Home
Contribute Contact Us Browse all meetings
Home Contribute Contact Us Browse all meetings
GitHub / GitHub Checkout / 17 Dec 2020
GitHub / GitHub Checkout / 17 Dec 2020
Previous Meeting Next Meeting
Add meeting Rate page Subscribe
youtube image
From YouTube: Dependabot alerts for a given vulnerability - GitHub Checkout

Description

Show Notes

From software composition reports, we know that most applications rely on dozens or even hundreds of open source dependencies. Sometimes, adding a single library to your manifest file can result in bringing in a massive dependency tree. How can we make sure that we stay on top of any known vulnerabilities, and update our dependency versions as needed?

In this video, Maya Kaczorowski and Sasha Rosenbaum discuss how Dependabot works behind the scenes to help you identify and remediate known vulnerabilities, and show us a demo of the feature.

5:13 - demo: leveraging Dependabot
12:01 - demo continued

Dependabot alerts: https://github.co/security-alerts
Dependabot security updates: https://github.co/security-updates

Maya Kaczorowski:
GitHub - https://github.com/mayakacz
Twitter - https://twitter.com/MayaKaczorowski

Sasha Rosenbaum:
GitHub - https://github.com/DivineOps
Twitter - https://twitter.com/DivineOps

As always, feel free to leave us a comment below and don't forget to subscribe: http://bit.ly/subgithub

Thanks!

Connect with us.
Facebook: http://fb.com/github
Twitter: http://twitter.com/github
LinkedIn: http://linkedin.com/company/github

About GitHub
GitHub is the best place to share code with friends, co-workers, classmates, and complete strangers. Millions of people use GitHub to build amazing things together. For more info, go to http://github.com

A

Hi and welcome to github checkout today we're going to talk about exciting feature um of github, which is called dependable and my guest today is maya, kocharkovsky maya. Would you like to introduce yourself.

B

Yeah, thank you so much for having me uh my name is maya kaczorowski, I'm a product manager at github, working on software supply chain, security.

A

Sorry, I definitely screwed up your name every time we've had a conversation, and I apologize for that. um So dependable is not super new, but I think some of our viewers might still not know what it is all about. So would you like to describe it for sure.

B

So dependabot is basically your friendly update bot for your for your environment that lets. You know when you have a security vulnerability in one of your dependencies and helps you update that dependency and dependable does a couple of different things. It alerts you when you have a vulnerability in a dependency.

B

It also sends you a pull request for vulnerabilities and dependencies, and you can also enable the pentabot to send you pull requests for general updates. So when there's a new version of a dependency out that you want to update to.

A

Okay, this all sounds really useful. So actually, you have been working primarily on software supply chain security features. Since you came over to github- and I think this work is really really important, because we know from software composition reports that over 90 of all applications in the world use uh open source software, and this is a good thing because, like no one needs to re-implement simple math in their application over and over again, but it also means that we're all having open source dependencies. So how does it impact project security, yeah.

B

That's that's completely right. I mean from the latest uh state of the october report. We know that anywhere from 65 to 94 of active repos on github rely on open source code and the variability there is coming from different ecosystems and exactly you're saying everyone has a huge dependency on open source. You know the median active repo might only have a handful of direct dependencies, but it has many hidden indirect dependencies as well, with javascript being the clear winner with a median 683 transitive dependencies now wow. We want people to keep using open source right.

B

This is not telling you to use less open source, but rather be aware of what you're using because if one of your dependencies has a vulnerability, then chances are that you have the vulnerability as well.

B

So as a software developer, what you really need to know is know what's in your environment, so you know know what dependencies you use and then manage your dependencies, so knowing about vulnerabilities in those dependencies, knowing the latest versions of those um and being able to patch them. So when there is a new vulnerability, you can quickly discover it and react to it by patching your environment.

A

Yeah and so in terms of patching, we know from in various reports differ by numbers, but we know that it takes quite a long time for software projects to remediate vulnerabilities once the known vulnerability is announced. How can dependable help me take care of that problem? Yeah.

B

Dependent bot sends you an alert as soon as we ingest data about vulnerabilities so and then sends you a pr. So it's very fast. You know automation for the win and exactly we're just saying from the latest state of the october's report.

B

We know that people who use automation to find and address vulnerabilities, such as dependable security updates, remediate those vulnerabilities faster whenever, when a repository automatically generated a pull request to update to the fixed version, they patched their software in 33 days, which is 13 days faster than those who did not that's 1.4 times faster remediation of security issues with with automation,.

A

That's actually amazing that I just enable a tool, and then I get 1.4 times faster in terms of securing my code, that that's a huge win um in some cases. Dependable dependable, sends me an alert and in some cases it creates an automated pr and I'm kind of a little bit lost in what case triggers. What.

B

Yeah, we will always try to generate a pr and send it to you, but there's a few cases where that's not possible and there's, hopefully helpful error messages to tell you what's going on. Some of the common cases include, for example, invalid graphs. So what I mean by that is, you might have dependency a depending on dependency versions. You know one or two and dependency b needs versions, two or more, and then, if you have to upgrade to version three, for example, because of uh vulnerability, then a will no longer work.

B

So dependable will not send you a pr in that case, because we don't want to cause a breaking change in your environment.

B

Another situation, for example, where a dependent bot might not send you a pr for an alert, is if you already have an open, pull request that will fix the version. We're not going to send you another pull request to then have to close it. If you already have one open that would address the issue.

A

Oh, that's really cool, so it actually recognizes that I already have a pr in my environment that rema that that's cool. I didn't know that um so we're talking about quite an exciting thing. um Would you like to show us a demo how it all works yeah? I would love.

B

To so let me just share my screen, so we are looking at my repository here. I have a manifest file in my repository and I have a handful of dependencies that are that are explained in that manifest file. So far, so good, not a whole lot going on. So let me actually go enable these security features. First, so I'll go over to my settings.

B

Tab and my security analysis options and I'll enable what I really want to enable is depend about alerts and append security updates and those require the dependency graph to know what your dependencies are. If I'm lazy- and I just hit enable you can actually get all of them at once.

B

So let's enable all three of those features, and now we have dependabot dependency graph, dependable alerts, independent security updates enabled so I'll go over to my security tab in my security tab, you'll see, there's already depend about alerts sent to me, so it was very, very fast and it automatically worked in that environment and I have four alerts and they tell me you know what severity the alerts are. It tells me what manifest file is affecting and what the issue is.

B

So I click through that and I can get some details on what that vulnerability is. uh So I have an issue in jackson: data bind, I should upgrade to version 2.9.10.4 or later, and actually what I saw was that there was you know, critical severity, but there's lots of different security issues in this in this given alert. So we've combined a lot of information about this one dependency into all the the vulnerabilities that you're affected by for that one dependency today,.

A

This looks very human readable and it looks like something that I can consume. Even if I'm not super deep into security, I can understand what the severity of this is. What's the impact and how I best can remediate this issue correct.

B

Yeah, all of these will have remediation information kind of right at the top. That tells you what you need to do to fix that in your environment, and so um you know we alert open the alert 22 seconds ago and dependibots trying to generate for us a security update. So that's a pull request actually to address the issue that we have in our environment.

B

Let me just go back and see if we have a security, a pull request already generated, in fact the one that I was just looking at. We do and I'll click on that pull request and that pull request addresses a security vulnerability. So you have that information right there. If you have the permissions to see that- and it tells you what it's working on- it's upgrading jackson, databind from 2.8.11.0 to 2.9.10.5, I can go over and see.

B

What's changed, see yep, it's actually making that change in my environment and if I feel comfortable about that and if I've uh you know, my checks have passed. That's a very important part of reviewing pull requests. If my checks have passed, I can go ahead and merge that pr so.

A

You bring me to an important question which is like how do I make sure that I'm not introducing the breaking changes to my environment and it sounds like run your tests.

B

Run your tests, it's a very accurate statement. Like I said we, a dependent bot, will not send you um something that would result in an invalid graph.

B

We will send you a major version upgrade for dependable security updates, because if that's what you need to fix the vulnerability, that's what you mean, but you should always review you know the change, log or release notes of your dependencies before making changes between dependencies and test them in your environment to make sure that you're going to be good, understood, great um and so that fixed the vulnerability that I had that actually updated kind of.

B

While we were chatting and if I go over to security, I should now see that I still have a couple of alerts, open, yep and in fact my other dependency. Sorry, my other vulnerabilities and dependencies now all have pull requests generate as well. So dependibot is working hard for me today and I have lots of work to go. Merge these in as well.

A

That sounds great, and so there is a separate, separate pull request for every vulnerability that needs to get updated. There.

B

Is a pull request right now per dependency in your repo? That needs an update, so it's not per vulnerability. If there are multiple vulnerabilities in a dependency it'll, send you only one for the dependency.

A

Sounds good, is there any other um demo stuff that you wanted to show us.

B

Well, so I've been talking only about depend about security alerts and dependable security updates, but I think maybe we'll save for another. Another conversation depend upon uh version updates, which also let you keep your keep your dependencies up to date.

A

Nice yeah that sounds like uh we could have a whole different conversation about it. um So I I guess I have one last question which is interesting and that's how do how does depend about learn about new vulnerabilities? Where do we get that information.

B

Yeah um dependabot gets information about vulnerabilities from github's advisory database, so that's information that maintainers have submitted to github about security issues and their own repositories, as well as information that we import to github from other other registries. Other vulnerability information, so that we can tell you what's going on in in your environment, um dependable, will then send you an alert and a pr and all that kind of information in basically two cases, if you think about it that way.

B

The first case is where you have an existing dependency that has a new vulnerability, so you're newly affected by something that's happened, we'll let you know. The second case is where you have in a new new dependency that you're introducing where you're introducing a dependency that already has a vulnerability in it.

B

Now, if you're, using something like dependency review, hopefully you can catch that before it happens, but otherwise we'll send you a dependable alert once you introduce that to your environment,.

A

Yeah that depends. The review here is very useful because it prevents you from even committing that code. I guess yep. um So if I wanted to get started with the pen about today- and I know there's a little bit of a difference for public versus private repos, how do I get started? The easiest.

B

Way to get started is to enable the features like I showed at the beginning of the demo. They are enabled on public repos by default and you can go enable them on private repos in that settings. Tab.

A

Sounds good so we're obviously going to add some documentation links to this, and you know you can all get started, reviewing the blogs and the docs and obviously taking advantage of this amazing feature. So thank you, maya for uh working on these features and helping us make the web more secure, and- and also thank you for being here with me today. This has been get up check out and please hit subscribe for more interesting videos about github features. Thank you and bye.