GitHub's new security mechanism: security alerts will appear when developers introduce insecure libraries

Published on: 11-21


Code hosting service GitHub has added a new feature that warns developers when their projects depend on software libraries with known vulnerabilities and suggests fixes to resolve the issue.


GitHub recently introduced dependency graphs, a feature that lists all the libraries used by a project. The feature currently supports JavaScript and Ruby, and the company plans to add support for Python next year.

The new security feature is designed to alert developers when a project's dependencies are vulnerable. GitHub has automatically enabled dependency graphs and security alerts for public repositories, but not for private repositories.


Once the dependency graph is enabled, GitHub can detect that a project uses a vulnerable library, notify the project owners, and point them to a fix.

"Over 75% of GitHub projects today have dependencies, and we need to do more than help people see these important projects. With your dependency graph enabled, we will now notify you when we detect a vulnerability in one of your dependencies and suggest fixes accordingly," GitHub said.

JavaScript and Ruby projects are currently supported: the dependency graph reads package.json files (for JavaScript projects) and Gemfiles (for Ruby projects). Support for Python is expected to be added next year.


The new security feature built on the dependency graph is an alert system that warns users when one of the dependencies declared in these manifest files is affected by a publicly known vulnerability. The GIF below shows how these alerts work.



The dependency graph also sends email notifications in two cases: when a project's dependency information changes to include a vulnerable library, and when GitHub adds a newly published vulnerability to its database that affects a dependency the project already uses.
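The manifest-driven matching the article describes, as an added example that is not GitHub's own code (GitHub's matcher is not public): it reads a constructed package.json and Gemfile, compares the declared dependency versions against a constructed advisory list, and shows which alerts appear only once a new advisory lands in the database (the second notification trigger above). Package names, advisory ids and versions are all hypothetical, and, since no lockfile is present, the lower bound of each version range is assumed to be the version that gets installed.

```python
import json
import re

# Constructed sample manifests (hypothetical packages, not from any real project).
PACKAGE_JSON = """{
  "name": "demo-app",
  "dependencies": {"acme-templating": "^1.4.0", "acme-router": "~2.0.3"},
  "devDependencies": {"acme-test-runner": "0.9.1"}
}"""

GEMFILE = """source 'https://rubygems.org'
gem 'rails', '~> 5.1'
gem "acme_auth", ">= 2.3.0"
gem 'acme_yaml_loader'
"""

# Constructed advisory database. Hypothetical package names and placeholder
# advisory ids (not CVE ids). `fixed_in` is the first non-vulnerable release,
# or None when no fixed release exists yet.
ADVISORIES = [
    {"id": "ADV-0001", "ecosystem": "npm", "package": "acme-templating",
     "fixed_in": "1.4.2", "title": "template injection"},
    {"id": "ADV-0002", "ecosystem": "rubygems", "package": "acme_auth",
     "fixed_in": "2.4.0", "title": "authentication bypass"},
    {"id": "ADV-0003", "ecosystem": "rubygems", "package": "acme_yaml_loader",
     "fixed_in": None, "title": "unsafe deserialization"},
    {"id": "ADV-0004", "ecosystem": "npm", "package": "acme-router",
     "fixed_in": "2.0.0", "title": "path traversal (already fixed in 2.0.3)"},
]


def parse_version(v):
    """'1.4.0' -> (1, 4, 0); missing components pad to 0, suffixes are ignored."""
    nums = []
    for part in v.split("."):
        m = re.match(r"\d+", part)
        nums.append(int(m.group()) if m else 0)
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums[:3])


def floor_version(spec):
    """Lowest version a range specifier such as '^1.4.0' or '~> 5.1' admits.
    Assumption: with no lockfile, that lower bound is what gets installed.
    An unconstrained dependency floors to '0', so any advisory matches it."""
    m = re.search(r"\d+(?:\.\d+)*", spec)
    return m.group() if m else "0"


def parse_package_json(text):
    """Collect runtime and dev dependencies from a package.json manifest."""
    data = json.loads(text)
    deps = {}
    for section in ("dependencies", "devDependencies"):
        deps.update(data.get(section, {}))
    return {name: floor_version(spec) for name, spec in deps.items()}


GEM_LINE = re.compile(r"""^\s*gem\s+['"]([^'"]+)['"](?:\s*,\s*['"]([^'"]+)['"])?""")


def parse_gemfile(text):
    """Collect `gem 'name', 'constraint'` lines from a Gemfile."""
    deps = {}
    for line in text.splitlines():
        m = GEM_LINE.match(line)
        if m:
            deps[m.group(1)] = floor_version(m.group(2) or "0")
    return deps


def scan(manifests, advisories):
    """manifests: {ecosystem: {package: version}}. Returns one alert per
    advisory whose package is present at a version below the fix."""
    alerts = []
    for adv in advisories:
        installed = manifests.get(adv["ecosystem"], {}).get(adv["package"])
        if installed is None:
            continue
        unfixed = adv["fixed_in"] is None
        if unfixed or parse_version(installed) < parse_version(adv["fixed_in"]):
            alerts.append({
                "id": adv["id"],
                "package": adv["package"],
                "version": installed,
                "suggested_fix": "no fixed release yet" if unfixed
                else "upgrade to %s" % adv["fixed_in"],
            })
    return alerts


def new_alerts(manifests, old_db, new_db):
    """Alerts that only appear because the advisory database grew."""
    seen = {a["id"] for a in scan(manifests, old_db)}
    return [a for a in scan(manifests, new_db) if a["id"] not in seen]


def load_manifests():
    return {"npm": parse_package_json(PACKAGE_JSON),
            "rubygems": parse_gemfile(GEMFILE)}


if __name__ == "__main__":
    for alert in scan(load_manifests(), ADVISORIES):
        print(alert)
    print("added by new advisory:",
          new_alerts(load_manifests(), ADVISORIES[:2], ADVISORIES))
```

Three alerts fire (acme-templating, acme_auth and the unpinned acme_yaml_loader); acme-router is skipped because 2.0.3 is already at or past the fixed release. A real implementation would read the lockfile (package-lock.json, Gemfile.lock) for exact resolved versions and walk transitive dependencies rather than trusting the range's lower bound.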



Miju Han, GitHub's director of product management, said GitHub's engineers would initially rely on the CVE vulnerability identification system to track known security flaws, but GitHub also committed to sending alerts for known flaws for which security researchers never obtained a CVE ID.


Users of PHP Composer-based projects looking for a (somewhat) similar check can use Roave's SecurityAdvisories project, a Composer meta-package that blocks installation of package versions with known vulnerabilities.

For more information, please refer to: https://help.github.com/articles/about-security-alerts-for-vulnerable-dependencies/

[This post was re-edited by Zhenghe at 2017-11-21 09:47]
