---
title: Browsing security advisories in the GitHub Advisory Database
intro: 'You can browse the {% data variables.product.prodname_advisory_database %} to find CVEs and {% data variables.product.prodname_dotcom %}-originated advisories affecting the open source world.'
shortTitle: Browse Advisory Database
permissions: '{% data reusables.permissions.global-security-advisories-browse %}'
redirect_from:
  - /github/managing-security-vulnerabilities/browsing-security-vulnerabilities-in-the-github-advisory-database
  - /code-security/supply-chain-security/browsing-security-vulnerabilities-in-the-github-advisory-database
  - /code-security/supply-chain-security/managing-vulnerabilities-in-your-projects-dependencies/browsing-security-vulnerabilities-in-the-github-advisory-database
  - /code-security/dependabot/dependabot-alerts/browsing-security-vulnerabilities-in-the-github-advisory-database
  - /code-security/dependabot/dependabot-alerts/browsing-security-advisories-in-the-github-advisory-database
  - /code-security/security-advisories/global-security-advisories/browsing-security-advisories-in-the-github-advisory-database
  - /code-security/security-advisories/working-with-global-security-advisories-from-the-github-advisory-database/browsing-security-advisories-in-the-github-advisory-database
  - /code-security/security-advisories/working-with-global-security-advisories-from-the-github-advisory-database
  - /code-security/security-advisories/global-security-advisories
versions:
  fpt: '*'
  ghec: '*'
  ghes: '*'
contentType: how-tos
category:
  - Report and disclose vulnerabilities
---

## Accessing an advisory in the {% data variables.product.prodname_advisory_database %}

You can access any advisory in the {% data variables.product.prodname_advisory_database %}.

1. Navigate to https://github.com/advisories.
1. Optionally, to filter the list of advisories, use the search field or the drop-down menus at the top of the list.

   > [!NOTE]
   > You can use the sidebar on the left to explore {% data variables.product.company_short %}-reviewed and unreviewed advisories separately, or to filter by ecosystem.

1. Click an advisory to view details. By default, you will see {% data variables.product.company_short %}-reviewed advisories for security vulnerabilities. To show malware advisories, use `type:malware` in the search bar.

The database is also accessible using the GraphQL API. By default, queries return {% data variables.product.company_short %}-reviewed advisories for security vulnerabilities unless you specify `type:malware`. For more information, see AUTOTITLE.

Additionally, you can access the {% data variables.product.prodname_advisory_database %} using the REST API. For more information, see AUTOTITLE.

## Editing an advisory in the {% data variables.product.prodname_advisory_database %}

You can suggest improvements to any advisory in the {% data variables.product.prodname_advisory_database %}. For more information, see AUTOTITLE.

## Searching the {% data variables.product.prodname_advisory_database %}

You can search the database, and use qualifiers to narrow your search. For example, you can search for advisories created on a certain date, in a specific ecosystem, or in a particular library.

{% data reusables.time_date.date_format %} {% data reusables.time_date.time_format %}

{% data reusables.search.date_gt_lt %}

| Qualifier | Example |
| --------- | ------- |
| `type:reviewed` | `type:reviewed` will show {% data variables.product.company_short %}-reviewed advisories for security vulnerabilities. |
| `type:malware` | `type:malware` will show malware advisories. |
| `type:unreviewed` | `type:unreviewed` will show unreviewed advisories. |
| `GHSA-ID` | `GHSA-49wp-qq6x-g2rf` will show the advisory with this {% data variables.product.prodname_advisory_database %} ID. |
| `CVE-ID` | `CVE-2020-28482` will show the advisory with this CVE ID number. |
| `ecosystem:ECOSYSTEM` | `ecosystem:npm` will show only advisories affecting npm packages. |
| `severity:LEVEL` | `severity:high` will show only advisories with a high severity level. |
| `affects:LIBRARY` | `affects:lodash` will show only advisories affecting the lodash library. |
| `cwe:ID` | `cwe:352` will show only advisories with this CWE number. |
| `credit:USERNAME` | `credit:octocat` will show only advisories credited to the "octocat" user account. |
| `sort:created-asc` | `sort:created-asc` will sort by the oldest advisories first. |
| `sort:created-desc` | `sort:created-desc` will sort by the newest advisories first. |
| `sort:updated-asc` | `sort:updated-asc` will sort by the least recently updated first. |
| `sort:updated-desc` | `sort:updated-desc` will sort by the most recently updated first. |
| `is:withdrawn` | `is:withdrawn` will show only advisories that have been withdrawn. |
| `created:YYYY-MM-DD` | `created:2021-01-13` will show only advisories created on this date. |
| `updated:YYYY-MM-DD` | `updated:2021-01-13` will show only advisories updated on this date. |

A GHSA-ID qualifier is a unique ID that we at {% data variables.product.prodname_dotcom %} automatically assign to every advisory in the {% data variables.product.prodname_advisory_database %}. For more information about these identifiers, see About the {% data variables.product.prodname_advisory_database %}.
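The qualifiers above are what you type into the search box; the REST API described earlier exposes the same filters as query parameters. The following added example (not GitHub's own code) translates a qualifier string into a request against `GET https://api.github.com/advisories`. It assumes the endpoint's parameter names as documented (`ghsa_id`, `cve_id`, `type`, `ecosystem`, `severity`, `cwes`, `affects`, `is_withdrawn`, `published`, `updated`, `sort`, `direction`, `per_page`) and that the search box's `created:` corresponds to the API's `published`. Qualifiers the API cannot express, such as free text or `credit:`, are rejected rather than silently dropped, so a script does not return a broader result set than the operator asked for.

```python
"""Build GitHub Advisory Database REST API requests from search-box qualifiers.

Added example, not GitHub's own code. Assumes the parameter names of
GET https://api.github.com/advisories listed in the lead-in; the UI's
`created:` qualifier is mapped to the API's `published` parameter.
"""
import json
import re
import sys
import urllib.request
from typing import Optional
from urllib.parse import urlencode

API_URL = "https://api.github.com/advisories"

GHSA_RE = re.compile(r"^GHSA(-[0-9a-z]{4}){3}$", re.IGNORECASE)
CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$", re.IGNORECASE)
# A single date, a comparison (>, >=, <, <=) or an inclusive range (A..B).
DATE_RE = re.compile(
    r"^(?:[<>]=?\d{4}-\d{2}-\d{2}|\d{4}-\d{2}-\d{2}(?:\.\.\d{4}-\d{2}-\d{2})?)$"
)

TYPES = {"reviewed", "malware", "unreviewed"}
SEVERITIES = {"unknown", "low", "medium", "high", "critical"}
# Qualifiers passed through (lower-cased) as one parameter each.
SIMPLE = {"type": "type", "ecosystem": "ecosystem", "severity": "severity"}
# Qualifiers that may repeat; the API takes a comma-separated list.
LISTS = {"cwe": "cwes", "affects": "affects"}
# Date qualifiers; `created:` -> `published` is an assumption about the API.
DATES = {"created": "published", "updated": "updated"}


def parse_query(query: str) -> dict:
    """Turn 'ecosystem:npm severity:high ...' into REST query parameters.

    Raises ValueError for anything the endpoint cannot express (free text,
    unknown qualifiers, malformed dates) instead of dropping it.
    """
    params: dict = {}
    lists: dict = {name: [] for name in LISTS.values()}
    for token in query.split():
        if GHSA_RE.match(token):
            params["ghsa_id"] = "GHSA-" + token[5:].lower()
            continue
        if CVE_RE.match(token):
            params["cve_id"] = token.upper()
            continue
        key, sep, value = token.partition(":")
        if not sep or not value:
            raise ValueError(f"not a qualifier: {token!r}")
        key = key.lower()
        if key in SIMPLE:
            value = value.lower()
            if key == "type" and value not in TYPES:
                raise ValueError(f"unknown type: {value}")
            if key == "severity" and value not in SEVERITIES:
                raise ValueError(f"unknown severity: {value}")
            params[SIMPLE[key]] = value
        elif key in LISTS:
            lists[LISTS[key]].append(value)
        elif key in DATES:
            if not DATE_RE.match(value):
                raise ValueError(f"bad date qualifier: {token}")
            params[DATES[key]] = value
        elif key == "is" and value.lower() == "withdrawn":
            params["is_withdrawn"] = "true"
        elif key == "sort":
            # UI form is created-asc / updated-desc; the API splits field and direction.
            field, sep2, direction = value.rpartition("-")
            if not sep2 or field not in DATES or direction not in ("asc", "desc"):
                raise ValueError(f"bad sort qualifier: {token}")
            params["sort"] = DATES[field]
            params["direction"] = direction
        else:
            raise ValueError(f"unsupported qualifier: {key}")
    for name, values in lists.items():
        if values:
            params[name] = ",".join(values)
    return params


def build_url(query: str, per_page: int = 30) -> str:
    """Return the full GET URL for a qualifier string."""
    params = parse_query(query)
    params["per_page"] = str(per_page)
    return f"{API_URL}?{urlencode(params)}"


def fetch_advisories(query: str, token: Optional[str] = None) -> list:
    """Call the API (needs network access) and return the decoded JSON list."""
    headers = {"Accept": "application/vnd.github+json",
               "X-GitHub-Api-Version": "2022-11-28"}
    if token:
        headers["Authorization"] = f"Bearer {token}"
    req = urllib.request.Request(build_url(query), headers=headers)
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    q = " ".join(sys.argv[1:]) or "ecosystem:npm severity:critical sort:updated-desc"
    print(build_url(q))
```

Run it with a qualifier string as the arguments to print the URL it would request; `fetch_advisories` adds the `Accept` and API-version headers and an optional bearer token for authenticated rate limits.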

## Viewing your vulnerable repositories

For any {% data variables.product.company_short %}-reviewed advisory in the {% data variables.product.prodname_advisory_database %}, you can see which of your repositories are affected by that security vulnerability or malware. To see a vulnerable repository, you must have access to {% data variables.product.prodname_dependabot_alerts %} for that repository. For more information, see AUTOTITLE.

1. Navigate to https://github.com/advisories.
1. Click an advisory.
1. At the top of the advisory page, click **Dependabot alerts**. Screenshot of a "global security advisory". The "Dependabot alerts" button is highlighted with an orange outline.
1. Optionally, to filter the list, use the search bar or the drop-down menus. The "Organization" drop-down menu allows you to filter the {% data variables.product.prodname_dependabot_alerts %} per owner (organization or user).
1. For more details about the advisory, and for advice on how to fix the vulnerable repository, click the repository name.
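The steps above answer "which of my repositories does this advisory affect?" in the UI. The following added example (not GitHub's own code) does the same from {% data variables.product.prodname_dependabot_alerts %} records: it groups alerts by repository for one GHSA ID and reports the package and first patched version for each. It assumes the alert object shape returned by the REST endpoint `GET /orgs/{org}/dependabot/alerts` (`repository.full_name`, `state`, `security_advisory.ghsa_id`, `dependency.package`, `security_vulnerability.first_patched_version`) and the standard `Link: <url>; rel="next"` pagination header; the sample alerts and the `GHSA-xxxx-yyyy-zzzz` identifier are constructed placeholders.

```python
"""Group Dependabot alerts by repository for a single advisory.

Added example, not GitHub's own code. Assumes the alert fields named in the
lead-in; SAMPLE_ALERTS is constructed data, not real API output.
"""
import json
import re
import urllib.request
from collections import defaultdict
from typing import Iterable, Optional

# Constructed sample alerts, trimmed to the fields used here.
SAMPLE_ALERTS = [
    {"repository": {"full_name": "octo-org/web"}, "state": "open",
     "security_advisory": {"ghsa_id": "GHSA-xxxx-yyyy-zzzz", "severity": "high"},
     "dependency": {"package": {"ecosystem": "npm", "name": "example-pkg"},
                    "manifest_path": "package-lock.json"},
     "security_vulnerability": {"first_patched_version": {"identifier": "1.2.3"}}},
    {"repository": {"full_name": "octo-org/api"}, "state": "open",
     "security_advisory": {"ghsa_id": "GHSA-xxxx-yyyy-zzzz", "severity": "high"},
     "dependency": {"package": {"ecosystem": "npm", "name": "example-pkg"},
                    "manifest_path": "services/package-lock.json"},
     "security_vulnerability": {"first_patched_version": None}},
    {"repository": {"full_name": "octo-org/legacy"}, "state": "fixed",
     "security_advisory": {"ghsa_id": "GHSA-xxxx-yyyy-zzzz", "severity": "high"},
     "dependency": {"package": {"ecosystem": "npm", "name": "example-pkg"},
                    "manifest_path": "package-lock.json"},
     "security_vulnerability": {"first_patched_version": {"identifier": "1.2.3"}}},
    {"repository": {"full_name": "octo-org/web"}, "state": "open",
     "security_advisory": {"ghsa_id": "GHSA-aaaa-bbbb-cccc", "severity": "low"},
     "dependency": {"package": {"ecosystem": "pip", "name": "other-pkg"},
                    "manifest_path": "requirements.txt"},
     "security_vulnerability": {"first_patched_version": {"identifier": "2.0"}}},
]


def affected_repositories(alerts: Iterable[dict], ghsa_id: str,
                          include_closed: bool = False) -> dict:
    """Return {repo_full_name: [summary, ...]} for alerts matching ghsa_id.

    Closed alerts (fixed, dismissed, auto-dismissed) are skipped unless
    include_closed is set, so the default view is "still exposed".
    """
    by_repo: dict = defaultdict(list)
    for alert in alerts:
        if alert["security_advisory"]["ghsa_id"].lower() != ghsa_id.lower():
            continue
        if alert["state"] != "open" and not include_closed:
            continue
        pkg = alert["dependency"]["package"]
        patched = (alert.get("security_vulnerability") or {}).get("first_patched_version")
        by_repo[alert["repository"]["full_name"]].append({
            "package": f'{pkg["ecosystem"]}/{pkg["name"]}',
            "manifest": alert["dependency"].get("manifest_path"),
            "state": alert["state"],
            # None means no patched version is published yet: mitigate, do not just bump.
            "fix": patched["identifier"] if patched else None,
        })
    return dict(by_repo)


def next_link(link_header: Optional[str]) -> Optional[str]:
    """Extract the rel="next" URL from a Link header, or None on the last page."""
    if not link_header:
        return None
    m = re.search(r'<([^>]+)>;\s*rel="next"', link_header)
    return m.group(1) if m else None


def fetch_org_alerts(org: str, token: str) -> list:
    """Page through GET /orgs/{org}/dependabot/alerts (needs network access)."""
    headers = {"Accept": "application/vnd.github+json",
               "X-GitHub-Api-Version": "2022-11-28",
               "Authorization": f"Bearer {token}"}
    url: Optional[str] = f"https://api.github.com/orgs/{org}/dependabot/alerts?per_page=100"
    alerts: list = []
    while url:
        with urllib.request.urlopen(urllib.request.Request(url, headers=headers)) as resp:
            alerts.extend(json.load(resp))
            url = next_link(resp.headers.get("Link"))
    return alerts


if __name__ == "__main__":
    for repo, hits in affected_repositories(SAMPLE_ALERTS, "GHSA-xxxx-yyyy-zzzz").items():
        for hit in hits:
            print(repo, hit["package"], hit["manifest"], "fix:", hit["fix"] or "none yet")
```

A `fix` of `None` is the case worth flagging in a report: the advisory is in the database and the alert is open, but no patched version exists, so the repository needs a mitigation other than a dependency update.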

{% ifversion ghes %}

## Accessing the local advisory database on {% data variables.product.prodname_ghe_server %}

If your site administrator has enabled {% data variables.product.prodname_github_connect %} for your instance, you can also browse reviewed advisories locally. For more information, see AUTOTITLE.

You can use your local advisory database to check whether a specific security vulnerability is included, and therefore whether you'd get alerts for vulnerable dependencies. You can also view any vulnerable repositories.

1. Navigate to https://HOSTNAME/advisories.
1. Optionally, to filter the list, use any of the drop-down menus.

   > [!NOTE]
   > Only reviewed advisories will be listed. Unreviewed advisories can be viewed in the {% data variables.product.prodname_advisory_database %} on {% data variables.product.prodname_dotcom_the_website %}. For more information, see Accessing an advisory in the GitHub Advisory Database.

1. Click an advisory to view details. By default, you will see {% data variables.product.company_short %}-reviewed advisories for security vulnerabilities. To show malware advisories, use `type:malware` in the search bar.

You can also suggest improvements to any advisory directly from your local advisory database. For more information, see AUTOTITLE.

### Viewing vulnerable repositories for your instance

{% data reusables.repositories.enable-security-alerts %}

In the local advisory database, you can see which repositories are affected by each security vulnerability or malware. To see a vulnerable repository, you must have access to {% data variables.product.prodname_dependabot_alerts %} for that repository. For more information, see AUTOTITLE.

1. Navigate to https://HOSTNAME/advisories.
1. Click an advisory.
1. At the top of the advisory page, click **Dependabot alerts**. Screenshot of a "global security advisory". The "Dependabot alerts" button is highlighted with an orange outline.
1. Optionally, to filter the list, use the search bar or the drop-down menus. The "Organization" drop-down menu allows you to filter the {% data variables.product.prodname_dependabot_alerts %} per owner (organization or user).
1. For more details about the advisory, and for advice on how to fix the vulnerable repository, click the repository name.

{% endif %}