GitHub extends Ruby and JavaScript security alerts to Python – CSO


After launching a JavaScript and Ruby security alert program a year ago, the GitHub code hosting site, now owned by Microsoft, is extending those alerts to projects written in Python.

The original program covered dependencies written and shared in JavaScript and Ruby. GitHub's dependency graph helped locate known vulnerabilities in those dependencies and pointed developers to the available patches.

Public repositories get security alerts automatically, while private repositories must opt in to the service.

Vulnerabilities in open source libraries written in Ruby, JavaScript, Python and other languages are a widespread problem, according to the open source security firm Snyk, which analyzed 1,000 projects on GitHub and found that 64% were vulnerable to at least one flaw. One of the main problems was that shared code propagated the same vulnerabilities to several projects.

The extension of the service to Python could have a big impact. One of the most popular projects written in Python is Google's open source TensorFlow framework.

The security alert program has already surfaced a large number of vulnerabilities, roughly four million, in more than half a million repositories, all in project dependencies written in Ruby and JavaScript.

Within a month of launch, the service had flagged 450,000 vulnerabilities that repository owners fixed by removing or updating the affected dependency.

Python is a natural target for this program given its rapid rise among data scientists; according to Stack Overflow, Python is the fastest-growing major programming language among developers.

The alert service starts small, covering "some recent vulnerabilities", but in the coming weeks older Python bugs will be added to the program, producing a growing stream of alerts that developers with Python dependencies can act on.


As with the existing program for Ruby and JavaScript, public repositories will have the dependency graph and security alerts enabled automatically, while private repositories will need to opt in.

The vulnerability information comes from MITRE's Common Vulnerabilities and Exposures (CVE) list.

"When GitHub receives a notification of a newly announced vulnerability, we identify public repositories (and private repositories that have opted in to vulnerability detection) that use the affected version of the dependency. Security alerts go to owners and to those with administrator access to the repositories involved. You can also configure security alerts for other people or teams working in repositories belonging to the organization," says GitHub.
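To make concrete what "use the affected version of the dependency" means in practice, here is an added example, written for this article and not GitHub's own code, of the matching step a dependency-graph alert performs for a Python project. It parses a constructed requirements.txt, compares each exact pin against a list of hypothetical advisories (the package names, version thresholds and EXAMPLE-000x identifiers are invented for illustration and are not real CVE data), and separately reports packages that have an advisory but no exact pin, since a bare requirement cannot be judged from the file alone.

```python
"""Toy dependency-alert matcher (added example, not GitHub's implementation).

Given known-vulnerable version ranges and a project's pinned Python
dependencies, report which pins fall below an advisory's first fixed version.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample input: a requirements.txt as a Python project might ship it.
SAMPLE_REQUIREMENTS = """\
# web stack
flask==0.12.2
requests==2.18.4
# not exactly pinned: the installed release cannot be known from this file
pyyaml
numpy>=1.14
"""

# Hypothetical advisories for illustration only. Names, versions and the
# EXAMPLE-000x identifiers are invented here and are NOT real CVE entries.
# "affected_below" is the first release that carries the fix.
SAMPLE_ADVISORIES = [
    {"id": "EXAMPLE-0001", "package": "flask",    "affected_below": "0.12.3"},
    {"id": "EXAMPLE-0002", "package": "requests", "affected_below": "2.18.0"},
    {"id": "EXAMPLE-0003", "package": "pyyaml",   "affected_below": "4.1"},
]

Version = Tuple[int, ...]

PIN_RE = re.compile(r"^([A-Za-z0-9_.\-]+)\s*==\s*([0-9][0-9.]*)\s*$")
NAME_RE = re.compile(r"^([A-Za-z0-9_.\-]+)")


def parse_version(text: str) -> Version:
    """Turn '0.12.2' into (0, 12, 2) so versions compare numerically.

    A plain string comparison would rank '0.9' above '0.12.2'. Only numeric
    release segments are handled; pre-release tags such as '1.0rc1' are out of
    scope for this example.
    """
    return tuple(int(part) for part in text.strip().split("."))


def parse_requirements(text: str) -> Tuple[Dict[str, Version], List[str]]:
    """Return exact pins as {name: version} plus names that are not exactly pinned.

    Comments and blank lines are skipped. Names are lower-cased because PyPI
    treats package names case-insensitively.
    """
    pinned: Dict[str, Version] = {}
    unpinned: List[str] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = PIN_RE.match(line)
        if m:
            pinned[m.group(1).lower()] = parse_version(m.group(2))
            continue
        n = NAME_RE.match(line)
        if n:
            unpinned.append(n.group(1).lower())
    return pinned, unpinned


def find_alerts(requirements: str, advisories: List[dict]) -> Tuple[List[dict], List[str]]:
    """Match pinned versions against advisories.

    Returns (alerts, unresolved): alerts lists each advisory whose package is
    pinned below the fixed version; unresolved lists packages that have an
    advisory but no exact pin, which a lock file would be needed to settle.
    """
    pinned, unpinned = parse_requirements(requirements)
    alerts: List[dict] = []
    unresolved: List[str] = []
    for adv in advisories:
        pkg = adv["package"].lower()
        fixed = parse_version(adv["affected_below"])
        if pkg in pinned:
            if pinned[pkg] < fixed:
                alerts.append({
                    "id": adv["id"],
                    "package": pkg,
                    "pinned": ".".join(str(p) for p in pinned[pkg]),
                    "fixed_in": adv["affected_below"],
                })
        elif pkg in unpinned:
            unresolved.append(pkg)
    return alerts, unresolved


if __name__ == "__main__":
    hits, unknown = find_alerts(SAMPLE_REQUIREMENTS, SAMPLE_ADVISORIES)
    for h in hits:
        print(f"{h['id']}: {h['package']}=={h['pinned']} is affected; upgrade to >= {h['fixed_in']}")
    for pkg in unknown:
        print(f"{pkg}: an advisory exists but the version is not pinned; resolve it from a lock file")
```

On the sample input only the flask pin is flagged: requests 2.18.4 is already at or above the hypothetical fix, and pyyaml is reported as unresolved rather than silently passed, which is the behaviour a practitioner wants when a requirements file lacks exact pins.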
