Dependabot, a tool for discovering weak open source package dependencies in software projects, was bought by GitHub in 2019. Since then, Dependabot has assisted developers in addressing over three million vulnerabilities by sending out automated notifications when it discovers potentially dangerous software packages. Thanks to its enhanced capacity to tell developers whether or not its security alerts are relevant, GitHub’s Dependabot is getting more dependable.
While it is worthwhile to flag packages with susceptible code, software developers would prefer a higher signal-to-noise ratio. They want to determine if the addition of a faulty library has any impact on their application code.
Last year, Dan Abramov, a Facebook software engineer, criticised the design of npm audit, a CLI tool for spotting obsolete or risky packages in web projects that use GitHub’s npm Registry to get their libraries. Abramov was concerned that 99 percent of the vulnerabilities detected by the tool were false alarms – an imported package may have vulnerabilities, but this isn’t necessarily a problem if the app that imports it doesn’t call the unsafe code.
Because both rely on the same GitHub Advisory Database to discover problematic packages, Dependabot, which can be enabled to monitor GitHub users’ projects and deliver comparable notifications about insecure packages, has a lot in common with npm audit. The bot has now grown a little more clever in its security reporting, initially for Python code, by telling developers whether their code actually uses vulnerable functions within a dependency.
“Dependabot alerts will now use GitHub’s precise code navigation engine to determine if a repository directly calls a vulnerable function,” explains Erin Havens, GitHub open source project manager, in a blog post. “That information will then be surfaced to developers via the UI for Dependabot alerts.”
As a result, there should be less anxiety about defects that aren’t immediately important. Checking Dependabot alerts in their Python repos will reveal not only a problematic dependency, but also a section of the file(s) containing code that exploits the vulnerability if their project is truly susceptible. This information will be displayed in the Dependabot alerts UI as a “vulnerable call” title and code snippet, and these alerts may be filtered using the has:vulnerable-calls search field constraint.
This is now only applicable to direct calls, in which a function is called using a fixed identifier. Indirect calls – where a function is called via a variable – will eventually be supported.
GitHub is doing so by curating information about affected functions in its Advisory Database. According to Havens, the company has incorporated 79 Python advisories from the pip ecosystem so far, with more data on susceptible functions connected with Python advisories to be added as beta testing develops. Supported alerts on public repos and repos with GitHub Advanced Security turned on are handled by the more reliable Dependabot. GitHub hopes to expand Dependabot’s more accurate suggestions to other programming languages in the future.
