docs/content/code-security/dependabot/dependabot-alerts/browsing-security-vulnerabilities-in-the-github-advisory-database.md
mc 7b405ec6b1 Supply chain restructuring (#26105)
* reorganize supply chain docs
2022-03-17 17:31:04 +00:00

---
title: Browsing security vulnerabilities in the GitHub Advisory Database
intro: 'The {% data variables.product.prodname_advisory_database %} allows you to browse or search for vulnerabilities that affect open source projects on {% data variables.product.company_short %}.'
shortTitle: Browse Advisory Database
miniTocMaxHeadingLevel: 3
redirect_from:
  - /github/managing-security-vulnerabilities/browsing-security-vulnerabilities-in-the-github-advisory-database
  - /code-security/supply-chain-security/browsing-security-vulnerabilities-in-the-github-advisory-database
  - /code-security/supply-chain-security/managing-vulnerabilities-in-your-projects-dependencies/browsing-security-vulnerabilities-in-the-github-advisory-database
versions:
  fpt: '*'
  ghec: '*'
type: how_to
topics:
  - Security advisories
  - Alerts
  - Dependabot
  - Vulnerabilities
  - CVEs
---

## About security vulnerabilities

{% data reusables.repositories.a-vulnerability-is %}

## About the {% data variables.product.prodname_advisory_database %}

The {% data variables.product.prodname_advisory_database %} contains a list of known security vulnerabilities, grouped in two categories: {% data variables.product.company_short %}-reviewed advisories and unreviewed advisories.

{% data reusables.repositories.tracks-vulnerabilities %}

### About {% data variables.product.company_short %}-reviewed advisories

{% data variables.product.company_short %}-reviewed advisories are security vulnerabilities that have been mapped to packages tracked by the {% data variables.product.company_short %} dependency graph.

We carefully review each advisory for validity. Each {% data variables.product.company_short %}-reviewed advisory has a full description, and contains both ecosystem and package information.

If you enable {% data variables.product.prodname_dependabot_alerts %} for your repositories, you are automatically notified when a new {% data variables.product.company_short %}-reviewed advisory affects packages you depend on. For more information, see "About {% data variables.product.prodname_dependabot_alerts %}."

### About unreviewed advisories

Unreviewed advisories are security vulnerabilities that we publish automatically into the {% data variables.product.prodname_advisory_database %}, directly from the National Vulnerability Database feed.

{% data variables.product.prodname_dependabot %} doesn't create {% data variables.product.prodname_dependabot_alerts %} for unreviewed advisories as this type of advisory isn't checked for validity or completion.

## About security advisories

Each security advisory contains information about the vulnerability, which may include the description, severity, affected package, package ecosystem, affected versions and patched versions, impact, and optional information such as references, workarounds, and credits. In addition, advisories from the National Vulnerability Database list contain a link to the CVE record, where you can read more details about the vulnerability, its CVSS scores, and its qualitative severity level. For more information, see the "National Vulnerability Database" from the National Institute of Standards and Technology.

The severity level is one of four possible levels defined in the "Common Vulnerability Scoring System (CVSS), Section 5."

  • Low
  • Medium/Moderate
  • High
  • Critical

The {% data variables.product.prodname_advisory_database %} uses the CVSS levels described above. If {% data variables.product.company_short %} obtains a CVE, the {% data variables.product.prodname_advisory_database %} uses CVSS version 3.1. If the CVE is imported, the {% data variables.product.prodname_advisory_database %} supports both CVSS versions 3.0 and 3.1.

{% data reusables.repositories.github-security-lab %}

## Accessing an advisory in the {% data variables.product.prodname_advisory_database %}

  1. Navigate to https://github.com/advisories.

  2. Optionally, to filter the list, use any of the drop-down menus.
     (Screenshot: Dropdown filters)

     {% tip %}

     Tip: You can use the sidebar on the left to explore {% data variables.product.company_short %}-reviewed and unreviewed advisories separately.

     {% endtip %}

  3. Click on any advisory to view details.

{% note %}

The database is also accessible using the GraphQL API. For more information, see the "security_advisory webhook event."

{% endnote %}

## Editing an advisory in the {% data variables.product.prodname_advisory_database %}

You can suggest improvements to any advisory in the {% data variables.product.prodname_advisory_database %}. For more information, see "Editing security advisories in the {% data variables.product.prodname_advisory_database %}."

## Searching the {% data variables.product.prodname_advisory_database %}

You can search the database, and use qualifiers to narrow your search. For example, you can search for advisories created on a certain date, in a specific ecosystem, or in a particular library.

{% data reusables.time_date.date_format %} {% data reusables.time_date.time_format %}

{% data reusables.search.date_gt_lt %}

| Qualifier | Example |
| --------- | ------- |
| `type:reviewed` | `type:reviewed` will show {% data variables.product.company_short %}-reviewed advisories. |
| `type:unreviewed` | `type:unreviewed` will show unreviewed advisories. |
| `GHSA-ID` | `GHSA-49wp-qq6x-g2rf` will show the advisory with this {% data variables.product.prodname_advisory_database %} ID. |
| `CVE-ID` | `CVE-2020-28482` will show the advisory with this CVE ID number. |
| `ecosystem:ECOSYSTEM` | `ecosystem:npm` will show only advisories affecting NPM packages. |
| `severity:LEVEL` | `severity:high` will show only advisories with a high severity level. |
| `affects:LIBRARY` | `affects:lodash` will show only advisories affecting the lodash library. |
| `cwe:ID` | `cwe:352` will show only advisories with this CWE number. |
| `credit:USERNAME` | `credit:octocat` will show only advisories credited to the "octocat" user account. |
| `sort:created-asc` | `sort:created-asc` will sort by the oldest advisories first. |
| `sort:created-desc` | `sort:created-desc` will sort by the newest advisories first. |
| `sort:updated-asc` | `sort:updated-asc` will sort by the least recently updated first. |
| `sort:updated-desc` | `sort:updated-desc` will sort by the most recently updated first. |
| `is:withdrawn` | `is:withdrawn` will show only advisories that have been withdrawn. |
| `created:YYYY-MM-DD` | `created:2021-01-13` will show only advisories created on this date. |
| `updated:YYYY-MM-DD` | `updated:2021-01-13` will show only advisories updated on this date. |
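The note above says the database is also reachable through the GraphQL API, and the table maps the qualifiers you can type into the search box. The following is an added example (not code from the GitHub docs or from GitHub itself) that does the same filtering programmatically: it translates the `ecosystem:`, `affects:` and `severity:` qualifiers into variables for the GraphQL `securityVulnerabilities` connection, and triages the result by the CVSS qualitative levels the page lists, dropping withdrawn advisories (the `is:withdrawn` case). The query shape and field names are my understanding of the public schema and should be checked against the GraphQL reference; the sample response and every identifier in it are constructed so the triage logic runs offline.

```python
"""Query the GitHub Advisory Database over GraphQL and triage the result."""
import json
import urllib.request

GRAPHQL_URL = "https://api.github.com/graphql"

# Qualitative CVSS levels as listed on the page; lower rank = more urgent.
# The page spells the second level "Medium/Moderate"; the API enum uses MODERATE.
SEVERITY_RANK = {"CRITICAL": 0, "HIGH": 1, "MODERATE": 2, "LOW": 3}
SEVERITY_ALIASES = {"MEDIUM": "MODERATE"}

# Assumed schema: securityVulnerabilities(ecosystem, package, severities, ...).
QUERY = """
query($ecosystem: SecurityAdvisoryEcosystem, $package: String,
      $severities: [SecurityAdvisorySeverity!], $first: Int!) {
  securityVulnerabilities(first: $first, ecosystem: $ecosystem,
                          package: $package, severities: $severities,
                          orderBy: {field: UPDATED_AT, direction: DESC}) {
    nodes {
      severity
      vulnerableVersionRange
      firstPatchedVersion { identifier }
      package { ecosystem name }
      advisory { ghsaId summary withdrawnAt identifiers { type value } }
    }
  }
}
"""


def build_variables(ecosystem=None, package=None, severities=(), first=50):
    """Map the page's ecosystem:/affects:/severity: qualifiers to GraphQL
    variables, rejecting severity levels the database does not define."""
    levels = []
    for s in severities:
        level = SEVERITY_ALIASES.get(s.upper(), s.upper())
        if level not in SEVERITY_RANK:
            raise ValueError(f"unknown severity level: {s}")
        levels.append(level)
    return {"ecosystem": ecosystem.upper() if ecosystem else None,
            "package": package, "severities": levels or None, "first": first}


def fetch(token, variables):
    """Live call (not exercised offline): POST the query with a bearer token."""
    body = json.dumps({"query": QUERY, "variables": variables}).encode()
    req = urllib.request.Request(
        GRAPHQL_URL, data=body,
        headers={"Authorization": f"bearer {token}",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def triage(response):
    """Flatten a response into one record per (advisory, package), skip
    withdrawn advisories, and order by severity, then GHSA id."""
    records = []
    for node in response["data"]["securityVulnerabilities"]["nodes"]:
        adv = node["advisory"]
        if adv.get("withdrawnAt"):  # withdrawn advisories need no action
            continue
        cves = [i["value"] for i in adv["identifiers"] if i["type"] == "CVE"]
        patched = node.get("firstPatchedVersion")
        pkg = node["package"]
        records.append({
            "ghsa": adv["ghsaId"],
            "cve": cves[0] if cves else None,
            "severity": node["severity"],
            "package": f'{pkg["ecosystem"].lower()}:{pkg["name"]}',
            "vulnerable": node["vulnerableVersionRange"],
            "patched": patched["identifier"] if patched else None,  # None = no fix yet
        })
    records.sort(key=lambda r: (SEVERITY_RANK[r["severity"]], r["ghsa"]))
    return records


# Constructed sample response: placeholder ids, packages and versions only.
SAMPLE_RESPONSE = {"data": {"securityVulnerabilities": {"nodes": [
    {"severity": "HIGH", "vulnerableVersionRange": "< 3.2.1",
     "firstPatchedVersion": {"identifier": "3.2.1"},
     "package": {"ecosystem": "NPM", "name": "examplelib"},
     "advisory": {"ghsaId": "GHSA-xxxx-xxxx-0001", "summary": "constructed",
                  "withdrawnAt": None,
                  "identifiers": [{"type": "GHSA", "value": "GHSA-xxxx-xxxx-0001"},
                                  {"type": "CVE", "value": "CVE-0000-00001"}]}},
    {"severity": "CRITICAL", "vulnerableVersionRange": ">= 1.0.0, < 1.2.0",
     "firstPatchedVersion": None,
     "package": {"ecosystem": "PIP", "name": "examplepkg"},
     "advisory": {"ghsaId": "GHSA-xxxx-xxxx-0002", "summary": "constructed",
                  "withdrawnAt": None,
                  "identifiers": [{"type": "GHSA", "value": "GHSA-xxxx-xxxx-0002"}]}},
    {"severity": "LOW", "vulnerableVersionRange": "< 2.0.0",
     "firstPatchedVersion": {"identifier": "2.0.0"},
     "package": {"ecosystem": "NPM", "name": "withdrawn-example"},
     "advisory": {"ghsaId": "GHSA-xxxx-xxxx-0003", "summary": "constructed",
                  "withdrawnAt": "2021-01-13T00:00:00Z",
                  "identifiers": [{"type": "GHSA", "value": "GHSA-xxxx-xxxx-0003"}]}},
]}}}

if __name__ == "__main__":
    for record in triage(SAMPLE_RESPONSE):
        print(record)
```

Run it as-is to see the offline triage; replace `SAMPLE_RESPONSE` with `fetch(token, build_variables("npm", "examplelib", ["high", "critical"]))` for a live query. A `patched` value of `None` is the case worth handling explicitly: the advisory is real but no fixed version exists yet, so the record calls for a workaround rather than an upgrade.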

## Viewing your vulnerable repositories

For any {% data variables.product.company_short %}-reviewed advisory in the {% data variables.product.prodname_advisory_database %}, you can see which of your repositories are affected by that security vulnerability. To see a vulnerable repository, you must have access to {% data variables.product.prodname_dependabot_alerts %} for that repository. For more information, see "About {% data variables.product.prodname_dependabot_alerts %}."

  1. Navigate to https://github.com/advisories.
  2. Click an advisory.
  3. At the top of the advisory page, click Dependabot alerts.
     (Screenshot: Dependabot alerts)
  4. Optionally, to filter the list, use the search bar or the drop-down menus. The "Organization" drop-down menu allows you to filter the {% data variables.product.prodname_dependabot_alerts %} per owner (organization or user).
     (Screenshot: Search bar and drop-down menus to filter alerts)
  5. For more details about the vulnerability, and for advice on how to fix the vulnerable repository, click the repository name.

## Further reading