
Welcoming Semmle to GitHub - johns
https://github.blog/2019-09-18-github-welcomes-semmle/
======
eatonphil
The linked blog post [0] and the new security marketing page [1] both have a
little more detail on what this actually means.

Basically, Semmle offers a static analysis tool that operates on your source
code as a graph (from what I understand) and points out bugs and security
holes in your code. Github is now offering that for free on repos at all
tiers.

[0] [https://github.blog/2019-09-18-securing-software-together/](https://github.blog/2019-09-18-securing-software-together/)

[1] [https://github.com/features/security](https://github.com/features/security)

~~~
DannyBee
Semmle is basically datalog over source code.

For what it works for, it works nice. But it is not a panacea.

Security vulnerability finding is almost certainly the wrong target for Semmle
- I am unsure why they are trying to push that angle. There are much better
stories in things like refactoring and understanding. (I say this having
overseen a number of deployments for various reasons, some successful, some
not)

~~~
sneak
Nothing is a panacea. Things that help move the needle without requiring tons
of time or effort are useful and valuable. I'm really glad to see more efforts
in this area.

~~~
DannyBee
While it's true that there is no panacea, Semmle will not move the needle on
vulnerability finding. This I have extensive data on.

(I mean this in terms of capability, not sudden popularity)

It would move the needle on a bunch else. It is a good tool for sure (and I'm
very happy for them), I just think they will disappoint people by pressing
this particular narrative, and wouldn't do so with a different narrative.

~~~
lvh
The Datalog part is interesting! Do they have a bunch of rules to make graph
queries work nicely, like Datomic pull syntax or maybe some pattern matching
syntactic sugar? Is the underlying thing still an EAVT store? Is any of that
information publicly available?

~~~
dantiberian
It looks like they have reasonable docs on their query language, in particular
[https://help.semmle.com/QL/learn-ql/about-ql.html#properties...](https://help.semmle.com/QL/learn-ql/about-ql.html#properties-of-ql) has some info on the QL language.

[https://help.semmle.com/lgtm-enterprise/user/help/generate-d...](https://help.semmle.com/lgtm-enterprise/user/help/generate-database.html) says "LGTM generates a database
for each commit stored in a repository. Each database is a relational database
that represents the structure of the codebase for a specific revision, or
snapshot, of the code.", though a triple store could qualify as relational
here. I couldn't find much more than that about the implementation details
though.

~~~
lvh
Right. I found those docs but they didn’t look like datalog queries at all. Of
course that doesn’t mean they don’t compile down to datalog :)

------
igammarays
I hate that these kinds of Orwellian phrases "Welcoming X to the Y Family"
have now become idiomatic of corporate English. Ugh, no. There is no "family"
involved here, not by any stretch of the word.

~~~
javagram
To be fair, if a “parent corporation” is a thing, then logically it has
children and can be a corporate family.

~~~
igammarays
Intent matters. The phrase "parent corporation" has no PR or emotional intent.
"Welcoming X to Y family" has a clear emotive intent.

~~~
andyfleming
Maybe the intent of the writer was to make the new hires feel welcome aboard
to their new company.

That's also not mutually exclusive of the emotive intent you are describing.
What makes that Orwellian though?

~~~
devmunchies
The parent comment seems to be criticizing the higher-level corporate trend to
use this lingo, and isn't talking about Friedman or Github specifically.

------
xvilka
Free hint for GitLab - they can integrate a similar but open source tool -
Infer[1]. Essentially it provides similar features, just lacks a good
interface to do so. They also have a query language, called AL[2]. It is way
less polished than Semmle, but open source and with good potential.

[1] [https://github.com/facebook/infer](https://github.com/facebook/infer)

[2]
[https://fbinfer.com/docs/linters.html](https://fbinfer.com/docs/linters.html)

------
chuckgreenman
Interesting to see the differences between Github and Gitlab's strategy in
this arena.

Github appears to be going the acqui-hire route with Semmle, dependabot,
pullpanda etc, whereas I don't think Gitlab's made an acquisition for a year
or two.

~~~
troydavis
GitLab published what they're interested in:
[https://about.gitlab.com/handbook/acquisitions/](https://about.gitlab.com/handbook/acquisitions/).
It's an amazing, one-of-a-kind doc. One of their constraints
([https://about.gitlab.com/handbook/acquisitions/#what-we-offe...](https://about.gitlab.com/handbook/acquisitions/#what-we-offer)) is
quite limiting, though:

> The total purchase price of the deal, paid in cash, will not exceed $1M and
> will be the total and only compensation for the entire deal.

~~~
andrewprock
They are looking at companies that: "Raised under $10M total investment funds,
last round being over 3 years ago"

This implies that in addition to self-funded ventures, they are looking for
fire sales from failed start-ups.

------
archon810
Semmle's post: [https://blog.semmle.com/secure-software-github-semmle/](https://blog.semmle.com/secure-software-github-semmle/).

------
pja
Github has been really working on their source code analysis toolkit recently
& this acquisition makes perfect sense as part of that strategy.
Congratulations to Oege & the team.

------
fnord123
First project I look up on lgtm.com is rust.. Second alert I find is this:

[https://lgtm.com/projects/g/rust-lang/rust/snapshot/f5aa590b...](https://lgtm.com/projects/g/rust-lang/rust/snapshot/f5aa590b8ca98e925e5b1b975d7aef07e0c7a028/files/src/ci/docker/scripts/android-sdk-manager.py#x2e8f6c458bb40362:1)

exist_ok is available from python 3.2, so this isn't a good impression.

[https://docs.python.org/3.7/library/os.html#os.makedirs](https://docs.python.org/3.7/library/os.html#os.makedirs)

------
dazbradbury
Huge congrats to Oege and the team at Semmle - couldn't be happier for a
hugely passionate and smart individual (and a previous professor of mine!)

Am sure this will bring some amazing advances to Github and thus a huge % of
the developer community.

------
rishicomplex
"Human progress depends on the open source community."

What a way to begin an article.

~~~
chromeguy66
Especially considering M$ owns GitHub

------
tom-jh
I've just tested their lgtm.com on our codebase:

1) identified str.replace('[ABC]+', '') correctly as a bug (looks like a regex
but is string literal)

2) identified various unnecessary code that TypeScript overlooked

3) identified double-unescaping of html (this one would have probably gone
unnoticed for years)

And a bunch of other stuff. No actual vulnerability in our case, but still
very useful. I'm enabling their checks on every future PR.

This was TypeScript but they support the rest of our stack too (Python, Java).
I wonder if this includes Kotlin - will try.
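The first and third findings above, reproduced on constructed inputs as an added example (not tom-jh's code or lgtm's query): a string argument to `replace` is matched literally, so a regex-looking string is a silent no-op, and decoding HTML entities twice turns already-decoded text into markup. The source-scanning heuristic at the end is a hypothetical lint-level approximation of what a QL query does on the AST.

```javascript
// 1) String.prototype.replace with a *string* pattern looks for that exact text.
//    '[ABC]+' is never present literally, so the buggy version returns its input unchanged.
function stripLettersBuggy(s) {
  return s.replace('[ABC]+', '');   // literal search for the six characters "[ABC]+"
}
function stripLettersFixed(s) {
  return s.replace(/[ABC]+/g, '');  // a real regex; 'g' removes every run, not just the first
}

// 2) Double-unescaping: "&amp;lt;" is the safe encoding of the text "&lt;".
//    One decode yields "&lt;" (still inert); a second decode yields "<" (now markup).
const ENTITIES = { '&amp;': '&', '&lt;': '<', '&gt;': '>', '&quot;': '"', '&#39;': "'" };
function unescapeHtml(s) {
  return s.replace(/&(amp|lt|gt|quot|#39);/g, (m) => ENTITIES[m]);
}
function doubleUnescape(s) {
  return unescapeHtml(unescapeHtml(s));  // the bug: decoding an already-decoded string
}

// 3) Hypothetical heuristic: report .replace('...') calls whose string argument
//    contains regex metacharacters ([ ] + * ? ^ $ | \). Text-based, so it only
//    approximates a syntax-tree query, but it catches the str.replace('[ABC]+', '') case.
function findRegexLikeReplace(source) {
  const pattern = /\.replace\(\s*(['"`])((?:(?!\1).)*[\[\]+*?^$|\\](?:(?!\1).)*)\1\s*,/g;
  const hits = [];
  let m;
  while ((m = pattern.exec(source)) !== null) hits.push(m[2]);
  return hits;  // the suspicious string arguments, in source order
}

// Constructed sample source for the heuristic (not from any real project).
const SAMPLE_SOURCE = [
  "out = text.replace('[ABC]+', '');",   // flagged: regex metacharacters in a string
  "path = name.replace('.', '-');",      // not flagged: plain literal replacement
  "clean = s.replace(/a+/g, '');",       // not flagged: already a regex
].join('\n');
```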

~~~
tom-jh
Tested, Kotlin is not supported, nor is Swift.

------
throwaway744678
> Human progress depends on the open source community.

(Non native speaker here). Am I misunderstanding something, or is the author
explaining that humanity can not progress without the open source community?

~~~
mytailorisrich
That's right. That's called hyperbole (with an 'e').

------
rishicomplex
I've used semmle's tools at Google, they seemed pretty powerful.

------
notus
I spent way too long thinking that Semmie was just a badass programmer

------
z3t4
Would be cool if the tools would be made open source in order for everyone to
get more security.

------
robbystk
So this is the excuse they're using to build infrastructure to scan through
everyone's code to find whatever they want.

