diff --git a/assets/images/help/security/advisory-database-dependabot-alerts-filters.png b/assets/images/help/security/advisory-database-dependabot-alerts-filters.png
new file mode 100644
index 0000000000..1b2fcb7e75
Binary files /dev/null and b/assets/images/help/security/advisory-database-dependabot-alerts-filters.png differ
diff --git a/assets/images/help/security/advisory-database-dependabot-alerts.png b/assets/images/help/security/advisory-database-dependabot-alerts.png
new file mode 100644
index 0000000000..43d32a07d2
Binary files /dev/null and b/assets/images/help/security/advisory-database-dependabot-alerts.png differ
diff --git a/assets/images/help/security/advisory-database-dropdown-filters.png b/assets/images/help/security/advisory-database-dropdown-filters.png
index 717e105c6a..cd7d896060 100644
Binary files a/assets/images/help/security/advisory-database-dropdown-filters.png and b/assets/images/help/security/advisory-database-dropdown-filters.png differ
diff --git a/content/github/managing-security-vulnerabilities/about-alerts-for-vulnerable-dependencies.md b/content/github/managing-security-vulnerabilities/about-alerts-for-vulnerable-dependencies.md
index 1be5ca75ca..feb34c4070 100644
--- a/content/github/managing-security-vulnerabilities/about-alerts-for-vulnerable-dependencies.md
+++ b/content/github/managing-security-vulnerabilities/about-alerts-for-vulnerable-dependencies.md
@@ -72,7 +72,7 @@ When {% data variables.product.product_name %} identifies a vulnerable dependenc ### Access to {% if currentVersion == "free-pro-team@latest" or currentVersion ver_gt "enterprise-server@2.21" %}{% data variables.product.prodname_dependabot %}{% else %}security{% endif %} alerts -You can see all of the alerts that affect a particular project{% if currentVersion == "free-pro-team@latest" %} on the repository's Security tab or{% endif %} in the repository's dependency graph.{% if currentVersion == "free-pro-team@latest" %} For more information, see "[Viewing and updating vulnerable dependencies in your repository](/articles/viewing-and-updating-vulnerable-dependencies-in-your-repository)."{% endif %} +You can see all of the alerts that affect a particular project{% if currentVersion == "free-pro-team@latest" %} on the repository's Security tab or{% endif %} in the repository's dependency graph.{% if currentVersion == "free-pro-team@latest" %} For more information, see "[Viewing and updating vulnerable dependencies in your repository](/github/managing-security-vulnerabilities/viewing-and-updating-vulnerable-dependencies-in-your-repository)."{% endif %} {% if currentVersion == "free-pro-team@latest" or currentVersion ver_gt "enterprise-server@2.21" %} By default, we notify people with admin permissions in the affected repositories about new {% data variables.product.prodname_dependabot_alerts %}.{% endif %} {% if currentVersion == "free-pro-team@latest" %}{% data variables.product.product_name %} never publicly discloses identified vulnerabilities for any repository. You can also make {% data variables.product.prodname_dependabot_alerts %} visible to additional people or teams working repositories that you own or have admin permissions for. 
For more information, see "[Managing security and analysis settings for your repository](/github/administering-a-repository/managing-security-and-analysis-settings-for-your-repository#granting-access-to-security-alerts)." @@ -84,6 +84,10 @@ We send security alerts to people with admin permissions in the affected reposit {% data reusables.notifications.vulnerable-dependency-notification-delivery-method-customization %}{% if enterpriseServerVersions contains currentVersion and currentVersion ver_lt "enterprise-server@2.21" %} For more information, see "[Choosing the delivery method for your notifications](/github/receiving-notifications-about-activity-on-github/choosing-the-delivery-method-for-your-notifications)."{% endif %}{% if currentVersion == "free-pro-team@latest" or currentVersion ver_gt "enterprise-server@2.20" %} For more information, see "[Configuring notifications for vulnerable dependencies](/github/managing-security-vulnerabilities/configuring-notifications-for-vulnerable-dependencies)."{% endif %} +{% if currentVersion == "free-pro-team@latest" %} +You can also see all the {% data variables.product.prodname_dependabot_alerts %} that correspond to a particular vulnerability in the {% data variables.product.prodname_advisory_database %}. For more information, see "[Browsing security vulnerabilities in the {% data variables.product.prodname_advisory_database %}](/github/managing-security-vulnerabilities/browsing-security-vulnerabilities-in-the-github-advisory-database#viewing-your-vulnerable-repositories)." +{% endif %} + {% if currentVersion == "free-pro-team@latest" %} ### Further reading diff --git a/content/github/managing-security-vulnerabilities/browsing-security-vulnerabilities-in-the-github-advisory-database.md b/content/github/managing-security-vulnerabilities/browsing-security-vulnerabilities-in-the-github-advisory-database.md index 4b58d7b897..3594a9f3ac 100644 
--- a/content/github/managing-security-vulnerabilities/browsing-security-vulnerabilities-in-the-github-advisory-database.md +++ b/content/github/managing-security-vulnerabilities/browsing-security-vulnerabilities-in-the-github-advisory-database.md @@ -24,7 +24,7 @@ The severity level is one of four possible levels defined in the [Common Vulnera - High - Critical -The {% data variables.product.prodname_advisory_database %} uses CVSS version 3.0 standards and the CVSS levels described above. {% data variables.product.product_name %} doesn't publish CVSS scores. +The {% data variables.product.prodname_advisory_database %} uses CVSS version 3.0 standards and the CVSS levels described above. {% data reusables.repositories.github-security-lab %} @@ -42,7 +42,8 @@ The database is also accessible using the GraphQL API. For more information, see {% endnote %} ### Searching the {% data variables.product.prodname_advisory_database %} -You can search the database, and use qualifiers to narrow your search to advisories created on a certain date, in a specific ecosystem, or in a particular library. + +You can search the database, and use qualifiers to narrow your search. For example, you can search for advisories created on a certain date, in a specific ecosystem, or in a particular library. {% data reusables.time_date.date_format %} {% data reusables.time_date.time_format %} 
@@ -50,16 +51,32 @@ You can search the database, and use qualifiers to narrow your search to advisor
 | Qualifier | Example |
 | ------------- | ------------- |
+| `GHSA-ID`| [**GHSA-49wp-qq6x-g2rf**](https://github.com/advisories?query=GHSA-49wp-qq6x-g2rf) will show the advisory with this {% data variables.product.prodname_advisory_database %} ID. |
+| `CVE-ID`| [**CVE-2020-28482**](https://github.com/advisories?query=CVE-2020-28482) will show the advisory with this CVE ID number. |
 | `ecosystem:ECOSYSTEM`| [**ecosystem:npm**](https://github.com/advisories?utf8=%E2%9C%93&query=ecosystem%3Anpm) will show only advisories affecting NPM packages. |
 | `severity:LEVEL`| [**severity:high**](https://github.com/advisories?utf8=%E2%9C%93&query=severity%3Ahigh) will show only advisories with a high severity level. |
 | `affects:LIBRARY`| [**affects:lodash**](https://github.com/advisories?utf8=%E2%9C%93&query=affects%3Alodash) will show only advisories affecting the lodash library. |
+| `cwe:ID`| [**cwe:352**](https://github.com/advisories?query=cwe%3A352) will show only advisories with this CWE number. |
+| `credit:USERNAME`| [**credit:octocat**](https://github.com/advisories?query=credit%3Aoctocat) will show only advisories credited to the "octocat" user account. |
 | `sort:created-asc`| [**sort:created-asc**](https://github.com/advisories?utf8=%E2%9C%93&query=sort%3Acreated-asc) will sort by the oldest advisories first. |
 | `sort:created-desc`| [**sort:created-desc**](https://github.com/advisories?utf8=%E2%9C%93&query=sort%3Acreated-desc) will sort by the newest advisories first. |
 | `sort:updated-asc`| [**sort:updated-asc**](https://github.com/advisories?utf8=%E2%9C%93&query=sort%3Aupdated-asc) will sort by the least recently updated first. |
 | `sort:updated-desc`| [**sort:updated-desc**](https://github.com/advisories?utf8=%E2%9C%93&query=sort%3Aupdated-desc) will sort by the most recently updated first. |
 | `is:withdrawn`| [**is:withdrawn**](https://github.com/advisories?utf8=%E2%9C%93&query=is%3Awithdrawn) will show only advisories that have been withdrawn. |
-| `created:YYYY-MM-DD`| [**created:2019-10-31**](https://github.com/advisories?utf8=%E2%9C%93&query=created%3A2019-10-31) will show only advisories created on this date. |
-| `updated:YYYY-MM-DD`| [**updated:2019-10-31**](https://github.com/advisories?utf8=%E2%9C%93&query=updated%3A2019-10-31) will show only advisories updated on this date. |
+| `created:YYYY-MM-DD`| [**created:2021-01-13**](https://github.com/advisories?utf8=%E2%9C%93&query=created%3A2021-01-13) will show only advisories created on this date. |
+| `updated:YYYY-MM-DD`| [**updated:2021-01-13**](https://github.com/advisories?utf8=%E2%9C%93&query=updated%3A2021-01-13) will show only advisories updated on this date. |
+
+### Viewing your vulnerable repositories
+
+For any vulnerability in the {% data variables.product.prodname_advisory_database %}, you can see which of your repositories have a {% data variables.product.prodname_dependabot %} alert for that vulnerability. To see a vulnerable repository, you must have access to {% data variables.product.prodname_dependabot_alerts %} for that repository. For more information, see "[About alerts for vulnerable dependencies](/github/managing-security-vulnerabilities/about-alerts-for-vulnerable-dependencies#access-to-dependabot-alerts)."
+
+1. Navigate to https://github.com/advisories.
+2. Click an advisory.
+3. At the top of the advisory page, click **Dependabot alerts**.
+ ![Dependabot alerts](/assets/images/help/security/advisory-database-dependabot-alerts.png)
+4. Optionally, to filter the list, use the search bar or the drop-down menus. The "Organization" drop-down menu allows you to filter the {% data variables.product.prodname_dependabot_alerts %} per owner (organization or user).
+ ![Search bar and drop-down menus to filter alerts](/assets/images/help/security/advisory-database-dependabot-alerts-filters.png)
+5. For more details about the vulnerability, and for advice on how to fix the vulnerable repository, click the repository name.
 ### Further reading
diff --git a/data/reusables/github-actions/supported-github-runners.md b/data/reusables/github-actions/supported-github-runners.md
index 80614213e4..3af3da15cb 100644
--- a/data/reusables/github-actions/supported-github-runners.md
+++ b/data/reusables/github-actions/supported-github-runners.md
@@ -1,8 +1,8 @@
 | Virtual environment | YAML workflow label |
 | --------------------|---------------------|
 | Windows Server 2019 | `windows-latest` or `windows-2019` |
-| Ubuntu 20.04 | `ubuntu-20.04` |
-| Ubuntu 18.04 | `ubuntu-latest` or `ubuntu-18.04` |
+| Ubuntu 20.04 | `ubuntu-latest` (see note) or `ubuntu-20.04` |
+| Ubuntu 18.04 | `ubuntu-latest` (see note) or `ubuntu-18.04` |
 | Ubuntu 16.04 | `ubuntu-16.04` |
 | macOS Big Sur 11.0 | `macos-11.0` |
 | macOS Catalina 10.15 | `macos-latest` or `macos-10.15` |
diff --git a/data/reusables/github-actions/ubuntu-runner-preview.md b/data/reusables/github-actions/ubuntu-runner-preview.md
index 1a3636e0e1..6eb91edc13 100644
--- a/data/reusables/github-actions/ubuntu-runner-preview.md
+++ b/data/reusables/github-actions/ubuntu-runner-preview.md
@@ -1,5 +1,5 @@ {% note %} -**Note:** The Ubuntu 20.04 virtual environment is currently provided as a preview only. The `ubuntu-latest` YAML workflow label still uses the Ubuntu 18.04 virtual environment. +**Note:** The `ubuntu-latest` label is currently being migrated from the Ubuntu 18.04 virtual environment to Ubuntu 20.04. Specifying the `ubuntu-latest` label during the migration might use either virtual environment. To explicitly use Ubuntu 20.04 or Ubuntu 18.04, specify `ubuntu-20.04` or `ubuntu-18.04`. When the migration is complete, `ubuntu-latest` will use the Ubuntu 20.04 virtual environment. For more information about the migration, see "[Ubuntu-latest workflows will use Ubuntu-20.04](https://github.com/actions/virtual-environments/issues/1816)." {% endnote %} diff --git a/middleware/set-fastly-cache-headers.js b/middleware/set-fastly-cache-headers.js index 9e6cc02667..f76d84496c 100644 --- a/middleware/set-fastly-cache-headers.js +++ b/middleware/set-fastly-cache-headers.js @@ -2,11 +2,11 @@ const FASTLY_TTL = process.env.FASTLY_TTL || String(60 * 60 * 24) // 24 hours const STALE_TTL = String(60 * 10) // 10 minutes const BYPASS_FASTLY = process.env.TEST_BYPASS_FASTLY === 'true' -const BYPASS_PRODUCTS = /^\/([a-z]{2})\/([a-z0-9._-]+@[a-z0-9._-]+\/)?(discussions|packages|actions)(\/.*|$)/i +const BYPASS_PRODUCTS = /^\/([a-z]{2})\/([a-z0-9._-]+@[a-z0-9._-]+\/)?github(\/.*|$)/i module.exports = (req, res, next) => { // Test bypassing Fastly for all pages inside of the Discussions product - if (BYPASS_FASTLY && BYPASS_PRODUCTS.test(req.originalUrl)) { + if (BYPASS_FASTLY && !BYPASS_PRODUCTS.test(req.originalUrl)) { res.set({ 'surrogate-control': 'private, no-store', 'cache-control': 'private, no-store'