From 51f8256e8f4e4cbcd09de48b08033343d834e92e Mon Sep 17 00:00:00 2001 From: mc <42146119+mchammer01@users.noreply.github.com> Date: Thu, 18 Jan 2024 11:48:29 +0000 Subject: [PATCH] Improve and amend information about malware in Dependabot (#48626) Co-authored-by: Anne-Marie <102995847+am-stead@users.noreply.github.com> --- .../about-dependabot-alerts.md | 14 +++++------ .../configuring-dependabot-alerts.md | 6 ++--- ...ing-notifications-for-dependabot-alerts.md | 4 +++- .../viewing-and-updating-dependabot-alerts.md | 4 +++- .../troubleshooting-dependabot-errors.md | 3 --- .../about-global-security-advisories.md | 23 +++++++++++++++--- .../about-the-github-advisory-database.md | 24 ++++++++++++++----- ...isories-in-the-github-advisory-database.md | 2 +- .../about-supply-chain-security.md | 4 ++-- .../github-reviewed-overview.md | 1 + .../advisory-database/malware-overview.md | 1 + .../advisory-database/unreviewed-overview.md | 1 + .../no-dependabot-alerts-for-malware.md | 5 ++++ .../repositories/dependency-review.md | 2 +- 14 files changed, 65 insertions(+), 29 deletions(-) create mode 100644 data/reusables/advisory-database/github-reviewed-overview.md create mode 100644 data/reusables/advisory-database/malware-overview.md create mode 100644 data/reusables/advisory-database/unreviewed-overview.md create mode 100644 data/reusables/dependabot/no-dependabot-alerts-for-malware.md diff --git a/content/code-security/dependabot/dependabot-alerts/about-dependabot-alerts.md b/content/code-security/dependabot/dependabot-alerts/about-dependabot-alerts.md index ea60e3ee68..317cd2f475 100644 --- a/content/code-security/dependabot/dependabot-alerts/about-dependabot-alerts.md +++ b/content/code-security/dependabot/dependabot-alerts/about-dependabot-alerts.md @@ -1,6 +1,6 @@ --- title: About Dependabot alerts -intro: '{% data variables.product.product_name %} sends {% data variables.product.prodname_dependabot_alerts %} when we detect that your repository uses a vulnerable dependency{% ifversion GH-advisory-db-supports-malware %} or malware{% endif %}.' +intro: '{% data variables.product.product_name %} sends {% data variables.product.prodname_dependabot_alerts %} when we detect that your repository uses a vulnerable dependency.' product: '{% data reusables.gated-features.dependabot-alerts %}' redirect_from: - /articles/about-security-alerts-for-vulnerable-dependencies @@ -26,14 +26,12 @@ shortTitle: Dependabot alerts ## About {% data variables.product.prodname_dependabot_alerts %} -{% ifversion GH-advisory-db-supports-malware %} -{% data reusables.advisory-database.beta-malware-advisories %} -{% endif %} - {% data variables.product.prodname_dependabot_alerts %} tell you that your code depends on a package that is insecure. If your code depends on a package with a security vulnerability, this can cause a range of problems for your project or the people who use it. You should upgrade to a secure version of the package as soon as possible.{% ifversion GH-advisory-db-supports-malware %} If your code uses malware, you need to replace the package with a secure alternative.{% endif %} +{% data reusables.dependabot.no-dependabot-alerts-for-malware %} + {% data reusables.dependabot.quickstart-link %} ## Detection of insecure dependencies @@ -74,7 +72,7 @@ As {% data variables.product.prodname_dependabot_alerts %} rely on the dependenc {% data reusables.repositories.enable-security-alerts %} -{% ifversion fpt or ghec %}{% data variables.product.prodname_dotcom %} detects vulnerable dependencies and malware in _public_ repositories and displays the dependency graph, but does not generate {% data variables.product.prodname_dependabot_alerts %} by default. Repository owners or people with admin access can enable {% data variables.product.prodname_dependabot_alerts %} for public repositories. Owners of private repositories, or people with admin access, can enable {% data variables.product.prodname_dependabot_alerts %} by enabling the dependency graph and {% data variables.product.prodname_dependabot_alerts %} for their repositories. +{% ifversion fpt or ghec %}{% data variables.product.prodname_dotcom %} detects vulnerable dependencies in _public_ repositories and displays the dependency graph, but does not generate {% data variables.product.prodname_dependabot_alerts %} by default. Repository owners or people with admin access can enable {% data variables.product.prodname_dependabot_alerts %} for public repositories. Owners of private repositories, or people with admin access, can enable {% data variables.product.prodname_dependabot_alerts %} by enabling the dependency graph and {% data variables.product.prodname_dependabot_alerts %} for their repositories. You can also enable or disable {% data variables.product.prodname_dependabot_alerts %} for all repositories owned by your user account or organization. For more information, see "[AUTOTITLE](/code-security/dependabot/dependabot-alerts/configuring-dependabot-alerts)." @@ -83,7 +81,7 @@ For information about access requirements for actions related to {% data variabl {% data variables.product.product_name %} starts generating the dependency graph immediately and generates alerts for any insecure dependencies as soon as they are identified. The graph is usually populated within minutes but this may take longer for repositories with many dependencies. For more information, see "[AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository#enabling-or-disabling-security-and-analysis-features-for-private-repositories)." {% endif %} -When {% data variables.product.product_name %} identifies a vulnerable dependency{% ifversion GH-advisory-db-supports-malware %} or malware{% endif %}, we generate a {% data variables.product.prodname_dependabot %} alert and display it {% ifversion fpt or ghec or ghes %} on the **Security** tab for the repository and{% endif %} in the repository's dependency graph. The alert includes {% ifversion fpt or ghec or ghes %}a link to the affected file in the project, and {% endif %}information about a fixed version. +When {% data variables.product.product_name %} identifies a vulnerable dependency, we generate a {% data variables.product.prodname_dependabot %} alert and display it {% ifversion fpt or ghec or ghes %} on the **Security** tab for the repository and{% endif %} in the repository's dependency graph. The alert includes {% ifversion fpt or ghec or ghes %}a link to the affected file in the project, and {% endif %}information about a fixed version. {% data variables.product.product_name %} may also notify the maintainers of affected repositories about new alerts according to their notification preferences.{% ifversion dependabot-suppressed-notifications %} When {% data variables.product.prodname_dependabot %} is first enabled, {% data variables.product.product_name %} does not send notifications for all vulnerable dependencies found in your repository, only for new vulnerable dependencies identified after {% data variables.product.prodname_dependabot %} is enabled.{% endif %} For more information, see "[AUTOTITLE](/code-security/dependabot/dependabot-alerts/configuring-notifications-for-dependabot-alerts)." @@ -97,7 +95,7 @@ When {% data variables.product.product_name %} identifies a vulnerable dependenc {% warning %} -**Note**: {% data variables.product.product_name %}'s security features do not claim to catch all vulnerabilities{% ifversion GH-advisory-db-supports-malware %} and malware{% endif %}. We actively maintain {% data variables.product.prodname_advisory_database %} and generate alerts with the most up-to-date information. However, we cannot catch everything or tell you about known vulnerabilities within a guaranteed time frame. These features are not substitutes for human review of each dependency for potential vulnerabilities or any other issues, and we recommend consulting with a security service or conducting a thorough dependency review when necessary. +**Note**: {% data variables.product.product_name %}'s security features do not claim to catch all vulnerabilities. We actively maintain {% data variables.product.prodname_advisory_database %} and generate alerts with the most up-to-date information. However, we cannot catch everything or tell you about known vulnerabilities within a guaranteed time frame. These features are not substitutes for human review of each dependency for potential vulnerabilities or any other issues, and we recommend consulting with a security service or conducting a thorough dependency review when necessary. {% endwarning %} diff --git a/content/code-security/dependabot/dependabot-alerts/configuring-dependabot-alerts.md b/content/code-security/dependabot/dependabot-alerts/configuring-dependabot-alerts.md index 88bf303570..03947901a8 100644 --- a/content/code-security/dependabot/dependabot-alerts/configuring-dependabot-alerts.md +++ b/content/code-security/dependabot/dependabot-alerts/configuring-dependabot-alerts.md @@ -1,6 +1,6 @@ --- title: Configuring Dependabot alerts -intro: 'Enable {% data variables.product.prodname_dependabot_alerts %} to be generated when a new vulnerable dependency {% ifversion GH-advisory-db-supports-malware %}or malware {% endif %}is found in one of your repositories.' +intro: 'Enable {% data variables.product.prodname_dependabot_alerts %} to be generated when a new vulnerable dependency is found in one of your repositories.' shortTitle: Configure Dependabot alerts versions: fpt: '*' @@ -17,11 +17,11 @@ topics: - Repositories --- -## About {% data variables.product.prodname_dependabot_alerts %} for vulnerable dependencies{% ifversion GH-advisory-db-supports-malware %} and malware{% endif %} +## About {% data variables.product.prodname_dependabot_alerts %} for vulnerable dependencies {% data reusables.repositories.a-vulnerability-is %} -{% data variables.product.prodname_dependabot %} scans code when a new advisory is added to the {% data variables.product.prodname_advisory_database %} or the dependency graph for a repository changes. When vulnerable dependencies{% ifversion GH-advisory-db-supports-malware %} or malware{% endif %} are detected, {% data variables.product.prodname_dependabot_alerts %} are generated. For more information, see "[AUTOTITLE](/code-security/dependabot/dependabot-alerts/about-dependabot-alerts)." +{% data variables.product.prodname_dependabot %} scans code when a new advisory is added to the {% data variables.product.prodname_advisory_database %} or the dependency graph for a repository changes. When vulnerable dependencies are detected, {% data variables.product.prodname_dependabot_alerts %} are generated. For more information, see "[AUTOTITLE](/code-security/dependabot/dependabot-alerts/about-dependabot-alerts)." {% data reusables.dependabot.dependabot-alert-create-PR %} diff --git a/content/code-security/dependabot/dependabot-alerts/configuring-notifications-for-dependabot-alerts.md b/content/code-security/dependabot/dependabot-alerts/configuring-notifications-for-dependabot-alerts.md index 7f94d86b77..f3cdc3c7e8 100644 --- a/content/code-security/dependabot/dependabot-alerts/configuring-notifications-for-dependabot-alerts.md +++ b/content/code-security/dependabot/dependabot-alerts/configuring-notifications-for-dependabot-alerts.md @@ -23,9 +23,11 @@ topics: ## About notifications for {% data variables.product.prodname_dependabot_alerts %} -When {% data variables.product.prodname_dependabot %} detects vulnerable dependencies{% ifversion GH-advisory-db-supports-malware %} or malware{% endif %} in your repositories, we generate a {% data variables.product.prodname_dependabot %} alert and display it on the **Security** tab for the repository. {% data variables.product.product_name %} notifies the maintainers of affected repositories about the new alert according to their notification preferences.{% ifversion fpt or ghec %} {% data variables.product.prodname_dependabot %} is enabled by default on all public repositories, and needs to be enabled on private repositories. By default, you will receive {% data variables.product.prodname_dependabot_alerts %} by email. You can override the default overall behavior by choosing the type of notifications you want to receive, or switching notifications off altogether in the settings page for your user notifications at [https://github.com/settings/notifications](https://github.com/settings/notifications). +When {% data variables.product.prodname_dependabot %} detects vulnerable dependencies in your repositories, we generate a {% data variables.product.prodname_dependabot %} alert and display it on the **Security** tab for the repository. {% data variables.product.product_name %} notifies the maintainers of affected repositories about the new alert according to their notification preferences.{% ifversion fpt or ghec %} {% data variables.product.prodname_dependabot %} is enabled by default on all public repositories, and needs to be enabled on private repositories. By default, you will receive {% data variables.product.prodname_dependabot_alerts %} by email. You can override the default overall behavior by choosing the type of notifications you want to receive, or switching notifications off altogether in the settings page for your user notifications at [https://github.com/settings/notifications](https://github.com/settings/notifications). {% endif %} +{% data reusables.dependabot.no-dependabot-alerts-for-malware %} + {% ifversion dependabot-suppressed-notifications %}Regardless of your notification preferences, when {% data variables.product.prodname_dependabot %} is first enabled, {% data variables.product.product_name %} does not send notifications for all vulnerable dependencies found in your repository. Instead, you will receive notifications for new vulnerable dependencies identified after {% data variables.product.prodname_dependabot %} is enabled, if your notification preferences allow it.{% endif %} {% ifversion fpt or ghec %}If you're an organization owner, you can enable or disable {% data variables.product.prodname_dependabot_alerts %} for all repositories in your organization with one click. You can also set whether {% data variables.product.prodname_dependabot_alerts %} will be enabled or disabled for newly-created repositories. For more information, see "[AUTOTITLE](/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-for-all-new-repositories-when-they-are-added)." diff --git a/content/code-security/dependabot/dependabot-alerts/viewing-and-updating-dependabot-alerts.md b/content/code-security/dependabot/dependabot-alerts/viewing-and-updating-dependabot-alerts.md index c4e2dadad5..66b1c7cba4 100644 --- a/content/code-security/dependabot/dependabot-alerts/viewing-and-updating-dependabot-alerts.md +++ b/content/code-security/dependabot/dependabot-alerts/viewing-and-updating-dependabot-alerts.md @@ -38,6 +38,8 @@ You can enable automatic security updates for any repository that uses {% data v {% data variables.product.product_name %} generates {% data variables.product.prodname_dependabot_alerts %} when we detect that the default branch of your codebase is using dependencies with known security risks. For repositories where {% data variables.product.prodname_dependabot_security_updates %} are enabled, when {% data variables.product.product_name %} detects a vulnerable dependency in the default branch, {% data variables.product.prodname_dependabot %} creates a pull request to fix it. The pull request will upgrade the dependency to the minimum possible secure version needed to avoid the vulnerability. +{% data reusables.dependabot.no-dependabot-alerts-for-malware %} + Each {% data variables.product.prodname_dependabot %} alert has a unique numeric identifier and the {% data variables.product.prodname_dependabot_alerts %} tab lists an alert for every detected vulnerability. Legacy {% data variables.product.prodname_dependabot_alerts %} grouped vulnerabilities by dependency and generated a single alert per dependency. If you navigate to a legacy {% data variables.product.prodname_dependabot %} alert, you will be redirected to a {% data variables.product.prodname_dependabot_alerts %} tab filtered for that package. {% endif %} You can filter and sort {% data variables.product.prodname_dependabot_alerts %} using a variety of filters and sort options available on the user interface. For more information, see "[Prioritizing {% data variables.product.prodname_dependabot_alerts %}](#prioritizing-across--data-variablesproductprodname_dependabot_alerts-)" below. @@ -132,7 +134,7 @@ You can view all open and closed {% data variables.product.prodname_dependabot_a ## Reviewing and fixing alerts -It’s important to ensure that all of your dependencies are clean of any security weaknesses. When {% data variables.product.prodname_dependabot %} discovers vulnerabilities {% ifversion GH-advisory-db-supports-malware %}or malware{% endif %} in your dependencies, you should assess your project’s level of exposure and determine what remediation steps to take to secure your application. +It’s important to ensure that all of your dependencies are clean of any security weaknesses. When {% data variables.product.prodname_dependabot %} discovers vulnerabilities in your dependencies, you should assess your project’s level of exposure and determine what remediation steps to take to secure your application. {% ifversion fpt or ghec or ghes %} diff --git a/content/code-security/dependabot/working-with-dependabot/troubleshooting-dependabot-errors.md b/content/code-security/dependabot/working-with-dependabot/troubleshooting-dependabot-errors.md index 10f50cdf0e..3dc8b6ab2a 100644 --- a/content/code-security/dependabot/working-with-dependabot/troubleshooting-dependabot-errors.md +++ b/content/code-security/dependabot/working-with-dependabot/troubleshooting-dependabot-errors.md @@ -50,9 +50,6 @@ When {% data variables.product.prodname_dependabot %} is blocked from creating a There are several reasons why an alert may have no pull request link: 1. {% data variables.product.prodname_dependabot_security_updates %} are not enabled for the repository. -{% ifversion GH-advisory-db-supports-malware %} -1. The alert is for malware and there is no secure version of the package. -{% endif %} 1. The alert is for an indirect or transitive dependency that is not explicitly defined in a lock file. 1. An error blocked {% data variables.product.prodname_dependabot %} from creating a pull request. diff --git a/content/code-security/security-advisories/working-with-global-security-advisories-from-the-github-advisory-database/about-global-security-advisories.md b/content/code-security/security-advisories/working-with-global-security-advisories-from-the-github-advisory-database/about-global-security-advisories.md index 08d571b090..bd70a3fd50 100644 --- a/content/code-security/security-advisories/working-with-global-security-advisories-from-the-github-advisory-database/about-global-security-advisories.md +++ b/content/code-security/security-advisories/working-with-global-security-advisories-from-the-github-advisory-database/about-global-security-advisories.md @@ -20,9 +20,26 @@ redirect_from: {% ifversion fpt or ghec %}There are two types of advisories: global security advisories and repository security advisories. For more information about repository security advisories, see "[AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/about-repository-security-advisories)."{% endif %} -Global security advisories are grouped into two categories: {% data variables.product.company_short %}-reviewed advisories and unreviewed advisories. -- {% data variables.product.company_short %}-reviewed advisories are security vulnerabilities{% ifversion GH-advisory-db-supports-malware %} or malware{% endif %} that have been mapped to packages in ecosystems we support. -- Unreviewed advisories are security vulnerabilities that we publish automatically into the {% data variables.product.prodname_advisory_database %}, directly from the National Vulnerability Database feed. +Global security advisories are grouped into these categories: {% data variables.product.company_short %}-reviewed advisories,{% ifversion GH-advisory-db-supports-malware %} unreviewed advisories, and malware advisories{% else %} and unreviewed advisories{% endif %}. +- {% data reusables.advisory-database.github-reviewed-overview %} +- {% data reusables.advisory-database.unreviewed-overview %}{% ifversion GH-advisory-db-supports-malware %} +- {% data reusables.advisory-database.malware-overview %} + +{% note %} + +**Note:** {% data variables.product.prodname_dependabot %} doesn't generate {% data variables.product.prodname_dependabot_alerts %} for unreviewed and malware advisories. + +{% endnote %} + +{% else %} + +{% note %} + +**Note:** {% data variables.product.prodname_dependabot %} doesn't generate {% data variables.product.prodname_dependabot_alerts %} for unreviewed advisories. + +{% endnote %} + +{% endif %} For more information about the {% data variables.product.prodname_advisory_database %}, see "[AUTOTITLE](/code-security/security-advisories/working-with-global-security-advisories-from-the-github-advisory-database/about-the-github-advisory-database)." diff --git a/content/code-security/security-advisories/working-with-global-security-advisories-from-the-github-advisory-database/about-the-github-advisory-database.md b/content/code-security/security-advisories/working-with-global-security-advisories-from-the-github-advisory-database/about-the-github-advisory-database.md index 93ef341e23..6f6567d90f 100644 --- a/content/code-security/security-advisories/working-with-global-security-advisories-from-the-github-advisory-database/about-the-github-advisory-database.md +++ b/content/code-security/security-advisories/working-with-global-security-advisories-from-the-github-advisory-database/about-the-github-advisory-database.md @@ -1,6 +1,6 @@ --- title: About the GitHub Advisory database -intro: 'The {% data variables.product.prodname_advisory_database %} contains a list of known security vulnerabilities {% ifversion GH-advisory-db-supports-malware %}and malware, {% endif %}grouped in two categories: {% data variables.product.company_short %}-reviewed advisories and unreviewed advisories.' +intro: 'The {% data variables.product.prodname_advisory_database %} contains a list of known security vulnerabilities {% ifversion GH-advisory-db-supports-malware %}and malware, grouped in three categories: {% data variables.product.company_short %}-reviewed advisories, unreviewed advisories, and malware advisories.{% else %} grouped in two categories: {% data variables.product.company_short %}-reviewed advisories and unreviewed advisories.{% endif %}' versions: fpt: '*' ghec: '*' @@ -24,8 +24,6 @@ Security advisories are published as JSON files in the Open Source Vulnerability ## About types of security advisories -{% data reusables.advisory-database.beta-malware-advisories %} - Each advisory in the {% data variables.product.prodname_advisory_database %} is for a vulnerability in open source projects{% ifversion GH-advisory-db-supports-malware %} or for malicious open source software{% endif %}. {% data reusables.repositories.a-vulnerability-is %} Vulnerabilities in code are usually introduced by accident and fixed soon after they are discovered. You should update your code to use the fixed version of the dependency as soon as it is available. @@ -38,7 +36,7 @@ In contrast, malicious software, or malware, is code that is intentionally desig ### {% data variables.product.company_short %}-reviewed advisories -{% data variables.product.company_short %}-reviewed advisories are security vulnerabilities{% ifversion GH-advisory-db-supports-malware %} or malware{% endif %} that have been mapped to packages in ecosystems we support. We carefully review each advisory for validity and ensure that they have a full description, and contain both ecosystem and package information. +{% data reusables.advisory-database.github-reviewed-overview %} Generally, we name our supported ecosystems after the software programming language's associated package registry. We review advisories if they are for a vulnerability in a package that comes from a supported registry. @@ -58,14 +56,28 @@ Generally, we name our supported ecosystems after the software programming langu If you have a suggestion for a new ecosystem we should support, please open an [issue](https://github.com/github/advisory-database/issues) for discussion. -If you enable {% data variables.product.prodname_dependabot_alerts %} for your repositories, you are automatically notified when a new {% data variables.product.company_short %}-reviewed advisory reports a vulnerability {% ifversion GH-advisory-db-supports-malware %}or malware{% endif %} for a package you depend on. For more information, see "[AUTOTITLE](/code-security/dependabot/dependabot-alerts/about-dependabot-alerts)." +If you enable {% data variables.product.prodname_dependabot_alerts %} for your repositories, you are automatically notified when a new {% data variables.product.company_short %}-reviewed advisory reports a vulnerability for a package you depend on. For more information, see "[AUTOTITLE](/code-security/dependabot/dependabot-alerts/about-dependabot-alerts)." ### Unreviewed advisories -Unreviewed advisories are security vulnerabilities that we publish automatically into the {% data variables.product.prodname_advisory_database %}, directly from the National Vulnerability Database feed. +{% data reusables.advisory-database.unreviewed-overview %} {% data variables.product.prodname_dependabot %} doesn't create {% data variables.product.prodname_dependabot_alerts %} for unreviewed advisories as this type of advisory isn't checked for validity or completion. +{% ifversion GH-advisory-db-supports-malware %} + +### Malware advisories + +{% data reusables.advisory-database.beta-malware-advisories %} + +{% data reusables.advisory-database.malware-overview %} + +{% data variables.product.prodname_dependabot %} doesn't generate alerts when malware is detected as most of the vulnerabilities cannot be resolved by downstream users. You can view malware advisories by searching for `type:malware` in the {% data variables.product.prodname_advisory_database %}. + +Our malware advisories are mostly about substitution attacks. During this type of attack, an attacker publishes a package to the public registry with the same name as a dependency that users rely on from a third party or private registry, with the hope that the malicious version is consumed. {% data variables.product.prodname_dependabot %} doesn’t look at project configurations to determine if the packages are coming from a private registry, so we aren't sure if you're using the malicious version or a non-malicious version. Users who have their dependencies appropriately scoped should not be affected by malware. + +{% endif %} + ## About information in security advisories In this section, you can find more detailed information about security advisories in the {% data variables.product.prodname_advisory_database %}, such as: diff --git a/content/code-security/security-advisories/working-with-global-security-advisories-from-the-github-advisory-database/browsing-security-advisories-in-the-github-advisory-database.md b/content/code-security/security-advisories/working-with-global-security-advisories-from-the-github-advisory-database/browsing-security-advisories-in-the-github-advisory-database.md index e109bd74b4..63400847ae 100644 --- a/content/code-security/security-advisories/working-with-global-security-advisories-from-the-github-advisory-database/browsing-security-advisories-in-the-github-advisory-database.md +++ b/content/code-security/security-advisories/working-with-global-security-advisories-from-the-github-advisory-database/browsing-security-advisories-in-the-github-advisory-database.md @@ -59,7 +59,7 @@ You can search the database, and use qualifiers to narrow your search. For examp | Qualifier | Example | | ------------- | ------------- | | `type:reviewed`| [**type:reviewed**](https://github.com/advisories?query=type%3Areviewed) will show {% data variables.product.company_short %}-reviewed advisories for security vulnerabilities. | -{% ifversion GH-advisory-db-supports-malware %}| `type:malware` | [**type:malware**](https://github.com/advisories?query=type%3Amalware) will show {% data variables.product.company_short %}-reviewed advisories for malware. | +{% ifversion GH-advisory-db-supports-malware %}| `type:malware` | [**type:malware**](https://github.com/advisories?query=type%3Amalware) will show malware advisories. | {% endif %}| `type:unreviewed`| [**type:unreviewed**](https://github.com/advisories?query=type%3Aunreviewed) will show unreviewed advisories. | | `GHSA-ID`| [**GHSA-49wp-qq6x-g2rf**](https://github.com/advisories?query=GHSA-49wp-qq6x-g2rf) will show the advisory with this {% data variables.product.prodname_advisory_database %} ID. | | `CVE-ID`| [**CVE-2020-28482**](https://github.com/advisories?query=CVE-2020-28482) will show the advisory with this CVE ID number. | diff --git a/content/code-security/supply-chain-security/understanding-your-software-supply-chain/about-supply-chain-security.md b/content/code-security/supply-chain-security/understanding-your-software-supply-chain/about-supply-chain-security.md index 8c8a40717b..286cdb9298 100644 --- a/content/code-security/supply-chain-security/understanding-your-software-supply-chain/about-supply-chain-security.md +++ b/content/code-security/supply-chain-security/understanding-your-software-supply-chain/about-supply-chain-security.md @@ -41,7 +41,7 @@ The dependency graph is central to supply chain security. The dependency graph i Other supply chain features on {% data variables.product.prodname_dotcom %} rely on the information provided by the dependency graph. - Dependency review uses the dependency graph to identify dependency changes and help you understand the security impact of these changes when you review pull requests. -- {% data variables.product.prodname_dependabot %} cross-references dependency data provided by the dependency graph with the list of advisories published in the {% data variables.product.prodname_advisory_database %}, scans your dependencies and generates {% data variables.product.prodname_dependabot_alerts %} when a potential vulnerability {% ifversion GH-advisory-db-supports-malware %}or malware{% endif %} is detected. +- {% data variables.product.prodname_dependabot %} cross-references dependency data provided by the dependency graph with the list of advisories published in the {% data variables.product.prodname_advisory_database %}, scans your dependencies and generates {% data variables.product.prodname_dependabot_alerts %} when a potential vulnerability is detected. {% ifversion fpt or ghec or ghes %}- {% data variables.product.prodname_dependabot_security_updates %} use the dependency graph and {% data variables.product.prodname_dependabot_alerts %} to help you update dependencies with known vulnerabilities in your repository. {% data variables.product.prodname_dependabot_version_updates %} don't use the dependency graph and rely on the semantic versioning of dependencies instead. {% data variables.product.prodname_dependabot_version_updates %} help you keep your dependencies updated, even when they don’t have any vulnerabilities. @@ -110,7 +110,7 @@ The term "{% data variables.product.prodname_dependabot %}" encompasses the foll #### What are Dependabot alerts -{% data variables.product.prodname_dependabot_alerts %} highlight repositories affected by a newly discovered vulnerability based on the dependency graph and the {% data variables.product.prodname_advisory_database %}, which contains advisories for known vulnerabilities{% ifversion GH-advisory-db-supports-malware %} and malware{% endif %}. +{% data variables.product.prodname_dependabot_alerts %} highlight repositories affected by a newly discovered vulnerability based on the dependency graph and the {% data variables.product.prodname_advisory_database %}, which contains advisories for known vulnerabilities. - {% data variables.product.prodname_dependabot %} performs a scan to detect insecure dependencies and sends {% data variables.product.prodname_dependabot_alerts %} when: {% ifversion fpt or ghec %} diff --git a/data/reusables/advisory-database/github-reviewed-overview.md b/data/reusables/advisory-database/github-reviewed-overview.md new file mode 100644 index 0000000000..14aedbcd90 --- /dev/null +++ b/data/reusables/advisory-database/github-reviewed-overview.md @@ -0,0 +1 @@ +{% data variables.product.company_short %}-reviewed advisories are security vulnerabilities that have been mapped to packages in ecosystems we support. We carefully review each advisory for validity and ensure that they have a full description, and contain both ecosystem and package information. diff --git a/data/reusables/advisory-database/malware-overview.md b/data/reusables/advisory-database/malware-overview.md new file mode 100644 index 0000000000..dc53151352 --- /dev/null +++ b/data/reusables/advisory-database/malware-overview.md @@ -0,0 +1 @@ +Malware advisories relate to vulnerabilities caused by malware, and are security advisories that {% data variables.product.prodname_dotcom %} publishes automatically into the {% data variables.product.prodname_advisory_database %}, directly from information provided by the npm security team. Malware advisories are exclusive to the npm ecosystem. {% data variables.product.prodname_dotcom %} doesn't edit or accept community contributions on these advisories. diff --git a/data/reusables/advisory-database/unreviewed-overview.md b/data/reusables/advisory-database/unreviewed-overview.md new file mode 100644 index 0000000000..6ab33614a2 --- /dev/null +++ b/data/reusables/advisory-database/unreviewed-overview.md @@ -0,0 +1 @@ +Unreviewed advisories are security vulnerabilities that we publish automatically into the {% data variables.product.prodname_advisory_database %}, directly from the National Vulnerability Database feed. diff --git a/data/reusables/dependabot/no-dependabot-alerts-for-malware.md b/data/reusables/dependabot/no-dependabot-alerts-for-malware.md new file mode 100644 index 0000000000..95bfbf3f27 --- /dev/null +++ b/data/reusables/dependabot/no-dependabot-alerts-for-malware.md @@ -0,0 +1,5 @@ +{% ifversion GH-advisory-db-supports-malware %} + +{% data variables.product.prodname_dependabot %} doesn't generate {% data variables.product.prodname_dependabot_alerts %} for malware. For more information, see "[AUTOTITLE](/code-security/security-advisories/working-with-global-security-advisories-from-the-github-advisory-database/about-the-github-advisory-database#malware-advisories)." + +{% endif %} diff --git a/data/reusables/repositories/dependency-review.md b/data/reusables/repositories/dependency-review.md index ad49ab4b50..7757225ed4 100644 --- a/data/reusables/repositories/dependency-review.md +++ b/data/reusables/repositories/dependency-review.md @@ -1 +1 @@ -Additionally, {% data variables.product.prodname_dotcom %} can review any dependencies added, updated, or removed in a pull request made against the default branch of a repository, and flag any changes that would reduce the security of your project. This allows you to spot and deal with vulnerable dependencies{% ifversion GH-advisory-db-supports-malware %} or malware{% endif %} before, rather than after, they reach your codebase. For more information, see "[AUTOTITLE](/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/reviewing-dependency-changes-in-a-pull-request)." +Additionally, {% data variables.product.prodname_dotcom %} can review any dependencies added, updated, or removed in a pull request made against the default branch of a repository, and flag any changes that would reduce the security of your project. This allows you to spot and deal with vulnerable dependencies before, rather than after, they reach your codebase. For more information, see "[AUTOTITLE](/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/reviewing-dependency-changes-in-a-pull-request)."