Your code is RUBBISH, says GitHub. Good thing we're here to save you

Last year, GitHub added security scanning to its dependency graph – and this month flicked the lid off a can absolutely crawling with bugs. The code-sharing site kicked off vulnerability scanning in late 2017, focussing on known Ruby and JavaScript library vulnerabilities designated CVE numbers by MITRE. GitHub ran the …

  1. This post has been deleted by its author

  2. AMBxx Silver badge

    Hello World

    I guess the tutorial exercise has a vulnerability?

  3. Joseph Haig

    Ambiguous headline

    "Your code is RUBBISH, says GitHub"?

    No, more like "your code uses a particular version of a library that has a security vulnerability which is fixed in a later version."

    Personally, I think that what GitHub has done is fantastic.

    1. Def Silver badge

      Re: Ambiguous headline

      No, most code on GitHub is rubbish. Just like SourceForge before it, and countless other open repositories.

      It's not all rubbish, obviously, but let's be honest there's a lot of shit out there written by people who simply don't know what they're doing half the time. Mostly due to lack of experience as much as anything else - which highlights another point - GitHub is where hobby developers dump their stuff because they heard backups are teh cool, bro.

      1. JDX Gold badge

        Re: Ambiguous headline

        Way to be an arrogant douche.

        What a surprise, hobbyist and amateur coders don't write very good code. We definitely should criticise them for using version control - they should keep all their ugly code on c:\codez so us professionals don't have to see it.

        1. Anonymous Coward

          Re: Ambiguous headline

          > Way to be an arrogant douche.

          A complete twat, more like.

        2. Def Silver badge

          Re: Ambiguous headline

          I wasn't criticising anyone - at least not intentionally. I was merely pointing out facts.

          As for people not using GitHub to spare us the grief, I certainly never suggested that. I merely pointed out that GitHub, along with other repositories, have made it easy for hobbyists and amateur developers to maintain backups of their work. This is, generally speaking, a good thing. But it does have the side effect that statistics such as the ones mentioned in the article will be skewed, and it can make it harder to find quality work when searching for something.

          As for my own work, download and install the Oso Memory Profiler and take a look at the SDK. Constructive feedback is always welcome.

      2. Anonymous Coward

        Re: Ambiguous headline

        > No, most code on GitHub is rubbish. Just like SourceForge before it, and countless other open repositories.

        Cool. Now show your code and let us have a little code review fun.

  4. WibbleMe

    Yes, and it flagged up a reference to a slightly outdated node version in my package.json, not what I would call a high level "CVEs" so perhaps a threat level could be introduced.

  5. Doctor Syntax Silver badge

    The code-sharing site

    Given the context I read that as "The code-shaming site"

    1. Anonymous Coward

      Re: The code-sharing site

      > Given the context I read that as "The code-shaming site"

      Why? Are you saying that it is justifiable to hide your code from scrutiny, thereby potentially exposing your users to abuse, just because you have thin skin?

      Getting vulnerability scans and other code criticism (and sometimes even patches!) for free is something that directly benefits everyone, apart from being of great educational value.

      1. Doctor Syntax Silver badge

        Re: The code-sharing site

        "Why?"

        Maybe you didn't actually read the article's headline. It's the context for what follows.

  6. Chewi

    It's worth pointing out that this probably applies more to private projects than open source ones on the Ruby side. It's considered bad practice to commit Gemfile.lock in open source projects and you're not supposed to lock down dependencies to exact versions in your gemspec either. The gemspec may have something like ~> 1.2 and the whole of 1.x may be vulnerable and unmaintained but it's not clear whether this checks for that. Such cases often involve more than a simple "bump" too.
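An added example (not from the post above, and not GitHub's scanner) that makes the lockfile-versus-gemspec distinction concrete in Ruby: it uses RubyGems' own Gem::Requirement to resolve a pessimistic constraint such as ~> 1.2 against a release list and a patched range, next to the single exact-version check a Gemfile.lock scan performs. The gem release history and the ">= 2.0.0" patched range are constructed for illustration, not a real gem or CVE.

```ruby
require 'rubygems'

# Constructed release history for a hypothetical gem (not a real gem or CVE).
RELEASES = %w[1.2.0 1.2.3 1.3.0 1.9.9 2.0.0 2.1.0].map { |v| Gem::Version.new(v) }

# Constructed advisory: every release before 2.0.0 is affected; 2.0.0 is the fix.
PATCHED = '>= 2.0.0'

# Lockfile-style check: Gemfile.lock pins one exact version, so the scanner
# only has to ask whether that single version lies outside the patched range.
def pinned_version_affected?(version, patched = PATCHED)
  !Gem::Requirement.new(patched).satisfied_by?(Gem::Version.new(version))
end

# Gemspec-style check: a pessimistic constraint such as "~> 1.2" admits a whole
# range (>= 1.2, < 2.0). Resolve it against the known releases and report
# whether none, some or all of the versions it can resolve to are affected.
def constraint_exposure(constraint, patched = PATCHED, releases = RELEASES)
  req = Gem::Requirement.new(constraint)
  fix = Gem::Requirement.new(patched)
  admitted = releases.select { |v| req.satisfied_by?(v) }
  return :no_matching_release if admitted.empty?
  affected = admitted.reject { |v| fix.satisfied_by?(v) }
  if affected.empty? then :none_affected
  elsif affected.size == admitted.size then :all_affected
  else :some_affected
  end
end

# Does moving to the first patched release cross a major-version boundary?
# If so the fix is more than a "bump": the constraint itself has to change.
def fix_crosses_major?(constraint, patched = PATCHED, releases = RELEASES)
  req = Gem::Requirement.new(constraint)
  fix = Gem::Requirement.new(patched)
  newest_allowed = releases.select { |v| req.satisfied_by?(v) }.max
  first_fixed = releases.select { |v| fix.satisfied_by?(v) }.min
  return false if newest_allowed.nil? || first_fixed.nil?
  newest_allowed.segments.first != first_fixed.segments.first
end

if __FILE__ == $PROGRAM_NAME
  puts "Gemfile.lock pin 1.2.3 affected? #{pinned_version_affected?('1.2.3')}"
  ['~> 1.2', '~> 2.0', '>= 1.2'].each do |c|
    puts "#{c}: #{constraint_exposure(c)}, major bump needed: #{fix_crosses_major?(c)}"
  end
end
```

For the "~> 1.2" case every resolvable release is affected and the fix sits across a major boundary, which is exactly the situation a lockfile-only scan never sees.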

  7. tiggity Silver badge

    JavaScriptLibraries

    Well of course they are insecure, they are JS..

    The language encourages bad practices & how many places run static analysis on JS code (whereas any compiled code will (at bare minimum) have compiler warnings and (you would hope) they would have used a LINT style tool for their language(s) of choice).

    1. Anonymous Coward

      Re: JavaScriptLibraries

      > The language encourages bad practices

      Where are your research papers on the topic? Blog posts, even. Or are we just parroting stuff we read on the internet?

  8. Matthew Brasier

    Vulnerabilities in libraries are not vulnerabilities in applications

    We have a number of customers that do their own dependency scans for CVE vulnerabilities using the OWASP dependency checker plugin. It finds vulnerabilities all the time, but having a vulnerability in a library does not mean the application is subject to that vulnerability. It may be in part of a library that is not used, or it may only be exploitable under a specific set of circumstances which will never occur in the application.

    Even if you are exposed to a vulnerability, it is often in a 2nd or 3rd tier dependency and you are dependent on the frameworks you are using updating their dependencies, rather than it being anything you can fix yourself.

    The key thing is to be aware of what vulnerabilities you are exposed to, and have mitigations in place (or be prepared to accept the risk); it is not feasible to aim for zero reported CVE vulnerabilities.

    1. Sgt_Oddball Silver badge

      Re: Vulnerabilities in libraries are not vulnerabilities in applications

      Sanity checking is there for a reason.

      Code can be open to exploits of a nature yet considered secure.

      Nothing is set in stone.

      And finally everyone is an idiot.

      Words to develop by. Code repository open to all or not, on the great scheme of things this is a good thing if only to stop stupid mistakes and it's better than not having it at all.

  9. Anonymous Coward

    Rubbish is everywhere

    Come on, Lads! There is as much rubbish in proprietary source as in open source.

    1. Joseph Haig

      Re: Rubbish is everywhere

      Yes, but I am free to contribute my own rubbish to open source software!

Biting the hand that feeds IT © 1998–2021