Github announced the discovery of more than 4 million vulnerabilities located in 500,000 plus repositories.
In 2017, the code sharing site started vulnerability scanning for known Common Vulnerabilities and Exposures in its Ruby and JavaScript libraries, according to a March 21 blog post. The libraries are operated through the company's Dependency Graph which matches the code against the vulnerabilities.
Shortly after the program was launched, Github said 450,000 of the identified flaws had been resolved by Dec. 1, 2017 and its rate of vulnerabilities resolved in the first seven days of detection has been about 30 percent. “Additionally, 15 percent of alerts are dismissed within seven days—that means nearly half of all alerts are responded to within a week,” the company said. “Of the remaining alerts that are unaddressed or unresolved, the majority belong to repositories that have not had a contribution in the last 90 days.”
The company is seeing maintainers patching vulnerabilities in fewer than seven days for almost all repositories with recent contributions. Github emphasized that it never publicly discloses identified vulnerabilities for any repository and that it detects vulnerable dependencies in public repositories by default. Owners and admins of these repositories have the option to opt into vulnerability detection for the repository.
