Using the usual pull request to edit the document, Microsoft will allow community members to submit information and code samples to security advisories. The GitHub Advisory Database has now been released under an open source licence, allowing contributors to add technical details to the gathered security advisories of open source projects hosted on the service.
GitHub’s automatic dependency checking system, Dependabot, is powered by the GitHub Advisory Database, which the business says has the largest collection of vulnerabilities detected in software dependencies. In addition, the warnings are now used as part of the audits that look for vulnerable code in the Node Package Manager (NPM) repository for JavaScript components and the NuGet repository for.NET components.
GitHub, Apple, Amazon, Microsoft, Meta, Red Hat, and other companies met with White House officials in January to discuss software ecosystem security policies. After problems in a widely used Java component, Log4j, necessitated a large global effort to locate and patch the issues in impacted programmes, some of which contained the component in a dependency nine levels deep, the summit was held.
The company’s decision builds on its policy of seeking feedback and material from developers. GitHub made its full advice database available as a public repository, thereby turning it into another project managed by the firm. Additionally, the company has developed a user interface for community contributions, which should allow the database to hold more information. While a dedicated team within GitHub maintains the collection of advisories, allowing other programmers to offer revisions would likely expand the detail in the advisories.
“GitHub has teams of security researchers that review all changes and help keep security advisories up to date, but often there are community members with additional insights and intelligence on CVEs that do not have a place to share this knowledge,” the company wrote in its February 22 blog post.
According to the company, GitHub has more than 73 million users contributing to 200 million projects. The company hopes to improve the global software supply chain by using the community-supported advisory database, the Copilot machine-learning pair programming feature for developers, and the Dependabot code scanner. In 2021, the firm will add support for software from the Rust and Go ecosystems, and earlier this month, it launched better Dependabot notifications.
The corporation registered 1,091 vulnerabilities to the Common Vulnerability Enumeration (CVE) programme in 2021, making it the largest CVE Numbering Authority (CNA) with the exception of MITRE Corp., which operates the program.
