts whenever their repositories depend on packages with known security vulnerabilities.

GitHub security alerts were first announced last October for developers using Ruby and JavaScript packages, and GitHub says four million vulnerabilities have been identified since the launch, prompting the release of many patches.

While this sounds dramatic, what this actually means is not that GitHub has found four million new vulnerabilities. Instead, what they did was to take a list of vulnerable Ruby gems and npm JavaScript packages where vulnerabilities have already been identified and listed in MITRE's Common Vulnerabilities and Exposures list. This list was then compared to the dependency graphs of all public repositories for Ruby and JavaScript, and GitHub found four million vulnerabilities in over 500,000 repositories and displayed an alert to repository admins in their dependency graphs and repository home pages.

In addition to highlighting dependencies that are the source of a potential vulnerability, and their severity on a four-point scale - Low, Moderate, High, or Critical - GitHub aims to provide a solution to the problem.

The GitHub team says:

"Since the launch of security alerts last year, we’ve taken an active role in alerting project maintainers of known-vulnerable libraries in RubyGems for Ruby and npm for Javascript. In almost all cases, there’s a new, patched version of the library we can recommend in the alert."

The dependency graph is a chart that displays the projects your code depends on and projects that depend on your code. It can be enabled by clicking Insights under your repository name then clicking Dependency graph in the left sidebar.

The newly announced Python support means Python users can now access the dependency graph and receive security alerts whenever their repositories depend on packages with known security vulnerabilities. Python projects have to have their dependencies defined in a requirements.txt or pipfile.lock file in order to enable the dependency graph. 

GitHub says the new platform has been launched with a relatively small set of recent vulnerabilities. Over the coming weeks, more historical Python vulnerabilities will be added to the database so the security alerts will become more useful. As new vulnerabilities in Python libraries are discovered, alerts will be sent to Python repository admins whose repositories show dependencies on those libraries. 

githubdeklogo
 

More Information

GitHub article about security alerts for vulnerable dependencies

GitHub instructions for listing the packages that a repository depends on

Related Articles

GitHub Adds Security Alerts 

GitHub For Unity Now Available

Microsoft Buys GitHub - Get Ready For a Bigger Devil

GitHub Marketplace Now Accepts Free Apps and Offers Free Trials

GitHub Enterprise Adds Team Discussions

Visual Studio Improves Gaming Tools For Unity

To be informed about new articles on I Programmer, sign up for our weekly newsletter, subscribe to the RSS feed and follow us on Twitter, Facebook or Linkedin.

Banner


GitHub Announces Open Source Security Fund
03/12/2024

A new security-focused program, the GitHub Secure Open Source Fund, will invest $1.25M across 125 open source projects. The project is backed by the support of organizations including American Express [ ... ]



The PostgreSQL Extension Repo By Pigsty
09/12/2024

A repository containing any PostgreSQL extension you can imagine for Linux distributions is something that might be valuable if you are trying to save some time.


More News

espbook

 

Comments




or email your comment to: comments@i-programmer.info

Last Updated ( Monday, 13 August 2018 )