Github Will Warn Developers About Vulnerable Dependencies in Their Projects

LASER_oneXM

Feb 4, 2016
GitHub — the Internet's largest code hosting service — is rolling out a new security feature through which it hopes to reduce the number of vulnerable projects hosted and distributed through its platform.

This new security feature has no special name, but it's being added to a GitHub feature known as the Dependency Graph.

The Dependency Graph is a section in each GitHub project's "Insights" tab. The graph shows a tree-like structure of all the libraries that are loaded inside a coding project based on manifest files included in each project.

Currently supporting JavaScript & Ruby projects. Python in 2018.
Currently, the Dependency Graph supports package.json files (for JavaScript projects) and gemfiles (for Ruby projects), and is slated to add support for Python next year.

The new security feature added to the Dependency Graph is an alerting system that will warn users when one of the dependent libraries loaded through these manifest files is affected by publicly known vulnerabilities. The GIF below shows how these alerts work.

[GIF: GitHubSecurityAlerts.gif]


The Dependency Graph will also send email notifications whenever a project is updated to use a vulnerable dependency (library) or GitHub updates its database with info on new vulnerabilities.

GitHub Director of Product Miju Han says GitHub engineers will first use the CVE vulnerabilities identification system to keep track of known security bugs, but they also promise to send alerts for well-known vulnerabilities for which security researchers have failed to obtain a CVE ID number.

Users looking into a (somewhat) similar vulnerabilities scanner for dependency graphs used with PHP Composer-based projects can use the SecurityAdvisories project by Roave.

A welcomed feature

GitHub's new feature, announced yesterday, was a hit with both security researchers and developers, who welcomed it with open arms.
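To make the mechanism described above concrete, here is an added example (not code from the post, from GitHub, or from the Dependency Graph) of the core matching step: read the dependencies declared in a package.json manifest and compare them against an advisory list. The manifest and the advisory entries are constructed sample data, the advisory identifiers are placeholders rather than real CVE or GHSA numbers, and the check assumes each dependency is pinned to a single version (a real scanner would use the resolved versions from a lock file and full semver ranges).

```python
import json
import re

# Constructed sample manifest (not a real project's package.json).
PACKAGE_JSON = """{
  "name": "sample-app",
  "dependencies": {"left-pad": "1.1.2", "lodash": "4.17.4"},
  "devDependencies": {"mocha": "3.5.3"}
}"""

# Constructed advisory list with placeholder identifiers, not real CVEs.
# Versions below "fixed_in" are treated as affected.
ADVISORIES = [
    {"package": "lodash", "ecosystem": "npm", "fixed_in": "4.17.5", "id": "CVE-PLACEHOLDER-1"},
    {"package": "mocha", "ecosystem": "npm", "fixed_in": "3.0.0", "id": "GHSA-PLACEHOLDER-2"},
]

def parse_version(spec):
    """Turn '4.17.4' (or '^4.17.4', '~4.17.4', 'v4.17.4') into a comparable tuple.
    A range prefix is stripped and the lower bound is used; a lock file would give
    the actually resolved version."""
    return tuple(int(p) for p in re.sub(r"^[\^~=v]", "", spec).split("."))

def manifest_dependencies(text):
    """Collect runtime and development dependencies from a package.json document."""
    doc = json.loads(text)
    deps = {}
    for key in ("dependencies", "devDependencies"):
        deps.update(doc.get(key, {}))
    return deps

def find_alerts(manifest_text, advisories):
    """Return (package, version, advisory id) for every dependency that is
    older than the advisory's fixed version."""
    deps = manifest_dependencies(manifest_text)
    alerts = []
    for adv in advisories:
        spec = deps.get(adv["package"])
        if spec is None:
            continue  # package not used by this project
        if parse_version(spec) < parse_version(adv["fixed_in"]):
            alerts.append((adv["package"], spec, adv["id"]))
    return alerts

if __name__ == "__main__":
    for pkg, ver, adv_id in find_alerts(PACKAGE_JSON, ADVISORIES):
        print(f"ALERT: {pkg}@{ver} is affected by {adv_id}")
```

Only lodash is reported: mocha 3.5.3 is at or above its advisory's fixed version, and left-pad has no advisory in the list.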