GitHub Advisory Database now supports Erlang and Elixir packages!
We’re excited to announce that the GitHub Advisory Database now includes curated security advisories on Erlang, Elixir, and more.
GitHub is on a mission to create a more secure supply chain for all developers and organizations. To do that, we need to empower all developer communities with comprehensive vulnerability information and seamless remediation guidance.
That’s why we’re excited to announce that the GitHub Advisory Database now includes curated security advisories for languages compiled to run on the BEAM virtual machine, including Elixir and Erlang. Elixir is a dynamic, functional language for building scalable and maintainable applications and is great at controlling vast amounts of infrastructure. Erlang is a general-purpose programming language and runtime environment that favors building scalable and concurrent systems. These languages, as well as others compiled to run on the BEAM virtual machine, are managed by the Hex package registry.
The addition of the Erlang ecosystem expands our GitHub Advisory Database coverage to nine supported ecosystems: Composer (PHP), Go, Maven (Java), npm (JavaScript), NuGet (.NET), pip (Python), RubyGems (Ruby), Rust, and now Erlang (Hex). This new coverage ensures that any member of the Erlang and Elixir community can check for security issues in the same place that their code resides—on GitHub.
Advisories
GitHub believes that free and open security data is critical to empowering the industry as a whole to best secure our software supply chains. To support this mission, GitHub’s Advisory Database is an open source database of security advisories focused on high-quality, actionable vulnerability information for developers. It’s licensed under Creative Commons Attribution 4.0, so the data can be used anywhere and is forever free!
Contributing to Erlang advisories
We are also accepting community contributions on Hex packages now that the Advisory Database supports this ecosystem! Security researchers, academics, and enthusiasts can provide additional relevant information to further the community’s understanding and awareness of these security advisories. Contributors can submit their edits following our community guidelines.
Learn more
Jump in and explore Erlang advisories today, or learn more about our other supply chain security features:
- The GitHub Advisory Database
- GitHub Security Advisories
- Dependency graph
- Dependabot alerts
- Dependabot security updates