GitHub expands Ruby and JavaScript security alerts to Python

After launching a JavaScript and Ruby security alert program a year ago, the now Microsoft-owned GitHub code hosting site is expanding the alerts to projects using the popular Python language.

The program’s aim was to help developers identify vulnerabilities in the JavaScript and Ruby dependencies their projects pull in. GitHub’s dependency graph identifies which packages a repository uses, flags those with known vulnerabilities, and points developers to known fixes.

Public repositories get the security alerts automatically, while private repositories need to opt into the service.

Unnoticed vulnerabilities in open source libraries written in Ruby, JavaScript, Python and other languages are a widespread problem, according to open-source vulnerability tracker Snyk, which scanned 1,000 projects on GitHub and found that 64 percent were vulnerable to at least one known flaw. One of the main problems is that shared code spreads the same vulnerability to every project that depends on it.

The expansion of the service to Python could have a big impact. One of the most popular projects written in Python is Google’s open source deep learning framework TensorFlow.

The security alert initiative has turned up four million vulnerabilities in over half a million repositories with project dependencies written in Ruby and JavaScript.

Within a month of launching, the service flagged 450,000 vulnerabilities that repository owners resolved by removing or updating the affected dependency.

Python is a natural target for this program given its rapid ascent among data scientists; according to coding community site Stack Overflow, Python is the fastest growing language used by developers.

The alert service is starting small with a “few recent vulnerabilities”. Over the coming weeks older Python bugs will join the program, giving developers with Python dependencies an ever larger feed of alerts to act on.

As with the existing program for Ruby and JavaScript, public repositories will automatically have the dependency graph and security alerts enabled, while private repositories will need to opt in.

The vulnerability information comes from MITRE’s Common Vulnerabilities and Exposures (CVE) List.

“When GitHub receives a notification of a newly-announced vulnerability, we identify public repositories (and private repositories that have opted in to vulnerability detection) that use the affected version of the dependency. Then, we send security alerts to owners and people with admin access to affected repositories. You can also configure security alerts for additional people or teams working in organization-owned repositories,” GitHub says. 
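The matching step GitHub describes, comparing each repository’s dependency versions against the affected range of a newly published advisory, is straightforward to reproduce for a Python project. The following is an added example written for this article, not GitHub’s code: it parses a requirements.txt, checks each pinned version against a constructed advisory feed, and reports dependencies it cannot evaluate because they are not pinned. The package names, advisory ids and version ranges are placeholders constructed for the example and do not refer to real vulnerabilities.

```python
# Added example: a minimal dependency-alert matcher in the style of the
# GitHub check described above. Not GitHub's code; the feed, package names
# and version ranges are constructed placeholders, not real vulnerabilities.
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Advisory:
    """One feed entry: versions >= introduced and < fixed are affected."""
    advisory_id: str
    package: str
    introduced: str
    fixed: str


# Constructed advisory feed (hypothetical packages and ids).
FEED: List[Advisory] = [
    Advisory("EXAMPLE-0001", "examplelib", "1.0", "1.4.2"),
    Advisory("EXAMPLE-0002", "examplelib", "2.0.0", "2.1.0"),
    Advisory("EXAMPLE-0003", "otherpkg", "0", "3.0"),
    Advisory("EXAMPLE-0004", "thirdpkg", "0", "5.0"),
]

# Constructed requirements.txt used as sample input.
REQUIREMENTS = """\
# constructed sample, not a real project
examplelib==1.4.0   # inside EXAMPLE-0001's range, below the fix in 1.4.2
otherpkg==3.0       # equal to the fixed version: not affected
safelib==0.9        # no advisory for this package
thirdpkg>=1.0       # not pinned: version cannot be evaluated
"""


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '1.4.2' into (1, 4, 2). Pre-release suffixes such as 'rc1' are
    dropped (a simplification; a real checker would use PEP 440 rules)."""
    m = re.match(r"\d+(?:\.\d+)*", text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in m.group(0).split("."))


def version_lt(a: Tuple[int, ...], b: Tuple[int, ...]) -> bool:
    """Zero-pad before comparing so that (1, 4) equals (1, 4, 0)
    instead of sorting before it, as bare tuple comparison would."""
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))


def is_affected(version: str, adv: Advisory) -> bool:
    """True when introduced <= version < fixed."""
    v = parse_version(version)
    return (not version_lt(v, parse_version(adv.introduced))
            and version_lt(v, parse_version(adv.fixed)))


def parse_requirements(text: str) -> Dict[str, Optional[str]]:
    """Return {name: version} for '==' pins; any other specifier maps to
    None. Strips comments and environment markers ('; python_version...')."""
    pins: Dict[str, Optional[str]] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"([A-Za-z0-9_.-]+)\s*(==|>=|<=|~=|!=|>|<)?\s*([^\s,]*)", line)
        if not m:
            continue
        name, op, ver = m.groups()
        pins[name.lower()] = ver if op == "==" else None
    return pins


def check(requirements: str, feed: List[Advisory] = FEED) -> List[dict]:
    """One alert per (dependency, matching advisory). Unpinned dependencies
    that have an advisory are reported as 'unpinned' rather than silently
    skipped, since the alert cannot be resolved without knowing the version."""
    alerts: List[dict] = []
    for name, version in parse_requirements(requirements).items():
        for adv in feed:
            if adv.package != name:
                continue
            if version is None:
                alerts.append({"package": name, "advisory": adv.advisory_id,
                               "status": "unpinned"})
            elif is_affected(version, adv):
                alerts.append({"package": name, "advisory": adv.advisory_id,
                               "installed": version, "fixed_in": adv.fixed,
                               "status": "vulnerable"})
    return alerts


if __name__ == "__main__":
    for alert in check(REQUIREMENTS):
        print(alert)
```

Running it against the constructed input produces two alerts: examplelib 1.4.0 is vulnerable to EXAMPLE-0001 with a fix in 1.4.2, and thirdpkg is reported as unpinned. The otherpkg pin is not flagged because the fixed version itself is outside the affected range, which is the boundary a checker most often gets wrong.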
