From ab2a2271c8a58b759c850c2f35310b63bbb550b9 Mon Sep 17 00:00:00 2001 
From: Sarita Iyer Date: Wed, 16 Feb 2022 13:10:32 -0500 Subject: [PATCH] rename section and update urls with it + add info on editing --- content/code-security/guides.md | 22 ++++++++-------- content/code-security/index.md | 6 ++--- ...-disclosure-of-security-vulnerabilities.md | 6 +++-- ...ub-security-advisories-for-repositories.md | 10 +++---- ...rator-to-a-repository-security-advisory.md | 10 +++---- ...lve-a-repository-security-vulnerability.md | 10 +++---- ...creating-a-repository-security-advisory.md | 8 +++--- .../editing-a-repository-security-advisory.md | 2 +- .../index.md | 5 ++-- ...vels-for-repository-security-advisories.md | 26 +++++++++---------- ...blishing-a-repository-security-advisory.md | 12 ++++----- ...tor-from-a-repository-security-advisory.md | 4 +-- ...hdrawing-a-repository-security-advisory.md | 2 +- ...isories-in-the-github-advisory-database.md | 3 +++ data/learning-tracks/code-security.yml | 20 +++++++------- 15 files changed, 76 insertions(+), 70 deletions(-) rename content/code-security/{security-advisories => repository-security-advisories}/about-coordinated-disclosure-of-security-vulnerabilities.md (95%) rename content/code-security/{security-advisories => repository-security-advisories}/about-github-security-advisories-for-repositories.md (87%) rename content/code-security/{security-advisories => repository-security-advisories}/adding-a-collaborator-to-a-repository-security-advisory.md (76%) rename content/code-security/{security-advisories => repository-security-advisories}/collaborating-in-a-temporary-private-fork-to-resolve-a-repository-security-vulnerability.md (90%) rename content/code-security/{security-advisories => repository-security-advisories}/creating-a-repository-security-advisory.md (81%) rename content/code-security/{security-advisories => repository-security-advisories}/editing-a-repository-security-advisory.md (95%) rename content/code-security/{security-advisories => repository-security-advisories}/index.md (85%) 
rename content/code-security/{security-advisories => repository-security-advisories}/permission-levels-for-repository-security-advisories.md (60%) rename content/code-security/{security-advisories => repository-security-advisories}/publishing-a-repository-security-advisory.md (89%) rename content/code-security/{security-advisories => repository-security-advisories}/removing-a-collaborator-from-a-repository-security-advisory.md (90%) rename content/code-security/{security-advisories => repository-security-advisories}/withdrawing-a-repository-security-advisory.md (83%) diff --git a/content/code-security/guides.md b/content/code-security/guides.md index dc02e729e6..494aaeb693 100644 --- a/content/code-security/guides.md +++ b/content/code-security/guides.md @@ -9,7 +9,7 @@ versions: ghae: '*' ghec: '*' learningTracks: - - security_advisories + - repository_security_advisories - dependabot_alerts - dependabot_security_updates - dependency_version_updates 
@@ -47,16 +47,16 @@ includeGuides: - /code-security/code-scanning/using-codeql-code-scanning-with-your-existing-ci-system/installing-codeql-cli-in-your-ci-system - /code-security/code-scanning/using-codeql-code-scanning-with-your-existing-ci-system/running-codeql-runner-in-your-ci-system - /code-security/code-scanning/using-codeql-code-scanning-with-your-existing-ci-system/troubleshooting-codeql-runner-in-your-ci-system - - /code-security/security-advisories/about-coordinated-disclosure-of-security-vulnerabilities - - /code-security/security-advisories/about-github-security-advisories - - /code-security/security-advisories/adding-a-collaborator-to-a-security-advisory - - /code-security/security-advisories/collaborating-in-a-temporary-private-fork-to-resolve-a-security-vulnerability - - /code-security/security-advisories/creating-a-security-advisory - - /code-security/security-advisories/editing-a-security-advisory - - /code-security/security-advisories/permission-levels-for-security-advisories - - /code-security/security-advisories/publishing-a-security-advisory - - /code-security/security-advisories/removing-a-collaborator-from-a-security-advisory - - /code-security/security-advisories/withdrawing-a-security-advisory + - /code-security/repository-security-advisories/about-coordinated-disclosure-of-security-vulnerabilities + - /code-security/repository-security-advisories/about-github-security-advisories-for-repositories + - /code-security/repository-security-advisories/adding-a-collaborator-to-a-repository-security-advisory + - /code-security/repository-security-advisories/collaborating-in-a-temporary-private-fork-to-resolve-a-repository-security-vulnerability + - /code-security/repository-security-advisories/creating-a-repository-security-advisory + - /code-security/repository-security-advisories/editing-a-repository-security-advisory + - /code-security/repository-security-advisories/permission-levels-for-repository-security-advisories + - 
/code-security/repository-security-advisories/publishing-a-repository-security-advisory + - /code-security/repository-security-advisories/removing-a-collaborator-from-a-repository-security-advisory + - /code-security/repository-security-advisories/withdrawing-a-repository-security-advisory - /code-security/security-overview/about-the-security-overview - /code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/about-dependabot-version-updates - /code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/automating-dependabot-with-github-actions diff --git a/content/code-security/index.md b/content/code-security/index.md index 49eee619c6..4cc88fec92 100644 --- a/content/code-security/index.md +++ b/content/code-security/index.md @@ -8,7 +8,7 @@ featuredLinks: guides: - /code-security/getting-started/securing-your-repository - /code-security/getting-started/securing-your-organization - - '{% ifversion fpt %}/code-security/security-advisories/creating-a-security-advisory{% endif %}' + - '{% ifversion fpt %}/code-security/repository-security-advisories/creating-a-repository-security-advisory{% endif %}' - '{% ifversion ghes or ghae %}/code-security/secure-coding/automatically-scanning-your-code-for-vulnerabilities-and-errors/setting-up-code-scanning-for-a-repository{% endif%}' guideCards: - '{% ifversion fpt %}/code-security/supply-chain-security/managing-vulnerabilities-in-your-projects-dependencies/configuring-dependabot-security-updates{% endif %}' 
@@ -22,7 +22,7 @@ featuredLinks: popular: - '{% ifversion ghes %}/admin/release-notes{% endif %}' - /code-security/supply-chain-security/managing-vulnerabilities-in-your-projects-dependencies/about-alerts-for-vulnerable-dependencies - - /code-security/security-advisories/about-coordinated-disclosure-of-security-vulnerabilities + - /code-security/repository-security-advisories/about-coordinated-disclosure-of-security-vulnerabilities - /code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/keeping-your-actions-up-to-date-with-dependabot - /code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/configuration-options-for-dependency-updates - /code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/managing-encrypted-secrets-for-dependabot @@ -51,7 +51,7 @@ children: - /getting-started - /secret-scanning - /code-scanning - - /security-advisories + - /repository-security-advisories - /supply-chain-security - /security-overview - /guides diff --git a/content/code-security/security-advisories/about-coordinated-disclosure-of-security-vulnerabilities.md b/content/code-security/repository-security-advisories/about-coordinated-disclosure-of-security-vulnerabilities.md similarity index 95% rename from content/code-security/security-advisories/about-coordinated-disclosure-of-security-vulnerabilities.md rename to content/code-security/repository-security-advisories/about-coordinated-disclosure-of-security-vulnerabilities.md index 169d39ee72..0f8b4d0573 100644 --- a/content/code-security/security-advisories/about-coordinated-disclosure-of-security-vulnerabilities.md +++ b/content/code-security/repository-security-advisories/about-coordinated-disclosure-of-security-vulnerabilities.md 
@@ -1,6 +1,8 @@
 ---
 title: About coordinated disclosure of security vulnerabilities
 intro: Vulnerability disclosure is a coordinated effort between security reporters and repository maintainers.
+redirect_from:
+- /code-security/security-advisories/about-coordinated-disclosure-of-security-vulnerabilities
 miniTocMaxHeadingLevel: 3
 versions:
 fpt: '*'
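Review bot: The old URL of this page is covered by the added `redirect_from`, but per the diffstat the other nine renamed pages (about-github-security-advisories-for-repositories through withdrawing-a-repository-security-advisory) change only their cross-links, so their former `/code-security/security-advisories/<page>` URLs appear to get no redirect; the section-level `- /code-security/security-advisories` added in the index.md hunk covers the landing page only, unless the site's redirect layer also maps child paths, which this patch does not show. Inbound links from published advisories, security policies and search results to those pages would then break, which matters more for security guidance than for ordinary docs. Each renamed file should carry the equivalent entry, e.g. `redirect_from:` followed by `  - /code-security/security-advisories/<old-page-name>`. As a point of style, this hunk's list item is flush (`- /code-security/...`) while the index.md `redirect_from` items are indented two spaces; pick one form across the section.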
@@ -63,7 +65,7 @@ The process for reporting and disclosing vulnerabilities for projects on {% data If you are a maintainer, you can take ownership of the process at the very beginning of the pipeline by setting up a security policy for your repository, or otherwise making security reporting instructions clearly available, for example in your project’s README file. For information about adding a security policy, see "[About security policies](/code-security/getting-started/adding-a-security-policy-to-your-repository#about-security-policies)." If there is no security policy, it's likely that a vulnerability reporter will try to email you or otherwise privately contact you. Alternatively, someone may open a (public) issue with details of a security issue. - As a maintainer, to disclose a vulnerability in your code, you first create a draft security advisory in the package's repository in {% data variables.product.prodname_dotcom %}. {% data reusables.security-advisory.security-advisory-overview %} For more information, see "[About {% data variables.product.prodname_security_advisories %} for repositories](/code-security/security-advisories/about-github-security-advisories-for-repositories)." + As a maintainer, to disclose a vulnerability in your code, you first create a draft security advisory in the package's repository in {% data variables.product.prodname_dotcom %}. {% data reusables.security-advisory.security-advisory-overview %} For more information, see "[About {% data variables.product.prodname_security_advisories %} for repositories](/code-security/repository-security-advisories/about-github-security-advisories-for-repositories)." - To get started, see "[Creating a repository security advisory](/code-security/security-advisories/creating-a-repository-security-advisory)." + To get started, see "[Creating a repository security advisory](/code-security/repository-security-advisories/creating-a-repository-security-advisory)." 
diff --git a/content/code-security/security-advisories/about-github-security-advisories-for-repositories.md b/content/code-security/repository-security-advisories/about-github-security-advisories-for-repositories.md
similarity index 87%
rename from content/code-security/security-advisories/about-github-security-advisories-for-repositories.md
rename to content/code-security/repository-security-advisories/about-github-security-advisories-for-repositories.md
index 892333e81a..d7920f2446 100644
--- a/content/code-security/security-advisories/about-github-security-advisories-for-repositories.md
+++ b/content/code-security/repository-security-advisories/about-github-security-advisories-for-repositories.md
@@ -23,19 +23,19 @@ shortTitle: Repository security advisories ## About {% data variables.product.prodname_security_advisories %} -{% data reusables.security-advisory.disclosing-vulnerabilities %} For more information, see "[About coordinated disclosure of security vulnerabilities](/code-security/security-advisories/about-coordinated-disclosure-of-security-vulnerabilities)." +{% data reusables.security-advisory.disclosing-vulnerabilities %} For more information, see "[About coordinated disclosure of security vulnerabilities](/code-security/repository-security-advisories/about-coordinated-disclosure-of-security-vulnerabilities)." {% data reusables.security-advisory.security-advisory-overview %} With {% data variables.product.prodname_security_advisories %}, you can: -1. Create a draft security advisory, and use the draft to privately discuss the impact of the vulnerability on your project. For more information, see "[Creating a repository security advisory](/code-security/security-advisories/creating-a-repository-security-advisory)." +1. Create a draft security advisory, and use the draft to privately discuss the impact of the vulnerability on your project. For more information, see "[Creating a repository security advisory](/code-security/repository-security-advisories/creating-a-repository-security-advisory)." 2. Privately collaborate to fix the vulnerability in a temporary private fork. -3. Publish the security advisory to alert your community of the vulnerability once a patch is released. For more information, see "[Publishing a repository security advisory](/code-security/security-advisories/publishing-a-repository-security-advisory)." +3. Publish the security advisory to alert your community of the vulnerability once a patch is released. For more information, see "[Publishing a repository security advisory](/code-security/repository-security-advisories/publishing-a-repository-security-advisory)." 
{% data reusables.repositories.security-advisories-republishing %} -You can give credit to individuals who contributed to a security advisory. For more information, see "[Editing a repository security advisory](/code-security/security-advisories/editing-a-repository-security-advisory#about-credits-for-security-advisories)." +You can give credit to individuals who contributed to a security advisory. For more information, see "[Editing a repository security advisory](/code-security/repository-security-advisories/editing-a-repository-security-advisory#about-credits-for-security-advisories)." {% data reusables.repositories.security-guidelines %} @@ -54,7 +54,7 @@ If a security advisory is specifically for npm, we also publish the advisory to When you create a security advisory for a public repository on {% data variables.product.prodname_dotcom %}, you have the option of providing an existing CVE identification number for the security vulnerability. {% data reusables.repositories.request-security-advisory-cve-id %} Once you've published the security advisory and {% data variables.product.prodname_dotcom %} has assigned a CVE identification number to the vulnerability, {% data variables.product.prodname_dotcom %} publishes the CVE to the MITRE database. -For more information, see "[Publishing a repository security advisory](/code-security/security-advisories/publishing-a-repository-security-advisory)." +For more information, see "[Publishing a repository security advisory](/code-security/repository-security-advisories/publishing-a-repository-security-advisory)." ## {% data variables.product.prodname_dependabot_alerts %} for published security advisories 
diff --git a/content/code-security/security-advisories/adding-a-collaborator-to-a-repository-security-advisory.md b/content/code-security/repository-security-advisories/adding-a-collaborator-to-a-repository-security-advisory.md
similarity index 76%
rename from content/code-security/security-advisories/adding-a-collaborator-to-a-repository-security-advisory.md
rename to content/code-security/repository-security-advisories/adding-a-collaborator-to-a-repository-security-advisory.md
index 42f8aef603..44d712e625 100644
--- a/content/code-security/security-advisories/adding-a-collaborator-to-a-repository-security-advisory.md
+++ b/content/code-security/repository-security-advisories/adding-a-collaborator-to-a-repository-security-advisory.md
@@ -23,11 +23,11 @@ People with admin permissions to a security advisory can add collaborators to th ## Adding a collaborator to a security advisory -Collaborators have write permissions to the security advisory. For more information, see "[Permission levels for repository security advisories](/code-security/security-advisories/permission-levels-for-repository-security-advisories)." +Collaborators have write permissions to the security advisory. For more information, see "[Permission levels for repository security advisories](/code-security/repository-security-advisories/permission-levels-for-repository-security-advisories)." {% note %} -{% data reusables.repositories.security-advisory-collaborators-public-repositories %} For more information about removing a collaborator on a security advisory, see "[Removing a collaborator from a repository security advisory](/code-security/security-advisories/removing-a-collaborator-from-a-repository-security-advisory)." +{% data reusables.repositories.security-advisory-collaborators-public-repositories %} For more information about removing a collaborator on a security advisory, see "[Removing a collaborator from a repository security advisory](/code-security/repository-security-advisories/removing-a-collaborator-from-a-repository-security-advisory)." {% endnote %} 
@@ -42,6 +42,6 @@ Collaborators have write permissions to the security advisory. For more informat ## Further reading -- "[Permission levels for repository security advisories](/code-security/security-advisories/permission-levels-for-repository-security-advisories)" -- "[Collaborating in a temporary private fork to resolve a repository security vulnerability](/code-security/security-advisories/collaborating-in-a-temporary-private-fork-to-resolve-a-repository-security-vulnerability)" -- "[Removing a collaborator from a repository security advisory](/code-security/security-advisories/removing-a-collaborator-from-a-repository-security-advisory)." +- "[Permission levels for repository security advisories](/code-security/repository-security-advisories/permission-levels-for-repository-security-advisories)" +- "[Collaborating in a temporary private fork to resolve a repository security vulnerability](/code-security/repository-security-advisories/collaborating-in-a-temporary-private-fork-to-resolve-a-repository-security-vulnerability)" +- "[Removing a collaborator from a repository security advisory](/code-security/repository-security-advisories/removing-a-collaborator-from-a-repository-security-advisory)." diff --git a/content/code-security/security-advisories/collaborating-in-a-temporary-private-fork-to-resolve-a-repository-security-vulnerability.md b/content/code-security/repository-security-advisories/collaborating-in-a-temporary-private-fork-to-resolve-a-repository-security-vulnerability.md similarity index 90% rename from content/code-security/security-advisories/collaborating-in-a-temporary-private-fork-to-resolve-a-repository-security-vulnerability.md rename to content/code-security/repository-security-advisories/collaborating-in-a-temporary-private-fork-to-resolve-a-repository-security-vulnerability.md index c15e84b96d..c2aed44197 100644 
--- a/content/code-security/security-advisories/collaborating-in-a-temporary-private-fork-to-resolve-a-repository-security-vulnerability.md +++ b/content/code-security/repository-security-advisories/collaborating-in-a-temporary-private-fork-to-resolve-a-repository-security-vulnerability.md @@ -21,7 +21,7 @@ shortTitle: Temporary private forks ## Prerequisites -Before you can collaborate in a temporary private fork, you must create a draft security advisory. For more information, see "[Creating a repository security advisory](/code-security/security-advisories/creating-a-repository-security-advisory)." +Before you can collaborate in a temporary private fork, you must create a draft security advisory. For more information, see "[Creating a repository security advisory](/code-security/repository-security-advisories/creating-a-repository-security-advisory)." ## Creating a temporary private fork @@ -39,7 +39,7 @@ To keep information about vulnerabilities secure, integrations, including CI, ca ## Adding collaborators to a temporary private fork -Anyone with admin permissions to a security advisory can add additional collaborators to the security advisory, and collaborators on the security advisory can access the temporary private fork. For more information, see "[Adding a collaborator to a repository security advisory](/code-security/security-advisories/adding-a-collaborator-to-a-repository-security-advisory)." +Anyone with admin permissions to a security advisory can add additional collaborators to the security advisory, and collaborators on the security advisory can access the temporary private fork. For more information, see "[Adding a collaborator to a repository security advisory](/code-security/repository-security-advisories/adding-a-collaborator-to-a-repository-security-advisory)." ## Adding changes to a temporary private fork 
@@ -87,9 +87,9 @@ Before you can merge changes in a security advisory, every open pull request in 5. To merge all open pull requests in the temporary private fork, click **Merge pull requests**. ![Merge pull requests button](/assets/images/help/security/merge-pull-requests-button.png) -After you merge changes in a security advisory, you can publish the security advisory to alert your community about the security vulnerability in previous versions of your project. For more information, see "[Publishing a repository security advisory](/code-security/security-advisories/publishing-a-repository-security-advisory)." +After you merge changes in a security advisory, you can publish the security advisory to alert your community about the security vulnerability in previous versions of your project. For more information, see "[Publishing a repository security advisory](/code-security/repository-security-advisories/publishing-a-repository-security-advisory)." ## Further reading -- "[Permission levels for repository security advisories](/code-security/security-advisories/permission-levels-for-repository-security-advisories)" -- "[Publishing a repository security advisory](/code-security/security-advisories/publishing-a-repository-security-advisory)" +- "[Permission levels for repository security advisories](/code-security/repository-security-advisories/permission-levels-for-repository-security-advisories)" +- "[Publishing a repository security advisory](/code-security/repository-security-advisories/publishing-a-repository-security-advisory)" 
diff --git a/content/code-security/security-advisories/creating-a-repository-security-advisory.md b/content/code-security/repository-security-advisories/creating-a-repository-security-advisory.md
similarity index 81%
rename from content/code-security/security-advisories/creating-a-repository-security-advisory.md
rename to content/code-security/repository-security-advisories/creating-a-repository-security-advisory.md
index 61826dfc97..bd70aab1d9 100644
--- a/content/code-security/security-advisories/creating-a-repository-security-advisory.md
+++ b/content/code-security/repository-security-advisories/creating-a-repository-security-advisory.md
@@ -38,7 +38,7 @@ Anyone with admin permissions to a repository can create a security advisory. ## Next steps - Comment on the draft security advisory to discuss the vulnerability with your team. -- Add collaborators to the security advisory. For more information, see "[Adding a collaborator to a repository security advisory](/code-security/security-advisories/adding-a-collaborator-to-a-repository-security-advisory)." -- Privately collaborate to fix the vulnerability in a temporary private fork. For more information, see "[Collaborating in a temporary private fork to resolve a repository security vulnerability](/code-security/security-advisories/collaborating-in-a-temporary-private-fork-to-resolve-a-repository-security-vulnerability)." -- Add individuals who should receive credit for contributing to the security advisory. For more information, see "[Editing a repository security advisory](/code-security/security-advisories/editing-a-repository-security-advisory#about-credits-for-security-advisories)." -- Publish the security advisory to notify your community of the security vulnerability. For more information, see "[Publishing a repository security advisory](/code-security/security-advisories/publishing-a-repository-security-advisory)." +- Add collaborators to the security advisory. For more information, see "[Adding a collaborator to a repository security advisory](/code-security/repository-security-advisories/adding-a-collaborator-to-a-repository-security-advisory)." +- Privately collaborate to fix the vulnerability in a temporary private fork. For more information, see "[Collaborating in a temporary private fork to resolve a repository security vulnerability](/code-security/repository-security-advisories/collaborating-in-a-temporary-private-fork-to-resolve-a-repository-security-vulnerability)." +- Add individuals who should receive credit for contributing to the security advisory. 
For more information, see "[Editing a repository security advisory](/code-security/repository-security-advisories/editing-a-repository-security-advisory#about-credits-for-security-advisories)." +- Publish the security advisory to notify your community of the security vulnerability. For more information, see "[Publishing a repository security advisory](/code-security/repository-security-advisories/publishing-a-repository-security-advisory)." diff --git a/content/code-security/security-advisories/editing-a-repository-security-advisory.md b/content/code-security/repository-security-advisories/editing-a-repository-security-advisory.md similarity index 95% rename from content/code-security/security-advisories/editing-a-repository-security-advisory.md rename to content/code-security/repository-security-advisories/editing-a-repository-security-advisory.md index 0d3239c9c5..ccb6e9ba67 100644 --- a/content/code-security/security-advisories/editing-a-repository-security-advisory.md +++ b/content/code-security/repository-security-advisories/editing-a-repository-security-advisory.md @@ -46,4 +46,4 @@ If you believe you should be credited for a security advisory, please contact th ## Further reading -- "[Withdrawing a repository security advisory](/code-security/security-advisories/withdrawing-a-repository-security-advisory)" +- "[Withdrawing a repository security advisory](/code-security/repository-security-advisories/withdrawing-a-repository-security-advisory)" diff --git a/content/code-security/security-advisories/index.md b/content/code-security/repository-security-advisories/index.md similarity index 85% rename from content/code-security/security-advisories/index.md rename to content/code-security/repository-security-advisories/index.md index 6bb913b64b..58bf1aeb14 100644 --- a/content/code-security/security-advisories/index.md +++ b/content/code-security/repository-security-advisories/index.md 
@@ -1,10 +1,11 @@ --- -title: Managing security advisories for vulnerabilities in your project -shortTitle: Security advisories +title: Managing repository security advisories for vulnerabilities in your project +shortTitle: Repository security advisories intro: 'Discuss, fix, and disclose security vulnerabilities in your repositories using repository security advisories.' redirect_from: - /articles/managing-security-vulnerabilities-in-your-project - /github/managing-security-vulnerabilities/managing-security-vulnerabilities-in-your-project + - /code-security/security-advisories versions: fpt: '*' ghec: '*' diff --git a/content/code-security/security-advisories/permission-levels-for-repository-security-advisories.md b/content/code-security/repository-security-advisories/permission-levels-for-repository-security-advisories.md similarity index 60% rename from content/code-security/security-advisories/permission-levels-for-repository-security-advisories.md rename to content/code-security/repository-security-advisories/permission-levels-for-repository-security-advisories.md index d5662515ef..110e83d07b 100644 --- a/content/code-security/security-advisories/permission-levels-for-repository-security-advisories.md +++ b/content/code-security/repository-security-advisories/permission-levels-for-repository-security-advisories.md 
@@ -20,25 +20,25 @@ This article applies only to repository-level security advisories. Anyone can co
 ## Permissions overview
-{% data reusables.repositories.security-advisory-admin-permissions %} For more information about adding a collaborator to a security advisory, see "[Adding a collaborator to a repository security advisory](/code-security/security-advisories/adding-a-collaborator-to-a-repository-security-advisory)."
+{% data reusables.repositories.security-advisory-admin-permissions %} For more information about adding a collaborator to a security advisory, see "[Adding a collaborator to a repository security advisory](/code-security/repository-security-advisories/adding-a-collaborator-to-a-repository-security-advisory)."
 Action | Write permissions | Admin permissions |
 ------ | ----------------- | ----------------- |
 See a draft security advisory | X | X |
-Add collaborators to the security advisory (see "[Adding a collaborator to a repository security advisory](/code-security/security-advisories/adding-a-collaborator-to-a-repository-security-advisory)") | | X |
+Add collaborators to the security advisory (see "[Adding a collaborator to a repository security advisory](/code-security/repository-security-advisories/adding-a-collaborator-to-a-repository-security-advisory)") | | X |
 Edit and delete any comments in the security advisory | X | X |
-Create a temporary private fork in the security advisory (see "[Collaborating in a temporary private fork to resolve a repository security vulnerability](/code-security/security-advisories/collaborating-in-a-temporary-private-fork-to-resolve-a-repository-security-vulnerability)") | | X |
-Add changes to a temporary private fork in the security advisory (see "[Collaborating in a temporary private fork to resolve a repository security vulnerability](/code-security/security-advisories/collaborating-in-a-temporary-private-fork-to-resolve-a-repository-security-vulnerability)") | X | X |
-Create pull requests in a temporary private fork (see "[Collaborating in a temporary private fork to resolve a repository security vulnerability](/code-security/security-advisories/collaborating-in-a-temporary-private-fork-to-resolve-a-repository-security-vulnerability)") | X | X |
-Merge changes in the security advisory (see "[Collaborating in a temporary private fork to resolve a repository security vulnerability](/code-security/security-advisories/collaborating-in-a-temporary-private-fork-to-resolve-a-repository-security-vulnerability)") | | X |
-Add and edit metadata in the security advisory (see "[Publishing a repository security advisory](/code-security/security-advisories/publishing-a-repository-security-advisory)") | X | X |
-Add and remove credits for a security advisory (see "[Editing a repository security advisory](/code-security/security-advisories/editing-a-repository-security-advisory)") | X | X |
+Create a temporary private fork in the security advisory (see "[Collaborating in a temporary private fork to resolve a repository security vulnerability](/code-security/repository-security-advisories/collaborating-in-a-temporary-private-fork-to-resolve-a-repository-security-vulnerability)") | | X |
+Add changes to a temporary private fork in the security advisory (see "[Collaborating in a temporary private fork to resolve a repository security vulnerability](/code-security/repository-security-advisories/collaborating-in-a-temporary-private-fork-to-resolve-a-repository-security-vulnerability)") | X | X |
+Create pull requests in a temporary private fork (see "[Collaborating in a temporary private fork to resolve a repository security vulnerability](/code-security/repository-security-advisories/collaborating-in-a-temporary-private-fork-to-resolve-a-repository-security-vulnerability)") | X | X |
+Merge changes in the security advisory (see "[Collaborating in a temporary private fork to resolve a repository security vulnerability](/code-security/repository-security-advisories/collaborating-in-a-temporary-private-fork-to-resolve-a-repository-security-vulnerability)") | | X |
+Add and edit metadata in the security advisory (see "[Publishing a repository security advisory](/code-security/repository-security-advisories/publishing-a-repository-security-advisory)") | X | X |
+Add and remove credits for a security advisory (see "[Editing a repository security advisory](/code-security/repository-security-advisories/editing-a-repository-security-advisory)") | X | X |
 Close the draft security advisory | | X |
-Publish the security advisory (see "[Publishing a repository security advisory](/code-security/security-advisories/publishing-a-repository-security-advisory)") | | X |
+Publish the security advisory (see "[Publishing a repository security advisory](/code-security/repository-security-advisories/publishing-a-repository-security-advisory)") | | X |
 ## Further reading
-- "[Adding a collaborator to a repository security advisory](/code-security/security-advisories/adding-a-collaborator-to-a-repository-security-advisory)"
-- "[Collaborating in a temporary private fork to resolve a repository security vulnerability](/code-security/security-advisories/collaborating-in-a-temporary-private-fork-to-resolve-a-repository-security-vulnerability)"
-- "[Removing a collaborator from a repository security advisory](/code-security/security-advisories/removing-a-collaborator-from-a-repository-security-advisory)"
-- "[Withdrawing a repository security advisory](/code-security/security-advisories/withdrawing-a-repository-security-advisory)"
+- "[Adding a collaborator to a repository security advisory](/code-security/repository-security-advisories/adding-a-collaborator-to-a-repository-security-advisory)"
+- "[Collaborating in a temporary private fork to resolve a repository security vulnerability](/code-security/repository-security-advisories/collaborating-in-a-temporary-private-fork-to-resolve-a-repository-security-vulnerability)"
+- "[Removing a collaborator from a repository security advisory](/code-security/repository-security-advisories/removing-a-collaborator-from-a-repository-security-advisory)"
+- "[Withdrawing a repository security advisory](/code-security/repository-security-advisories/withdrawing-a-repository-security-advisory)"
diff --git a/content/code-security/security-advisories/publishing-a-repository-security-advisory.md b/content/code-security/repository-security-advisories/publishing-a-repository-security-advisory.md
similarity index 89%
rename from content/code-security/security-advisories/publishing-a-repository-security-advisory.md
rename to content/code-security/repository-security-advisories/publishing-a-repository-security-advisory.md
index f1579706a7..ca1864d977 100644
--- a/content/code-security/security-advisories/publishing-a-repository-security-advisory.md
+++ b/content/code-security/repository-security-advisories/publishing-a-repository-security-advisory.md
@@ -25,9 +25,9 @@ Anyone with admin permissions to a security advisory can publish the security ad
 ## Prerequisites
-Before you can publish a security advisory or request a CVE identification number, you must create a draft security advisory and provide information about the versions of your project affected by the security vulnerability. For more information, see "[Creating a repository security advisory](/code-security/security-advisories/creating-a-repository-security-advisory)."
+Before you can publish a security advisory or request a CVE identification number, you must create a draft security advisory and provide information about the versions of your project affected by the security vulnerability. For more information, see "[Creating a repository security advisory](/code-security/repository-security-advisories/creating-a-repository-security-advisory)."
-If you've created a security advisory but haven't yet provided details about the versions of your project that the security vulnerability affects, you can edit the security advisory. For more information, see "[Editing a repository security advisory](/code-security/security-advisories/editing-a-repository-security-advisory)."
+If you've created a security advisory but haven't yet provided details about the versions of your project that the security vulnerability affects, you can edit the security advisory. For more information, see "[Editing a repository security advisory](/code-security/repository-security-advisories/editing-a-repository-security-advisory)."
 ## About publishing a security advisory
@@ -35,7 +35,7 @@ When you publish a security advisory, you notify your community about the securi
 {% data reusables.repositories.security-advisories-republishing %}
-Before you publish a security advisory, you can privately collaborate to fix the vulnerability in a temporary private fork. For more information, see "[Collaborating in a temporary private fork to resolve a repository security vulnerability](/code-security/security-advisories/collaborating-in-a-temporary-private-fork-to-resolve-a-repository-security-vulnerability)."
+Before you publish a security advisory, you can privately collaborate to fix the vulnerability in a temporary private fork. For more information, see "[Collaborating in a temporary private fork to resolve a repository security vulnerability](/code-security/repository-security-advisories/collaborating-in-a-temporary-private-fork-to-resolve-a-repository-security-vulnerability)."
 {% warning %}
@@ -62,7 +62,7 @@ When you publish a draft advisory from a public repository, everyone is able to
 After you publish a security advisory, the URL for the security advisory will remain the same as before you published the security advisory. Anyone with read access to the repository can see the security advisory. Collaborators on the security advisory can continue to view past conversations, including the full comment stream, in the security advisory unless someone with admin permissions removes the collaborator from the security advisory.
-If you need to update or correct information in a security advisory that you've published, you can edit the security advisory. For more information, see "[Editing a repository security advisory](/code-security/security-advisories/editing-a-repository-security-advisory)."
+If you need to update or correct information in a security advisory that you've published, you can edit the security advisory. For more information, see "[Editing a repository security advisory](/code-security/repository-security-advisories/editing-a-repository-security-advisory)."
 ## Publishing a security advisory
@@ -82,7 +82,7 @@ Publishing a security advisory deletes the temporary private fork for the securi
 ## Requesting a CVE identification number (Optional)
-{% data reusables.repositories.request-security-advisory-cve-id %} For more information, see "[About {% data variables.product.prodname_security_advisories %} for repositories](/code-security/security-advisories/about-github-security-advisories-for-repositories#cve-identification-numbers)."
+{% data reusables.repositories.request-security-advisory-cve-id %} For more information, see "[About {% data variables.product.prodname_security_advisories %} for repositories](/code-security/repository-security-advisories/about-github-security-advisories-for-repositories#cve-identification-numbers)."
 {% data reusables.repositories.navigate-to-repo %}
 {% data reusables.repositories.sidebar-security %}
@@ -96,4 +96,4 @@ Publishing a security advisory deletes the temporary private fork for the securi
 ## Further reading
-- "[Withdrawing a repository security advisory](/code-security/security-advisories/withdrawing-a-repository-security-advisory)"
+- "[Withdrawing a repository security advisory](/code-security/repository-security-advisories/withdrawing-a-repository-security-advisory)"
diff --git a/content/code-security/security-advisories/removing-a-collaborator-from-a-repository-security-advisory.md b/content/code-security/repository-security-advisories/removing-a-collaborator-from-a-repository-security-advisory.md
similarity index 90%
rename from content/code-security/security-advisories/removing-a-collaborator-from-a-repository-security-advisory.md
rename to content/code-security/repository-security-advisories/removing-a-collaborator-from-a-repository-security-advisory.md
index c249916f97..12ff241bc1 100644
--- a/content/code-security/security-advisories/removing-a-collaborator-from-a-repository-security-advisory.md
+++ b/content/code-security/repository-security-advisories/removing-a-collaborator-from-a-repository-security-advisory.md
@@ -35,5 +35,5 @@ People with admin permissions to a security advisory can remove collaborators fr
 ## Further reading
-- "[Permission levels for repository security advisories](/code-security/security-advisories/permission-levels-for-repository-security-advisories)"
-- "[Adding a collaborator to a repository security advisory](/code-security/security-advisories/adding-a-collaborator-to-a-repository-security-advisory)"
+- "[Permission levels for repository security advisories](/code-security/repository-security-advisories/permission-levels-for-repository-security-advisories)"
+- "[Adding a collaborator to a repository security advisory](/code-security/repository-security-advisories/adding-a-collaborator-to-a-repository-security-advisory)"
diff --git a/content/code-security/security-advisories/withdrawing-a-repository-security-advisory.md b/content/code-security/repository-security-advisories/withdrawing-a-repository-security-advisory.md
similarity index 83%
rename from content/code-security/security-advisories/withdrawing-a-repository-security-advisory.md
rename to content/code-security/repository-security-advisories/withdrawing-a-repository-security-advisory.md
index a5e640a63b..f4b6557d60 100644
--- a/content/code-security/security-advisories/withdrawing-a-repository-security-advisory.md
+++ b/content/code-security/repository-security-advisories/withdrawing-a-repository-security-advisory.md
@@ -20,4 +20,4 @@ If you publish a security advisory in error, you can withdraw the security advis
 ## Further reading
-- "[Editing a repository security advisory](/code-security/security-advisories/editing-a-repository-security-advisory)"
+- "[Editing a repository security advisory](/code-security/repository-security-advisories/editing-a-repository-security-advisory)"
diff --git a/content/code-security/supply-chain-security/managing-vulnerabilities-in-your-projects-dependencies/editing-security-advisories-in-the-github-advisory-database.md b/content/code-security/supply-chain-security/managing-vulnerabilities-in-your-projects-dependencies/editing-security-advisories-in-the-github-advisory-database.md
index 147da78a3f..bd6cc59569 100644
--- a/content/code-security/supply-chain-security/managing-vulnerabilities-in-your-projects-dependencies/editing-security-advisories-in-the-github-advisory-database.md
+++ b/content/code-security/supply-chain-security/managing-vulnerabilities-in-your-projects-dependencies/editing-security-advisories-in-the-github-advisory-database.md
@@ -27,3 +27,6 @@ Only repository owners and administrators can edit repository-level security adv
 ![Suggest improvements link](/assets/images/help/security/suggest-improvements-to-advisory.png)
 4. In the contribution form, make the desired improvements. You can edit or add any detail.
 5. When you finish editing the advisory, click **Submit improvements**.
+6. Once you submit your improvements, a pull request containing your changes is created in [github/advisory-database](https://github.com/github/advisory-database) for review by the {% data variables.product.prodname_security %} curation team. If the advisory originated from a {% data variables.product.prodname_dotcom %} repository, we will also tag the original publisher for optional commentary. You can view the pull request and get notifications when it is updated or closed.
+
+You can also open a pull request directly on an advisory file in the [github/advisory-database](https://github.com/github/advisory-database) repository. For more information, see the [contribution guidelines](https://github.com/github/advisory-database/blob/main/CONTRIBUTING.md).
\ No newline at end of file
diff --git a/data/learning-tracks/code-security.yml b/data/learning-tracks/code-security.yml
index 965b34f65c..c181ae6701 100644
--- a/data/learning-tracks/code-security.yml
+++ b/data/learning-tracks/code-security.yml
@@ -1,17 +1,17 @@
 # Feature available only on dotcom
-security_advisories:
+repository_security_advisories:
   title: 'Fix and disclose a security vulnerability'
-  description: 'Using security advisories to privately fix a reported vulnerability and get a CVE.'
+  description: 'Using repository security advisories to privately fix a reported vulnerability and get a CVE.'
   featured_track: '{% ifversion fpt %}true{% else %}false{% endif %}'
   guides:
-    - /code-security/security-advisories/about-coordinated-disclosure-of-security-vulnerabilities
-    - /code-security/security-advisories/creating-a-security-advisory
-    - /code-security/security-advisories/adding-a-collaborator-to-a-security-advisory
-    - /code-security/security-advisories/collaborating-in-a-temporary-private-fork-to-resolve-a-security-vulnerability
-    - /code-security/security-advisories/publishing-a-security-advisory
-    - /code-security/security-advisories/editing-a-security-advisory
-    - /code-security/security-advisories/withdrawing-a-security-advisory
-    - /code-security/security-advisories/removing-a-collaborator-from-a-security-advisory
+    - /code-security/repository-security-advisories/about-coordinated-disclosure-of-security-vulnerabilities
+    - /code-security/repository-security-advisories/creating-a-repository-security-advisory
+    - /code-security/repository-security-advisories/adding-a-collaborator-to-a-repository-security-advisory
+    - /code-security/repository-security-advisories/collaborating-in-a-temporary-private-fork-to-resolve-a-repository-security-vulnerability
+    - /code-security/repository-security-advisories/publishing-a-repository-security-advisory
+    - /code-security/repository-security-advisories/editing-a-repository-security-advisory
+    - /code-security/repository-security-advisories/withdrawing-a-repository-security-advisory
+    - /code-security/repository-security-advisories/removing-a-collaborator-from-a-repository-security-advisory
 # Feature available on dotcom and GHES
 dependabot_alerts:
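Review bot: Renaming the track key from `security_advisories` to `repository_security_advisories` on the second line of the hunk is a data-contract change, not just a label: any page frontmatter that lists the track under its old key (presumably via `learningTracks`) would silently drop it, and a learning track that quietly disappears from the code-security landing page is easy to miss in review. The diffstat shows `content/code-security/guides.md` changed, which is presumably where that reference lives, but it is worth grepping for the old key across `content/` before merging. The old guide entries also used slugs (`creating-a-security-advisory`, `publishing-a-security-advisory`, …) that do not match the file names being renamed in this patch, so this hunk repairs stale links as well as following the section rename; I would record that coupling for the next maintainer with a comment above the key such as `# Key is referenced from page frontmatter; update those references when renaming this track.`.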