To help organizations better understand the scope of software vulnerabilities in their supply chains, GitHub is opening up its internal database of security advisories to the public, enabling community members to contribute to and inspect the company’s massive collection of advisories.
GitHub has a dedicated team of researchers who maintain the advisory database, and the collection serves as the basis for several of the security tools the company offers, including Dependabot. That tool, which GitHub acquired in 2019, automatically opens pull requests to update a project's dependencies whenever a newer version of a package is available; the updated package lands in the project once a maintainer accepts and merges the pull request. The goal is to relieve developers of some of the burden of keeping up with vulnerabilities in all of the dependent packages in their projects.
“Today, we are excited to announce that the GitHub Advisory Database is now open to community contributions! GitHub is publishing the full contents of the Advisory Database to a new public repository to make it easier for the community to benefit from this data. We’ve also built a user interface for making contributions,” said Kate Catlin, senior product manager at GitHub.
“By making it easier to contribute to and consume, we hope it will power even more experiences and will further help improve the security of all software.”
The security and dependability of the software supply chain has become a serious concern in the last couple of years, as attacks on software makers such as SolarWinds and Kaseya have had massive downstream effects for thousands of customers. The SolarWinds attack in 2020 is perhaps the most glaring example of how an issue with one software supplier can affect an untold number of other software makers, customers, and end users. But there are many other incidents in which a flaw in a small package or library has caused mayhem, with the recent Log4j vulnerabilities being the best example. Those flaws in the Apache logging library had a massive ripple effect, thanks to the huge number of packages and apps that include Log4j. The remediation process for the library itself was relatively straightforward, but it will take months or years for all of the dependencies in other apps to be found and fixed.
By opening the Advisory Database to members of the community, GitHub will enable any community member to contribute new research, additions, and clarifications to security advisories.
“With community contributions, security researchers, academics, and enthusiasts will now be able to provide additional information and context to further the community’s understanding and awareness of security advisories,” Catlin said.
The Advisory Database publishes its advisories in the Open Source Vulnerability (OSV) format, a JSON schema in which each record names the affected package and ecosystem and describes the vulnerable version ranges as an ordered list of "introduced" and "fixed" events, so tools can match an advisory against a project's dependency list mechanically.
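The following is an added example, not code from GitHub or from the Advisory Database repository, showing how a consumer of OSV-format data would decide whether a pinned dependency falls inside an advisory's affected ranges. The advisory, its GHSA-style id, the package name `example-pkg` and the dependency list are all constructed placeholders for this example; the version comparator is a deliberate simplification that handles only numeric dotted versions (real ecosystems such as PyPI or npm need their own comparison rules).

```python
import json

# Constructed sample advisory in the OSV JSON format. The id, package name and
# version numbers are placeholders for this example, not a real advisory.
SAMPLE_ADVISORY = json.loads("""
{
  "schema_version": "1.3.0",
  "id": "GHSA-xxxx-xxxx-xxxx",
  "summary": "Example: unsafe deserialization in example-pkg",
  "affected": [
    {
      "package": {"ecosystem": "PyPI", "name": "example-pkg"},
      "ranges": [
        {"type": "ECOSYSTEM",
         "events": [{"introduced": "0"}, {"fixed": "1.4.2"},
                    {"introduced": "2.0.0"}, {"fixed": "2.1.0"}]}
      ]
    },
    {
      "package": {"ecosystem": "PyPI", "name": "example-pkg"},
      "versions": ["3.0.0"]
    }
  ]
}
""")

# Constructed dependency list (ecosystem, name, version), as a lockfile parser
# might produce it. The npm entry must not match: OSV matches per ecosystem.
SAMPLE_DEPENDENCIES = [
    ("PyPI", "example-pkg", "2.0.5"),
    ("PyPI", "other-pkg", "0.1.0"),
    ("npm", "example-pkg", "2.0.5"),
]


def parse_version(text):
    """Simplified comparator: numeric dotted versions only (assumption)."""
    return tuple(int(part) for part in text.split("."))


def version_in_range(version, rng):
    """Walk an OSV range's events in ascending version order.

    An "introduced" event at or below the version opens a vulnerable interval;
    a later "fixed" event at or below the version (or a "last_affected" event
    strictly below it) closes it again. The state after the last event is the
    answer. The "limit" event type is not handled here.
    """
    v = parse_version(version)
    events = sorted(rng["events"],
                    key=lambda ev: parse_version(next(iter(ev.values()))))
    affected = False
    for ev in events:
        if "introduced" in ev and v >= parse_version(ev["introduced"]):
            affected = True
        elif "fixed" in ev and v >= parse_version(ev["fixed"]):
            affected = False
        elif "last_affected" in ev and v > parse_version(ev["last_affected"]):
            affected = False
    return affected


def is_affected(advisory, ecosystem, name, version):
    """True if the advisory lists this exact package version as vulnerable."""
    for entry in advisory.get("affected", []):
        pkg = entry.get("package", {})
        if pkg.get("ecosystem") != ecosystem or pkg.get("name") != name:
            continue
        # Explicit version enumeration takes precedence over range matching.
        if version in entry.get("versions", []):
            return True
        for rng in entry.get("ranges", []):
            if rng.get("type") in ("ECOSYSTEM", "SEMVER") and \
                    version_in_range(version, rng):
                return True
    return False


def find_affected(advisory, dependencies):
    """Return the (ecosystem, name, version) tuples the advisory applies to."""
    return [dep for dep in dependencies if is_affected(advisory, *dep)]


if __name__ == "__main__":
    for hit in find_affected(SAMPLE_ADVISORY, SAMPLE_DEPENDENCIES):
        print(SAMPLE_ADVISORY["id"], "affects", hit)
```

The two-interval range above is the case that trips up naive "version < fixed" checks: 1.4.2 through 1.x is patched, 2.0.0 reintroduces the flaw, and 2.1.0 fixes it again, so a correct matcher has to track open and close events rather than compare against a single fixed version.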