
Browsing security vulnerabilities in the GitHub Advisory Database

The GitHub Advisory Database allows you to browse or search for vulnerabilities that affect open source projects on GitHub.

About security vulnerabilities

A vulnerability is a problem in a project's code that could be exploited to damage the confidentiality, integrity, or availability of that project or of other projects that use its code. Vulnerabilities vary in type, severity, and method of attack.

About the GitHub Advisory Database

The GitHub Advisory Database contains a list of known security vulnerabilities, grouped in two categories: GitHub-reviewed advisories and unreviewed advisories.

We add vulnerabilities to the GitHub Advisory Database from the following sources:

About GitHub-reviewed advisories

GitHub-reviewed advisories are security vulnerabilities that have been mapped to packages tracked by the GitHub dependency graph.

We carefully review each advisory for validity. Each GitHub-reviewed advisory has a full description, and contains both ecosystem and package information.

If you enable Dependabot alerts for your repositories, you are automatically notified when a new GitHub-reviewed advisory affects packages you depend on. For more information, see "About Dependabot alerts."

About unreviewed advisories

Unreviewed advisories are security vulnerabilities that we publish automatically into the GitHub Advisory Database, directly from the National Vulnerability Database feed.

Dependabot doesn't create Dependabot alerts for unreviewed advisories, as this type of advisory isn't checked for validity or completeness.

About security advisories

Each security advisory contains information about the vulnerability, which may include the description, severity, affected package, package ecosystem, affected versions and patched versions, impact, and optional information such as references, workarounds, and credits. In addition, advisories from the National Vulnerability Database list contain a link to the CVE record, where you can read more details about the vulnerability, its CVSS scores, and its qualitative severity level. For more information, see the "National Vulnerability Database" from the National Institute of Standards and Technology.

The severity level is one of four possible levels defined in the "Common Vulnerability Scoring System (CVSS), Section 5."

  • Low
  • Medium/Moderate
  • High
  • Critical

The GitHub Advisory Database uses the CVSS levels described above. If GitHub obtains a CVE, the GitHub Advisory Database uses CVSS version 3.1. If the CVE is imported, the GitHub Advisory Database supports both CVSS versions 3.0 and 3.1.

You can also join GitHub Security Lab to browse security-related topics and contribute to security tools and projects.

Accessing an advisory in the GitHub Advisory Database

  1. Navigate to https://github.com/advisories.

  2. Optionally, to filter the list, use any of the drop-down menus.

    Tip: You can use the sidebar on the left to explore GitHub-reviewed and unreviewed advisories separately.

  3. Click on any advisory to view details.

The database is also accessible using the GraphQL API. For more information, see the "security_advisory webhook event."

Editing an advisory in the GitHub Advisory Database

You can suggest improvements to any advisory in the GitHub Advisory Database. For more information, see "Editing security advisories in the GitHub Advisory Database."

Searching the GitHub Advisory Database

You can search the database, and use qualifiers to narrow your search. For example, you can search for advisories created on a certain date, in a specific ecosystem, or in a particular library.

Dates must follow the ISO 8601 standard, which is YYYY-MM-DD (year-month-day). You can also add optional time information, THH:MM:SS+00:00, after the date to search by hour, minute, and second. That is a T, followed by HH:MM:SS (hour-minutes-seconds) and a UTC offset (+00:00).

When you search for a date, you can use greater-than, less-than, and range qualifiers to filter results further. For more information, see "Understanding the search syntax."

Qualifier              Example
type:reviewed          type:reviewed will show GitHub-reviewed advisories.
type:unreviewed        type:unreviewed will show unreviewed advisories.
GHSA-ID                GHSA-49wp-qq6x-g2rf will show the advisory with this GitHub Advisory Database ID.
CVE-ID                 CVE-2020-28482 will show the advisory with this CVE ID number.
ecosystem:ECOSYSTEM    ecosystem:npm will show only advisories affecting NPM packages.
severity:LEVEL         severity:high will show only advisories with a high severity level.
affects:LIBRARY        affects:lodash will show only advisories affecting the lodash library.
cwe:ID                 cwe:352 will show only advisories with this CWE number.
credit:USERNAME        credit:octocat will show only advisories credited to the "octocat" user account.
sort:created-asc       sort:created-asc will sort by the oldest advisories first.
sort:created-desc      sort:created-desc will sort by the newest advisories first.
sort:updated-asc       sort:updated-asc will sort by the least recently updated first.
sort:updated-desc      sort:updated-desc will sort by the most recently updated first.
is:withdrawn           is:withdrawn will show only advisories that have been withdrawn.
created:YYYY-MM-DD     created:2021-01-13 will show only advisories created on this date.
updated:YYYY-MM-DD     updated:2021-01-13 will show only advisories updated on this date.
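To make the qualifier and date syntax above concrete, here is an added example (not GitHub's code, and not how the advisory search service is implemented) that applies the same qualifiers, including the ISO 8601 date forms and the >, <, >= , <= and A..B range operators, to a handful of constructed records with placeholder IDs; the record fields and the exact range semantics are assumptions for illustration.

```python
import re
from datetime import datetime, timezone

ADVISORIES = [  # constructed sample records with placeholder IDs, not real advisories
    {"id": "GHSA-0000-0000-0001", "cve": "CVE-0000-00001", "type": "reviewed", "ecosystem": "npm", "severity": "high",
     "affects": "lodash", "created": "2021-01-13T10:00:00+00:00", "updated": "2021-02-01T00:00:00+00:00"},
    {"id": "GHSA-0000-0000-0002", "cve": "CVE-0000-00002", "type": "reviewed", "ecosystem": "pip", "severity": "critical",
     "affects": "requests", "created": "2020-06-30T00:00:00+00:00", "updated": "2021-01-13T12:30:00+00:00"},
    {"id": "GHSA-0000-0000-0003", "cve": "CVE-0000-00003", "type": "unreviewed", "ecosystem": None, "severity": "moderate",
     "affects": None, "created": "2021-01-13T23:59:59+00:00", "updated": "2021-01-14T00:00:00+00:00"},
]
DATE_RE = re.compile(r"^\d{4}-\d{2}-\d{2}(T\d{2}:\d{2}:\d{2}[+-]\d{2}:\d{2})?$")
FIELDS = ("type", "ecosystem", "severity", "affects", "cwe", "credit")

def parse_date(text):
    """Accept only the ISO 8601 shapes the page describes: YYYY-MM-DD, optionally THH:MM:SS+00:00."""
    if not DATE_RE.match(text):
        raise ValueError(f"bad date qualifier: {text!r}")
    if "T" in text:
        return datetime.fromisoformat(text)
    return datetime.strptime(text, "%Y-%m-%d").replace(tzinfo=timezone.utc)

def date_matches(value, spec):
    """Exact day, >, >=, <, <= and A..B range forms on a created/updated timestamp."""
    actual = datetime.fromisoformat(value)
    if ".." in spec:
        lo, hi = spec.split("..", 1)
        return parse_date(lo) <= actual <= parse_date(hi)
    for op in (">=", "<=", ">", "<"):
        if spec.startswith(op):
            bound = parse_date(spec[len(op):])
            return {">=": actual >= bound, "<=": actual <= bound,
                    ">": actual > bound, "<": actual < bound}[op]
    bound = parse_date(spec)  # a bare date matches the whole day; a full timestamp matches exactly
    return actual == bound if "T" in spec else actual.date() == bound.date()

def search(query, advisories=ADVISORIES):
    """Apply the qualifiers from the page's table to the records; returns the matching GHSA IDs."""
    filters = []
    for token in query.split():
        if token.startswith(("GHSA-", "CVE-")):  # bare IDs carry no qualifier prefix
            filters.append(lambda a, t=token: t in (a["id"], a["cve"]))
            continue
        key, _, value = token.partition(":")
        if key in ("created", "updated"):
            filters.append(lambda a, k=key, v=value: date_matches(a[k], v))
        elif key in FIELDS:
            filters.append(lambda a, k=key, v=value: a.get(k) == v)
        else:
            raise ValueError(f"unknown qualifier: {token!r}")
    return [a["id"] for a in advisories if all(f(a) for f in filters)]
```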

Viewing your vulnerable repositories

For any GitHub-reviewed advisory in the GitHub Advisory Database, you can see which of your repositories are affected by that security vulnerability. To see a vulnerable repository, you must have access to Dependabot alerts for that repository. For more information, see "About Dependabot alerts."

  1. Navigate to https://github.com/advisories.
  2. Click an advisory.
  3. At the top of the advisory page, click Dependabot alerts.
  4. Optionally, to filter the list, use the search bar or the drop-down menus. The "Organization" drop-down menu allows you to filter the Dependabot alerts per owner (organization or user).
  5. For more details about the vulnerability, and for advice on how to fix the vulnerable repository, click the repository name.

Further reading