
Security alerts on GitHub - stablemap
https://github.com/blog/2470-introducing-security-alerts-on-github
======
craigkerstiens
When I ran the languages team at Heroku this was something we'd do on an ad-hoc
basis for customers when there were major vulnerabilities. To see this
fully productized is absolutely awesome! Well done to the GitHub team.

------
BugsJustFindMe
Appears to be only for Ruby gems and Node.js packages. It's a start, though I
was hoping to be able to indicate C++ library dependencies.

The lack of Python requirements.txt support is a bit odd, since it's
conceptually quite similar to the two supported mechanisms.

~~~
sciurus
Yeah, but for proper python support you need to handle setup.py too, which,
being python code, is more complex.

[https://python-packaging.readthedocs.io/en/latest/dependenci...](https://python-packaging.readthedocs.io/en/latest/dependencies.html)

~~~
scrollaway
And setup.cfg!

Example: [https://github.com/HearthSim/python-hslog/blob/master/setup....](https://github.com/HearthSim/python-hslog/blob/master/setup.cfg)

~~~
nikcub
and Pipfile, which is what I've switched to in recent projects, example[0]

Although you can write to one of the other formats or read from it, you'd have
to tell the scanner what the true build source is

[0]
[https://github.com/kennethreitz/pipenv/blob/master/Pipfile](https://github.com/kennethreitz/pipenv/blob/master/Pipfile)

~~~
nerdwaller
I mentioned this elsewhere here, but check out `pipenv check`[0] and just run
it in CI or as a precommit hook.

[0] [https://docs.pipenv.org/advanced.html#detection-of-security-...](https://docs.pipenv.org/advanced.html#detection-of-security-vulnerabilities)

------
conradk
Clicked through the link to the security apps on the Github Marketplace and
had a look at Snyk.io's pricing: $119 through Github, $99 if you get it
straight from Snyk.io.

And looking deeper into Github Marketplace pricing, I can see that Github
takes a 25% cut ([https://developer.github.com/apps/adding-integrations/managi...](https://developer.github.com/apps/adding-integrations/managing-pricing-and-payments-for-a-github-marketplace-listing/receiving-payment-for-a-github-marketplace-listing/)).

What is the benefit of getting anything via the Github marketplace that can be
subscribed to outside of the marketplace? What justifies that 25% cut apart
from having a listing of apps?

~~~
aupright
Hey, I'm one of the cofounders of ZenHub - we're another popular integration
on the marketplace and also sell our product separately through our own
website.

From the perspective of a company/integration on the marketplace, the marketplace has been great
in terms of building awareness and exposure. Can confidently say that we've
been able to reach new users and customers that we wouldn't have otherwise had
if we weren't on the marketplace.

From the perspective of a GitHub user/team, lots of teams prefer to
consolidate everything together on a single invoice. If you're using GitHub
for software development, you're almost certainly going to need a CI/CD tool
and PM tool, so why not bring everything together on a single bill?

~~~
ssijak
Single bill is not a reason to pay 25 percent more for everything.

~~~
samlewis
If you're a large enterprise, paying an extra $20/month could definitely be
worth not having the pain & cost of your employees having to manage
paying an extra bill each month.

------
alexlrobertson
Just looked at the "dependencies" for one of my projects and it interprets
"react" as this 5 year old, defunct repo:
[https://github.com/wballard/react](https://github.com/wballard/react).

~~~
caffed
I am thinking that it's because the React package.json does not have
`repository` listed.

[https://github.com/facebook/react/blob/master/package.json](https://github.com/facebook/react/blob/master/package.json)

See Redux:
[https://github.com/reactjs/redux/blob/master/package.json#L3...](https://github.com/reactjs/redux/blob/master/package.json#L36-L39)
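The point about the `repository` field, as an added example that is not part of the thread and not GitHub's or npm's own code: a resolver that maps a package.json `repository` value to a GitHub owner/name slug and returns `null` when the field is absent or points at another host, rather than guessing a repository from the package name. The accepted forms follow npm's package.json documentation (string shorthand, `github:` prefix, git and https URLs, object form); the manifests and package names are constructed for this example.

```javascript
// Added example (not GitHub's or npm's code): resolve a package.json
// "repository" field to a GitHub owner/name slug, returning null when the
// field is absent or points elsewhere, instead of guessing from the package
// name. The accepted forms follow npm's package.json documentation; the
// manifests at the bottom are constructed for this example.

function githubSlugFromRepository(repository) {
  if (repository == null) return null;                  // field missing: do not guess
  const url = typeof repository === 'string' ? repository : repository.url;
  if (typeof url !== 'string' || url.length === 0) return null;

  // npm shorthand for other hosts: "gist:", "bitbucket:", "gitlab:"
  if (/^(gist|bitbucket|gitlab):/i.test(url)) return null;

  // npm shorthand for GitHub: "owner/repo" or "github:owner/repo"
  const shorthand = url.match(/^(?:github:)?([\w.-]+)\/([\w.-]+)$/);
  if (shorthand) return `${shorthand[1]}/${shorthand[2]}`;

  // URL forms: https://github.com/o/r(.git), git+https://..., git+ssh://git@github.com/o/r.git,
  // git@github.com:o/r.git
  const m = url.match(/github\.com[/:]([\w.-]+)\/([\w.-]+?)(?:\.git)?\/?$/i);
  return m ? `${m[1]}/${m[2]}` : null;
}

// Constructed manifests covering the forms a scanner meets in practice.
const SAMPLE_MANIFESTS = [
  { name: 'lib-object-form',
    repository: { type: 'git', url: 'git+https://github.com/example-org/lib-object-form.git' } },
  { name: 'lib-shorthand', repository: 'example-org/lib-shorthand' },
  { name: 'lib-prefixed', repository: 'github:example-org/lib-prefixed' },
  { name: 'lib-elsewhere', repository: 'gitlab:example-org/lib-elsewhere' },
  { name: 'lib-no-field' },
];

// Map each manifest name to its GitHub slug (or null); a scanner should treat
// null as "repository unknown" rather than fall back to a name search.
function resolveRepositories(manifests) {
  const out = {};
  for (const m of manifests) out[m.name] = githubSlugFromRepository(m.repository);
  return out;
}

console.log(resolveRepositories(SAMPLE_MANIFESTS));
```

The design choice worth noting is the `null` for a missing field: a name-based fallback is exactly what produces a link to an unrelated repository that happens to share the package name, so the resolver reports "unknown" and leaves the decision to the caller.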

~~~
wereHamster
Let's be honest, unless you use a private NPM registry, "react" means
[https://www.npmjs.com/package/react](https://www.npmjs.com/package/react).
GitHub should use the standard resolution algorithm as employed by npm/yarn
(the CLI tools).

------
throwaway2016a
Well this is frustrating. There is an issue with one of my projects apparently
(actually saw it before I saw this on HN) and it is because of one of my
indirect dependencies.

I presume in this scenario I need to either wait for a patch from the direct
dependency or fork and submit a PR myself.

It's a great idea. I like it quite a bit. I just feel like the floodgates just
got opened.

Would be great to see PHP and Python in there.

~~~
jacobra2
There is now an incentive for that vulnerability to be addressed that didn't
exist before. Seems like a security win overall.

------
benrubydev
It seems like GitHub is slowly moving towards building their own static code
analysis and security scanning. CI is probably coming up. This will bury many
3rd party services, but will be more convenient for end users.

~~~
sdesol
I've said this in the past, but you really have to focus on the more difficult
things if you want to stay competitive in Git hosting. If it is easy to
implement and is useful, one of your competitors is going to copy you.

Right now GitHub, GitLab, Bitbucket, Microsoft, Gogs/Gitea, etc. all have
something unique to them, but none of them have the lock-in power that there
was in the past with Perforce, ClearCase and other SCMs.

GitLab and other open source solutions have turned core Git hosting
functionality into commodity features that people expect to be good and
cheap. So it only makes sense to start focusing on the not so hard things to
do, which can't be easily duplicated.

------
colemickens
(Meta: That GIF should have been two small screenshots. No animation, no
looping, no racing to understand before it switches frames. Stop making things
GIFs that don't need to be GIFs. It hurts accessibility and adds nothing.)

~~~
minus7
Or at least a WebM. But not a fucking 2.8 MiB large GIF.

------
maaaats
Retire.js does this for JS locally, we have a nightly check for our apps.
[https://retirejs.github.io/](https://retirejs.github.io/)

------
danjoc
Have had this for years.

`mvn org.owasp:dependency-check-maven:check`

Java FTW again :)

------
dmitriid
> Social Network for Children

Lego forums (I don't know if they still exist though). Apparently they went to
great lengths to make them safe and accessible for children.

That said though, if anyone can crack this problem, it will be awesome.
Children are already social, and are increasingly on the internet. And there
are very few, if any, kid-friendly (not kid-condescending, or kids-as-
afterthought) resources.

Most of the other problems listed look like first-world problems.

~~~
icebraining
Wrong thread.

------
LukeB42
I love whoever's responsible for this.

------
solatic
> With your dependency graph enabled, we’ll now notify you when we detect a
> vulnerability in one of your dependencies and suggest known fixes from the
> GitHub community.

Why not go one step further and automatically open a pull request fixing the
issue? If you can build a model of the dependency graph, then changing the
version to an up-to-date version should be trivial.

Of course, there's no guarantee that the commit in the pull request will
successfully build, and you'd still need a project maintainer to fix issues in
the build caused by the version change. But the data you get is invaluable. If
the security alert is unfixable (from the project maintainer's perspective,
since upstream hasn't released a fix yet), then why are you alerting a
maintainer about something unfixable? If the proposed fix's build is green,
then the alert should have a "higher volume" (so to speak), and if the
proposed fix's build is red, then the "volume" of the alert should be turned
down so that the team can focus on fixing the build so that the security patch
should be applied.

~~~
theflow
We do exactly that at Depfu (for Ruby):
[https://depfu.com/blog/2017/09/28/depfu-now-flags-security-u...](https://depfu.com/blog/2017/09/28/depfu-now-flags-security-updates)

But I'm also pretty sure Github is going to do that soon, it's an obvious next
step.

------
kylecordes
This is both brilliant and frustrating. The brilliant part is much discussed
here already, so...

The frustration is that my projects, and I suspect the bulk of projects that
get these alerts, get them because of transitive dependency. At least from my
first look I did not see the transitive dependency path mentioned, so although
I didn't need to know anything to read the alert, I had to dig through NPM
features to figure it out.

As the maintainer of "end-user" projects that depend on various big pieces of
tooling, it turns out that I'm not really in much of a position to do anything
about the transitive dependencies anyway, other than manually track down the
dependency path and then go open issues in each thing along the way.

Something like the following seems like it would help focus attention toward
the points where things have to be fixed: a kind of leaderboard, a (gentle and
friendly) "wall of shame". Projects would earn their way to the top of this
wall by depending on vulnerable things themselves, and then being depended on
by other projects directly or indirectly.
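Tracking down the transitive path described above, as an added example that is not part of the thread and not GitHub's or npm's own code: a walk over an npm lockfileVersion 1 style tree that reports every path from a project's direct dependencies to a vulnerable package, and for each path names the direct dependency (where an end-user project can act) and the package that pins the bad version (where the fix has to land, and what a leaderboard of the kind proposed above would count). The package names, versions, advisory and lock data are all constructed; the version comparison is a simplified numeric one with no prerelease or range handling.

```javascript
// Added example (not GitHub's or npm's code): recover the dependency path from a
// project's direct dependencies to a vulnerable package by walking an npm
// lockfileVersion-1 style tree, so the alert can be raised with the package that
// actually pins the bad version. Package names, versions, the advisory and the
// lock data are all constructed for this example; the version comparison is a
// simplified numeric one with no prerelease handling.

// Constructed manifest: only the direct dependencies matter here.
const PACKAGE_JSON = {
  dependencies: { 'web-framework': '^2.0.0', 'cli-helper': '^1.1.0' },
};

// Constructed lock tree in the lockfileVersion 1 shape: top-level entries are
// hoisted, nested "dependencies" hold copies a package keeps under its own
// node_modules, and "requires" lists what each package asks for.
const PACKAGE_LOCK = {
  lockfileVersion: 1,
  dependencies: {
    'web-framework': { version: '2.3.0', requires: { 'parser-lib': '^1.0.0', logger: '^3.0.0' } },
    logger: {
      version: '3.1.0',
      requires: { 'parser-lib': '^0.9.0' },
      dependencies: { 'parser-lib': { version: '0.9.8' } },   // nested older copy
    },
    'cli-helper': {
      version: '1.1.2',
      requires: { 'parser-lib': '^0.9.0' },
      dependencies: { 'parser-lib': { version: '0.9.4' } },   // nested older copy
    },
    'parser-lib': { version: '1.2.0' },                         // hoisted, fixed copy
  },
};

// Constructed advisory: parser-lib below 1.0.0 is affected.
const ADVISORIES = [{ name: 'parser-lib', fixedIn: '1.0.0' }];

function versionLessThan(a, b) {
  const pa = a.split('.').map(Number), pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y;
  }
  return false;
}

function isVulnerable(name, version, advisories) {
  return advisories.some(a => a.name === name && versionLessThan(version, a.fixedIn));
}

// Depth-first walk. `scopes` is the list of dependency maps visible from the
// current node, innermost first, which mirrors how node_modules lookup works.
function vulnerablePaths(manifest, lock, advisories) {
  const found = [];
  function visit(name, scopes, path, seen) {
    const scope = scopes.find(s => Object.prototype.hasOwnProperty.call(s, name));
    if (!scope) return;                                  // not installed: nothing to report
    const node = scope[name];
    const key = `${name}@${node.version}`;
    if (seen.has(key)) return;                           // cycle guard
    const nextPath = path.concat(key);
    if (isVulnerable(name, node.version, advisories)) found.push(nextPath);
    const nextScopes = node.dependencies ? [node.dependencies, ...scopes] : scopes;
    const nextSeen = new Set(seen).add(key);
    for (const dep of Object.keys(node.requires || {})) visit(dep, nextScopes, nextPath, nextSeen);
  }
  for (const direct of Object.keys(manifest.dependencies || {})) {
    visit(direct, [lock.dependencies || {}], [], new Set());
  }
  return found;
}

// For each path, name the direct dependency (where an end-user project can act)
// and the package that pins the vulnerable version (where the fix has to land).
function escalationTargets(paths) {
  return paths.map(p => ({ direct: p[0], pinnedBy: p[p.length - 2], vulnerable: p[p.length - 1] }));
}

console.log(vulnerablePaths(PACKAGE_JSON, PACKAGE_LOCK, ADVISORIES).map(p => p.join(' > ')));
```

Note that the hoisted `parser-lib@1.2.0` is reached twice and never reported, while the two nested older copies are; a scanner that only looks at the top-level entries of the lockfile would miss both of them.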

------
burntrelish1273
This is awesome! I found a security issue in an Elixir/Erlang project that was
a dependency of many other projects and it was manual and complicated to
coordinate amongst them. IIRC I suggested this to one of the other parties,
although it seems trivial and obvious to other people, but it's good that GH
also came upon this independently and shipped it.

------
RickHull
I've been using [https://hakiri.io/](https://hakiri.io/) for this on my ruby
github projects[1].

[1]
[https://github.com/rickhull?tab=repositories&type=source&lan...](https://github.com/rickhull?tab=repositories&type=source&language=ruby)

------
thesmallestcat
Think carefully about the consequences of this automated scan info leaking
before enabling it in your private repositories.

~~~
fanon
Are the consequences significantly different than having private repos on
Github to begin with?

I realize this is one more Github service with access to metadata about your
code, so the attack surface is technically larger, but is the probability of
leak that much greater from this service than it already is by having your
code on their servers (which, I assume, are protected by the same security
team)?

Maybe it's an oversimplification but my expectation is that any project with
such sensitivity wouldn't be hosted on an external service at all.

------
SEJeff
How long before this makes github enterprise I wonder.

~~~
CaliforniaKarl
I think the answer will be: Once it has been on github.com long enough for
people to find any issues that GitHub themselves missed in their internal
testing.

------
braunshizzle
I noticed this yesterday. Too bad there's no Composer support (PHP)

~~~
gonzoyumo
[https://gemnasium.com](https://gemnasium.com) has composer support, you can
give it a try!

------
dreamdu5t
You don't need to pay anyone for this service. GitHub and Snyk use free public
vulnerability lists to check your dependencies.

There are plenty of open source alternatives such as
[https://github.com/RetireJS/retire.js](https://github.com/RetireJS/retire.js)
for JavaScript.

It's absurd that companies are charging $100/mo just to run your dependency
list against another public list of vulnerabilities. This service should be
offered for free by GitHub.

~~~
newsgeek12
This _is_ free from GitHub. At least there's no mention of price in the blog
post. I seem to have this feature.

------
fuzzygroup
While it's not hard to set up, Github doesn't cover how to do so for private
repositories. I put the steps for setting this up on a per repository basis
here:

[http://fuzzyblog.io/blog/github/2017/11/17/enabling-github-s...](http://fuzzyblog.io/blog/github/2017/11/17/enabling-github-security-alerts-on-your-private-repositories.html)

------
iRobbery
I'd like it if github shows which projects had to be reminded of
vulnerabilities this way instead of the developers knowing/addressing things
themselves.

------
gravis
(Hint: Gemnasium founder here) If you like this feature, you may want to try
[https://gemnasium.com](https://gemnasium.com) then. We have a lot more
advisories in db, for Java, Python, Ruby, PHP and JavaScript. Please feel free
to ask if you have any questions, I’ll be glad to help!

------
humblebee
Does it work in a mono repo, or where the Gemfile / package.json are not in
the root of the project?

~~~
holman
Yup. I have a monorepo with 5-6 Gemfiles/package.jsons in subdirectories and
it picks 'em all up.

------
qmachu
Just like Clair
([https://github.com/coreos/clair](https://github.com/coreos/clair)), only
for GitHub

------
tomschlick
Hopefully PHP (composer.json) support makes it in soon! :)

~~~
gonzoyumo
[https://gemnasium.com](https://gemnasium.com) has composer support, you can
give it a try!

------
gbrown_
This is nice but I really hope people don't become complacent with this and
rely on GitHub to notify them of such things.

~~~
jrochkind1
I don't know of any way to keep up with vulnerabilities _except_ an automated
system. I use `bundle audit` in ruby-land. I don't know why github's automated
system will be worse than anyone else's.

What alternative is there? Hoping you notice something on a listserv and
realize it's one of your (possibly indirect) dependencies? That does not seem
better. Automated monitoring and alert is the way to go.

And _everyone_ should _always_ be filing CVEs for their vulnerabilities, to
make automated detection so much easier.

~~~
tkadlec
Automated tooling is a must, yes. The riskiest part about relying on ONLY GH's
solution (IMO) is the NVD/CVE limitation.

I agree, CVE would be _awesome_ in theory. In reality, very few file for CVEs
and so the coverage is iffy (~11% of npm package vulns and about ~67% of
rubygem vulns
[https://snyk.io/stateofossecurity/](https://snyk.io/stateofossecurity/)).

But it goes beyond that. There was a great paper earlier this year
([https://arxiv.org/abs/1705.05347](https://arxiv.org/abs/1705.05347)) that
highlighted many other issues: lag between CVE and NVD (which is where all the
useful info comes from), mismatched CPEs, nonexistent CPEs, etc.

I would love to see us get to a point where the CVE/NVD was enough, but we're
far from it right now.

~~~
jrochkind1
github's announcement made clear they don't plan to only rely on CVE/NVD
database, but yeah, you've got to pick a tool you think is good.

I think a great many people at non-large companies are using free tools that I
think are unlikely to be better than github's. Or no tool at all.

------
isarat
iOS projects with Fastlane automatically look for vulnerabilities with the
gems installed.

------
Sephr
I wonder how this interacts with submodule-style dependencies.

------
lhinds
No python support :*(

~~~
hugo19941994
The post mentions it will be coming in 2018

------
partycoder
node.js security is hard to get right. Even if you keep your dependencies
up to date, your application might be pretty vulnerable unless you know what
you are doing.

This is because:

1) frameworks are minimalistic and they give you some large room for error.

2) javascript is very dynamic, and it is time consuming to validate types...
unless you are using something like typescript.

3) people tend to use node for orchestration layers/api gateways... and focus
their security on the underlying API. But exfiltrating at the orchestration
layer is as severe.

------
tty7
I hope github moves into static analysis!

------
emceestork
This is great! Looking forward to using it.

------
hartator
Not sure about this. I can see this as an "added stress" if we can't update a
dependency for whatever reason and alerts keep popping in.

~~~
comboy
With this kind of reasoning you don't need any logging on your servers.

