This week, representatives of GitHub immediately announced a number of innovation, including the fact that GitHub has completed certification as a CVE Numbering Authority, the company can now independently assign CVE identifiers to vulnerabilities.First, Dependency Graph will add support for PHP projects on Composer. This means that users will be able to receive automatic security warnings for any vulnerabilities that arise in the dependencies of their PHP projects.
Developers can see security alerts on your repositories as dependency graph support rolls out. When there’s a published vulnerability on any of the Composer dependencies that projects lists in composer.json and composer.lock files, GitHub will send an alert including email or web notifications, depending on user’s preferences.
Secondly, Microsoft acquired the Semmle code analysis tool (the amount of the transaction was not disclosed). It is planned to integrate it with GitHub over time and then use it to improve the vulnerability scanning process. Recall that by now Semmle is already used by Google, Uber, NASA and Microsoft and many other open source projects.
“Semmle QL benefits both developers and maintainers. It has a library of thousands of queries, all open source, that have been defined by some of the industry’s best security researchers”, — reported in GitHub.
Thirdly, this week GitHub completed certification as a CVE Numbering Authority, that is, now the company will be able independently assign CVE identifiers to vulnerabilities.
“We believe that fast, unfettered movement of vulnerability data is critical to improving software security. This is why we’re excited to share that GitHub has been approved as a CVE Numbering Authority for open source projects. We’ll be able to issue CVEs for security advisories opened on GitHub, allowing for even broader awareness across the industry”, — reported GitHub specialists.
GitHub’s authority will extend only to open source projects hosted on the platform, but this means that vulnerabilities in the bug tracker will receive CVE identifiers much faster, since project owners will be able to request a CVE from GitHub, bypassing the time-consuming process of contacting and approving the bug in MITRE.