by greysteil 1797 days ago
PM for security products at GitHub here.

Totally agree. The good news is that I think GitHub is in a position to fix this - expect progress in the next 12 months.

One change that's needed here is data for each vulnerability on whether it's ever relevant in development. The advisory database that powers GitHub's security alerts (and npm audit, and NuGet audit) now has a dedicated curation team and is ready to curate more ecosystems and more information.

That data then needs to be hooked up with GitHub's security alerting logic. That shouldn't be too difficult - we already detect whether a dependency is used in development or production, and the team here is growing.

Finally, for this to work we'd need a new UI concept for vulnerabilities you aren't affected by. We're already working on functionality with a very similar requirement (one that tells you whether you're using the vulnerable function within a dependency).

I can't make promises, but I can say that GitHub has an increasing amount of energy. Expect progress :-)
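The triage rule the comment sketches (a curated "relevant in development" flag per advisory, joined with whether each dependency is a production or a development dependency) can be shown end to end. The code below is an added illustration, not GitHub's or npm's code; the package.json, resolved versions, advisory ids, vulnerable ranges and the field name `relevant_in_development` are all constructed for the example.

```python
"""Advisory triage by dependency scope, as an illustration of the comment's idea."""
import json
from typing import Dict, List, Tuple

# Constructed sample package.json (not from any real project).
PACKAGE_JSON = json.dumps({
    "name": "example-app",
    "dependencies": {"lodash": "^4.17.0"},
    "devDependencies": {"mocha": "^5.2.0", "minimist": "^0.0.8"},
})

# Constructed resolved versions, as a lockfile would pin them (direct deps only).
RESOLVED_VERSIONS = {"lodash": "4.17.11", "mocha": "5.2.0", "minimist": "0.0.8"}

# Constructed advisories. `relevant_in_development` is the hypothetical curated
# field the comment calls for; ids and ranges are made up for this example.
ADVISORIES = [
    {"id": "ADV-0001", "package": "lodash", "vulnerable_range": "< 4.17.12",
     "relevant_in_development": True},
    {"id": "ADV-0002", "package": "mocha", "vulnerable_range": "< 6.0.0",
     "relevant_in_development": False},   # only matters when serving untrusted input at runtime
    {"id": "ADV-0003", "package": "minimist", "vulnerable_range": "< 1.2.3",
     "relevant_in_development": True},    # exploitable through attacker-controlled argv/config
]


def parse_version(v: str) -> Tuple[int, ...]:
    """'4.17.11' -> (4, 17, 11). Pre-release tags are not handled in this toy."""
    return tuple(int(p) for p in v.split("."))


_OPS = {
    "<": lambda a, b: a < b,
    "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b,
    ">=": lambda a, b: a >= b,
    "=": lambda a, b: a == b,
}


def in_range(version: str, vulnerable_range: str) -> bool:
    """True if `version` satisfies every comma-separated clause, e.g. '>= 1.0.0, < 1.2.3'."""
    v = parse_version(version)
    for clause in vulnerable_range.split(","):
        op, bound = clause.strip().split()
        if not _OPS[op](v, parse_version(bound)):
            return False
    return True


def dependency_scopes(package_json: str) -> Dict[str, str]:
    """Map each direct dependency to 'production' or 'development'.
    A package listed in both sections counts as production (the stricter scope)."""
    manifest = json.loads(package_json)
    scopes = {name: "development" for name in manifest.get("devDependencies", {})}
    scopes.update({name: "production" for name in manifest.get("dependencies", {})})
    return scopes


def triage(package_json: str, resolved: Dict[str, str], advisories: List[dict]) -> List[dict]:
    """Join advisories with dependency scope. Production hits always alert; a
    development-only dependency alerts only when the curated flag says the
    vulnerability is relevant in development. Everything else is reported as
    'not_affected' rather than silently dropped, so the user can see the reasoning."""
    scopes = dependency_scopes(package_json)
    results = []
    for adv in advisories:
        name = adv["package"]
        if name not in scopes or name not in resolved:
            continue
        if not in_range(resolved[name], adv["vulnerable_range"]):
            continue
        scope = scopes[name]
        affected = scope == "production" or adv["relevant_in_development"]
        results.append({
            "id": adv["id"],
            "package": name,
            "version": resolved[name],
            "scope": scope,
            "status": "alert" if affected else "not_affected",
        })
    return results


if __name__ == "__main__":
    for row in triage(PACKAGE_JSON, RESOLVED_VERSIONS, ADVISORIES):
        print(row)
```

Two caveats a real implementation has to handle that the toy does not: transitive dependencies inherit the scope of the direct dependency that pulls them in (the flat `RESOLVED_VERSIONS` map sidesteps that walk), and the `not_affected` rows should still be visible in the UI with the reason attached, since a suppressed advisory that is never shown cannot be reviewed when the curated flag turns out to be wrong.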