“Semmle’s revolutionary semantic code analysis engine allows developers to write queries that identify code patterns in large codebases and search for vulnerabilities and their variants,” GitHub explains. Semmle develops code analysis tools used by organizations including Google, NASA, and Microsoft itself. Microsoft says Semmle will now be folded into GitHub, allowing security researchers to “quickly find vulnerabilities in code with simple declarative queries.” Current Semmle users will not see a disruption in their service, the company says. Semmle was founded in 2006 with the aim of treating code as a dataset that can be queried and analyzed.

The announcement adds: “GitHub and Semmle are deeply committed to securing the open source ecosystem, and as part of that commitment, LGTM.com will continue to be available for free for public repositories and open source. We’ll also continue our open source security research, which to date has yielded 107 CVEs in high-profile projects like UBoot, Apache Struts, the Linux Kernel, Memcached, VLC, and Apple’s XNU.”
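To make the "declarative queries" idea concrete, here is a small CodeQL query of the kind Semmle's engine evaluates over a codebase. It is an added illustration written for this article, not code from GitHub, Semmle, or the announcement, and it assumes a JavaScript database built with the standard CodeQL JavaScript library. It flags calls to `eval` whose first argument is not a string literal, which is the pattern-plus-variant search the quote describes: the query states what the suspicious shape looks like, and the engine finds every instance of it, not just the one a reviewer happened to notice.

```ql
/**
 * Added example query, not part of the original article or of Semmle's shipped query suite.
 * Assumes a CodeQL database of a JavaScript project.
 *
 * @name Call to eval with a non-literal argument
 * @description eval() on data that is not a compile-time string literal can
 *              execute attacker-controlled code if the argument is influenced by input.
 * @kind problem
 * @problem.severity warning
 * @id js/example/eval-non-literal-argument
 */

import javascript

from CallExpr call
where
  // Match any call whose callee is named `eval` ...
  call.getCalleeName() = "eval" and
  // ... and whose first argument is something other than a plain string literal,
  // so constant `eval("1+1")` is ignored but `eval(req.query.code)` is reported.
  not call.getArgument(0) instanceof StringLiteral
select call, "eval() is called with a non-literal argument."
```

The point of the example is the shape, not the specific sink: swapping `eval` for another dangerous API, or replacing the literal check with a taint-tracking configuration from the same library, is how one finds the "variants" of a known bug across a large codebase instead of hunting for them by hand.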
Acquisition Blitz
This year, Microsoft has acquired several services to boost the capabilities of GitHub. In July, it purchased Pull Panda to add analytics and pull-request reminders. That purchase came shortly after the acquisition of Dependabot in June, and after the change that enabled unlimited free private repositories. Dependabot, whose core is open source, automates dependency updates in a project, and the tool has been integrated into GitHub for developers to use. The company says the new app scans a project's dependencies for known security vulnerabilities and automatically opens updates to newer versions.