GitHub warns developers when their projects include vulnerable libraries

The code hosting service GitHub warns developers when including certain flawed software libraries in their projects and suggest fixes to solve the issues.

The code hosting service warns developers when including certain flawed software libraries in their projects and provides advice on how to address the issue.

GitHub has recently introduced the Dependency Graph, a feature that lists all the libraries used by a project. The new feature supports JavaScript and Ruby, and the company also plans to add the support for Python next year.

The new security feature is designed to alert developers when one of their project’s dependencies has known flaws. The Dependency graph and the security alerts feature have been automatically enabled for public repositories, but they are opt-in for private repositories.

The availability of a dependency graph allows to notify the owners of the projects when it detects a Known security vulnerability in one of the dependencies and suggest known fixes from the GitHub community.

“Today, for the over 75 percent of GitHub projects that have dependencies, we’re helping you do more than see those important projects. With your dependency graph enabled, we’ll now notify you when we detect a vulnerability in one of your dependencies and suggest known fixes from the GitHub community.” states GitHub on the introduction of the security alerts.

GitHub provides developers the type of flaw, the associated severity, and affected versions, the user interface includes a link that points to a page where additional details are available.

Administrators can also choose the form of warnings, including email alerts, web notifications, and warnings via the user interface, selecting also the final recipient of the message (individuals or groups).

The code hosting service relies on both Ruby gems and NPM packages on MITRE’s Common Vulnerabilities and Exposures (CVE) list in order to determine if a project is using flawed libraries.

“Vulnerabilities that have CVE IDs (publicly disclosed vulnerabilities from the National Vulnerability Database) will be included in security alerts. However, not all vulnerabilities have CVE IDs—even many publicly disclosed vulnerabilities don’t have them.” continues GitHub.

“This is the next step in using the world’s largest collection of open source data to help you keep code safer and do your best work. The dependency graph and security alerts currently support Javascript and Ruby—with Python support coming in 2018.”

Since many publicly disclosed vulnerabilities don’t have CVEs, GitHub will also try to warn users of flaws that still haven’t received the code.

“We’ll continue to get better at identifying vulnerabilities as our security data grows,” GitHub added.

In the presence of a security patch for a vulnerability discovered by GitHub, the service advises the developers to update or adopt a fix provided by the community.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini 

(Security Affairs – Dependency Graph, security)

[adrotate banner=”5″]

[adrotate banner=”13″]