The code hosting service warns developers when including certain flawed software libraries in their projects and provides advice on how to address the issue.
The new security feature is designed to alert developers when one of their project’s dependencies has known flaws. The Dependency graph and the security alerts feature have been automatically enabled for public repositories, but they are opt-in for private repositories.
The availability of a dependency graph allows to notify the owners of the projects when it detects a Known security vulnerability in one of the dependencies and suggest known fixes from the GitHub community.
“Today, for the over 75 percent of GitHub projects that have dependencies, we’re helping you do more than see those important projects. With your dependency graph enabled, we’ll now notify you when we detect a vulnerability in one of your dependencies and suggest known fixes from the GitHub community.” states GitHub on the introduction of the security alerts.
GitHub provides developers the type of flaw, the associated severity, and affected versions, the user interface includes a link that points to a page where additional details are available.
Administrators can also choose the form of warnings, including email alerts, web notifications, and warnings via the user interface, selecting also the final recipient of the message (individuals or groups).
The code hosting service relies on both Ruby gems and NPM packages on MITRE’s Common Vulnerabilities and Exposures (CVE) list in order to determine if a project is using flawed libraries.
“Vulnerabilities that have CVE IDs (publicly disclosed vulnerabilities from the National Vulnerability Database) will be included in security alerts. However, not all vulnerabilities have CVE IDs—even many publicly disclosed vulnerabilities don’t have them.” continues GitHub.
Since many publicly disclosed vulnerabilities don’t have CVEs, GitHub will also try to warn users of flaws that still haven’t received the code.
“We’ll continue to get better at identifying vulnerabilities as our security data grows,” GitHub added.
In the presence of a security patch for a vulnerability discovered by GitHub, the service advises the developers to update or adopt a fix provided by the community.
(Security Affairs – Dependency Graph, security)