Last year, GitHub added security scanning to its dependency graph and flicked the lid off a can absolutely crawling with bugs.

The code-sharing site kicked off vulnerability scanning late last year, focussing on known CVEs (Common Vulnerabilities and Exposures, an announcement list maintained by Carnegie-Mellon University) in Ruby and JavaScript libraries.

GitHub runs the libraries through its Dependency Graph, announced last year, to match them against the CVE list.

When a vulnerable library is identified, the system sends an alert to the project’s admins, shown in their dependency graph and on the repository page.
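To make the matching step concrete, here is an added example (not GitHub's code, and not taken from the article) that does the core of what a dependency-graph scanner does for a Ruby project: read the gem versions pinned in a Gemfile.lock, compare each against the affected version range of a known advisory, and produce an alert naming the patched version. The advisory list, the CVE identifiers and the lockfile fragment are all constructed placeholders for illustration; version-range matching uses the Gem::Requirement and Gem::Version classes that ship with RubyGems.

```ruby
# Added example, not GitHub's code: flag pinned gems whose version falls in a
# known-vulnerable range, the way a dependency-graph scanner raises alerts.
require "rubygems"

# Constructed advisory list (placeholder CVE ids, not real records).
# "affected" uses the same range syntax as gemspec dependencies;
# "patched" is the first version that is safe to move to.
ADVISORIES = [
  { id: "CVE-0000-0001", gem: "rails",    affected: ["< 5.1.4"],             patched: "5.1.4" },
  { id: "CVE-0000-0002", gem: "nokogiri", affected: [">= 1.8.0", "< 1.8.1"], patched: "1.8.1" },
  { id: "CVE-0000-0003", gem: "rack",     affected: ["< 2.0.3"],             patched: "2.0.3" },
].freeze

# Constructed Gemfile.lock fragment. Top-level spec entries sit at four
# spaces of indentation; their transitive dependencies sit at six.
LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      nokogiri (1.8.0)
        mini_portile2 (~> 2.3.0)
      rack (2.0.3)
      rails (5.1.2)
      unrelated-gem (0.1.0)
LOCK

# Map gem name -> Gem::Version for every pinned "name (version)" spec line.
# Six-space dependency lines do not match because the name must start
# immediately after exactly four spaces.
def parse_lockfile(text)
  pinned = {}
  text.each_line do |line|
    m = line.match(/\A {4}([\w.\-]+) \(([^)]+)\)\s*\z/)
    pinned[m[1]] = Gem::Version.new(m[2]) if m
  end
  pinned
end

# One alert per advisory whose gem is pinned inside the affected range.
def find_alerts(pinned, advisories = ADVISORIES)
  alerts = []
  advisories.each do |adv|
    version = pinned[adv[:gem]]
    next unless version
    next unless Gem::Requirement.new(*adv[:affected]).satisfied_by?(version)
    alerts << { id: adv[:id], gem: adv[:gem], installed: version.to_s, patched: adv[:patched] }
  end
  alerts
end

if $PROGRAM_NAME == __FILE__
  find_alerts(parse_lockfile(LOCKFILE)).each do |a|
    puts "#{a[:id]}: #{a[:gem]} #{a[:installed]} is affected; upgrade to #{a[:patched]}"
  end
end
```

Run it with `ruby scan.rb`: rails 5.1.2 and nokogiri 1.8.0 are reported, while rack 2.0.3 sits exactly on the patched version and is silent. Checking the upper bound with the same comparator the package manager uses avoids the classic false negative where a naive string comparison treats "1.10.0" as lower than "1.8.1".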

GitHub announced that the first run of the security checker turned up “over four million vulnerabilities in over 00,000 repositories”.

On that first pass, GitHub’s post said, 450,000 of the vulns were resolved by December 1, 2017. In the time since then, “our rate of vulnerabilities resolved in the first seven days of detection has been about 30 per cent. Additionally, 15 per cent of alerts are dismissed within seven days”.

More active projects get patched quicker, but that’s not quantified in the post. GitHub’s post noted only that the seven-day fix metric held “for almost all repositories with recent contributions”.

If you’re the admin of a GitHub account and want to add security alerts to your repository, the instructions explaining how to do so are here. ®

Source: https://packetstormsecurity.com/news/view/28781/GitHub-Vuln-Scanner-Turns-Up-4-Million-Flaws.html
