
GitHub targets vulnerable open source components

Thousands of vulnerabilities exist in open source code – GitHub aims to help developers see if their projects are affected

By Cliff Saran, Editor-in-Chief

Published: 10 August 2022, 12:56

GitHub has introduced an automatic alert mechanism that enables developers to address vulnerabilities in the open source components used by their code. According to GitHub, the new feature, called Dependabot alerts for vulnerable GitHub Actions, will make it easier for developers to stay up to date and fix security holes in their Actions workflows.

Vulnerabilities such as Log4j have put open source security weaknesses in focus, and US President Joe Biden has made software security a national priority. His executive order on cybersecurity requires that only companies that use secure software development lifecycle practices and comply with specific federal security guidance can sell to the federal government.

The advantage of open source code is that external code modules can be pulled into a project from public repositories such as GitHub. This allows developers to easily integrate functionality without having to write all the code themselves. Open source modules are maintained by third-party developers.

But as Computer Weekly has previously reported, if a security risk is found in an open source module, then projects that depend on that module will also be at risk. In many cases, developers whose code requires such modules may be unaware that the open source code they have incorporated into their own projects is a security risk.

This is the vulnerability that GitHub wants to address with Dependabot alerts for GitHub Actions.


In a blog post discussing Dependabot alerts for vulnerable GitHub Actions, GitHub senior product manager Kate Catlin and GitHub blogger Brittany O’Shea said the alerts would be powered by the GitHub Advisory Database.

“When security vulnerabilities are reported in an action, our team of security researchers will create an advisory to document the vulnerability, which will trigger an alert on affected repositories,” they wrote. At the time of writing, the GitHub Advisory Database has 8,543 reviewed advisories, of which 1,560 have been classified as ‘critical’. However, to show the scale of the problem facing the open source community, the database shows that there are more than 173,000 vulnerabilities in GitHub that have yet to be reviewed.

Global cooperation is required to keep open source code secure. In January, a number of big tech companies, including Google and IBM, attended the White House Open Source Software Security Summit.

In conjunction with the summit, Kent Walker, president of global affairs at Google and Alphabet, wrote a blog post discussing the need to protect open source code effectively.

“Increasing reliance on open source means that it’s time for industry and governments to make a concerted effort to establish baseline standards for security, maintenance, provenance and testing — to ensure that the nation’s infrastructure and other vital systems can rely on open source projects,” he wrote.

IBM enterprise security director Jamie Thomas also attended the summit. He said: “Today’s meeting made clear that government and industry can work together to improve secure open source practices. We can start by encouraging widespread adoption of open and reasonable security standards, identifying key open source assets that should meet the most stringent security requirements, and promoting nationwide collaboration to expand skills training and education in open source security and reward developers who make important contributions.”

Dependabot alerts on vulnerable actions can be linked to continuous integration and deployment (CI/CD) processes, enabling development teams to prioritise developer work and resolve security issues faster.
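As an added illustration (not from the article or from GitHub's blog post), the two files below show where the feature applies: a workflow that pulls in a third-party action by version tag, and a `.github/dependabot.yml` that additionally asks Dependabot to open version-update pull requests for the `github-actions` ecosystem, so that a fix for an alerted action arrives as a reviewable PR. It assumes a repository on GitHub with Dependabot alerts enabled; the workflow content is a constructed sample.

```yaml
# .github/workflows/ci.yml (constructed sample)
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      # Third-party action referenced by version tag. If an advisory
      # covering this action and version is published to the GitHub
      # Advisory Database, Dependabot raises an alert on this repository.
      - uses: actions/checkout@v3
      - run: make test

---
# .github/dependabot.yml
# Version updates for the github-actions ecosystem: Dependabot scans
# the workflow files under .github/workflows and opens a pull request
# when a referenced action has a newer release, which is how an
# alerted action gets bumped without hand-editing every workflow.
version: 2
updates:
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
```

The alert itself is automatic and needs no configuration; the `dependabot.yml` only controls whether remediation PRs are opened, and the two are separate settings in the repository's security configuration.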
