GitHub to Warn Users of Vulnerabilities in Their Projects
GitHub said Thursday it can now help developers find and fix vulnerabilities in their dependencies.
GitHub, the popular development platform and repository hosting service, announced this week that it can now help developers find and fix vulnerabilities in their dependencies.
In programming, dependencies are the external libraries or packages that a project's own code relies on, including packages pulled in indirectly by other dependencies.
The platform, one of the world's largest code hosting services, said Thursday it will begin tracking public vulnerabilities and notify users if any of their projects' dependencies are affected. GitHub will track vulnerabilities in Ruby gems and NPM (JavaScript) packages on MITRE's Common Vulnerabilities and Exposures (CVE) list to start, but the company plans to bring support to Python in 2018, according to the company's Director of Product Miju Han.
The company will offer project managers help through a feature it already offers called the dependency graph. If a user has it enabled - something done by default for public repositories - they'll receive alerts for potential vulnerabilities. GitHub says it plans to call out any dependencies it considers vulnerable and whether or not it recommends updating. If there's a safer version of a dependency, the company says it will use a combination of machine learning and publicly available data to select one. Users with private repositories, meanwhile, will have to opt in to receive security alerts.
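The alert flow described above (walk a project's dependency graph, match each package against a vulnerability list, recommend a fixed version) can be illustrated with a small script. The following is an added example, not GitHub's code or the dependency graph feature itself; it operates on an npm package-lock-style tree and an advisory list that are both constructed sample data here, with placeholder advisory IDs rather than real CVE numbers. It goes slightly beyond the article by also reporting transitive dependencies with the path through which they are pulled in.

```javascript
// Added example (not GitHub's code): a minimal dependency-alert check in
// the spirit of the feature described above. It walks an npm
// package-lock-style dependency tree (including transitive dependencies),
// matches each package against a list of advisories, and reports the
// affected packages together with the lowest version that fixes them.
// Both the advisory list and the lockfile are constructed sample data.

// Constructed advisories. IDs are placeholders, not real CVE numbers.
// Versions >= "from" and < "below" are considered affected; "below" is
// the first fixed version.
const SAMPLE_ADVISORIES = [
  { id: "PLACEHOLDER-ADVISORY-1", name: "example-lib", from: "1.0.0", below: "1.2.0" },
  { id: "PLACEHOLDER-ADVISORY-2", name: "example-lib", from: "1.0.0", below: "1.3.1" },
  { id: "PLACEHOLDER-ADVISORY-3", name: "example-nested", from: "0.0.0", below: "1.0.0" },
  { id: "PLACEHOLDER-ADVISORY-4", name: "example-other", from: "2.0.0", below: "2.4.0" },
];

// Constructed package-lock v1 style tree: "example-nested" is a transitive
// dependency pulled in by "example-other".
const SAMPLE_LOCKFILE = {
  dependencies: {
    "example-lib": { version: "1.1.0" },
    "example-other": {
      version: "2.5.0",
      dependencies: { "example-nested": { version: "0.9.1" } },
    },
  },
};

// Parse "v1.2.3-beta" into [1, 2, 3]; pre-release tags are dropped
// (assumption: numeric comparison is enough for this demonstration).
function parseVersion(v) {
  const core = String(v).replace(/^v/, "").split(/[-+]/)[0];
  return core.split(".").map((n) => parseInt(n, 10) || 0);
}

// Comparator: negative if a < b, zero if equal, positive if a > b.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  const len = Math.max(pa.length, pb.length);
  for (let i = 0; i < len; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

function isAffected(version, adv) {
  return compareVersions(version, adv.from) >= 0 && compareVersions(version, adv.below) < 0;
}

// Flatten the tree into [{ name, version, path }], recursing into nested
// "dependencies" so transitive packages are checked too.
function walkDependencies(node, path = [], out = []) {
  for (const [name, info] of Object.entries(node.dependencies || {})) {
    const here = [...path, name];
    out.push({ name, version: info.version, path: here.join(" > ") });
    walkDependencies(info, here, out);
  }
  return out;
}

// One alert per installed package that matches any advisory. fixVersion is
// the highest "below" among the matches, so upgrading to it clears every
// listed advisory at once.
function findVulnerableDependencies(lockfile, advisories) {
  const alerts = [];
  for (const dep of walkDependencies(lockfile)) {
    const matches = advisories.filter((a) => a.name === dep.name && isAffected(dep.version, a));
    if (matches.length === 0) continue;
    const fixed = matches.map((a) => a.below).sort(compareVersions);
    alerts.push({
      name: dep.name,
      version: dep.version,
      path: dep.path,
      advisories: matches.map((a) => a.id),
      fixVersion: fixed[fixed.length - 1],
    });
  }
  return alerts;
}

// Stand-alone run: print a short report for the constructed sample data.
for (const a of findVulnerableDependencies(SAMPLE_LOCKFILE, SAMPLE_ADVISORIES)) {
  console.log(`${a.path} ${a.version}: ${a.advisories.join(", ")} -> upgrade to ${a.fixVersion}`);
}
```

Run with `node` to see two alerts: `example-lib` (affected by two advisories, so the suggested fix is the higher patched version, 1.3.1) and the transitive `example-nested`, while `example-other` at 2.5.0 is already past its advisory's fixed version. A real version comparison would also have to handle pre-release ordering and range syntax, which this example deliberately leaves out.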
A .gif the company posted, below, demonstrates the feature in action: it shows an alert for a known vulnerability in a user's Rails dependency and a suggested fix.
The company admits identifying vulnerabilities can be a difficult, sometimes nebulous thing to do. Some vulnerabilities, even major ones, don't receive CVE IDs from the National Vulnerability Database. With that in mind, Han says GitHub will do its best to ferret out vulnerabilities without CVEs and notify coders.
"We'll continue to get better at identifying vulnerabilities as our security data grows..." Han wrote Thursday, "This is the next step in using the world’s largest collection of open source data to help you keep code safer and do your best work."