Monday, October 22, 2018

Integrated security vulnerability alerts on GitHub - Why it matters

How GitHub's integrated security vulnerabilities could help developers using the platform?
Last week during GitHub Universe 2018, GitHub announced support for security vulnerability alerts for Java and .NET platforms. It's a significant contribution for the .Net and Java communities on GitHub because it simplifies, clarifies and alerts organizations and project owners about vulnerabilities on dependencies used on their code base.

Sounds complicated? Let's review what the announcement says:
With security vulnerability alerts, organization owners and repository admins receive a notification when any of their projects has a dependency with a known vulnerability.

How it works

By tracking public vulnerabilities in packages from supported languages on MITRE's Common Vulnerabilities and Exposures (CVE) List, GitHub notifies repo owners and alerts them of the risk.  By default, security alerts will be sent to owners and people with admin access in the affected repositories.

Apart from alerts, you should also see on your dashboard something like the below on the Insights tab, Alerts navigation menu of your GitHub repository:

GitHub now alerts about public vulnerabilities on your project

Apart from the above, other nice additions were added:
  • You will get weekly emails summarizing security alerts for up to 10 of your repositories
  • Most of that is configurable within GitHub
  • Works for both public and private repos
  • More importantly, GitHub never publicly discloses identified vulnerabilities for any repository.

Fixing the vulnerability

But knowing of potential vulnerabilities is just the first step. The next step is to address the issue and update the packages. Since .Net users usually update their packages using the Nuget package manager with packages located on Nuget.org, let's look at a concrete example: how to fix a recent vulnerability on Microsoft.Data.OData.

Microsoft.Data.OData is a very popular package. With 33+ Million downloads, it's being used in multiple 3rd party packages and probably you're using it on your projects too. Here's what I see on Nuget.org:

According to GitHub, CVE-2018-8269 was opened just last month and includes a vulnerability on every version < 5.8.4. Here's what the issue says:
A denial of service vulnerability exists when OData Library improperly handles web requests, aka "OData Denial of Service Vulnerability." This affects Microsoft.Data.OData.

So let's update the dependency and patch the vulnerability.

Updating Microsoft.Data.OData

As you know, the update of a package can be done in multiple ways. Using Visual Studio or from the command line with:

Using the Package Manager:
Install-Package Microsoft.Data.OData -Version 5.8.4

Using the .NET CLI:
dotnet add package Microsoft.Data.OData --version 5.8.4

Once you've done that, rebuilt and redeployed, you're protected from CVE-2018-8269 at least =) .

Conclusion

Bugs security issues are always being found and fixed on libraries that we use. Reason why we should always try to keep our packages up to date.

But it's not trivial to scan all packages we use against the CVE database. Note that the CVE above does not state which version it applies to. Imagine how difficult and time-consuming it would be monitoring all the dependency chain ourselves. That's why this service from GitHub is very much appreciated!

Let's leverage this very useful feature for our benefit and keep our code secure.

And please, spread the word!

About the Author

Bruno Hildenbrand      
Principal Architect, HildenCo Solutions.