From 075119babc30d23d795584b82010e29c9398cd2e Mon Sep 17 00:00:00 2001 From: mchammer01 <42146119+mchammer01@users.noreply.github.com> Date: Tue, 16 Feb 2021 17:18:55 +0000 Subject: [PATCH] add link in dependabot article + polish some content --- .../about-dependabot-security-updates.md | 3 +++ .../about-github-security-advisories.md | 13 ++++++------- .../github-reviews-security-advisories.md | 2 +- .../repositories/security-advisory-edit-cwe-cve.md | 2 +- 4 files changed, 11 insertions(+), 9 deletions(-) diff --git a/content/github/managing-security-vulnerabilities/about-dependabot-security-updates.md b/content/github/managing-security-vulnerabilities/about-dependabot-security-updates.md index 45755b6c02..6473fd7f2a 100644 --- a/content/github/managing-security-vulnerabilities/about-dependabot-security-updates.md +++ b/content/github/managing-security-vulnerabilities/about-dependabot-security-updates.md @@ -12,6 +12,9 @@ versions: {% data variables.product.prodname_dependabot_security_updates %} make it easier for you to fix vulnerable dependencies in your repository. If you enable this feature, when a {% data variables.product.prodname_dependabot %} alert is raised for a vulnerable dependency in the dependency graph of your repository, {% data variables.product.prodname_dependabot %} automatically tries to fix it. For more information, see "[About alerts for vulnerable dependencies](/github/managing-security-vulnerabilities/about-alerts-for-vulnerable-dependencies)" and "[Configuring {% data variables.product.prodname_dependabot_security_updates %}](/github/managing-security-vulnerabilities/configuring-dependabot-security-updates)." +GitHub may send {% data variables.product.prodname_dependabot %} alerts to repositories affected by a vulnerability disclosed by a recently published {% data variables.product.prodname_dotcom %} security advisory. For more information, see "[About {% data variables.product.prodname_security_advisories %}](/github/managing-security-vulnerabilities/about-github-security-advisories#dependabot-alerts-for-published-security-advisories)." + + {% data variables.product.prodname_dependabot %} checks whether it's possible to upgrade the vulnerable dependency to a fixed version without disrupting the dependency graph for the repository. Then {% data variables.product.prodname_dependabot %} raises a pull request to update the dependency to the minimum version that includes the patch and links the pull request to the {% data variables.product.prodname_dependabot %} alert, or reports an error on the alert. For more information, see "[Troubleshooting {% data variables.product.prodname_dependabot %} errors](/github/managing-security-vulnerabilities/troubleshooting-dependabot-errors)." {% note %} diff --git a/content/github/managing-security-vulnerabilities/about-github-security-advisories.md b/content/github/managing-security-vulnerabilities/about-github-security-advisories.md index 83161eb1b6..a4bb501f7e 100644 --- a/content/github/managing-security-vulnerabilities/about-github-security-advisories.md +++ b/content/github/managing-security-vulnerabilities/about-github-security-advisories.md @@ -34,15 +34,13 @@ It's seen as fine for security researchers to disclose a vulnerability publicly Here at {% data variables.product.company_short %}, the process for disclosing vulnerabilities is as follows: - If you are a security researcher who would like report a vulnerability: - - First check if there is a security policy for the related repository. For more information, see "[About security policies](/github/managing-security-vulnerabilities/adding-a-security-policy-to-your-repository#about-security-policies)." - - If there is one, follow it to understand the process before contacting the security team for that repository. + If you are a security researcher who would like report a vulnerability, first check if there is a security policy for the related repository. For more information, see "[About security policies](/github/managing-security-vulnerabilities/adding-a-security-policy-to-your-repository#about-security-policies)." If there is one, follow it to understand the process before contacting the security team for that repository. If you are a maintainer, it's likely that a security researcher will email you or otherwise privately contact you. This can be, for example, based on information in your _security.md_ file. Alternatively, someone may open a (public) issue with details of a security issue. {% note %} -**Note**: For npm only—if you report a vulnerability to npm, we try to contact you privately. If you don't address the issue in a timely manner, we will disclose it. For more information, see "[Reporting malware in an npm package](https://docs.npmjs.com/reporting-malware-in-an-npm-package)" in the npm Docs website. +**Note**: _For npm only_ If you report a vulnerability to npm, we try to contact you privately. If you don't address the issue in a timely manner, we will disclose it. For more information, see "[Reporting malware in an npm package](https://docs.npmjs.com/reporting-malware-in-an-npm-package)" in the npm Docs website. {% endnote %} @@ -74,7 +72,9 @@ You can give credit to individuals who contributed to a security advisory. For m ### CVE identification numbers -{% data variables.product.prodname_security_advisories %} builds upon the foundation of the Common Vulnerabilities and Exposures (CVE) list. The security advisory form on {% data variables.product.prodname_dotcom %} is a standardized form that matches the CVE description format. {% data variables.product.prodname_dotcom %} is a CVE Numbering Authority (CNA) and is authorized to assign CVE identification numbers. For more information, see "[About CVE](https://cve.mitre.org/about/index.html)" and "[CVE Numbering Authorities](https://cve.mitre.org/cve/cna.html)" on the CVE website. +{% data variables.product.prodname_security_advisories %} builds upon the foundation of the Common Vulnerabilities and Exposures (CVE) list. The security advisory form on {% data variables.product.prodname_dotcom %} is a standardized form that matches the CVE description format. + +{% data variables.product.prodname_dotcom %} is a CVE Numbering Authority (CNA) and is authorized to assign CVE identification numbers. For more information, see "[About CVE](https://cve.mitre.org/about/index.html)" and "[CVE Numbering Authorities](https://cve.mitre.org/cve/cna.html)" on the CVE website. When you create a security advisory for a public repository on {% data variables.product.prodname_dotcom %}, you have the option of providing an existing CVE identification number for the security vulnerability. {% data reusables.repositories.request-security-advisory-cve-id %} @@ -83,5 +83,4 @@ For more information, see "[Publishing a security advisory](/github/managing-sec ### {% data variables.product.prodname_dependabot_alerts %} for published security advisories -{% data reusables.repositories.github-reviews-security-advisories %} - +{% data reusables.repositories.github-reviews-security-advisories %} \ No newline at end of file diff --git a/data/reusables/repositories/github-reviews-security-advisories.md b/data/reusables/repositories/github-reviews-security-advisories.md index 1740261048..302e6e67de 100644 --- a/data/reusables/repositories/github-reviews-security-advisories.md +++ b/data/reusables/repositories/github-reviews-security-advisories.md @@ -1,3 +1,3 @@ {% data variables.product.prodname_dotcom %} will review each published security advisory, add it to the {% data variables.product.prodname_advisory_database %}, and may use the security advisory to send {% data variables.product.prodname_dependabot_alerts %} to affected repositories. If the security advisory comes from a fork, we'll only send an alert if the fork owns a package, published under a unique name, on a public package registry. This process can take up to 72 hours and {% data variables.product.prodname_dotcom %} may contact you for more information. -For more information about {% data variables.product.prodname_dependabot_alerts %}, see "[About alerts for vulnerable dependencies](/github/managing-security-vulnerabilities/about-alerts-for-vulnerable-dependenciesabout-alerts-for-vulnerable-dependencies#dependabot-alerts-for-vulnerable-dependencies) and "[About {% data variables.product.prodname_dependabot_security_updates %}](/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-dependabot-security-updates)." For more information about {% data variables.product.prodname_advisory_database %}, see "[Browsing security vulnerabilities in the {% data variables.product.prodname_advisory_database %}](/github/managing-security-vulnerabilities/browsing-security-vulnerabilities-in-the-github-advisory-database)." +For more information about {% data variables.product.prodname_dependabot_alerts %}, see "[About alerts for vulnerable dependencies](/github/managing-security-vulnerabilities/about-alerts-for-vulnerable-dependenciesabout-alerts-for-vulnerable-dependencies#dependabot-alerts-for-vulnerable-dependencies)" and "[About {% data variables.product.prodname_dependabot_security_updates %}](/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-dependabot-security-updates)." For more information about {% data variables.product.prodname_advisory_database %}, see "[Browsing security vulnerabilities in the {% data variables.product.prodname_advisory_database %}](/github/managing-security-vulnerabilities/browsing-security-vulnerabilities-in-the-github-advisory-database)." diff --git a/data/reusables/repositories/security-advisory-edit-cwe-cve.md b/data/reusables/repositories/security-advisory-edit-cwe-cve.md index 1549f0a30d..cabbafc52e 100644 --- a/data/reusables/repositories/security-advisory-edit-cwe-cve.md +++ b/data/reusables/repositories/security-advisory-edit-cwe-cve.md @@ -1,2 +1,2 @@ 1. Add common weakness enumerators (CWEs) for the kinds of security weaknesses that this security advisory addresses. For a full list of CWEs, see the "[Common Weakness Enumeration](https://cwe.mitre.org/index.html)" from MITRE. -1. If you have an existing CVE identifier, select "I have an existing CVE identifier" and type the CVE identifier in the text box. Otherwise, you can request a CVE from {% data variables.product.prodname_dotcom %} later. +1. If you have an existing CVE identifier, select "I have an existing CVE identifier" and type the CVE identifier in the text box. Otherwise, you can request a CVE from {% data variables.product.prodname_dotcom %} later. For more information, see "[About {% data variables.product.prodname_security_advisories %}](/github/managing-security-vulnerabilities/about-github-security-advisories#cve-identification-numbers)."