News

GitHub Adds Security Alerts for Java and .NET

• By John K. Waters
• October 17, 2018

GitHub today announced that it has expanded its security vulnerability alerts feature to cover both Java and .NET code. The popular code repository and social coding platform recently acquired by Microsoft launched the feature last year, initially covering JavaScript and Ruby. Python coverage was added earlier this year.

Kathy Simpson, senior director of product management at GitHub, announced the expanded security coverage at the annual GitHub Universe conference, held this week at the Palace of Fine Arts in San Francisco. The security alerts are designed to make it easier for developers to keep track of the projects their code depends on via a dependency graph. With the dependency graph enabled, GitHub notifies developers when a vulnerability is detected in one of those dependencies. And it suggests known fixes from the GitHub community.

GitHub defines "vulnerability" as "a problem in a project's code that could be exploited to damage the confidentiality, integrity, or availability of the project or other projects that use its code."

Vulnerabilities that have publicly disclosed vulnerabilities from the National Vulnerability Database (CVE IDs) are included in security alerts. "However, Miju Han, Engineering Manager, Data Science and Analytics at GitHub, warned in a blog post, not all vulnerabilities have CVE IDs. "Even many publicly disclosed vulnerabilities don't have them," she wrote. "We'll continue to get better at identifying vulnerabilities as our security data grows .... This is the next step in using the world's largest collection of open source data to help you keep code safer and do your best work."

GitHub scans data in public commits and uses a combination of machine learning and human review to detect vulnerabilities that are not published in the CVE list.

The company also introduced the GitHub Security Advisory API, which collects data about software vulnerabilities and makes that data available in a machine-readable format, so developers get information about bugs and patches for projects that are part of their code base.

GitHub rolled out a number of major platform enhancements at the event, including: GitHub Actions, which allows GitHub users to automate the process of moving code among the different steps in their software workflows; and Suggested Changes, which allows collaborators to suggest code changes via inline comments in pull requests, and pull request authors to apply, reject, or edit these suggestions as an integrated part of the code review process. It also released releasing three new Learning Lab courses, covering secure development workflows with GitHub, reviewing a pull request, and getting started with GitHub.

Microsoft announced plans to acquire GitHub, which claims its platform is used by 31 million developers, this summer for $7.5 billion. When the acquisition is completed the code-hosting organization will become part of the Microsoft Intelligent Cloud unit. Microsoft CEO, Satya Nadella, has promised GitHub will not favor Microsoft, and will continue to be an open platform that works with all public clouds.