Ten years ago, GitHub introduced the pull request that created a standard process for managing contributions. Now the team is focussed on building better-defined processes for managing vulnerabilities in open source code.
Along with the Semmle acquisition, the code hosting platform has disclosed a number of improvements that make it easier for maintainers and developers to fix and protect against vulnerabilities.
Semmle joins GitHub
GitHub has announced the acquisition of Semmle, a code analysis tool that helps developers and security researchers discover potential vulnerabilities in their code.
“Their code analysis engine—named QL—combines the latest research in compiler optimization with insights in database implementation. It understands the complex data structures inherent in code, and makes analysis available to researchers using a declarative, object-oriented query language,” GitHub writes in a blog post.
According to GitHub, over 100 CVEs have been found in open source projects using Semmle, including in high-profile projects such as Apache Struts, Apple’s XNU, the Linux kernel, Memcached, U-Boot and VLC.
“No other code analysis tool has a similar success rate,” it claimed.
GitHub says that it is in the early stages of bringing the Semmle technology to its users.
Security policies
After a researcher or developer finds a vulnerability, the next step is to coordinate disclosure with the project maintainer. GitHub has introduced security policies to enable its users to report security vulnerabilities safely for any OSS project.
“Once a vulnerability is reported for a project, the project’s maintainers can create a security advisory so the researcher, maintainer and development team can privately coordinate on how best to address the vulnerability,” GitHub explains in its blog post.
GitHub will review each published advisory and may use the advisory to send security alerts to affected repositories.
GitHub currently issues alerts for advisories that were reported directly on GitHub, as well as vulnerabilities from other sources, such as the National Vulnerability Database, MITRE and WhiteSource.
GitHub is now a CVE Numbering Authority
GitHub has been approved as a Common Vulnerabilities and Exposures (CVE) Numbering Authority for open source projects. This means GitHub will be able to issue CVEs for security advisories opened on GitHub.
Earlier this year, GitHub acquired Dependabot, which has enabled it to provide automatic security fixes natively within its platform.
With automatic security fixes, developers no longer need to manually patch their dependencies: when a vulnerability is found in a dependency, GitHub will automatically issue a pull request on downstream repositories with the information needed to accept the patch.
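The alerting and automatic-fix flow above rests on one mechanical step: an advisory names a package and a vulnerable version range, and a repository whose manifest pins a version inside that range is affected and should be offered the patched version. The following is an added example, not GitHub's or Dependabot's code, that models that step. The advisory identifiers, package names and manifest are constructed sample data; the range syntax (`>= 2.0.0, < 2.0.5`) follows the style of GitHub's advisory data, but the parser and the `plan_fixes` helper are this example's own.

```python
import operator
import re
from dataclasses import dataclass

# Comparison operators accepted in a range clause; clauses are ANDed.
_OPS = {
    ">=": operator.ge,
    "<=": operator.le,
    ">": operator.gt,
    "<": operator.lt,
    "=": operator.eq,
}
_CLAUSE = re.compile(r"^\s*(>=|<=|>|<|=)\s*([0-9]+(?:\.[0-9]+)*)\s*$")


def parse_version(text):
    """'2.0.10' -> (2, 0, 10): tuples compare numerically, so 2.0.10 > 2.0.5.
    Comparing the raw strings would wrongly rank '2.0.10' below '2.0.5'."""
    return tuple(int(part) for part in text.strip().split("."))


def parse_range(spec):
    """'>= 2.0.0, < 2.0.5' -> [(ge, (2, 0, 0)), (lt, (2, 0, 5))]."""
    clauses = []
    for raw in spec.split(","):
        m = _CLAUSE.match(raw)
        if m is None:
            raise ValueError(f"unrecognised range clause: {raw!r}")
        clauses.append((_OPS[m.group(1)], parse_version(m.group(2))))
    return clauses


def is_affected(version, spec):
    """True when `version` satisfies every clause of the vulnerable range."""
    v = parse_version(version)
    return all(cmp(v, bound) for cmp, bound in parse_range(spec))


@dataclass(frozen=True)
class Advisory:
    ghsa_id: str          # placeholder id in the samples below, not a real advisory
    ecosystem: str
    package: str
    vulnerable_range: str
    patched_version: str


def plan_fixes(manifest, advisories):
    """For each dependency pinned inside an advisory's vulnerable range,
    return the version bump a fix pull request would propose.
    `manifest` maps (ecosystem, package) -> pinned version string."""
    fixes = []
    for adv in advisories:
        pinned = manifest.get((adv.ecosystem, adv.package))
        if pinned is not None and is_affected(pinned, adv.vulnerable_range):
            fixes.append({
                "advisory": adv.ghsa_id,
                "package": adv.package,
                "from": pinned,
                "to": adv.patched_version,
            })
    return fixes


# Constructed sample data: neither the advisories nor the project are real.
SAMPLE_ADVISORIES = [
    Advisory("GHSA-xxxx-xxxx-xxxx", "npm", "example-lib", ">= 2.0.0, < 2.0.5", "2.0.5"),
    Advisory("GHSA-yyyy-yyyy-yyyy", "pip", "other-lib", "< 1.2.0", "1.2.0"),
]
SAMPLE_MANIFEST = {
    ("npm", "example-lib"): "2.0.3",   # inside the vulnerable range: affected
    ("npm", "helper-lib"): "0.9.1",    # no advisory covers it
    ("pip", "other-lib"): "1.2.0",     # already on the patched version
}

if __name__ == "__main__":
    for fix in plan_fixes(SAMPLE_MANIFEST, SAMPLE_ADVISORIES):
        print(f"{fix['package']}: {fix['from']} -> {fix['to']} ({fix['advisory']})")
```

Only `example-lib` produces a fix: `other-lib` is already on the patched release, and `helper-lib` has no advisory. The numeric tuple comparison is the part worth keeping in mind when writing any such matcher, since a string comparison would treat `2.0.10` as older than `2.0.5` and misclassify it.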