---
title: Browsing security advisories in the GitHub Advisory Database
intro: 'You can browse the {% data variables.product.prodname_advisory_database %} to find advisories for security risks in open source projects that are hosted on {% data variables.product.company_short %}.'
shortTitle: Browse Advisory Database
miniTocMaxHeadingLevel: 3
redirect_from:
versions:
type: how_to
topics:
---
## About the {% data variables.product.prodname_advisory_database %}

The {% data variables.product.prodname_advisory_database %} contains a list of known security vulnerabilities {% ifversion GH-advisory-db-supports-malware %}and malware, {% endif %}grouped into two categories: {% data variables.product.company_short %}-reviewed advisories and unreviewed advisories.
{% data reusables.repositories.tracks-vulnerabilities %}
### About types of security advisories
{% data reusables.advisory-database.beta-malware-advisories %}
Each advisory in the {% data variables.product.prodname_advisory_database %} is for a vulnerability in open source projects{% ifversion GH-advisory-db-supports-malware %} or for malicious open source software{% endif %}.
{% data reusables.repositories.a-vulnerability-is %} Vulnerabilities in code are usually introduced by accident and fixed soon after they are discovered. You should update your code to use the fixed version of the dependency as soon as it is available.
{% ifversion GH-advisory-db-supports-malware %}
In contrast, malicious software, or malware, is code that is intentionally designed to perform unwanted or harmful functions. The malware may target hardware, software, confidential data, or users of any application that uses the malware. You need to remove the malware from your project and find an alternative, more secure replacement for the dependency.
{% endif %}
#### {% data variables.product.company_short %}-reviewed advisories
{% data variables.product.company_short %}-reviewed advisories are security vulnerabilities{% ifversion GH-advisory-db-supports-malware %} or malware{% endif %} that have been mapped to packages in ecosystems we support. We carefully review each advisory for validity and ensure that they have a full description, and contain both ecosystem and package information.
Generally, we name each supported ecosystem after the package registry associated with its programming language. We review advisories for vulnerabilities in packages that come from one of the following supported registries:
- Composer (registry: https://packagist.org/){% ifversion GH-advisory-db-erlang-support %}
- Erlang (registry: https://hex.pm/){% endif %}
- Go (registry: https://pkg.go.dev/)
- Maven (registry: https://repo1.maven.org/maven2/org/)
- npm (registry: https://www.npmjs.com/)
- NuGet (registry: https://www.nuget.org/)
- pip (registry: https://pypi.org/)
- RubyGems (registry: https://rubygems.org/)
- Rust (registry: https://crates.io/)
If you have a suggestion for a new ecosystem we should support, please open an issue for discussion.
If you enable {% data variables.product.prodname_dependabot_alerts %} for your repositories, you are automatically notified when a new {% data variables.product.company_short %}-reviewed advisory reports a vulnerability {% ifversion GH-advisory-db-supports-malware %}or malware{% endif %} for a package you depend on. For more information, see "About {% data variables.product.prodname_dependabot_alerts %}."
#### Unreviewed advisories

Unreviewed advisories are security vulnerabilities that we publish automatically into the {% data variables.product.prodname_advisory_database %}, directly from the National Vulnerability Database feed.
{% data variables.product.prodname_dependabot %} doesn't create {% data variables.product.prodname_dependabot_alerts %} for unreviewed advisories as this type of advisory isn't checked for validity or completion.
### About information in security advisories

Each security advisory contains information about the vulnerability{% ifversion GH-advisory-db-supports-malware %} or malware,{% endif %} which may include the description, severity, affected package, package ecosystem, affected versions and patched versions, impact, and optional information such as references, workarounds, and credits. In addition, advisories imported from the National Vulnerability Database contain a link to the CVE record, where you can read more details about the vulnerability, its CVSS scores, and its qualitative severity level. For more information, see the "National Vulnerability Database" from the National Institute of Standards and Technology.
The severity level is one of four possible levels defined in the "Common Vulnerability Scoring System (CVSS), Section 5."
- Low
- Medium/Moderate
- High
- Critical
The {% data variables.product.prodname_advisory_database %} uses the CVSS levels described above. If {% data variables.product.company_short %} obtains a CVE, the {% data variables.product.prodname_advisory_database %} uses CVSS version 3.1. If the CVE is imported, the {% data variables.product.prodname_advisory_database %} supports both CVSS versions 3.0 and 3.1.
{% data reusables.repositories.github-security-lab %}
## Accessing an advisory in the {% data variables.product.prodname_advisory_database %}

- Navigate to https://github.com/advisories.
- Optionally, to filter the list, use any of the drop-down menus.

  {% tip %}

  Tip: You can use the sidebar on the left to explore {% data variables.product.company_short %}-reviewed and unreviewed advisories separately.

  {% endtip %}

- Click an advisory to view details. By default, you will see {% data variables.product.company_short %}-reviewed advisories for security vulnerabilities. {% ifversion GH-advisory-db-supports-malware %}To show malware advisories, use `type:malware` in the search bar.{% endif %}
{% note %}
The database is also accessible using the GraphQL API. {% ifversion GH-advisory-db-supports-malware %}By default, queries will return {% data variables.product.company_short %}-reviewed advisories for security vulnerabilities unless you specify type:malware.{% endif %} For more information, see the "security_advisory webhook event."
{% endnote %}
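Scripting the same lookup through the GraphQL API is useful when you want to feed advisories into your own tooling rather than read them in the browser. The following is an added example, not code from the page or from {% data variables.product.company_short %}. It assumes a personal access token in the `GITHUB_TOKEN` environment variable, and it assumes the `securityAdvisories` connection accepts the `classifications`, `orderBy`, `first` and `after` arguments and exposes the fields selected below (check the GraphQL schema for your version if a field is rejected). The sample response embedded in the block is constructed so the summariser can be exercised offline; the GHSA IDs in it are placeholders, not real advisories.

```python
"""Pull reviewed (or malware) advisories from the GitHub GraphQL API and flatten them
into per-package rows. Added example; not GitHub's code. Needs GITHUB_TOKEN for live use."""
import json
import os
import urllib.request

GRAPHQL_URL = "https://api.github.com/graphql"

# Assumed shape of the securityAdvisories connection; `classifications` selects
# GENERAL (reviewed vulnerability advisories) or MALWARE advisories.
QUERY = """
query($first: Int!, $classifications: [SecurityAdvisoryClassification!], $after: String) {
  securityAdvisories(first: $first, classifications: $classifications, after: $after,
                     orderBy: {field: PUBLISHED_AT, direction: DESC}) {
    pageInfo { hasNextPage endCursor }
    nodes {
      ghsaId summary severity publishedAt
      vulnerabilities(first: 10) {
        nodes {
          package { ecosystem name }
          vulnerableVersionRange
          firstPatchedVersion { identifier }
        }
      }
    }
  }
}
"""

_RANK = {"LOW": 0, "MODERATE": 1, "HIGH": 2, "CRITICAL": 3}


def fetch_advisories(classifications=("GENERAL",), first=50, max_pages=2, token=None):
    """Page through securityAdvisories (newest first) and return the advisory nodes.
    max_pages bounds the walk; the whole database is far larger than one script run wants."""
    token = token or os.environ.get("GITHUB_TOKEN")
    if not token:
        raise RuntimeError("set GITHUB_TOKEN to query the GraphQL API")
    nodes, after = [], None
    for _ in range(max_pages):
        variables = {"first": first, "classifications": list(classifications), "after": after}
        req = urllib.request.Request(
            GRAPHQL_URL, data=json.dumps({"query": QUERY, "variables": variables}).encode(),
            headers={"Authorization": "bearer " + token, "Content-Type": "application/json"})
        with urllib.request.urlopen(req) as resp:
            data = json.load(resp)
        if "errors" in data:
            raise RuntimeError(data["errors"])
        conn = data["data"]["securityAdvisories"]
        nodes.extend(conn["nodes"])
        if not conn["pageInfo"]["hasNextPage"]:
            break
        after = conn["pageInfo"]["endCursor"]
    return nodes


def affected_packages(nodes, ecosystem=None, min_severity="HIGH"):
    """Flatten advisories into (ghsaId, severity, ecosystem, package, range, first_patched)
    rows at or above min_severity, optionally restricted to one ecosystem enum value (e.g. NPM).
    first_patched is None when no fixed release exists yet, which is the case to act on first."""
    rows = []
    for adv in nodes:
        if _RANK[adv["severity"]] < _RANK[min_severity]:
            continue
        for v in adv["vulnerabilities"]["nodes"]:
            pkg = v["package"]
            if ecosystem and pkg["ecosystem"] != ecosystem:
                continue
            patched = v["firstPatchedVersion"]["identifier"] if v["firstPatchedVersion"] else None
            rows.append((adv["ghsaId"], adv["severity"], pkg["ecosystem"], pkg["name"],
                         v["vulnerableVersionRange"], patched))
    return rows


# Constructed sample in the shape the query returns (placeholder IDs, not real advisories).
SAMPLE_RESPONSE = {"data": {"securityAdvisories": {
    "pageInfo": {"hasNextPage": False, "endCursor": None},
    "nodes": [
        {"ghsaId": "GHSA-xxxx-xxxx-xxx1", "summary": "Prototype pollution in example-npm-lib",
         "severity": "CRITICAL", "publishedAt": "2021-01-13T00:00:00Z",
         "vulnerabilities": {"nodes": [
             {"package": {"ecosystem": "NPM", "name": "example-npm-lib"},
              "vulnerableVersionRange": "< 1.2.3", "firstPatchedVersion": {"identifier": "1.2.3"}}]}},
        {"ghsaId": "GHSA-xxxx-xxxx-xxx2", "summary": "Path traversal in example-py-lib",
         "severity": "MODERATE", "publishedAt": "2021-02-01T00:00:00Z",
         "vulnerabilities": {"nodes": [
             {"package": {"ecosystem": "PIP", "name": "example-py-lib"},
              "vulnerableVersionRange": ">= 2.0, < 2.4.1", "firstPatchedVersion": {"identifier": "2.4.1"}}]}},
        {"ghsaId": "GHSA-xxxx-xxxx-xxx3", "summary": "Deserialization of untrusted data",
         "severity": "HIGH", "publishedAt": "2021-03-05T00:00:00Z",
         "vulnerabilities": {"nodes": [
             {"package": {"ecosystem": "MAVEN", "name": "org.example:example-core"},
              "vulnerableVersionRange": "<= 3.0.0", "firstPatchedVersion": None},
             {"package": {"ecosystem": "NPM", "name": "example-npm-client"},
              "vulnerableVersionRange": "< 0.9.0", "firstPatchedVersion": {"identifier": "0.9.0"}}]}},
    ]}}}
```

For a live run, `affected_packages(fetch_advisories(("MALWARE",)), ecosystem="NPM", min_severity="LOW")` lists recently published malware advisories for npm; the offline `SAMPLE_RESPONSE` shows what the rows look like without a token.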
## Editing an advisory in the {% data variables.product.prodname_advisory_database %}
You can suggest improvements to any advisory in the {% data variables.product.prodname_advisory_database %}. For more information, see "Editing security advisories in the {% data variables.product.prodname_advisory_database %}."
## Searching the {% data variables.product.prodname_advisory_database %}
You can search the database, and use qualifiers to narrow your search. For example, you can search for advisories created on a certain date, in a specific ecosystem, or in a particular library.
{% data reusables.time_date.date_format %} {% data reusables.time_date.time_format %}
{% data reusables.search.date_gt_lt %}
| Qualifier | Example |
|---|---|
| `type:reviewed` | `type:reviewed` will show {% data variables.product.company_short %}-reviewed advisories for security vulnerabilities. |{% ifversion GH-advisory-db-supports-malware %}
| `type:malware` | `type:malware` will show {% data variables.product.company_short %}-reviewed advisories for malware. |{% endif %}
| `type:unreviewed` | `type:unreviewed` will show unreviewed advisories. |
| `GHSA-ID` | `GHSA-49wp-qq6x-g2rf` will show the advisory with this {% data variables.product.prodname_advisory_database %} ID. |
| `CVE-ID` | `CVE-2020-28482` will show the advisory with this CVE ID number. |
| `ecosystem:ECOSYSTEM` | `ecosystem:npm` will show only advisories affecting npm packages. |
| `severity:LEVEL` | `severity:high` will show only advisories with a high severity level. |
| `affects:LIBRARY` | `affects:lodash` will show only advisories affecting the lodash library. |
| `cwe:ID` | `cwe:352` will show only advisories with this CWE number. |
| `credit:USERNAME` | `credit:octocat` will show only advisories credited to the "octocat" user account. |
| `sort:created-asc` | `sort:created-asc` will sort by the oldest advisories first. |
| `sort:created-desc` | `sort:created-desc` will sort by the newest advisories first. |
| `sort:updated-asc` | `sort:updated-asc` will sort by the least recently updated first. |
| `sort:updated-desc` | `sort:updated-desc` will sort by the most recently updated first. |
| `is:withdrawn` | `is:withdrawn` will show only advisories that have been withdrawn. |
| `created:YYYY-MM-DD` | `created:2021-01-13` will show only advisories created on this date. |
| `updated:YYYY-MM-DD` | `updated:2021-01-13` will show only advisories updated on this date. |
## Viewing your vulnerable repositories
For any {% data variables.product.company_short %}-reviewed advisory in the {% data variables.product.prodname_advisory_database %}, you can see which of your repositories are affected by that security vulnerability{% ifversion GH-advisory-db-supports-malware %} or malware{% endif %}. To see a vulnerable repository, you must have access to {% data variables.product.prodname_dependabot_alerts %} for that repository. For more information, see "About {% data variables.product.prodname_dependabot_alerts %}."
- Navigate to https://github.com/advisories.
- Click an advisory.
- At the top of the advisory page, click **Dependabot alerts**.
- Optionally, to filter the list, use the search bar or the drop-down menus. The "Organization" drop-down menu allows you to filter the {% data variables.product.prodname_dependabot_alerts %} per owner (organization or user).
- For more details about the advisory, and for advice on how to fix the vulnerable repository, click the repository name.
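The "Dependabot alerts" view above answers "which of my repositories does this advisory hit?" for one advisory at a time. When you need that answer for an organization in bulk (for example during incident triage), the same data is available from the Dependabot alerts REST endpoint for an organization. The following is an added example, not code from the page or from {% data variables.product.company_short %}. It assumes an access token in `GITHUB_TOKEN` that can read Dependabot alerts for the organization, and an API base of `https://api.github.com` (override `GITHUB_API_BASE` with your host's `/api/v3` URL on {% data variables.product.product_location %}). The organization endpoint uses cursor pagination, so the code follows the `Link` header rather than counting pages. The alert payload embedded in the block is constructed for offline use, with placeholder repository names and a placeholder GHSA ID.

```python
"""List the repositories in an organization affected by one advisory, from
GET /orgs/{org}/dependabot/alerts. Added example; not GitHub's code.
Live use needs GITHUB_TOKEN; the sample alerts below are constructed."""
import json
import os
import urllib.parse
import urllib.request

API_BASE = os.environ.get("GITHUB_API_BASE", "https://api.github.com")


def next_link(link_header):
    """Return the rel="next" URL from an RFC 8288 Link header, or None when on the last page."""
    if not link_header:
        return None
    for part in link_header.split(","):
        segs = [s.strip() for s in part.split(";")]
        url = segs[0]
        if url.startswith("<") and url.endswith(">") and 'rel="next"' in segs[1:]:
            return url[1:-1]
    return None


def fetch_org_alerts(org, state="open", per_page=100, token=None):
    """Walk every page of the organization's Dependabot alerts and return them as a list."""
    token = token or os.environ.get("GITHUB_TOKEN")
    if not token:
        raise RuntimeError("set GITHUB_TOKEN")
    params = urllib.parse.urlencode({"state": state, "per_page": per_page})
    url = f"{API_BASE}/orgs/{urllib.parse.quote(org)}/dependabot/alerts?{params}"
    alerts = []
    while url:
        req = urllib.request.Request(url, headers={
            "Authorization": "Bearer " + token,
            "Accept": "application/vnd.github+json"})
        with urllib.request.urlopen(req) as resp:
            alerts.extend(json.load(resp))
            url = next_link(resp.headers.get("Link"))   # cursor pagination: follow rel="next"
    return alerts


def repos_affected_by(alerts, ghsa_id):
    """Group the alerts for one advisory by repository:
    {full_name: [(ecosystem, package, manifest_path, alert_state), ...]}.
    One repository can appear several times when the package is pinned in more than one manifest."""
    affected = {}
    for alert in alerts:
        if alert["security_advisory"]["ghsa_id"] != ghsa_id:
            continue
        dep = alert["dependency"]
        affected.setdefault(alert["repository"]["full_name"], []).append(
            (dep["package"]["ecosystem"], dep["package"]["name"],
             dep["manifest_path"], alert["state"]))
    return affected


# Constructed sample alerts in the shape the endpoint returns (placeholder names and IDs).
SAMPLE_ALERTS = [
    {"number": 1, "state": "open",
     "dependency": {"package": {"ecosystem": "npm", "name": "example-npm-lib"},
                    "manifest_path": "package-lock.json"},
     "security_advisory": {"ghsa_id": "GHSA-xxxx-xxxx-xxx1", "severity": "critical"},
     "repository": {"full_name": "example-org/web-frontend"}},
    {"number": 2, "state": "open",
     "dependency": {"package": {"ecosystem": "npm", "name": "example-npm-lib"},
                    "manifest_path": "tools/package-lock.json"},
     "security_advisory": {"ghsa_id": "GHSA-xxxx-xxxx-xxx1", "severity": "critical"},
     "repository": {"full_name": "example-org/web-frontend"}},
    {"number": 7, "state": "dismissed",
     "dependency": {"package": {"ecosystem": "npm", "name": "example-npm-lib"},
                    "manifest_path": "package-lock.json"},
     "security_advisory": {"ghsa_id": "GHSA-xxxx-xxxx-xxx1", "severity": "critical"},
     "repository": {"full_name": "example-org/internal-dashboard"}},
    {"number": 3, "state": "open",
     "dependency": {"package": {"ecosystem": "pip", "name": "example-py-lib"},
                    "manifest_path": "requirements.txt"},
     "security_advisory": {"ghsa_id": "GHSA-xxxx-xxxx-xxx2", "severity": "medium"},
     "repository": {"full_name": "example-org/batch-jobs"}},
]
```

Fetch with `state="dismissed"` as well as `"open"` when triaging: a dismissed alert still means the vulnerable version is present in that repository, which the sample data above illustrates for `example-org/internal-dashboard`.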
{% ifversion security-advisories-ghes-ghae %}
## Accessing the local advisory database on {% data variables.product.product_location %}
If your site administrator has enabled {% data variables.product.prodname_github_connect %} for {% data variables.product.product_location %}, you can also browse reviewed advisories locally. For more information, see "About {% data variables.product.prodname_github_connect %}".
You can use your local advisory database to check whether a specific security vulnerability is included, and therefore whether you'd get alerts for vulnerable dependencies. You can also view any vulnerable repositories.
- Navigate to `https://HOSTNAME/advisories`.
- Optionally, to filter the list, use any of the drop-down menus.

  {% note %}

  Note: Only reviewed advisories will be listed. Unreviewed advisories can be viewed in the {% data variables.product.prodname_advisory_database %} on {% data variables.product.prodname_dotcom_the_website %}. For more information, see "Accessing an advisory in the GitHub Advisory Database".

  {% endnote %}

- Click an advisory to view details.{% ifversion GH-advisory-db-supports-malware %} By default, you will see {% data variables.product.company_short %}-reviewed advisories for security vulnerabilities. To show malware advisories, use `type:malware` in the search bar.{% endif %}
You can also suggest improvements to any advisory directly from your local advisory database. For more information, see "Editing advisories from {% data variables.product.product_location %}".
### Viewing vulnerable repositories for {% data variables.product.product_location %}
{% data reusables.repositories.enable-security-alerts %}
In the local advisory database, you can see which repositories are affected by each security vulnerability{% ifversion GH-advisory-db-supports-malware %} or malware{% endif %}. To see a vulnerable repository, you must have access to {% data variables.product.prodname_dependabot_alerts %} for that repository. For more information, see "About {% data variables.product.prodname_dependabot_alerts %}."
- Navigate to `https://HOSTNAME/advisories`.
- Click an advisory.
- At the top of the advisory page, click **Dependabot alerts**.
- Optionally, to filter the list, use the search bar or the drop-down menus. The "Organization" drop-down menu allows you to filter the {% data variables.product.prodname_dependabot_alerts %} per owner (organization or user).
- For more details about the advisory, and for advice on how to fix the vulnerable repository, click the repository name.
{% endif %}
## Further reading
- MITRE's definition of "vulnerability"