

GitHub Improves Vulnerability Workflows and Becomes CVE Numbering Authority
source link: https://www.tuicool.com/articles/iE73yin

Along with the Semmle acquisition, GitHub has disclosed a number of improvements aimed at making it easier for maintainers and developers to fix and protect against vulnerabilities. These include the possibility of creating a security advisory and assigning it a CVE number directly from the GitHub UI.
As GitHub senior vice president Shanku Niyogi explains, when a project maintainer, or anyone with admin privileges for a repository, discovers a vulnerability, they can now create a draft security advisory, which provides a private area to discuss and fix the vulnerability. Security advisories are private for any kind of repository, public or private, and allow maintainers to carefully control which collaborators can access them.
Most importantly, a security advisory enables the creation of a temporary private fork of the repo to make it possible for developers to work on a fix without the risk of making sensitive information available to external parties in advance. To enforce this guarantee, temporary private forks cannot be accessed by continuous integration tasks or other integrations.
All mentioned features are grouped under a new Security tab in the GitHub UI, including creating a security advisory, creating a temporary private fork, creating a pull request, and merging it into the main branch.
Another significant workflow improvement GitHub has announced is the possibility to issue CVEs for security advisories opened on GitHub. To make this possible, GitHub has become a CVE numbering authority for open source projects. Operated by the Mitre Corporation, CVEs provide a way to uniquely reference vulnerabilities in all conversations and exchanges related to them. This makes it useful to acquire a CVE as soon as possible, even before a fix for the vulnerability is available, and this is exactly where GitHub is trying to make things easier for developers by integrating this functionality directly into the GitHub UI.
It is not the first time GitHub has added features specifically meant to help developers secure their code. A few months ago, GitHub introduced Dependabot-powered automatic security PRs, which can scan all dependencies of a project and automatically submit a PR to update any vulnerable dependencies. Previously, GitHub had introduced vulnerability alerts to warn developers about any known vulnerabilities found among their projects' dependencies. Last but not least, GitHub also supports token scanning to prevent developers from inadvertently sharing their tokens and cryptographic keys when pushing to a public repo.
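The dependency checks described above (vulnerability alerts and automatic security PRs) boil down to matching each pinned dependency against the affected version range of every published advisory and proposing the first patched version. The following is an added illustration of that matching logic, not GitHub's or Dependabot's code. The advisory records, package names, GHSA-style ids and CVE-style ids are all constructed placeholders, and the range syntax (`<2.3.1`, `>=1.0.0,<1.4.2`) is a deliberately minimal stand-in for real version-range grammars.

```python
"""Match a pinned dependency manifest against security advisories.

Added example, not GitHub's own code. All advisories, package names,
GHSA-style and CVE-style identifiers below are constructed placeholders.
"""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Advisory:
    ghsa_id: str            # placeholder advisory id, not a real GHSA id
    cve_id: Optional[str]   # None while no CVE has been assigned yet
    package: str
    affected: str           # comma-separated clauses such as ">=1.0.0,<1.4.2"
    patched: str            # first version that contains the fix


def parse_version(version: str) -> tuple:
    """Turn "2.3.1" into (2, 3, 1) so tuples compare numerically."""
    return tuple(int(part) for part in version.split("."))


# Comparison operators accepted in an affected-range clause.
OPS = {
    "<": lambda a, b: a < b,
    "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b,
    ">=": lambda a, b: a >= b,
    "==": lambda a, b: a == b,
}

CLAUSE_RE = re.compile(r"\s*(<=|>=|==|<|>)\s*([\d.]+)\s*")


def in_range(version: str, spec: str) -> bool:
    """True when `version` satisfies every clause of the affected range."""
    value = parse_version(version)
    for clause in spec.split(","):
        match = CLAUSE_RE.fullmatch(clause)
        if match is None:
            raise ValueError(f"unsupported range clause: {clause!r}")
        op, bound = match.groups()
        if not OPS[op](value, parse_version(bound)):
            return False
    return True


def parse_requirements(text: str) -> dict:
    """Parse `name==version` lines (comments and blanks ignored)."""
    deps = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        match = re.fullmatch(r"([A-Za-z0-9_.-]+)==([\d.]+)", line)
        if match is None:
            raise ValueError(f"only exact pins are supported: {line!r}")
        deps[match.group(1).lower()] = match.group(2)
    return deps


def find_vulnerable(deps: dict, advisories: list) -> list:
    """Report every dependency whose pinned version falls in an affected range."""
    hits = []
    for adv in advisories:
        installed = deps.get(adv.package.lower())
        if installed is not None and in_range(installed, adv.affected):
            hits.append({
                "package": adv.package,
                "installed": installed,
                "advisory": adv.ghsa_id,
                "cve": adv.cve_id or "pending",   # CVE may not exist yet
                "upgrade_to": adv.patched,
            })
    return hits


# Constructed sample data: none of these packages or ids are real.
ADVISORIES = [
    Advisory("GHSA-xxxx-xxxx-0001", "CVE-0000-00001", "parsekit", "<2.3.1", "2.3.1"),
    Advisory("GHSA-xxxx-xxxx-0002", None, "netio", ">=1.0.0,<1.4.2", "1.4.2"),
    Advisory("GHSA-xxxx-xxxx-0003", "CVE-0000-00003", "parsekit", ">=3.0.0,<3.0.5", "3.0.5"),
]

REQUIREMENTS = """
parsekit==2.2.0    # inside the first advisory's range
netio==1.4.2       # already at the patched version
examplelib==0.9.1  # no advisory at all
"""

if __name__ == "__main__":
    for hit in find_vulnerable(parse_requirements(REQUIREMENTS), ADVISORIES):
        print(f"{hit['package']} {hit['installed']} is affected by "
              f"{hit['advisory']} ({hit['cve']}); upgrade to {hit['upgrade_to']}")
```

Running the script reports only `parsekit 2.2.0`, since `netio` is already at its patched version and the third advisory covers a different major line of `parsekit`. The `cve` field shows `pending` for an advisory that has not yet been assigned a CVE, which is the state the article describes between opening an advisory and requesting its number.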
GitHub maintainer security advisories are currently in public beta.