GitHub security alerts now support PHP projects

GitHub is now also a CVE CNA and can issue its own CVE numbers for bugs disclosed in projects hosted on the platform.


Code hosting website GitHub announced today plans to add support for a Dependency Graph for Composer-based PHP projects.

Since the Dependency Graph feature is intertwined with the Security Alerts (Vulnerability Alerts) feature, this also means GitHub users will be eligible to receive automatic security alerts for any known vulnerabilities that crop up in the dependencies of their PHP projects.

How Security Alerts works

The Security Alerts feature is one of GitHub's most useful services. It works by having GitHub scan the dependency tree (generated by the Dependency Graph feature) of a user's project.

The scanner looks at each dependency's name and version number and compares them against a list of known vulnerabilities that GitHub pools from various sources.

If GitHub finds a vulnerability in any of the dependencies, the Security Alerts feature warns the project owner through various methods, such as:

  • A banner in the GitHub interface
  • Web notifications on the GitHub domain
  • Email notifications for each new vulnerability
  • Daily or weekly email digests of all new vulnerabilities

GitHub launched the Security Alerts feature to great success in November 2017 for JavaScript and Ruby projects and later expanded it to Python projects in July 2018. In October 2018, it expanded the feature further to Java and .NET projects.

PHP support had been a long time coming, since PHP has been a popular programming language for GitHub-hosted projects for years, ranking third or fourth in GitHub's language rankings in recent years.

(Chart: ranking of programming languages on GitHub. Image: GitHub)

But the Dependency Graph and the Security Alerts feature won't work for all PHP projects. They will only work for PHP projects that manage their dependencies with Composer. Composer is a package manager that declares the PHP libraries a project depends on (composer.json), imports them automatically, and pins the exact versions it installed (composer.lock).

After today's announcements, the current support scheme for the Dependency Graph and integrated Security Alerts feature is as follows:

Package manager | Languages | Recommended formats | Supported formats
Maven | Java, Scala | pom.xml | pom.xml
npm | JavaScript | package-lock.json | package-lock.json, package.json
Yarn | JavaScript | yarn.lock | package.json, yarn.lock
Nuget | .NET languages (C#, C++, F#, VB) | .csproj, .vbproj, .nuspec, .vcxproj, .fsproj | .csproj, .vbproj, .nuspec, .vcxproj, .fsproj, packages.config
Python PIP | Python | requirements.txt, pipfile.lock | requirements.txt, pipfile.lock, setup.py*
RubyGems | Ruby | Gemfile.lock | Gemfile.lock, Gemfile, *.gemspec
Composer | PHP | composer.lock | composer.json, composer.lock
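To make the matching step concrete, here is an added example (not GitHub's code, and not taken from any project the article mentions) that does for a Composer lock file what the description above says the scanner does: read each pinned package's name and version, look the name up in an advisory list, and check whether the version falls inside the affected range. The lock file excerpt, the "acme/..." package names and the "EXAMPLE-..." advisory IDs are all constructed for illustration and do not refer to real packages or real vulnerabilities.

```python
"""Toy dependency-vulnerability matcher for Composer lock files.

Added example, not GitHub's code. The lock file and advisory list below are
constructed for illustration; the package names and advisory IDs are invented
and do not refer to real vulnerabilities.
"""
import json
import re
from typing import Dict, List, Tuple

# Constructed composer.lock excerpt (real lock files carry many more fields,
# but "name" and "version" are what a vulnerability match needs).
COMPOSER_LOCK = json.dumps({
    "packages": [
        {"name": "acme/http-client", "version": "v1.3.7"},
        {"name": "acme/logger", "version": "2.0.0"},
    ],
    "packages-dev": [
        {"name": "acme/yaml", "version": "3.1.0-beta2"},
    ],
})

# Constructed advisory feed: package -> list of (advisory id, affected range).
# Ranges use Composer-style comparators separated by commas (all must hold).
ADVISORIES: Dict[str, List[Tuple[str, str]]] = {
    "acme/http-client": [("EXAMPLE-0001", ">=1.0.0,<1.4.2")],
    "acme/yaml": [("EXAMPLE-0002", "<3.1.0")],           # a pre-release of 3.1.0 is still affected
    "acme/logger": [("EXAMPLE-0003", ">=1.0.0,<2.0.0")],  # 2.0.0 is the fixed release
}

_VERSION_RE = re.compile(r"^v?(\d+(?:\.\d+)*)(?:-([0-9A-Za-z.]+))?$")


def parse_version(text: str) -> Tuple[Tuple[int, ...], Tuple[int, str]]:
    """Turn 'v1.2.3' or '3.1.0-beta2' into a comparable key.

    Numeric parts are padded to three fields; a pre-release suffix sorts
    below the final release with the same numbers (second element 0 vs 1).
    Only plain tagged versions are handled, not Composer's 'dev-*' branches.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unsupported version string: {text!r}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    nums = nums + (0,) * (3 - len(nums))
    pre = m.group(2)
    return nums, ((0, pre) if pre else (1, ""))


_OPS = {
    "<": lambda a, b: a < b,
    "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b,
    ">=": lambda a, b: a >= b,
    "=": lambda a, b: a == b,
    "!=": lambda a, b: a != b,
}
_CMP_RE = re.compile(r"^(<=|>=|!=|<|>|=)?\s*(\S+)$")


def version_in_range(version: str, constraint: str) -> bool:
    """True when `version` satisfies every comparator in `constraint`."""
    key = parse_version(version)
    for part in constraint.split(","):
        m = _CMP_RE.match(part.strip())
        if not m:
            raise ValueError(f"bad comparator: {part!r}")
        op = m.group(1) or "="
        if not _OPS[op](key, parse_version(m.group(2))):
            return False
    return True


def installed_packages(lock_json: str) -> List[Tuple[str, str, bool]]:
    """Return (name, version, is_dev) for every package pinned in composer.lock."""
    lock = json.loads(lock_json)
    found = []
    for section, is_dev in (("packages", False), ("packages-dev", True)):
        for pkg in lock.get(section, []):
            found.append((pkg["name"], pkg["version"], is_dev))
    return found


def scan(lock_json: str, advisories: Dict[str, List[Tuple[str, str]]] = ADVISORIES) -> List[dict]:
    """Exact name lookup, then version-range check, for each pinned package."""
    alerts = []
    for name, version, is_dev in installed_packages(lock_json):
        for advisory_id, affected in advisories.get(name, []):
            if version_in_range(version, affected):
                alerts.append({"package": name, "version": version, "dev": is_dev,
                               "advisory": advisory_id, "affected": affected})
    return alerts


if __name__ == "__main__":
    for a in scan(COMPOSER_LOCK):
        scope = "dev" if a["dev"] else "prod"
        print(f"[{scope}] {a['package']} {a['version']} matches {a['advisory']} ({a['affected']})")
```

Two things in this toy are worth carrying over to the real feature. First, it reads composer.lock rather than composer.json: the lock file records the exact versions that were resolved and installed, whereas composer.json only holds constraints such as "^1.3", which is why the table above lists composer.lock as the recommended format. Second, version comparison is where such matchers go wrong; this one handles plain tags and pre-release suffixes, but not Composer's "dev-" branch aliases or stability flags, so a production matcher needs the package manager's own version semantics.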

GitHub users who'd like to enable the Dependency Graph and Security Alerts for their repos can find more information in GitHub's documentation.

GitHub buys Semmle and becomes a CVE CNA

In other GitHub news, the Microsoft-owned code-hosting site also announced today that it is acquiring Semmle, a code security analysis platform.

In a lengthy post, GitHub said it planned to use Semmle's code scanning features to improve its vulnerability scanning process.

In addition, GitHub also announced today that it has been approved as a CVE Numbering Authority (CNA), which means GitHub will be able to assign CVE numbers -- identifiers for security flaws -- on its own, without routing each request through MITRE.

This CNA scope covers only open source projects hosted on the platform, which means bugs reported on an open source project's bug tracker can receive a CVE identifier much faster, as the project owner can request a CVE from GitHub rather than go through the more crowded and time-consuming approval process at MITRE.