Welcoming Semmle to GitHub (opens in new tab)

(github.blog)

256 pointsjohns6y ago104 comments

104 comments

48 comments · 15 top-level

eatonphil6y ago· 14 in thread

The linked blog post [0] and the new security marketing page [1] both have a little more detail on what this actually means.

Basically, Semmle offers a static analysis tool that operates on your source code as a graph (from what I understand) and points out bugs and security holes in your code. Github is now offering that for free on repos at all tiers.

[0] https://github.blog/2019-09-18-securing-software-together/

[1] https://github.com/features/security

DannyBee6y ago

Semmle is basically datalog over source code.

For what it works for, it works nice. But it is not a pancaea.

Security vulnerability finding is almost certainly the wrong target for Semmle - I am unsure why they are trying to push that angle. There are much better stories in things like refactoring and understanding. (I say this having overseen a number of deployments for various reasons, some successful, some not)

muricula6y ago

I've seen coworkers run semmle queries across the entire Windows OS codebase and find hundreds of issues which were/could result in security vulnerabilities. They've also leveraged it for variant analysis. If I'm not mistaken, the security teams are the largest internal users of Semmle at Microsoft.

You're right though, it's not a panacea, and it could probably be great for other uses too.

1 more reply

sneak6y ago

Nothing is a panacea. Things that help move the needle without requiring tons of time or effort are useful and valuable. I'm really glad to see more efforts in this area.

2 more replies

tru3_power6y ago

I was looking at it earlier and the query syntax seems awesome. I’ve spent the last few months writing custom rules (queries) for fortify sca- which is another static code analysis tool and I must say, Semmle seems like it’s a lot easier to use.

Static code analysis tooling is never the end all be all for vulnerability research, but it does let you express vulnerability patterns for implementation type vulnerabilities and find them at a mass scale (that is if your rules/queries are legit).

psygnisfive6y ago

> Security vulnerability finding is almost certainly the wrong target for Semmle

CVE-2019-5876

CVE-2019-16230

CVE-2019-16231

CVE-2019-16232

CVE-2019-16233

CVE-2019-16234

CVE-2019-15026

CVE-2019-14192

CVE-2019-14193

CVE-2019-14194

CVE-2019-14195

CVE-2019-14196

CVE-2019-14197

CVE-2019-14198

CVE-2019-14199

CVE-2019-14200

CVE-2019-14201

CVE-2019-14202

CVE-2019-14203

CVE-2019-14204

CVE-2019-14437

CVE-2019-14438

CVE-2019-14498

CVE-2019-14535

CVE-2019-14534

CVE-2019-14533

CVE-2019-14776

CVE-2019-14778

CVE-2019-14779

CVE-2019-14777

CVE-2019-14970

CVE-2019-15119

CVE-2019-14524

CVE-2019-14523

CVE-2019-7307

CVE-2019-11476

CVE-2019-13115

CVE-2019-3570

CVE-2019-13110

CVE-2019-13112

CVE-2019-13113

CVE-2019-13108

CVE-2019-13109

CVE-2019-13111

CVE-2019-13114

CVE-2019-3560

CVE-2019-9721

CVE-2019-9718

CVE-2019-9717

CVE-2019-9720

CVE-2019-9719

CVE-2018-20222

CVE-2019-3828

CVE-2019-6986

CVE-2019-5414

CVE-2018-4460

CVE-2018-16491

CVE-2018-16489

CVE-2018-16490

CVE-2018-19476

CVE-2018-19477

CVE-2018-19475

CVE-2018-19134

CVE-2018-16472

CVE-2018-18820

CVE-2018-4407

CVE-2018-16487

CVE-2018-4259

CVE-2018-4286

CVE-2018-4287

CVE-2018-4288

CVE-2018-4291

CVE-2019-5413

CVE-2018-16461

CVE-2018-16469

CVE-2018-16486

CVE-2018-16460

CVE-2018-16492

CVE-2018-11776

CVE-2018-8018

CVE-2018-8294

CVE-2018-4249

CVE-2018-8013

CVE-2018-5388

CVE-2018-1295

CVE-2018-4136

CVE-2018-4160

CVE-2018-1000140

CVE-2017-15692

CVE-2017-15693

CVE-2017-13904

CVE-2017-15089

CVE-2018-6834

CVE-2018-6835

CVE-2017-15713

CVE-2017-12634

CVE-2017-13782

CVE-2017-7545

CVE-2017-14949

CVE-2017-14868

CVE-2017-8046

CVE-2017-8045

CVE-2017-9805

CVE-2017-1000207

CVE-2017-1000208

CVE-2017-12612

CVE-2017-0141

https://lgtm.com/security/

2 more replies

lawnchair_larry6y ago

You’re wrong on that, security teams at the major tech companies love it, especially for variant analysis. Ask your coworkers at Google! One of which recently left to become Semmle’s Chief Security Officer.

2 more replies

nickpsecurity6y ago

The funny thing is I was working on a pitch to get Atlassian to buy them so they don't end up in Microsoft's hands. I thought integration with a repo company would be good since they could cross-sell it for code understanding and maintenance. Then I see this article. (sighs) At least I got it right on the type of company that would grab them.

I'd push something else for security, though, to complement it. RV-Match is my favorite commercial one because they built on a formal semantics for C, it's set for low false positives, and they open source a lot of stuff. They have something for Java and smart contracts, too. Past that, what's good depends on what language you use.

tptacek6y ago

Just a small fraction of the industry's ongoing software development is done in C. Obvious, Google, Microsoft, Apple, and Mozilla still write a lot of it, but you don't acquire a whole company to address 4-and-change customers.

1 more reply

iainmerrick6y ago

Why would Atlassian be better?

1 more reply

tensor6y ago

Am I reading that right that it's only on public repositories though? For private repositories I guess you have to buy through Semmle directly (via call us pricing)?

hanniabu6y ago

This would make sense since Semmle would likely need access.

1 more reply

Dirlewanger6y ago

So I'm guessing they'll be merging what they have now with Semmie's tool? Because they've had the free vulnerability check for a while now.

tptacek6y ago

Different things. Github has features that scan repos for "known-vulnerable" dependencies. They do not have features that scan for new vulnerabilities.

1 more reply

braindongle6y ago

Thank you for the zero-indexed reference list. Brought a smile.

_xnmw6y ago· 7 in thread

I hate that these kinds of Orwellian phrases "Welcoming X to the Y Family" have now become idiomatic of corporate English. Ugh, no. There is no "family" involved here, not by any stretch of the word.

javagram6y ago

To be fair, if a “parent corporation” is a thing, then logically it has children and can be a corporate family.

_xnmw6y ago

Intent matters. The phrase "parent corporation" has no PR or emotional intent. "Welcoming X to Y family" has a clear emotive intent.

2 more replies

Dirlewanger6y ago

Welp, guess it's time to bust out the "I'm offended and we need to change this lingo" card because corporations aren't people and we should stop referring to them that way

1 more reply

mytailorisrich6y ago

It actually took me a while to understand that the announcement likely meant that they had acquired Semmle...

spjt6y ago

They have to say that anyway, because Microsoft is acquiring Semmle, not GitHub. It is joining the GitHub "product family".

_xnmw6y ago

If they had said "Welcoming Semmle to the Github Family of Products" instead, that would've been much more tolerable.

smitop6y ago

When I read the headline I assumed it meant that GitHub was hiring an employee named Semmle, which confused me until I realized Semmle was a business.

chuckgreenman6y ago· 7 in thread

Interesting to see the differences between Github and Gitlab's strategy in this arena.

Github appears to be going the aqui-hire route with Semmle, dependabot, pullpanda etc, where as I don't think Gitlab's made an acquisition for a year or two.

troydavis6y ago

GitLab published what they're interested in: https://about.gitlab.com/handbook/acquisitions/. It's an amazing, one-of-a-kind doc. One of their constraints (https://about.gitlab.com/handbook/acquisitions/#what-we-offe...) is quite limiting, though:

> The total purchase price of the deal, paid in cash, will not exceed $1M and will be the total and only compensation for the entire deal.

andrewprock6y ago

They are looking at companies that: "Raised under $10M total investment funds, last round being over 3 years ago"

This implies that in addition to self-funded ventures, they are looking for fire sales from failed start-ups.

pnako6y ago

It looks like they're buying (big) features, not complete solutions or companies. That's actually an interesting approach; I'm sure others do that, but maybe not as explicitly.

It would allow a small team of hackers to have a decent exit without having to go through the whole startup road.

claytonjy6y ago

Gitlab hasn't generally seemed interested in these sorts of free scanning tools. I wonder if that's because their users are much more weighted towards private/self-hosted than Github's are? Because so little open source happens on Gitlab, they can't buy good PR through this kind of strategy like Github can.

leblancfg6y ago

I've been looking quite a bit into this recently, and even though they might not be screaming it from the rooftops, Gitlab offers quite a few security-related features. There are code scanning, dependency tracking, etc. features at various levels of readiness.

https://about.gitlab.com/devops-tools/ https://about.gitlab.com/stages-devops-lifecycle/secure/

1 more reply

andyljones6y ago

Microsoft has $130bn cash-on-hand.

The surprise is really that they're not being more aggressive in their acquisitions.

pbhjpbhj6y ago

They should be like Yahoo was and buy everything they see? (for billions, only to sell it at a massive loss later)

I've not heard from Yahoo in a year at least, do they still exist ...

1 more reply

throwaway7446786y ago· 3 in thread

> Human progress depends on the open source community.

(Non native speaker here). Am I misunderstanding something, or is the author explaining that humanity can not progress without the open source community?

mytailorisrich6y ago

That's right. That's called hyperbole (with a 'e').

sounds6y ago

As the other comments point out, it's hyperbole. It's also an aspirational statement.

Aspirational, as in, they wish that github would be the key factor in human progress. Maybe I can say that even plainer: to the leadership at github, the progress of the human race depends on github.

The open source community depends on github.

That's what it's implying.

(The reader is left to identify that as wishful thinking.)

networkimprov6y ago

That's the meaning I took from it (USA native).

rishicomplex6y ago· 1 in thread

"Human progress depends on the open source community."

What a way to begin an article.

chromeguy666y ago

Especially considering M$ owns GitHub

tom-jh6y ago· 1 in thread

I've just tested their lgtm.com on our codebase:

1) identified str.replace('[ABC]+', '') correctly as a bug (looks like a regex but is string literal)

2) identified various unnecessary code that TypeScript overlooked

3) identified double-unescaping of html (this one would have probably gone unnoticed for years)

And a bunch of other stuff. No actual vulnerability in our case, but still very useful. I'm enabling their checks on every future PR.

This was TypeScript but they support the rest of our stack too (Python, Java). I wonder if this includes Kotlin - will try.

tom-jh6y ago

Tested, Kotlin is not supported, nor is Swift.

xvilka6y ago

Free hint for the GitLab - they can integrate a similar but open source tool - Infer[1]. Essentially it provides the similar features, just lacks a good interface to do so. They also have a query language, called AL[2]. It is way less polished than Semmle, but opensource and with a good potential.

[1] https://github.com/facebook/infer

[2] https://fbinfer.com/docs/linters.html

archon8106y ago

Semmle's post: https://blog.semmle.com/secure-software-github-semmle/.

pja6y ago

Github has been really working on their source code analysis toolkit recently & this acquisition makes perfect sense as part of that strategy. Congratulations to Oege & the team.

fnord1236y ago

First project I look up on lgtm.com is rust.. Second alert I find is this:

https://lgtm.com/projects/g/rust-lang/rust/snapshot/f5aa590b...

exist_ok is available from python 3.2, so this isn't a good impression.

https://docs.python.org/3.7/library/os.html#os.makedirs

dazbradbury6y ago

Huge congrats to Oege and the team at Semmle - couldn't be happier for a hugely passionate and smart individual (and a previous professor of mine!)

Am sure this will bring some amazing advances to Github and thus a huge % of the developer community.

rishicomplex6y ago

I've used semmle's tools at Google, they seemed pretty powerful.

notus6y ago

I spent way too long thinking that Semmie was just a badass programmer

z3t46y ago

Would be cool if the tools would be made open source in order for everyone to get more security.

robbystk6y ago

So this is the excuse they're using to build infrastructure to scan through everyone's code to find whatever they want.

j / k navigate · click thread line to collapse

104 comments

48 comments · 15 top-level

eatonphil6y ago· 14 in thread

The linked blog post [0] and the new security marketing page [1] both have a little more detail on what this actually means.

[0] https://github.blog/2019-09-18-securing-software-together/

[1] https://github.com/features/security

DannyBee6y ago

Semmle is basically datalog over source code.

For what it works for, it works nice. But it is not a pancaea.

muricula6y ago

You're right though, it's not a panacea, and it could probably be great for other uses too.

1 more reply

sneak6y ago

Nothing is a panacea. Things that help move the needle without requiring tons of time or effort are useful and valuable. I'm really glad to see more efforts in this area.

2 more replies

tru3_power6y ago

psygnisfive6y ago

> Security vulnerability finding is almost certainly the wrong target for Semmle

CVE-2019-5876

CVE-2019-16230

CVE-2019-16231

CVE-2019-16232

CVE-2019-16233

CVE-2019-16234

CVE-2019-15026

CVE-2019-14192

CVE-2019-14193

CVE-2019-14194

CVE-2019-14195

CVE-2019-14196

CVE-2019-14197

CVE-2019-14198

CVE-2019-14199

CVE-2019-14200

CVE-2019-14201

CVE-2019-14202

CVE-2019-14203

CVE-2019-14204

CVE-2019-14437

CVE-2019-14438

CVE-2019-14498

CVE-2019-14535

CVE-2019-14534

CVE-2019-14533

CVE-2019-14776

CVE-2019-14778

CVE-2019-14779

CVE-2019-14777

CVE-2019-14970

CVE-2019-15119

CVE-2019-14524

CVE-2019-14523

CVE-2019-7307

CVE-2019-11476

CVE-2019-13115

CVE-2019-3570

CVE-2019-13110

CVE-2019-13112

CVE-2019-13113

CVE-2019-13108

CVE-2019-13109

CVE-2019-13111

CVE-2019-13114

CVE-2019-3560

CVE-2019-9721

CVE-2019-9718

CVE-2019-9717

CVE-2019-9720

CVE-2019-9719

CVE-2018-20222

CVE-2019-3828

CVE-2019-6986

CVE-2019-5414

CVE-2018-4460

CVE-2018-16491

CVE-2018-16489

CVE-2018-16490

CVE-2018-19476

CVE-2018-19477

CVE-2018-19475

CVE-2018-19134

CVE-2018-16472

CVE-2018-18820

CVE-2018-4407

CVE-2018-16487

CVE-2018-4259

CVE-2018-4286

CVE-2018-4287

CVE-2018-4288

CVE-2018-4291

CVE-2019-5413

CVE-2018-16461

CVE-2018-16469

CVE-2018-16486

CVE-2018-16460

CVE-2018-16492

CVE-2018-11776

CVE-2018-8018

CVE-2018-8294

CVE-2018-4249

CVE-2018-8013

CVE-2018-5388

CVE-2018-1295

CVE-2018-4136

CVE-2018-4160

CVE-2018-1000140

CVE-2017-15692

CVE-2017-15693

CVE-2017-13904

CVE-2017-15089

CVE-2018-6834

CVE-2018-6835

CVE-2017-15713

CVE-2017-12634

CVE-2017-13782

CVE-2017-7545

CVE-2017-14949

CVE-2017-14868

CVE-2017-8046

CVE-2017-8045

CVE-2017-9805

CVE-2017-1000207

CVE-2017-1000208

CVE-2017-12612

CVE-2017-0141

https://lgtm.com/security/

2 more replies

lawnchair_larry6y ago

2 more replies

nickpsecurity6y ago

tptacek6y ago

1 more reply

iainmerrick6y ago

Why would Atlassian be better?

1 more reply

tensor6y ago

Am I reading that right that it's only on public repositories though? For private repositories I guess you have to buy through Semmle directly (via call us pricing)?

hanniabu6y ago

This would make sense since Semmle would likely need access.

1 more reply

Dirlewanger6y ago

So I'm guessing they'll be merging what they have now with Semmie's tool? Because they've had the free vulnerability check for a while now.

tptacek6y ago

Different things. Github has features that scan repos for "known-vulnerable" dependencies. They do not have features that scan for new vulnerabilities.

1 more reply

braindongle6y ago

Thank you for the zero-indexed reference list. Brought a smile.

_xnmw6y ago· 7 in thread

I hate that these kinds of Orwellian phrases "Welcoming X to the Y Family" have now become idiomatic of corporate English. Ugh, no. There is no "family" involved here, not by any stretch of the word.

javagram6y ago

To be fair, if a “parent corporation” is a thing, then logically it has children and can be a corporate family.

_xnmw6y ago

Intent matters. The phrase "parent corporation" has no PR or emotional intent. "Welcoming X to Y family" has a clear emotive intent.

2 more replies

Dirlewanger6y ago

Welp, guess it's time to bust out the "I'm offended and we need to change this lingo" card because corporations aren't people and we should stop referring to them that way

1 more reply

mytailorisrich6y ago

It actually took me a while to understand that the announcement likely meant that they had acquired Semmle...

spjt6y ago

They have to say that anyway, because Microsoft is acquiring Semmle, not GitHub. It is joining the GitHub "product family".

_xnmw6y ago

If they had said "Welcoming Semmle to the Github Family of Products" instead, that would've been much more tolerable.

smitop6y ago

When I read the headline I assumed it meant that GitHub was hiring an employee named Semmle, which confused me until I realized Semmle was a business.

chuckgreenman6y ago· 7 in thread

Interesting to see the differences between Github and Gitlab's strategy in this arena.

Github appears to be going the aqui-hire route with Semmle, dependabot, pullpanda etc, where as I don't think Gitlab's made an acquisition for a year or two.

troydavis6y ago

> The total purchase price of the deal, paid in cash, will not exceed $1M and will be the total and only compensation for the entire deal.

andrewprock6y ago

They are looking at companies that: "Raised under $10M total investment funds, last round being over 3 years ago"

This implies that in addition to self-funded ventures, they are looking for fire sales from failed start-ups.

pnako6y ago

It looks like they're buying (big) features, not complete solutions or companies. That's actually an interesting approach; I'm sure others do that, but maybe not as explicitly.

It would allow a small team of hackers to have a decent exit without having to go through the whole startup road.

claytonjy6y ago

leblancfg6y ago

https://about.gitlab.com/devops-tools/ https://about.gitlab.com/stages-devops-lifecycle/secure/

1 more reply

andyljones6y ago

Microsoft has $130bn cash-on-hand.

The surprise is really that they're not being more aggressive in their acquisitions.

pbhjpbhj6y ago

They should be like Yahoo was and buy everything they see? (for billions, only to sell it at a massive loss later)

I've not heard from Yahoo in a year at least, do they still exist ...

1 more reply

throwaway7446786y ago· 3 in thread

> Human progress depends on the open source community.

(Non native speaker here). Am I misunderstanding something, or is the author explaining that humanity can not progress without the open source community?

mytailorisrich6y ago

That's right. That's called hyperbole (with a 'e').

sounds6y ago

As the other comments point out, it's hyperbole. It's also an aspirational statement.

Aspirational, as in, they wish that github would be the key factor in human progress. Maybe I can say that even plainer: to the leadership at github, the progress of the human race depends on github.

The open source community depends on github.

That's what it's implying.

(The reader is left to identify that as wishful thinking.)

networkimprov6y ago

That's the meaning I took from it (USA native).

rishicomplex6y ago· 1 in thread

"Human progress depends on the open source community."

What a way to begin an article.

chromeguy666y ago

Especially considering M$ owns GitHub

tom-jh6y ago· 1 in thread

I've just tested their lgtm.com on our codebase:

1) identified str.replace('[ABC]+', '') correctly as a bug (looks like a regex but is string literal)

2) identified various unnecessary code that TypeScript overlooked

3) identified double-unescaping of html (this one would have probably gone unnoticed for years)

And a bunch of other stuff. No actual vulnerability in our case, but still very useful. I'm enabling their checks on every future PR.

This was TypeScript but they support the rest of our stack too (Python, Java). I wonder if this includes Kotlin - will try.

tom-jh6y ago

Tested, Kotlin is not supported, nor is Swift.

xvilka6y ago

[1] https://github.com/facebook/infer

[2] https://fbinfer.com/docs/linters.html

archon8106y ago

Semmle's post: https://blog.semmle.com/secure-software-github-semmle/.

pja6y ago

Github has been really working on their source code analysis toolkit recently & this acquisition makes perfect sense as part of that strategy. Congratulations to Oege & the team.

fnord1236y ago

First project I look up on lgtm.com is rust.. Second alert I find is this:

https://lgtm.com/projects/g/rust-lang/rust/snapshot/f5aa590b...

exist_ok is available from python 3.2, so this isn't a good impression.

https://docs.python.org/3.7/library/os.html#os.makedirs

dazbradbury6y ago

Huge congrats to Oege and the team at Semmle - couldn't be happier for a hugely passionate and smart individual (and a previous professor of mine!)

Am sure this will bring some amazing advances to Github and thus a huge % of the developer community.

rishicomplex6y ago

I've used semmle's tools at Google, they seemed pretty powerful.

notus6y ago

I spent way too long thinking that Semmie was just a badass programmer

z3t46y ago

Would be cool if the tools would be made open source in order for everyone to get more security.

robbystk6y ago

So this is the excuse they're using to build infrastructure to scan through everyone's code to find whatever they want.

j / k navigate · click thread line to collapse