GitHub to Pythonistas: Let us save you from vulnerable code
GitHub has added Python to the list of programming languages it can automatically scan for known vulnerabilities.
In March, the social code host added Ruby and JavaScript libraries to the dependency graph service it announced last year.
At the time, GitHub claimed those two languages alone yielded “over four million vulnerabilities in 500,000 repositories”, and said alerting the repositories’ owners resulted in a 30 per cent fix-rate within a week of detection.
Now, Python developers have the same lack of excuse for leaving flawed code unfixed. In a blog post, GitHub quality engineer Robert Schultheis explained that “a few recent vulnerabilities” are covered in the current version of the scanner.
It’s hard to work out which vulnerabilities, if they’re public, have spurred GitHub to action. Python generates only light traffic in the Mitre CVE (Common Vulnerabilities and Exposures) database: four entries so far this year, and one of those is disputed.
“Over the coming weeks, we will be adding more historical Python vulnerabilities to our database,” he wrote. “Going forward, we will continue to monitor the NVD feed and other sources, and will send alerts on any newly disclosed vulnerabilities in Python packages.”
The Python scanner is enabled by default on public repositories.
Owners of private repositories need to opt in, either by enabling security alerts (in the security settings) or by giving the dependency graph access to the repository (in the “Insights” tab).