Merge branch 'main' into mc-dependabot-advisory-db
@@ -7,6 +7,8 @@ redirect_from:
versions:
free-pro-team: '*'
enterprise-server: '*'
topics:
- security
---

### About vulnerable dependencies
@@ -20,8 +22,7 @@ When your code depends on a package that has a security vulnerability, this vuln
{% if currentVersion == "free-pro-team@latest" or currentVersion ver_gt "enterprise-server@2.21" %}{% data variables.product.prodname_dependabot %} detects vulnerable dependencies and sends {% data variables.product.prodname_dependabot_alerts %}{% else %}{% data variables.product.product_name %} detects vulnerable dependencies and sends security alerts{% endif %} when:

{% if currentVersion == "free-pro-team@latest" %}
- A new vulnerability is added to the {% data variables.product.prodname_advisory_database %}. For more information, see "[Browsing security vulnerabilities in the {% data variables.product.prodname_advisory_database %}](/github/managing-security-vulnerabilities/browsing-security-vulnerabilities-in-the-github-advisory-database)."
- New vulnerability data from [WhiteSource](https://www.whitesourcesoftware.com/vulnerability-database) is processed.{% else %}
- A new vulnerability is added to the {% data variables.product.prodname_advisory_database %}. For more information, see "[Browsing security vulnerabilities in the {% data variables.product.prodname_advisory_database %}](/github/managing-security-vulnerabilities/browsing-security-vulnerabilities-in-the-github-advisory-database)."{% else %}
- New advisory data is synchronized to {% data variables.product.prodname_ghe_server %} each hour from {% data variables.product.prodname_dotcom_the_website %}. For more information about advisory data, see "<a href="/github/managing-security-vulnerabilities/browsing-security-vulnerabilities-in-the-github-advisory-database" class="dotcom-only">Browsing security vulnerabilities in the {% data variables.product.prodname_advisory_database %}</a>."{% endif %}
- The dependency graph for a repository changes. For example, when a contributor pushes a commit to change the packages or versions it depends on{% if currentVersion == "free-pro-team@latest" %}, or when the code of one of the dependencies changes{% endif %}. For more information, see "[About the dependency graph](/github/visualizing-repository-data-with-graphs/about-the-dependency-graph)."


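Review bot: with the WhiteSource bullet removed, the dotcom branch of the `{% if currentVersion == "free-pro-team@latest" %}` list is down to the single advisory-database trigger, so the `{% else %}` correctly moves to the end of the new `- A new vulnerability is added to the {% data variables.product.prodname_advisory_database %}... {% else %}` line; the dependency-graph bullet below, however, still carries the dotcom-only clause `, or when the code of one of the dependencies changes`, which the enterprise branch never had. Confirm that trigger is still accurate now that processing of WhiteSource vulnerability data is no longer listed as an alert source, or drop the conditional so both products list the same triggers.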
@@ -6,6 +6,8 @@ redirect_from:
- /github/managing-security-vulnerabilities/about-github-dependabot-security-updates
versions:
free-pro-team: '*'
topics:
- security
---

### About {% data variables.product.prodname_dependabot_security_updates %}
@@ -25,6 +27,10 @@ The {% data variables.product.prodname_dependabot_security_updates %} feature is

{% endnote %}

You can enable a related feature, {% data variables.product.prodname_dependabot_version_updates %}, so that {% data variables.product.prodname_dependabot %} raises pull requests to update the manifest to the latest version of the dependency, whenever it detects an outdated dependency. For more information, see "[About {% data variables.product.prodname_dependabot %} version updates](/github/administering-a-repository/about-dependabot-version-updates)."

{% data reusables.dependabot.pull-request-security-vs-version-updates %}

### About pull requests for security updates

Each pull request contains everything you need to quickly and safely review and merge a proposed fix into your project. This includes information about the vulnerability like release notes, changelog entries, and commit details. Details of which vulnerability a pull request resolves are hidden from anyone who does not have access to {% data variables.product.prodname_dependabot_alerts %} for the repository.
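Review bot: style, in the added version-updates paragraph: the comma in "to the latest version of the dependency, whenever it detects an outdated dependency" splits the verb from its own adverbial clause; either drop the comma or lead with "Whenever it detects an outdated dependency, {% data variables.product.prodname_dependabot %} raises pull requests to update the manifest to the latest version." The new `{% data reusables.dependabot.pull-request-security-vs-version-updates %}` include is otherwise the right place for the security-vs-version distinction.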
@@ -39,4 +45,4 @@ When you merge a pull request that contains a security update, the corresponding

### About notifications for {% data variables.product.prodname_dependabot %} security updates

You can filter your notifications on {% data variables.product.company_short %} to show {% data variables.product.prodname_dependabot %} security updates. For more information, see "[Managing notifications from your inbox](/github/managing-subscriptions-and-notifications-on-github/managing-notifications-from-your-inbox#dependabot-custom-filters)."
You can filter your notifications on {% data variables.product.company_short %} to show {% data variables.product.prodname_dependabot %} security updates. For more information, see "[Managing notifications from your inbox](/github/managing-subscriptions-and-notifications-on-github/managing-notifications-from-your-inbox#dependabot-custom-filters)."

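Review bot: the removed and the added line in this hunk read identically ("You can filter your notifications on ... #dependabot-custom-filters)."), so the only change is whitespace or an invisible character, most likely a trailing space or line-ending normalization from an editor. If that was not intended, drop this hunk from the merge so the blame history for that paragraph stays clean; if it was, fine as-is.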
@@ -6,6 +6,8 @@ redirect_from:
- /github/managing-security-vulnerabilities/about-maintainer-security-advisories
versions:
free-pro-team: '*'
topics:
- security
---

{% data reusables.repositories.security-advisory-admin-permissions %}

@@ -3,6 +3,8 @@ title: About managing vulnerable dependencies
intro: '{% data variables.product.prodname_dotcom %} helps you to avoid using third-party software that contains known vulnerabilities.'
versions:
free-pro-team: '*'
topics:
- security
---

{% data variables.product.prodname_dotcom %} provides the following tools for removing and avoiding vulnerable dependencies.

@@ -6,6 +6,8 @@ redirect_from:
- /github/managing-security-vulnerabilities/adding-a-collaborator-to-a-maintainer-security-advisory
versions:
free-pro-team: '*'
topics:
- security
---

People with admin permissions to a security advisory can add collaborators to the security advisory.

@@ -5,6 +5,8 @@ redirect_from:
- /articles/adding-a-security-policy-to-your-repository
versions:
free-pro-team: '*'
topics:
- security
---

### About security policies

@@ -4,6 +4,8 @@ intro: 'The {% data variables.product.prodname_advisory_database %} allows you t
shortTitle: Browsing the Advisory Database
versions:
free-pro-team: '*'
topics:
- security
---

### About security vulnerabilities

@@ -5,6 +5,8 @@ redirect_from:
- /articles/collaborating-in-a-temporary-private-fork-to-resolve-a-security-vulnerability
versions:
free-pro-team: '*'
topics:
- security
---

### Prerequisites

@@ -9,6 +9,8 @@ redirect_from:
- /github/managing-security-vulnerabilities/configuring-github-dependabot-security-updates
versions:
free-pro-team: '*'
topics:
- security
---

### About configuring {% data variables.product.prodname_dependabot_security_updates %}

@@ -5,6 +5,8 @@ intro: 'Optimize how you receive notifications about {% if currentVersion == "f
versions:
free-pro-team: '*'
enterprise-server: '>=2.21'
topics:
- security
---

### About notifications for vulnerable dependencies

@@ -6,6 +6,8 @@ redirect_from:
- /github/managing-security-vulnerabilities/creating-a-maintainer-security-advisory
versions:
free-pro-team: '*'
topics:
- security
---

Anyone with admin permissions to a repository can create a security advisory.

@@ -3,6 +3,8 @@ title: Editing a security advisory
intro: You can edit the metadata and description for a security advisory if you need to update details or correct errors.
versions:
free-pro-team: '*'
topics:
- security
---

People with admin permissions to a security advisory can edit the security advisory.

@@ -5,6 +5,8 @@ redirect_from:
versions:
free-pro-team: '*'
enterprise-server: '*'
topics:
- security
---



@@ -10,5 +10,7 @@ redirect_from:
versions:
free-pro-team: '*'
enterprise-server: '*'
topics:
- security
---


@@ -6,6 +6,8 @@ redirect_from:
- /github/managing-security-vulnerabilities/permission-levels-for-maintainer-security-advisories
versions:
free-pro-team: '*'
topics:
- security
---

### Permissions overview

@@ -6,6 +6,8 @@ redirect_from:
- /github/managing-security-vulnerabilities/publishing-a-maintainer-security-advisory
versions:
free-pro-team: '*'
topics:
- security
---

Anyone with admin permissions to a security advisory can publish the security advisory.

@@ -3,6 +3,8 @@ title: Removing a collaborator from a security advisory
intro: 'When you remove a collaborator from a security advisory, they lose read and write access to the security advisory''s discussion and metadata.'
versions:
free-pro-team: '*'
topics:
- security
---

People with admin permissions to a security advisory can remove collaborators from the security advisory.

@@ -6,6 +6,8 @@ redirect_from:
- /github/managing-security-vulnerabilities/troubleshooting-github-dependabot-errors
versions:
free-pro-team: '*'
topics:
- security
---

{% data reusables.dependabot.beta-note %}
@@ -76,9 +78,20 @@ There are separate limits for security and version update pull requests, so that

The best way to resolve this error is to merge or close some of the existing pull requests and trigger a new pull request manually. For more information, see "[Triggering a {% data variables.product.prodname_dependabot %} pull request manually](#triggering-a-dependabot-pull-request-manually)."

#### {% data variables.product.prodname_dependabot %} can't resolve your dependency files
#### {% data variables.product.prodname_dependabot %} can't resolve or access your dependencies

If {% data variables.product.prodname_dependabot %} attempts to check whether dependency references need to be updated in a repository, but can't access one or more of the referenced files, the operation will fail with the error message "{% data variables.product.prodname_dependabot %} can't resolve your LANGUAGE dependency files." The API error type is `git_dependencies_not_reachable`.
If {% data variables.product.prodname_dependabot %} attempts to check whether dependency references need to be updated in a repository, but can't access one or more of the referenced files, the operation will fail with the error message "{% data variables.product.prodname_dependabot %} can't resolve your LANGUAGE dependency files." The API error type is `git_dependencies_not_reachable`.

Similarly, if {% data variables.product.prodname_dependabot %} can't access a private package registry in which a dependency is located, one of the following errors is generated:

* "Dependabot can't reach a dependency in a private package registry"<br>
(API error type: `private_source_not_reachable`)
* "Dependabot can't authenticate to a private package registry"<br>
(API error type:`private_source_authentication_failure`)
* "Dependabot timed out while waiting for a private package registry"<br>
(API error type:`private_source_timed_out`)
* "Dependabot couldn't validate the certificate for a private package registry"<br>
(API error type:`private_source_certificate_failure`)

To allow {% data variables.product.prodname_dependabot %} to update the dependency references successfully, make sure that all of the referenced dependencies are hosted at accessible locations.


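Review bot: the closing sentence of this hunk, "make sure that all of the referenced dependencies are hosted at accessible locations", only remedies the `git_dependencies_not_reachable`, `private_source_not_reachable` and `private_source_timed_out` cases; the two other errors the hunk introduces, `private_source_authentication_failure` and `private_source_certificate_failure`, are not fixed by moving a dependency anywhere. They need valid registry credentials that Dependabot can use and a server certificate chain it can validate, so extend that sentence to cover both (or link to the page where private registries are configured for Dependabot). Two smaller points in the same new bullets: the `(API error type: ...)` lines are inconsistent, with a space after the colon only in the first one (`(API error type: `private_source_not_reachable`)` versus `(API error type:`private_source_authentication_failure`)`), so use the spaced form throughout; and the "can't resolve your LANGUAGE dependency files" paragraph is removed and re-added with identical text, which is a whitespace-only change and fine if intentional. The heading rename to "can't resolve or access your dependencies" matches the broader scope.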
@@ -4,6 +4,8 @@ intro: 'If the dependency information reported by {% data variables.product.prod
shortTitle: Troubleshooting detection
versions:
free-pro-team: '*'
topics:
- security
---

The results of dependency detection reported by {% data variables.product.product_name %} may be different from the results returned by other tools. There are good reasons for this and it's helpful to understand how {% data variables.product.prodname_dotcom %} determines dependencies for your project.

@@ -7,6 +7,8 @@ permissions: Repository administrators and organization owners can view and upda
shortTitle: Viewing and updating vulnerable dependencies
versions:
free-pro-team: '*'
topics:
- security
---
Your repository's {% data variables.product.prodname_dependabot %} alerts tab lists all open and closed {% data variables.product.prodname_dependabot_alerts %} and corresponding {% data variables.product.prodname_dependabot_security_updates %}. You can sort the list of alerts using the drop-down menu, and you can click into specific alerts for more details. For more information, see "[About alerts for vulnerable dependencies](/github/managing-security-vulnerabilities/about-alerts-for-vulnerable-dependencies)."


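Review bot: style: this file has no blank line between the closing `---` of the front matter and the first paragraph ("Your repository's {% data variables.product.prodname_dependabot %} alerts tab lists ..."), while every other file touched by this change separates them with one; since the hunk is already editing the front matter, add the blank line here for consistency.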
@@ -3,6 +3,8 @@ title: Withdrawing a security advisory
intro: You can withdraw a security advisory that you've published.
versions:
free-pro-team: '*'
topics:
- security
---

If you publish a security advisory in error, you can withdraw the security advisory by contacting {% data variables.contact.contact_support %}.
