GitHub pauses Dependabot malware notifications: Too many false positives

GitHub has paused alerting developers to malware via Dependabot, its service that analyzes a project's dependencies, reports the issues it finds and optionally opens pull requests to fix them.

The reason given is that “some organizations have been impacted with Dependabot alerts from these malware advisories that may be false positives.”

Keeping dependencies secure is a big issue for developers, who may not even be aware of all the software libraries their code pulls in. Package managers such as npm (Node Package Manager) resolve a project's declared dependencies, fetch those packages' own dependencies in turn, and install the whole tree into a directory such as node_modules, so a developer who added a handful of packages can end up with many transitive ones installed without ever looking at them.

The downside is that this tree is largely hidden, and over-reliance on the automation can mean insecure code is included in a project without anyone noticing. Another issue is out-of-date dependencies, some of them in libraries that are no longer maintained, so that known security issues never get fixed.

Dependabot is the GitHub feature that automatically scans a repository for such issues. It draws on the GitHub Advisory Database, which last month was expanded to include malware advisories, though GitHub also noted that “Dependabot does not send update pull requests for malware as the only resolution is to delete the package and find an alternative.”

Ideally malware would never make it into package registries, but they are an attractive target for criminals because the prize is automatic inclusion in victims' applications, delivered by the same tooling developers trust to install legitimate code.

Registry operators are making progress with protections such as mandatory MFA for publishers, but these are a long way from full roll-out on the most popular registries. Compromise of a publisher's account is one common route for malware, as happened with the ctx package on PyPI at the end of May.

Why the false positives? The problem, according to the GitHub team, is related to a type of attack called substitution (also known as dependency confusion), in which attackers publish to a public registry a package with the same name as one that developers rely on from a third-party or private registry. Dependabot was matching on the package name alone: it found the name in a private repository's manifest and raised a malware alert even when the package actually installed came from the intended private registry, not the public registry hosting the malicious copy of the same name. Such an alert was of little use, because there was nothing to do other than be aware of it.
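The name-only matching described above, and the hidden transitive dependencies mentioned earlier, can be demonstrated with a small checker run over a package-lock.json. This is an added example written for this page, not Dependabot's own code or GitHub's matching logic. It assumes a constructed lockfile, hypothetical package names (acme-auth, acme-metrics, express-ish, debug-ish, shiny-logger), constructed advisories and a hypothetical convention that acme-* names belong to a private registry. It uses the registry recorded in each package's resolved URL to tell a real malware hit from a name collision with a private package, and to catch the opposite case, where a private name has resolved from the public registry.

```python
"""Malware-advisory checker over a package-lock.json (added example, not Dependabot code).

Constructed inputs only: the lockfile, the advisories and every package name here
are hypothetical and do not refer to real packages or real GitHub advisories.
"""
import json
from urllib.parse import urlsplit

PUBLIC_REGISTRY = "https://registry.npmjs.org"
# Hypothetical convention: anything named acme-* or @acme/* must come from the private registry.
PRIVATE_PREFIXES = ("acme-", "@acme/")

# Constructed lockfile in the lockfileVersion 3 layout ("packages" keyed by install path).
SAMPLE_LOCKFILE = json.dumps({
    "name": "sample-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"acme-auth": "^1.0.0", "acme-metrics": "^1.0.0",
                              "express-ish": "^4.0.0", "shiny-logger": "^0.0.1"}},
        "node_modules/acme-auth": {
            "version": "1.2.0",
            "resolved": "https://npm.internal.example/acme-auth/-/acme-auth-1.2.0.tgz"},
        "node_modules/acme-metrics": {
            "version": "9.9.9",
            "resolved": "https://registry.npmjs.org/acme-metrics/-/acme-metrics-9.9.9.tgz"},
        "node_modules/express-ish": {
            "version": "4.18.0",
            "resolved": "https://registry.npmjs.org/express-ish/-/express-ish-4.18.0.tgz",
            "dependencies": {"debug-ish": "^2.0.0"}},
        "node_modules/debug-ish": {
            "version": "2.6.9",
            "resolved": "https://registry.npmjs.org/debug-ish/-/debug-ish-2.6.9.tgz"},
        "node_modules/shiny-logger": {
            "version": "0.0.1",
            "resolved": "https://registry.npmjs.org/shiny-logger/-/shiny-logger-0.0.1.tgz"},
    },
})

# Constructed advisories; each records the registry the malicious package was published to.
ADVISORIES = [
    {"ecosystem": "npm", "package": "acme-auth", "registry": PUBLIC_REGISTRY},
    {"ecosystem": "npm", "package": "shiny-logger", "registry": PUBLIC_REGISTRY},
]


def registry_of(resolved_url):
    """Return scheme://host of a lockfile 'resolved' URL, or None if it is absent."""
    if not resolved_url:
        return None
    parts = urlsplit(resolved_url)
    return f"{parts.scheme}://{parts.netloc}"


def direct_dependencies(lock_text):
    """Names the developer actually wrote into package.json (the root "" entry)."""
    root = json.loads(lock_text)["packages"][""]
    return set(root.get("dependencies", {})) | set(root.get("devDependencies", {}))


def installed_packages(lock_text):
    """Map every installed package, direct or transitive, to its version and registry."""
    lock = json.loads(lock_text)
    out = {}
    for path, meta in lock.get("packages", {}).items():
        if not path:  # "" is the root project itself, not a dependency
            continue
        # Nested installs look like node_modules/a/node_modules/b; keep the last
        # segment, which may itself be a scoped name such as @scope/name.
        name = path.rsplit("node_modules/", 1)[-1]
        out[name] = {"version": meta.get("version"),
                     "registry": registry_of(meta.get("resolved"))}
    return out


def classify(lock_text, advisories, private_prefixes, public_registry):
    """Return (package, verdict) pairs.

    'malware'              the installed copy came from the registry named in the advisory
    'name-collision'       same name, but installed from a different registry (the false
                           positive described in the article: nothing to fix)
    'dependency-confusion' a private-namespace name resolved from the public registry
    """
    pkgs = installed_packages(lock_text)
    by_name = {a["package"]: a for a in advisories if a["ecosystem"] == "npm"}
    findings = []
    for name, info in sorted(pkgs.items()):
        adv = by_name.get(name)
        if adv is not None:
            verdict = "malware" if info["registry"] == adv["registry"] else "name-collision"
            findings.append((name, verdict))
        if name.startswith(private_prefixes) and info["registry"] == public_registry:
            findings.append((name, "dependency-confusion"))
    return findings


if __name__ == "__main__":
    hidden = set(installed_packages(SAMPLE_LOCKFILE)) - direct_dependencies(SAMPLE_LOCKFILE)
    print("transitive packages never listed in package.json:", sorted(hidden))
    for name, verdict in classify(SAMPLE_LOCKFILE, ADVISORIES, PRIVATE_PREFIXES, PUBLIC_REGISTRY):
        print(f"{name}: {verdict}")
```

On the constructed input the checker reports acme-auth as a name collision rather than malware, because the lockfile shows it was fetched from the private registry, which is exactly the distinction a name-only match cannot make. It also flags acme-metrics, which carries a private-namespace name but resolved from the public registry, as the genuine substitution case worth acting on.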

The problem was severe enough for some users, generally GitHub Enterprise Server customers, that GitHub is offering “a script for you to run that will delete all malware advisories and alerts.”

The solution for the time being is that GitHub “will be pausing all Dependabot notifications on malware advisories.”

Pausing the alerts does not remove the malware risk, though, and developers will hope that GitHub finds a better solution soon. Note too that malware advisories are described as “in beta and subject to change.”