Instead of just raising the alarm, automated code-scold will flag where the fire is
GitHub’s Dependabot is becoming more dependable thanks to its newfound ability to tell developers whether its security alerts are relevant or not.

GitHub acquired Dependabot, a tool for finding vulnerable open source package dependencies in software projects, in 2019. Since then, Dependabot has helped developers address more than three million vulnerabilities by presenting automated notifications when it finds unsafe software packages.

Flagging packages with vulnerable code is worthwhile, but software developers would prefer a better signal-to-noise ratio. They want to know whether their application code is actually affected by the inclusion of a flawed library.

This issue surfaced last year when Dan Abramov, a software engineer at Facebook, criticized the implementation of npm audit, a CLI tool for identifying outdated or vulnerable packages in web apps that fetch their libraries via GitHub’s npm Registry. Abramov’s concern was that 99 percent of the vulnerabilities flagged by the tool were false alarms – an imported package may contain vulnerabilities, but that’s not necessarily a problem if the app importing it doesn’t call the unsafe code.
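The distinction between importing a flawed package and actually calling its unsafe code is the core of the signal-to-noise problem. The following is an added illustration, not Dependabot's or npm audit's own logic: a small static reachability check that parses Python source and reports only call sites that invoke a symbol named in an advisory. The package name `fakeyaml`, the symbol `unsafe_load` and both sample applications are constructed for the example.

```python
import ast
from dataclasses import dataclass

# Constructed advisory: hypothetical package and function name, not a real CVE.
ADVISORY = {"package": "fakeyaml", "vulnerable_symbols": {"unsafe_load"}}


@dataclass
class Finding:
    symbol: str  # vulnerable function that is actually called
    line: int    # source line of the call site


def reachable_calls(source: str, advisory: dict) -> list:
    """Return call sites in `source` that invoke a vulnerable symbol of the advised package.

    Handles `import pkg`, `import pkg as alias` and `from pkg import sym [as alias]`.
    Dynamic dispatch (getattr, re-exports through other modules) is out of scope.
    """
    tree = ast.parse(source)
    pkg = advisory["package"]
    vuln = advisory["vulnerable_symbols"]
    module_aliases = set()  # local names bound to the package module itself
    symbol_aliases = {}     # local name -> vulnerable symbol imported directly
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for a in node.names:
                if a.name == pkg:
                    module_aliases.add(a.asname or a.name)
        elif isinstance(node, ast.ImportFrom) and node.module == pkg:
            for a in node.names:
                if a.name in vuln:
                    symbol_aliases[a.asname or a.name] = a.name
    findings = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        f = node.func
        if isinstance(f, ast.Name) and f.id in symbol_aliases:
            findings.append(Finding(symbol_aliases[f.id], node.lineno))
        elif (isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name)
              and f.value.id in module_aliases and f.attr in vuln):
            findings.append(Finding(f.attr, node.lineno))
    return findings


# Constructed sample: imports the flawed package but only uses its safe API.
SAFE_APP = "import fakeyaml\ncfg = fakeyaml.safe_load(open('c.yml'))\n"
# Constructed sample: reaches the vulnerable function through an alias.
AFFECTED_APP = "from fakeyaml import unsafe_load as load\ncfg = load(open('c.yml'))\n"

if __name__ == "__main__":
    print(reachable_calls(SAFE_APP, ADVISORY))      # []
    print(reachable_calls(AFFECTED_APP, ADVISORY))  # [Finding(symbol='unsafe_load', line=2)]
```

A dependency-level scanner would alert on both samples; the call-site check keeps only the second, which is the kind of relevance signal the article describes developers asking for.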