GitHub has acquired the code analysis company Semmle and, with this acquisition, will make Semmle’s code analysis engine available to all public repositories. GitHub has also become a Common Vulnerabilities and Exposures (CVE) Numbering Authority, making it easier to report vulnerabilities directly from your repositories.
Semmle’s query language, QL, is also used in its other main product, LGTM (Looks Good to Me), which analyses every commit to identify vulnerabilities early. LGTM automatically runs over 1,600 standard analyses on every code change. GitHub plans to make QL available via GitHub Actions. According to Semmle, more than 100 open source CVEs have been found using QL.
In a related announcement, GitHub said it has become a CVE Numbering Authority for open source projects. CVE Numbering Authorities are authorized to assign CVE IDs to vulnerabilities affecting products in a particular area, open source projects in this case. The CVE IDs are then included in the first public announcements of new vulnerabilities. Because GitHub is now a CVE Numbering Authority, code maintainers can report vulnerabilities directly from their repositories: GitHub will assign a CVE ID, post it to the CVE List, and then to the National Vulnerability Database (NVD) on the developer’s behalf.
Commenting on the announcements, Shanku Niyogi, GitHub SVP, said:
“We believe that fast, unfettered movement of vulnerability data is critical to improving software security.”
Credit: I Programmer