{"id":6446,"date":"2019-09-21T11:00:08","date_gmt":"2019-09-21T11:00:08","guid":{"rendered":"https:\/\/gtechbooster.com\/?p=6446"},"modified":"2023-06-21T11:42:54","modified_gmt":"2023-06-21T11:42:54","slug":"github-acquires-code-analysis-company-semmle","status":"publish","type":"post","link":"https:\/\/gtechbooster.com\/github-acquires-code-analysis-company-semmle\/","title":{"rendered":"GitHub acquires code analysis company &#8211; Semmle"},"content":{"rendered":"\n<p>GitHub has acquired code analysis company &#8211; Semmle, and will make  Semmle&#8217;s code analysis engine available to all public repositories with this acquisition.  GitHub has become a Common Vulnerabilities and Exposures (CVE)  Numbering Authority, making it easier to report vulnerabilities directly  from your repositories.<\/p>\n\n\n\n<p>Semmle&#8217;s main product, QL, is a code analysis tool that you can use  to find potential vulnerabilities in your code. 
It has a query language  that you can use to write and execute QL queries locally from most IDEs  using a QL plugin, or there&#8217;s a query console for use in your web  browser.\u00a0 The Semmle team says QL performs variant analysis, where a  known vulnerability is used as a seed\u00a0to find similar problems in your  code. QL ships with libraries to perform control and data flow analysis,  taint tracking and explore known threat models. Supported languages  include C\/C++, C#, Java, JavaScript, and Python.<\/p>\n\n\n\n<p>QL is also used in Semmle\u2019s other main product,&nbsp;LGTM (Looks Good to \nMe), which analyses every commit to identify vulnerabilities early.&nbsp;LGTM\n automatically runs over 1,600 standard analyses on every code change. \nGitHub plans to make QL available via GitHub Actions. According to \nSemmle, more than 100 open source CVEs have been found using QL.<\/p>\n\n\n\n<p>In a related announcement, GitHub said it has become a CVE Numbering \nAuthority for open source projects. Common Vulnerabilities and Exposures\n (CVE) Numbering Authorities are authorized to assign CVE IDs to \nvulnerabilities affecting products in a particular area &#8211; open source \nprojects in this case. The CVE IDs are then included in first-time \npublic announcements of new vulnerabilities.&nbsp; The fact that GitHub is a \nCVE Numbering Authority will make it easier for code maintainers to \nreport vulnerabilities directly from their repositories. 
GitHub will \nassign a CVE ID, post to the CVE List, and then to the National \nVulnerability Database (NVD) on a developer\u2019s behalf.<\/p>\n\n\n\n<p>Commenting on the announcements, Shanku Niyogi, GitHub SVP, said:<\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\"><p><em>&#8220;We believe that fast, unfettered movement of vulnerability data is critical to improving software security&#8221;<\/em><\/p><\/blockquote>\n\n\n\n<h2 class=\"wp-block-heading\">More Information<\/h2>\n\n\n\n<ul class=\"wp-block-list\"><li><a href=\"https:\/\/semmle.com\/\">Semmle Homepage<\/a><\/li><li><a href=\"https:\/\/github.com\/\">GitHub Homepage<\/a><\/li><\/ul>\n\n\n\n<figure class=\"wp-block-embed-youtube wp-block-embed is-type-video is-provider-youtube wp-embed-aspect-16-9 wp-has-aspect-ratio\"><div class=\"wp-block-embed__wrapper\">\n<iframe loading=\"lazy\" title=\"Vulnerability Hunting: Quest for an Exploit using QL\" width=\"1290\" height=\"726\" src=\"https:\/\/www.youtube.com\/embed\/irrYp3wdtsw?feature=oembed\" frameborder=\"0\" allow=\"accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share\" referrerpolicy=\"strict-origin-when-cross-origin\" allowfullscreen><\/iframe>\n<\/div><figcaption>Semmle:  <em>Vulnerability Hunting: Quest for an Exploit using QL <\/em><\/figcaption><\/figure>\n\n\n\n<p>Credit: I Programmer<\/p>\n","protected":false},"excerpt":{"rendered":"<p>GitHub will make Semmle&#8217;s code analysis engine available to all public repositories with this acquisition. GitHub has become a Common Vulnerabilities and&#8230;..<\/p>\n","protected":false},"author":7,"featured_media":6447,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1915],"tags":[359,6,794,1015],"class_list":["post-6446","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-ndocs","tag-github","tag-programming","tag-software-testing","tag-static-program-analysis"],"blocksy_meta":{"styles_descriptor":{"styles":{"desktop":"","tablet":"","mobile":""},"google_fonts":[],"version":6}},"_links":{"self":[{"href":"https:\/\/gtechbooster.com\/api-json\/wp\/v2\/posts\/6446","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/gtechbooster.com\/api-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/gtechbooster.com\/api-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/gtechbooster.com\/api-json\/wp\/v2\/users\/7"}],"replies":[{"embeddable":true,"href":"https:\/\/gtechbooster.com\/api-json\/wp\/v2\/comments?post=6446"}],"version-history":[{"count":0,"href":"https:\/\/gtechbooster.com\/api-json\/wp\/v2\/posts\/6446\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/gtechbooster.com\/api-json\/wp\/v2\/media\/6447"}],"wp:attachment":[{"href":"https:\/\/gtechbooster.com\/api-json\/wp\/v2\/media?parent=6446"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/gtechbooster.com\/api-json\/wp\/v2\/categories?post=6446"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/gtechbooster.com\/api-json\/wp\/v2\/tags?post=6446"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":
true}]}}