GitHub has recently acquired Semmle, which is a code analysis tool. This is a great news for developers and security researchers alike as the tool will help them in looking for potential vulnerabilities in their code.
The reason why Semmle rose to prominence in such a short time is that it reduces the manual work for security testing. Instead the tool comes with a query language (QL), which enables developers and researchers to test their code by using the analysis engine.
Although the financial terms of the acquisition have not been made public by any of the parties, Semmle at the time of its launch had $21 million Series B round. At the time of acquisition, the company had raised around $31 million.
Semmle offers different tools like QL, which codify logical programming errors into queries to discover mistakes in the code, find any variants of the same issue/bug in the same and also prevent the bugs from appearing again.
“According to GitHub, Semmle will be used to investigate, address and propagate security issues in the open-source projects.”
Most of the vulnerabilities in the code actually are a result of the same type of coding mistakes. Typically, it takes developers quite some time to find the errors and fix them but with Semmle, it gets pretty easy. The analysis tool finds all the variations of the code error and then eradiate all the possible vulnerabilities.
The SVP of Product at GitHub, Shanku Niyogi noted during the announcement, “Just as relational databases make it simple to ask very sophisticated questions about data, Semmle makes it much easier for researchers to identify security vulnerabilities in large code bases quickly”.
The current clientele base of Semmle includes big names like Google, Microsoft, Nasa and Uber. Along with that, Semmle (with functionalities such as automated code review, security alerts and project tracking) is also available for open-source projects without any costs.
Moreover, GitHub also announced that it has become a Common Vulnerabilities and Exposures (CVE) Numbering Authority now. The maintainers will be enabled to report any vulnerabilities from their repositories. GitHub will then assign IDs to these issues, which will be added to the National Vulnerability Database (NVD). In simpler words, it means that developers will now be able to uncover more vulnerabilities more easily and that people who will use their code will get security alerts sooner than now too.
About Semmle
Semmle originally came into existence as a research project at Oxford in 2006. Because of its efficiency in finding code vulnerabilities and fixing it, the analysis tool garnered an impressive client base and was able to raise laudable venture capital.
The free version of the tool was offered up till now to open source developers to use in their apps.
About GitHub
GitHub was founded in 2008 and was acquired by Microsoft in 2018 for $7.5 billion. By using Git (an open-source distributed version control system that keeps a track of changes in the source code during development phase), the company offers hosting of software development version control. Along with offering all the features that Git essentially has, GitHub adds more features on top of that including: feature requests, task management, bug tracking, wikis etc.
According to the stats of May 2019, GitHub has more than 37 million users and over 100 million repositories worldwide. GitHub is the largest source code host on the planet.