GitHub relies on machine learning to detect vulnerabilities


GitHub is extending the capabilities of its automatic vulnerability detection tools and is inviting developers of JavaScript or TypeScript projects to try a new vulnerability detection feature based on machine learning.

The code-sharing platform has been offering this new feature in public beta since last week.

The new feature focuses on four types of vulnerabilities that are among the most commonly identified in JavaScript and TypeScript projects: SQL injection, NoSQL injection, cross-site scripting (XSS) and path traversal. According to GitHub, these four categories account for the bulk of the vulnerabilities identified in JavaScript/TypeScript projects over the past few years.

An ML model to identify potential vulnerabilities

To limit their impact, GitHub has therefore decided to train a machine learning model to enable it to automatically identify this type of vulnerability in the projects analyzed.

This is based on CodeQL, the code scanning tool developed by Microsoft. This automated tool tests for the presence of vulnerabilities in source code by analyzing it. By leveraging data compiled by CodeQL, GitHub was able to train its machine learning model to recognize a large number of vulnerabilities and to identify conditions that could lead to a vulnerability.

When the model identifies these kinds of conditions, it notifies the administrator through a series of alerts flagging potential vulnerabilities in specific pieces of code, and offers them the option to review the code in question or to fix the error if there is one.

Beta version available

However, GitHub indicates that the model is prone to false positives, more so than traditional code analysis tools such as CodeQL.

Nevertheless, the organization hopes that large-scale use of the model will help refine its behaviour and its detections over time.

This feature is currently available in experimental beta for all repositories using JavaScript or TypeScript, and developers who wish to enable it can follow the instructions given by GitHub.
