
Welcoming Semmle to GitHub

256 points, by johns, over 5 years ago

15 comments

eatonphil, over 5 years ago
The linked blog post [0] and the new security marketing page [1] both have a little more detail on what this actually means.

Basically, Semmle offers a static analysis tool that operates on your source code as a graph (from what I understand) and points out bugs and security holes in your code. Github is now offering that for free on repos at all tiers.

[0] https://github.blog/2019-09-18-securing-software-together/

[1] https://github.com/features/security
igammarays, over 5 years ago
I hate that these kinds of Orwellian phrases "Welcoming X to the Y Family" have now become idiomatic of corporate English. Ugh, no. There is no "family" involved here, not by any stretch of the word.
xvilka, over 5 years ago
Free hint for GitLab: they can integrate a similar but open source tool, Infer [1]. Essentially it provides similar features, it just lacks a good interface for them. They also have a query language, called AL [2]. It is way less polished than Semmle, but open source and with good potential.

[1] https://github.com/facebook/infer

[2] https://fbinfer.com/docs/linters.html
chuckgreenman, over 5 years ago
Interesting to see the differences between Github and Gitlab's strategy in this arena.

Github appears to be going the acqui-hire route with Semmle, dependabot, pullpanda etc., whereas I don't think Gitlab's made an acquisition for a year or two.
archon810, over 5 years ago
Semmle's post: https://blog.semmle.com/secure-software-github-semmle/
pja, over 5 years ago
Github has been really working on their source code analysis toolkit recently & this acquisition makes perfect sense as part of that strategy. Congratulations to Oege & the team.
fnord123, over 5 years ago
First project I look up on lgtm.com is rust. Second alert I find is this:

https://lgtm.com/projects/g/rust-lang/rust/snapshot/f5aa590b8ca98e925e5b1b975d7aef07e0c7a028/files/src/ci/docker/scripts/android-sdk-manager.py#x2e8f6c458bb40362:1

exist_ok is available from python 3.2, so this isn't a good impression.

https://docs.python.org/3.7/library/os.html#os.makedirs
dazbradbury, over 5 years ago
Huge congrats to Oege and the team at Semmle - couldn't be happier for a hugely passionate and smart individual (and a previous professor of mine!)

Am sure this will bring some amazing advances to Github and thus a huge % of the developer community.
rishicomplex, over 5 years ago
"Human progress depends on the open source community."

What a way to begin an article.
tom-jh, over 5 years ago
I've just tested their lgtm.com on our codebase:

1) identified str.replace('[ABC]+', '') correctly as a bug (looks like a regex but is a string literal)

2) identified various unnecessary code that TypeScript overlooked

3) identified double-unescaping of HTML (this one would have probably gone unnoticed for years)

And a bunch of other stuff. No actual vulnerability in our case, but still very useful. I'm enabling their checks on every future PR.

This was TypeScript but they support the rest of our stack too (Python, Java). I wonder if this includes Kotlin - will try.
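The two findings tom-jh describes, reproduced as an added example (not code from the thread, from lgtm.com or from the commenter's codebase): a `replace` whose pattern is a string literal rather than a regex, and an HTML unescape applied twice. The entity table, the `entityLayers` helper and the sample inputs are assumptions of this example.

```typescript
// Added example, not from the thread: the two defect classes tom-jh says lgtm.com flagged.

// 1) With a string as its first argument, String.prototype.replace does a literal,
//    first-occurrence match. '[ABC]+' therefore only matches the seven characters "[ABC]+".
function stripLettersBuggy(s: string): string {
  return s.replace('[ABC]+', ''); // looks like a regex, is a string literal
}

function stripLettersFixed(s: string): string {
  return s.replace(/[ABC]+/g, ''); // a real regex; /g removes every run, not just the first
}

// 2) HTML unescaping is not idempotent. "&amp;lt;b&amp;gt;" is inert text that renders as
//    "&lt;b&gt;"; unescaping it a second time yields the live markup "<b>".
const ENTITIES: Record<string, string> = { amp: '&', lt: '<', gt: '>', quot: '"', '#39': "'" };

function unescapeHtml(s: string): string {
  return s.replace(/&(amp|lt|gt|quot|#39);/g, (m: string, name: string) => ENTITIES[name] ?? m);
}

function unescapeTwice(s: string): string {
  return unescapeHtml(unescapeHtml(s)); // the double-unescape defect
}

// Helper (assumed for this example): how many times unescaping still changes the string.
// A value escaped exactly once reports 1; 2 or more means it was escaped more than once,
// so a single decode would still leave it inert and a second decode turns it into markup.
function entityLayers(s: string): number {
  let layers = 0;
  let cur = s;
  let next = unescapeHtml(cur);
  while (next !== cur) {
    layers++;
    cur = next;
    next = unescapeHtml(cur);
  }
  return layers;
}

// Constructed sample inputs.
const SAMPLE_LETTERS = 'ABCxyzCAB';
const SAMPLE_HTML = '&amp;lt;b&amp;gt;';
console.log(stripLettersBuggy(SAMPLE_LETTERS)); // unchanged: no literal "[ABC]+" in the input
console.log(stripLettersFixed(SAMPLE_LETTERS));  // "xyz"
console.log(unescapeHtml(SAMPLE_HTML));          // "&lt;b&gt;" (still safe to render as text)
console.log(unescapeTwice(SAMPLE_HTML));         // "<b>" (now markup)
console.log(entityLayers(SAMPLE_HTML));          // 2
```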
throwaway744678, over 5 years ago
> Human progress depends on the open source community.

(Non native speaker here). Am I misunderstanding something, or is the author explaining that humanity can not progress without the open source community?
rishicomplex, over 5 years ago
I've used Semmle's tools at Google, they seemed pretty powerful.
notus, over 5 years ago
I spent way too long thinking that Semmie was just a badass programmer.
z3t4, over 5 years ago
Would be cool if the tools would be made open source in order for everyone to get more security.
robbystk, over 5 years ago
So this is the excuse they're using to build infrastructure to scan through everyone's code to find whatever they want.