Microsoft’s GitHub today announced that it has acquired Semmle, a code analysis tool that helps developers and security researchers discover potential vulnerabilities in their code. Semmle takes a lot of the manual work out of security testing and instead offers a query language that allows researchers to test their code, using the service’s analysis engine. Over time, the GitHub team plans to integrate Semmle closely into the GitHub workflow.
GitHub did not disclose the price of the acquisition, but Semmle, which was originally spun out of research done at Oxford University, officially launched last year, with a $21 million Series B round led by Accel. In total, the company raised $31 million before this acquisition.
“Just as relational databases make it simple to ask very sophisticated questions about data, Semmle makes it much easier for researchers to identify security vulnerabilities in large code bases quickly,” writes Shanku Niyogi, GitHub’s SVP of Product, in today’s announcement.” Many vulnerabilities have the same type of coding mistake as their root cause. With Semmle, you can find all variations of a mistake, eradicating a whole class of vulnerabilities. Furthermore, this approach makes Semmle far more effective, finding dramatically more issues and with far fewer false positives.”
Current Semmle users include the likes of Uber, Nasa, Microsoft and Google and the company’s core analysis platform, with automated code reviews, project tracking and, of course, security alerts, is available for free for open-source projects.
“GitHub is the one place where the community meets, where security experts and open source maintainers collaborate, and where the consumers of open source find their building blocks,” says Semmle CEO and co-founder Oege De Moor. “GitHub’s recent moves to secure the ecosystem (with maintainer security advisories, automated security fixes, token scanning, and many other advances in secure development) are all pieces of the same puzzle. The Semmle vision and technology belong at GitHub.”
GitHub CEO Nat Friedman echoes this in a blog post today and notes that he believes that GitHub has a “unique opportunity and responsibility to provide the tools, best practices, and infrastructure to make software development secure.”
As part of this overall mission, GitHub also today announced that it is now a Common Vulnerabilities and Exposures (CVE) Numbering Authority. With this, maintainers will now be able to report vulnerabilities from their repositories and GitHub will handle assigning IDs and adding the issues to the National Vulnerability Database (NVD). Ideally, this should mean that developers will disclose more vulnerabilities (since it’s now significantly easier) and that others who use this code will get alerts sooner.