The danger of known vulnerabilities is growing. The recent outbreaks of destructive malware such as WannaCry and NotPetya showed that many organizations allow publicly disclosed Windows bugs to persist on business-critical systems for months. In March, Microsoft released a fix for the notorious SMB bug. However, when the WannaCry epidemic broke out in June, it affected over 300,000 PCs.
Major operating system makers at least notify users and administrators when updates are available. The situation is worse for applications that depend on dozens of shared libraries, many of which do not inform developers about the problem they have discovered.
A recent survey of developers conducted by 16.3% of japan mobile database do not update dependencies and less than half use tools that warn them about discovered vulnerabilities.
GitHub's new security alerts could help address this issue. Snyk helps GitHub scan for known vulnerabilities in open source code, focusing initially on JavaScript and Ruby. Python will be added next year. GitHub will also provide patches suggested by its developer community.
Microsoft's new Sonar project and Google's tools in Chrome Lighthouse also use the Snyk database to help web developers find and fix known flaws in JavaScript libraries as part of a broader audit of website performance issues.