Esta semana, representantes do GitHub anunciou imediatamente um número de inovação, incluindo o fato de que GitHub completou a certificação como um Numeração Autoridade CVE, a empresa agora pode atribuir de forma independente identificadores CVE para vulnerabilidades.First, Dependency Graph will add support for PHP projects on Composer. This means that users will be able to receive automatic security warnings for any vulnerabilities that arise in the dependencies of their PHP projects.
Developers can see security alerts on your repositories as dependency graph support rolls out. When there’s a published vulnerability on any of the Composer dependencies that projects lists in composer.json e composer.lock arquivos, GitHub will send an alert including email or web notifications, depending on user’s preferences.
em segundo lugar, Microsoft acquired a Semmle code analysis tool (the amount of the transaction was not disclosed). It is planned to integrate it with GitHub over time and then use it to improve the vulnerability scanning process. Recall that by now Semmle is already used by Google, Uber, NASA and Microsoft and many other open source projects.
“Semmle QL benefits both developers and maintainers. It has a library of thousands of queries, all open source, that have been defined by some of the industry’s best security researchers”, — reported in GitHub.
Thirdly, this week GitHub completed certification as a CVE Numbering Authority, isso é, now the company will be able independently assign CVE identifiers to vulnerabilities.
“We believe that fast, unfettered movement of vulnerability data is critical to improving software security. This is why we’re excited to share that GitHub has been approved as a CVE Numbering Authority for open source projects. We’ll be able to issue CVEs for security advisories opened on GitHub, allowing for even broader awareness across the industry”, — reported GitHub specialists.
GitHub’s authority will extend only to open source projects hosted on the platform, but this means that vulnerabilities in the bug tracker will receive CVE identifiers much faster, since project owners will be able to request a CVE from GitHub, bypassing the time-consuming process of contacting and approving the bug in MITRE.