GitHub acquires Semmle to help developers spot vulnerabilities in code
Microsoft-owned GitHub today announced that it has acquired Semmle, a San Francisco startup whose semantic code analysis engine lets developers and security researchers query a codebase for vulnerabilities. The terms of the purchase weren't disclosed, but GitHub says it will make Semmle's code analysis engine available across public and enterprise repositories through its GitHub Actions tool.
GitHub also revealed this morning that it is now a Common Vulnerabilities and Exposures (CVE) Numbering Authority. (For the uninitiated, the CVE system assigns a single reference identifier to each publicly disclosed security vulnerability so that advisories, scanners, and databases can refer to the same flaw.) Going forward, GitHub says it will become easier for project maintainers to report vulnerabilities directly from their repositories, after which the reports will be assigned a CVE ID, posted to the CVE List, and then uploaded to the National Vulnerability Database (NVD).
“Open source has had a remarkable run over the past 20 years. Today almost every software product from any vendor or community includes open source code in its supply chain. We all benefit from the open source model, and we all have a role to play in making open source successful for the next 20 years,” wrote GitHub in a blog post. “Both of these announcements are part of our larger strategy to secure the world’s code.”
Semmle originally spun out of research at Oxford in 2006, and soon after attracted clients like Microsoft, Google, Credit Suisse, NASA, and Nasdaq and raised over $31 million in venture capital. (In the last year alone, it saw a twofold increase in new customers.) It provided a free version of its technology to open source programmers to use with their projects, which prior to the acquisition analyzed the commits of tens of thousands of projects.
As GitHub SVP of product Shanku Niyogi explained in a blog post, Semmle's approach treats code as data: it builds a relational database of a program's structure and data flow and lets analysts query it, which is what allows it to spot every variant of a coding mistake rather than one hard-coded pattern. Researchers using Semmle write these queries in QL, a declarative, object-oriented query language, to find vulnerabilities in large codebases and to share and run the same query across many codebases. (Helpfully, Semmle ships with about 2,000 queries covering a number of known vulnerability classes and their variants.)
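To make the "query your code" idea concrete, here is a short illustrative QL query written for this article; it is not one of Semmle's shipped queries and not code from GitHub's announcement. It flags calls to the unbounded C string functions `strcpy`, `strcat`, and `sprintf` whose destination is a fixed-size local array, the classic stack buffer overflow shape, and reports the array's declared size. Because the condition is expressed over the program's structure rather than as a text pattern, the same query catches every call site and every variant of the copy function in one pass. The class and predicate names used (`FunctionCall`, `LocalVariable`, `ArrayType`, `hasGlobalName`, `getArraySize`) are those of the current CodeQL C/C++ standard library, which is assumed to be the target.

```ql
/**
 * @name Unbounded string copy into a fixed-size local buffer
 * @description Finds strcpy/strcat/sprintf calls whose destination is a
 *              local array with a compile-time size, a common stack
 *              buffer overflow pattern. Illustrative example query.
 * @kind problem
 * @problem.severity warning
 * @id cpp/example/unbounded-copy-fixed-buffer
 */

import cpp

/**
 * Holds if `fc` calls one of the C string functions that never bound
 * the number of bytes written to their first argument.
 */
predicate unboundedCopy(FunctionCall fc) {
  fc.getTarget().hasGlobalName("strcpy") or
  fc.getTarget().hasGlobalName("strcat") or
  fc.getTarget().hasGlobalName("sprintf")
}

/**
 * Holds if `buf` is a local array of known size `size` (in elements), so a
 * copy longer than that overruns the stack frame.
 */
predicate fixedSizeLocalArray(LocalVariable buf, int size) {
  exists(ArrayType t |
    t = buf.getType() and
    size = t.getArraySize()
  )
}

from FunctionCall fc, LocalVariable buf, int size
where
  unboundedCopy(fc) and
  // The destination argument is a direct access of the local array.
  fc.getArgument(0).(VariableAccess).getTarget() = buf and
  fixedSizeLocalArray(buf, size)
select fc,
  "Unbounded copy into fixed-size local buffer $@ (" + size + " elements).",
  buf, buf.getName()
```

Run against a database built from a C project, each result points at a call site and links to the buffer declaration, which is how the "find all variants" claim above plays out in practice: adding another unsafe function is a one-line change to `unboundedCopy`, and a follow-up query could exclude cases where the source length is checked first.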
Niyogi says that to date, over 100 CVEs in repositories have been discovered using its approach, including in high-profile projects like U-Boot, Apache Struts, the Linux Kernel, Memcached, VLC, and Apple’s XNU. “We are excited to bring Semmle to all open source communities and our Enterprise customers,” he added. “As the community grows and contributes their queries, we all help to make software more secure.”
These latest developments come months after GitHub revealed that it had acquired Dependabot, a third-party tool that automatically opens pull requests to update dependencies in popular programming languages. Around the same time, GitHub made dependency insights generally available to GitHub Enterprise Cloud subscribers, and it broadly launched security alerts that flag known vulnerabilities in dependencies for GitHub Enterprise Server customers.