Microsoft subsidiary GitHub announced today that it has become a CVE Numbering Authority and that it completed its acquisition of Semmle code-analysis platform.
Semmle’s analysis engine, QL, simplifies the process of finding variations of the same coding mistake over large codebases, allowing faster discovery of security vulnerabilities.
GitHub to improve bug scanning process
GitHub plans to add the Semmle technology into its services and improve code development and vulnerability disclosure process for its users.
Semmle treats source code as data and makes it possible to identify entire vulnerability classes at a much quicker rate than traditional code analysis methods. The product is now used by big organizations like Google, Uber, Microsoft, and NASA.
“Security researchers identify vulnerabilities and their variants with a QL query. This query can be shared and run over many codebases, freeing up security researchers to do what they love and do best: hunt for new classes of vulnerability.” – Shanku Niyogi, GitHub SVP of Product
GitHub plans to integrate Semmle into its services and provide the 36 million developers on the platform the possibility to check their code for bugs before releasing the product. This is currently in the early stages.
Easier bug reporting, tracking, and fixing
Starting today, GitHub is a Common Vulnerabilities and Exposures (CVE) Numbering Authority, or a CNA, in short, which means that it can assign identifiers for vulnerabilities.
Security advisories opened on the platform can now be tracked easier and researchers, maintainers, and developers can better collaborate towards fixing security problems.
It is worth noting that GitHub already triaged vulnerabilities from the reports it received, to confirm impact and affected users before releasing alerts.
With these changes, GitHub strengthens its role in cybersecurity offering its huge developer base services for discovering vulnerabilities in their projects at a faster rate, for tracking bugs, and for automating dependency patching.