
GitHub Opens Security Database to Community Contributions

The Microsoft-owned company will allow community members to add information and code samples to security advisories by submitting a standard pull request against the advisory document.

Software platform provider GitHub has now published its GitHub Advisory Database under an open-source license, giving contributors the ability to add technical information to the collected security advisories of the open-source projects hosted on the service.

The GitHub Advisory Database, which the company claims contains the largest collection of vulnerabilities found in software dependencies, is used by GitHub to power its automated dependency checking system, Dependabot. In addition, the Node Package Manager (NPM) repository for JavaScript components and the NuGet repository of .NET components currently use the advisories as part of their audits that look for vulnerable code.

Containing more than 6,400 reviewed and 5,200 unreviewed advisories, the database will quickly grow as community members add more details and information, says Kate Catlin, a senior product manager at GitHub.

"We believe that free and open security data is critical to empowering the industry to secure our software supply chains, and by making it easier to contribute to and consume this information, we will help further improve the security of all software," she says. "Contributions can make us aware of additional products that the community didn't initially realize were affected by a vulnerability, or help to improve the description of how to fix a vulnerability we already knew about."

In January, GitHub, Apple, Amazon, Microsoft, Meta, Red Hat, and other companies met with government officials at the White House to discuss strategies for securing the software ecosystem. The summit came after vulnerabilities in a widely used Java component, Log4j, required a massive global effort to find and patch the flaws in affected applications, some of which included the component in a dependency nine levels deep.

The company's move extends its strategy of looking to developers for guidance and content. GitHub published its entire advisory database as a public repository, essentially making it another project managed on the company's service. In addition, the company has added a user interface for community contributions which should allow more details to be captured in the database. While the collection of advisories is maintained by a dedicated team within GitHub, allowing other programmers to suggest changes will likely expand the detail in the advisories.

"GitHub has teams of security researchers that review all changes and help keep security advisories up to date, but often there are community members with additional insights and intelligence on CVEs that do not have a place to share this knowledge," the company stated in its February 22 blog post.

GitHub currently has more than 73 million users contributing to 200 million projects, according to the company, which aims to use the community-supported advisory database, the Copilot machine-learning pair programming feature for developers, and the Dependabot code scanner to improve the global software supply chain. The company has steadily expanded the coverage of its advisory database, adding support for software from the Rust and Go ecosystems in 2021, and announced improved Dependabot alerts earlier this month.

The result has affected the overall software-vulnerability ecosystem: the company registered 1,091 vulnerabilities with the Common Vulnerabilities and Exposures (CVE) program in 2021, which made GitHub the largest CVE Numbering Authority (CNA) apart from MITRE Corp., which runs the program.

GitHub expects this number to grow quickly as developers become accustomed to submitting vulnerability reports, Catlin says.

"When we added support for requesting security advisories directly within every open source GitHub repository in 2019, we heard a lot of feedback from maintainers that they weren't aware of how to attain a CVE," she says. "This is less of a problem than it used to be, but a vast majority of open source projects have never reported a single CVE, so there is a lot of potential for growth here."

Supply Chain Security
While opening up the GitHub Advisory Database is not a major move for the company, which was acquired by Microsoft in 2018, the additional features are part of a long-term trend for the company that could improve the overall reliability of the software on which many enterprise applications rely.

"Overall, we hope that this empowers maintainers and users with accurate, free, and trusted security data to help them protect their innovations with enriched intel from the community," Catlin says. "Additionally, as this data powers our Dependabot alerts, we are excited for the downstream benefits this enriched intel will have for users managing their supply chain security."