GitHub discovers 4 million vulnerabilities in public code libraries

The bug hunt prompted developers and repository admins to start fixing their code

GitHub has found four million security vulnerabilities across its public code repositories, prompting developers to do some serious spring cleaning.

After scanning its JavaScript and Ruby libraries for known security bugs back in November, GitHub soon turned up a mass of known vulnerabilities spread across some 500,000 of its public code libraries.
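The scan the article describes works by matching the versions pinned in a project's dependency manifest against a database of known-vulnerable version ranges. The following is an added illustration of that matching step, not GitHub's own code: it parses the `specs` block of a Ruby `Gemfile.lock` and checks each pinned gem against a constructed advisory list using the `Gem::Version` and `Gem::Requirement` classes that ship with RubyGems. The gem names, version ranges and advisory identifiers in the sample data are placeholders, not real advisories.

```ruby
# Added example (not GitHub's code): match pinned gems in a Gemfile.lock
# against known-vulnerable version ranges, the way a dependency alert scan does.
require "rubygems"

# Constructed advisory list: gem name => entries of {range:, id:}.
# Ranges and identifiers are placeholders for illustration only.
ADVISORIES = {
  "rack"     => [{ range: ">= 2.0.0, < 2.0.6", id: "EXAMPLE-ADVISORY-1" }],
  "nokogiri" => [{ range: "< 1.8.5",           id: "EXAMPLE-ADVISORY-2" }]
}.freeze

# Constructed sample lockfile in the layout Bundler writes.
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      mini_portile2 (2.3.0)
      nokogiri (1.8.4)
        mini_portile2 (~> 2.3.0)
      rack (2.0.5)
      rake (12.3.1)

  PLATFORMS
    ruby

  DEPENDENCIES
    nokogiri
    rack
    rake

  BUNDLED WITH
     1.16.6
LOCK

# Return {gem_name => pinned_version} from every "specs:" block.
# Pinned gems sit at exactly four spaces of indentation; the six-space lines
# beneath them are dependency constraints, not pins, and are skipped.
def parse_lockfile(text)
  pins = {}
  in_specs = false
  text.each_line do |line|
    stripped = line.rstrip
    if stripped == "  specs:"
      in_specs = true
      next
    end
    # A blank line or a new top-level section ends the specs block.
    if in_specs && (stripped.empty? || !stripped.start_with?("  "))
      in_specs = false
      next
    end
    next unless in_specs
    if (m = /\A {4}(\S+) \(([^)]+)\)\z/.match(stripped))
      # Drop a platform suffix such as "1.8.4-x86_64-linux" before comparing.
      pins[m[1]] = m[2].split("-").first
    end
  end
  pins
end

# Compare each pin against the advisory ranges; a range like ">= 2.0.0, < 2.0.6"
# becomes a multi-clause Gem::Requirement that every clause must satisfy.
def known_vulnerabilities(pins)
  findings = []
  pins.each do |name, version|
    next unless ADVISORIES.key?(name)
    v = Gem::Version.new(version)
    ADVISORIES[name].each do |adv|
      req = Gem::Requirement.new(*adv[:range].split(",").map(&:strip))
      findings << { gem: name, version: version, advisory: adv[:id] } if req.satisfied_by?(v)
    end
  end
  findings
end

if __FILE__ == $PROGRAM_NAME
  known_vulnerabilities(parse_lockfile(SAMPLE_LOCKFILE)).each do |f|
    puts "#{f[:gem]} #{f[:version]} matches #{f[:advisory]}"
  end
end
```

Run against the sample lockfile, the scan flags `nokogiri 1.8.4` and `rack 2.0.5` and leaves `rake` and `mini_portile2` alone; upgrading `rack` to 2.0.6 clears its finding. A real scanner differs mainly in where the advisory data comes from and in handling the `GIT` and `PATH` sections of the lockfile.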


The company quickly informed the administrators of those libraries, and by 1 December 450,000 known security holes had been plugged, either by taking down the vulnerable code or by publishing patched versions.

This process of identifying vulnerabilities and flagging them to developers and repository admins appears to be paying off: GitHub noted that its users are now rapidly fixing security flaws in code that is freely available for anyone to access and reuse in the next popular app.

"Since [December 2017], our rate of vulnerabilities resolved in the first seven days of detection has been about 30 percent. Additionally, 15 percent of alerts are dismissed within seven days, which means nearly half of all alerts are responded to within a week. Of the remaining alerts that are unaddressed or unresolved, the majority belong to repositories that have not had a contribution in the last 90 days," said GitHub.


"In other words, for almost all repositories with recent contributions, we see maintainers patching vulnerabilities in fewer than seven days."


Vulnerabilities in open source code that is regularly pulled into other software and firmware can lead to exploits spreading to all manner of apps, services and devices. Effectively policing and sanitising readily available code is therefore one way to prevent the spread of known security flaws.

GitHub plans to expand its efforts further to ensure its code repositories are better maintained.

"Security alerts are opening the door to new ways we can improve code checking and generation by combining publicly available data with GitHub's unique data set. And this is just the beginning: we've got more ways to help you keep code safer on the way!" it said.

Such efforts should help pave the way to safer public code libraries, though it is always worth proceeding with caution and keeping security in mind when using code contributed by an open community.
