Story image

GitHub amps up vulnerability reporting capabilities

20 Sep 2019

GitHub has announced new capabilities that make it easier for developers to report vulnerabilities directly from their repositories.

GitHub is now an official CVE Numbering Authority, which means it can assign a CVE ID to a reported vulnerability, add it to the CVE List, and then on to the National Vulnerability Databased (NVD) on behalf of the developer.

“We believe that fast, unfettered movement of vulnerability data is critical to improving software security… We’ll be able to issue CVEs for security advisories opened on GitHub, allowing for even broader awareness across the industry,” explains GitHub SVP product, Shanku Niyogi.

GitHub says the CVE reporting tool is part of newly-acquired Semmle, which is a tool that security researchers use to conduct declarative queries and find vulnerabilities in code.

The company believes Semmle integration will allow developers to disclose more vulnerabilities, and faster alerts to those affected by the vulnerabilities.

So far Semmle has uncovered more than 100 CVEs in open source projects such as Apache Struts, Apple’s XNU, the Linux Kernel, Memcached, U-Boot, and VLC.

Semmle CEO and founder Oege De Moore explains that the integration will change how software is developed because it allows every developer to benefit from work done by top security researchers.

“GitHub is the one place where the community meets, where security experts and open source maintainers collaborate, and where the consumers of open source find their building blocks. GitHubs recent moves to secure the ecosystem (with maintainer security advisories, automated security fixes, token scanning, and many other advances in secure development) are all pieces of the same puzzle. The Semmle vision and technology belong at GitHub,” says De Moore.

Every CVE comes with a Semmle query, De Moore continues. Those queries are shared via open source, and open to the community.

“Every commit on every open source project is analysed with this curated body of crowd-sourced queries. Together, maintainers and security researchers make the entire ecosystem much safer than before.”

GitHub’s VP of APAC Sam Hunt adds that these security improvements have benefits for those in Asia Pacific.

“APAC has a large degree of enterprises subcontracting software development, so security is even more top of mind across almost every organisation and the ecosystem in the region,” says Hunt.

“Our commitment to secure the worlds code and continue to improve the security capabilities of our platform will enable forward looking enterprises to drive innovation and leverage secure software development powered by open source.”