GitHub has introduced a new feature for Dependabot alerts, a service that has already helped developers resolve approximately 3 million alerts. With it, Dependabot alerts become more insightful: they now tell users whether their code actually calls vulnerable code paths, so they can prioritize and remediate alerts accordingly.
Vulnerable function calls
GitHub’s precise code navigation engine can determine whether a vulnerable function is actually being called. If it is, Dependabot flags this to users in the Dependabot alerts UI.
Vulnerable package information is curated in GitHub’s Advisory Database, which stores the affected functions for each source library. Using the semantic code graph, GitHub performs static analysis against these functions to generate an affected call graph for the user’s repository, which is then surfaced in Dependabot alerts.
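To show the idea behind an "affected call graph" concretely, here is an added example that is not GitHub's own code or engine: a small Python reachability check built on the standard `ast` module. The advisory data (`examplelib` and its two affected functions) and the two-module sample repository are constructed for the example, the flat-layout and absolute-import assumptions are noted in the code, and the analysis resolves imports and local definitions only, so anything it cannot resolve is simply ignored.

```python
import ast
from collections import deque

# Constructed sample advisory data (hypothetical package and functions, not
# entries from GitHub's Advisory Database): package -> affected functions.
AFFECTED_FUNCTIONS = {
    "examplelib": {"examplelib.parse_untrusted", "examplelib.legacy.decode"},
}

# Constructed sample repository with a flat layout of two modules.
SAMPLE_SOURCES = {
    "app.py": """
import examplelib
from examplelib.legacy import decode as old_decode
from helpers import sanitize

def main():
    data = sanitize(read_input())
    return examplelib.parse_untrusted(data)

def read_input():
    return "payload"

def unused():
    # Calls an affected function, but nothing reaches this function.
    return old_decode("x")
""",
    "helpers.py": """
def sanitize(s):
    return s.strip()
""",
}


def _dotted_name(node):
    """Return 'a.b.c' for a Name/Attribute chain, or None for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def build_call_graph(sources):
    """Map each top-level function 'module.func' to the qualified names it calls.

    Assumes a flat layout (filename minus .py is the module name) and absolute
    imports; calls that resolve to neither an import nor a local definition
    (builtins, method calls on locals) are dropped.
    """
    graph = {}
    for filename, code in sources.items():
        module = filename[:-3]
        tree = ast.parse(code)
        local_defs = {n.name for n in tree.body if isinstance(n, ast.FunctionDef)}
        aliases = {}  # local binding -> fully qualified name
        for node in ast.walk(tree):
            if isinstance(node, ast.Import):
                for a in node.names:
                    head = a.name.split(".")[0]
                    aliases[a.asname or head] = a.name if a.asname else head
            elif isinstance(node, ast.ImportFrom) and node.module:
                for a in node.names:
                    aliases[a.asname or a.name] = f"{node.module}.{a.name}"

        def resolve(name):
            if name is None:
                return None
            head, _, rest = name.partition(".")
            if head in aliases:
                base = aliases[head]
            elif head in local_defs:
                base = f"{module}.{head}"
            else:
                return None
            return f"{base}.{rest}" if rest else base

        for fn in tree.body:
            if isinstance(fn, ast.FunctionDef):
                callees = set()
                for call in ast.walk(fn):
                    if isinstance(call, ast.Call):
                        target = resolve(_dotted_name(call.func))
                        if target:
                            callees.add(target)
                graph[f"{module}.{fn.name}"] = callees
    return graph


def reachable_vulnerable_calls(graph, entry_points, affected):
    """BFS from the entry points; return {affected_function: call path} for each one reached."""
    found = {}
    queue = deque((entry, [entry]) for entry in entry_points)
    seen = set(entry_points)
    while queue:
        func, path = queue.popleft()
        if func in affected:
            found[func] = path
            continue
        for callee in sorted(graph.get(func, ())):
            if callee not in seen:
                seen.add(callee)
                queue.append((callee, path + [callee]))
    return found


def analyse_sample():
    """Run the check on the constructed repository starting from app.main."""
    graph = build_call_graph(SAMPLE_SOURCES)
    affected = set().union(*AFFECTED_FUNCTIONS.values())
    return graph, reachable_vulnerable_calls(graph, ["app.main"], affected)


if __name__ == "__main__":
    _, reached = analyse_sample()
    for func, path in reached.items():
        print(f"{func} is reachable via: {' -> '.join(path)}")
```

Both affected functions are imported, so a version-only check would raise the same alert for each; the call-graph check instead reports only `examplelib.parse_untrusted`, which is reached from `app.main`, while `examplelib.legacy.decode` is called only from `app.unused`, which no entry point reaches. That distinction is what lets an alert be prioritized rather than merely counted.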
GitHub announced that it has vulnerable-function details for 79 Python advisories from the pip ecosystem. GitHub also aims to let anyone view affected functions in its Advisory Database and to suggest vulnerable functions.
GitHub’s new feature is available for supported Dependabot alerts on public repositories and on repositories with GitHub Advanced Security enabled.