GitHub’s Dependabot is becoming more dependable thanks to its newfound ability to tell developers whether its security alerts are relevant or not.
GitHub acquired Dependabot, a tool for finding vulnerable open source package dependencies in software projects, in 2019. Since then, Dependabot has helped developers address more than three million vulnerabilities by presenting automated notifications when it finds unsafe software packages.
Flagging packages with vulnerable code is worthwhile but software developers would prefer a better signal-to-noise ratio. They want to know whether their application code is actually affected by the inclusion of a flawed library.
This issue surfaced last year when Dan Abramov, a software engineer at Facebook, criticized the implementation of npm audit, a CLI tool for identifying outdated or vulnerable packages in web apps that fetch their libraries via GitHub’s npm Registry. Abramov’s concern was that 99 percent of the vulnerabilities flagged by the tool were false alarms – an imported package may contain vulnerabilities, but that’s not necessarily a problem if the app importing it doesn’t call the unsafe code.
Dependabot, which can be set to scan GitHub users’ projects and present similar alerts about vulnerable packages, has a lot in common with npm audit because both rely on the same GitHub Advisory Database to identify problematic packages. Now – for Python code initially – the bot has become a bit more savvy in its security reporting by informing developers if their code actually calls insecure functions within a dependency.
“Dependabot alerts will now use GitHub’s precise code navigation engine to determine if a repository directly calls a vulnerable function,” explains Erin Havens, GitHub open source project manager, in a blog post. “That information will then be surfaced to developers via the UI for Dependabot alerts.”
The result, hopefully, will be less unnecessary angst about bugs that aren’t immediately relevant. GitHub users checking Dependabot alerts in their Python repos will see not just a problematic dependency but, if their app really is vulnerable, a portion of the file(s) containing code that invokes the vulnerability. This information will be presented through a “vulnerable call” label and code snippet in the Dependabot alerts interface, and these alerts can be filtered using the has:vulnerable-calls search field constraint.
Presently, this works for direct calls – where a function is invoked by a fixed identifier. The plan is to add support eventually for indirect calls – where a function is invoked by a variable.
GitHub is implementing this by curating details of affected functions in its Advisory Database. According to Havens, the company has currently incorporated 79 Python advisories from the pip ecosystem and intends to add more data on vulnerable functions associated with Python advisories as beta testing progresses.
The more reliable Dependabot is enabled for supported alerts on public repos and on repos with GitHub Advanced Security activated. Eventually, GitHub aims to expand Dependabot’s more precise advice for other programming languages. ®