{"meta":{"title":"About the GitHub Advisory database","intro":"The GitHub Advisory Database contains a list of known security vulnerabilities and malware, grouped in three categories: GitHub-reviewed advisories, unreviewed advisories, and malware advisories.","product":"Security and code quality","breadcrumbs":[{"href":"/en/code-security","title":"Security and code quality"},{"href":"/en/code-security/concepts","title":"Concepts"},{"href":"/en/code-security/concepts/vulnerability-reporting-and-management","title":"Vulnerability reporting"},{"href":"/en/code-security/concepts/vulnerability-reporting-and-management/about-the-github-advisory-database","title":"GitHub Advisory database"}],"documentType":"article"},"body":"# About the GitHub Advisory database\n\nThe GitHub Advisory Database contains a list of known security vulnerabilities and malware, grouped in three categories: GitHub-reviewed advisories, unreviewed advisories, and malware advisories.\n\n## About the GitHub Advisory Database\n\nWe add advisories to the GitHub Advisory Database from the following sources:\n\n* Security advisories reported on GitHub\n* The [National Vulnerability database](https://nvd.nist.gov/)\n* The [npm Security advisories database](https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm)\n* The [FriendsOfPHP database](https://github.com/FriendsOfPHP/security-advisories)\n* The [Go Vulncheck database](https://pkg.go.dev/vuln/)\n* The [Python Packaging Advisory database](https://github.com/pypa/advisory-database)\n* The [Ruby Advisory database](https://rubysec.com/)\n* The [RustSec Advisory database](https://rustsec.org/)\n* Community contributions. 
For more information, see <https://github.com/github/advisory-database/pulls>.\n\nIf you know of another database we should be importing advisories from, tell us about it by opening an issue in <https://github.com/github/advisory-database>.\n\nSecurity advisories are published as JSON files in the Open Source Vulnerability (OSV) format. For more information about the OSV format, see [Open Source Vulnerability format](https://ossf.github.io/osv-schema/).\n\n## Types of security advisories\n\nEach advisory in the GitHub Advisory Database is for a vulnerability in open source projects or for malicious open source software.\n\nA vulnerability is a problem in a project's code that could be exploited to damage the confidentiality, integrity, or availability of the project or other projects that use its code. Vulnerabilities vary in type, severity, and method of attack. Vulnerabilities in code are usually introduced by accident and fixed soon after they are discovered. You should update your code to use the fixed version of the dependency as soon as it is available.\n\nIn contrast, malicious software, or malware, is code that is intentionally designed to perform unwanted or harmful functions. The malware may target hardware, software, confidential data, or users of any application that uses the malware. You need to remove the malware from your project and find an alternative, more secure replacement for the dependency.\n\n### GitHub-reviewed advisories\n\n**GitHub-reviewed** advisories are mapped to packages in ecosystems we support. We carefully review each advisory for validity and ensure that they contain a full description and both ecosystem and package information.\n\nGenerally, we name our supported ecosystems after the software programming language's associated package registry. 
We review advisories if they are for a vulnerability in a package that comes from a supported registry.\n\n* Composer (registry: <https://packagist.org/>)\n* Erlang (registry: <https://hex.pm/>)\n* Go (registry: <https://pkg.go.dev/>)\n* GitHub Actions (<https://github.com/marketplace?type=actions/>)\n* Maven (registry: <https://repo.maven.apache.org/maven2>)\n* Npm (registry: <https://www.npmjs.com/>)\n* NuGet (registry: <https://www.nuget.org/>)\n* Pip (registry: <https://pypi.org/>)\n* Pub (registry: <https://pub.dev/packages/registry>)\n* RubyGems (registry: <https://rubygems.org/>)\n* Rust (registry: <https://crates.io/>)\n* Swift (registry: N/A)\n\nIf you have a suggestion for a new ecosystem we should support, please open an [issue](https://github.com/github/advisory-database/issues) for discussion.\n\nIf you enable Dependabot alerts for your repositories, you are automatically notified when a new GitHub-reviewed advisory reports a vulnerability for a package you depend on. For more information, see [About Dependabot alerts](/en/code-security/dependabot/dependabot-alerts/about-dependabot-alerts).\n\n### Unreviewed advisories\n\n**Unreviewed** advisories are published automatically into the GitHub Advisory Database, directly from the National Vulnerability Database feed.\n\nDependabot doesn't create Dependabot alerts for unreviewed advisories as this type of advisory isn't checked for validity or completion.\n\n### Malware advisories\n\n**Malware** advisories relate to vulnerabilities caused by malware and are exclusive to the **npm** ecosystem. We publish them automatically into the GitHub Advisory Database, directly from information provided by the npm security team.\n\nDependabot doesn't generate alerts when malware is detected as most of the vulnerabilities cannot be resolved by downstream users. You can view malware advisories by searching for `type:malware` in the GitHub Advisory Database.\n\nOur malware advisories are mostly about substitution attacks. 
During this type of attack, an attacker publishes a package to the public registry with the same name as a dependency that users rely on from a third party or private registry, with the hope that the malicious version is consumed. Dependabot doesn’t look at project configurations to determine if the packages are coming from a private registry, so we aren't sure if you're using the malicious version or a non-malicious version. Users who have their dependencies appropriately scoped should not be affected by malware.\n\n## Information in security advisories\n\nIn this section, you can find more detailed information about specific data attributes of the GitHub Advisory Database.\n\n### GHSA IDs\n\nEach security advisory, regardless of its type, has a unique identifier referred to as a GHSA ID. A `GHSA-ID` qualifier is assigned when a new advisory is created on GitHub or added to the GitHub Advisory Database from any of the supported sources.\n\nThe syntax of GHSA IDs follows this format: `GHSA-xxxx-xxxx-xxxx` where:\n\n* `x` is a letter or a number from the following set: `23456789cfghjmpqrvwx`.\n* Outside the `GHSA` portion of the name:\n  * The numbers and letters are randomly assigned.\n  * All letters are lowercase.\n\nYou can validate a GHSA ID using a regular expression.\n\n```bash copy\n/GHSA(-[23456789cfghjmpqrvwx]{4}){3}/\n```\n\n### CVSS levels\n\nThe GitHub Advisory Database supports both CVSS version 3.1 and CVSS version 4.0.\n\nEach security advisory contains information about the vulnerability or malware, which may include the description, severity, affected package, package ecosystem, affected versions and patched versions, impact, and optional information such as references, workarounds, and credits. In addition, advisories from the National Vulnerability Database list contain a link to the CVE record, where you can read more details about the vulnerability, its CVSS scores, and its qualitative severity level. 
For more information, see the [National Vulnerability Database](https://nvd.nist.gov/) from the National Institute of Standards and Technology.\n\nThe severity level is one of four possible levels defined in the [Common Vulnerability Scoring System (CVSS), Section 5](https://www.first.org/cvss/specification-document).\n\n* Low\n* Medium/Moderate\n* High\n* Critical\n\nThe GitHub Advisory Database uses the CVSS levels described above. If GitHub obtains a CVE, the GitHub Advisory Database uses the CVSS version assigned by the maintainer, which can be version 3.1 or 4.0. If the CVE is imported, the GitHub Advisory Database supports CVSS versions 4.0, 3.1 and 3.0.\n\nYou can also join [GitHub Security Lab](https://securitylab.github.com/) to browse security-related topics and contribute to security tools and projects.\n\n### EPSS scores\n\nThe Exploit Prediction Scoring System, or EPSS, is a system devised by the global Forum of Incident Response and Security Teams (FIRST) for quantifying the likelihood that a vulnerability will be exploited. The model produces a probability score between 0 and 1 (0% to 100%), where a higher score means a greater probability that the vulnerability will be exploited. For more information about FIRST, see <https://www.first.org/>.\n\nThe GitHub Advisory Database includes EPSS scores from FIRST for advisories containing CVEs with corresponding EPSS data. GitHub also displays the EPSS score percentile, which is the proportion of all scored vulnerabilities with the same or a lower EPSS score.\n\nFor example, if an advisory had an EPSS score of 90.534% at the 95th percentile, then according to the [EPSS model](https://www.first.org/epss/model) this means that:\n\n* There is a 90.534% chance of this vulnerability being exploited in the wild in the next 30 days.\n* 95% of the total modeled vulnerabilities are considered less likely to be exploited in the next 30 days than this vulnerability.\n\nFIRST's EPSS User Guide explains in more detail how the percentage and the percentile are used together to interpret the likelihood that a vulnerability could be exploited in the wild according to FIRST's model. For more information, see [FIRST's EPSS User Guide](https://www.first.org/epss/user-guide) on the FIRST website.\n\nFIRST also provides additional information about the distribution of their EPSS data. For more information, see [EPSS data and statistics documentation](https://www.first.org/epss/data_stats) on the FIRST website.\n\n> [!NOTE]\n> GitHub keeps EPSS data up to date with a daily synchronization action. While EPSS score percentages will always be fully synchronized, score percentiles will only be updated when significantly different.\n\nAt GitHub, we do not author this data, but rather source it from FIRST, which means that this data is not editable in community contributions. For more information about community contributions, see [Editing security advisories in the GitHub Advisory Database](/en/code-security/security-advisories/working-with-global-security-advisories-from-the-github-advisory-database/editing-security-advisories-in-the-github-advisory-database).\n\n## Community contributions\n\nA **community contribution** is a pull request submitted to the [github/advisory-database](https://github.com/github/advisory-database?ref_product=security-advisories\\&ref_type=engagement\\&ref_style=text) repository that improves the content of a global security advisory. When you make a community contribution, you can edit or add any detail, including additional affected ecosystems, the severity level, or the description of who is impacted. The GitHub Security Lab curation team will review the submitted contributions and publish them onto the GitHub Advisory Database if accepted.\n\nIf we accept and publish the community contribution, the person who submitted the community contribution pull request will automatically be assigned a credit type of \"Analyst\". For more information, see [Creating a repository security advisory](/en/code-security/security-advisories/working-with-repository-security-advisories/creating-a-repository-security-advisory#about-credits-for-repository-security-advisories).\n\n## Further reading\n\n* [About Dependabot alerts](/en/code-security/dependabot/dependabot-alerts/about-dependabot-alerts)\n* The CVE Program's [definition of \"vulnerability\"](https://www.cve.org/ResourcesSupport/Glossary#glossaryVulnerability)"}