GitHub Hardens Supply Chain with a Query Engine
The GitHub code repository hosting service has moved to shore up its supply chain with a deal to acquire Semmle, creator of a semantic code analysis engine that allows developers to scan large codebases for vulnerabilities.
GitHub also announced this week that it will help report vulnerabilities through the Common Vulnerabilities and Exposures (CVE) program, the clearinghouse for public vulnerability identifiers. GitHub becomes a CVE Numbering Authority, meaning it can assign CVE IDs to vulnerabilities in projects hosted on GitHub and publish them to the CVE list and database on behalf of developers.
Through the new authority, “more vulnerabilities will be disclosed, and then alerted to affected teams more quickly,” GitHub said.
Semmle’s code analysis engine treats code as data: developers write declarative queries that describe a suspicious pattern, and the engine finds every place in a large codebase where that pattern occurs, which lets a team hunt for a known vulnerability and its variants in one pass. The tool addresses long-standing security gaps in open source software that is increasingly deployed in production environments.
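As an added illustration of what such a query looks like (this is not code from the article or from Semmle, and the query name, ID and message text are my own), here is a query in QL, the language Semmle’s engine executes, for C and C++ codebases. It flags every call to a handful of C library functions that copy into a buffer without a length bound, the pattern behind many buffer overflows:

```ql
/**
 * @name Unbounded string copy
 * @description Finds calls to C library functions that copy into a buffer
 *              without a length bound, the pattern behind many buffer overflows.
 * @kind problem
 * @problem.severity warning
 * @id cpp/example/unbounded-string-copy
 */

import cpp

// The set of flagged functions is the "pattern". Adding a name here is how a
// one-off finding becomes a hunt for its variants across the whole codebase.
predicate isUnboundedCopy(Function f) {
  f.hasGlobalOrStdName("strcpy") or
  f.hasGlobalOrStdName("strcat") or
  f.hasGlobalOrStdName("sprintf") or
  f.hasGlobalOrStdName("gets")
}

// Every FunctionCall in the database whose resolved target is one of the
// functions above is reported, with the call site as the result location.
from FunctionCall call, Function target
where
  target = call.getTarget() and
  isUnboundedCopy(target)
select call, "Call to " + target.getName() + " copies without a length bound."
```

The query is deliberately syntactic, so it will also flag calls whose arguments were already checked; the queries Semmle describes go further by following data flow from untrusted input to the sink, which is what separates a variant hunt from a grep.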
The Linux Foundation launched a security effort in 2015 that includes a certification program and development tools meant to promote secure coding practices. That move came in response to high-profile vulnerabilities such as Heartbleed, the bug in the OpenSSL cryptographic library.
Semmle previously worked with security teams at Google (NASDAQ: GOOGL), GitHub owner Microsoft (NASDAQ: MSFT), Uber and NASA. The San Francisco-based company emerged from stealth mode in August 2018.
“No single company can find every vulnerability or secure the open source supply chain behind everyone’s code,” GitHub CEO Nat Friedman noted in announcing the acquisition. “Semmle’s community-driven approach to identifying and preventing security vulnerabilities is the very best way forward.”
Semmle noted in a blog post that developers currently work with security researchers on a “modest scale” to refine vulnerability queries. The goal is to add crowd-sourced queries to vulnerability reports used to plug security gaps in open-source code, the company said.
Semmle’s query engine has so far helped identify more than 100 code vulnerabilities and fixes, including the Apache Struts vulnerability at the center of the massive security breach at consumer credit reporter Equifax Inc. It has also helped spot security holes in the Linux kernel.
Meanwhile, GitHub’s new status as a numbering authority will let it quickly issue security advisories for GitHub projects, rate their severity and get fixes to a broader base of users.
As the Equifax breach showed, a large percentage of vulnerabilities go unpatched for months. Another challenge for harried developers is updating project dependencies. With that in mind, GitHub earlier this year acquired Dependabot to help automate dependency updates.
“Updating dependencies needs to be as easy as possible,” said Shanku Niyogi, GitHub’s senior vice president for products. “With automatic security fixes, developers no longer need to manually patch their dependencies.”
The big test for these and other efforts to secure the software supply chain will come as more open-source software is used in production settings.