
Browsing security advisories in the GitHub Advisory Database

You can browse the GitHub Advisory Database to find advisories for security risks in open source projects that are hosted on GitHub.

About the GitHub Advisory Database

The GitHub Advisory Database contains a list of known security vulnerabilities and malware, grouped in two categories: GitHub-reviewed advisories and unreviewed advisories.

We add advisories to the GitHub Advisory Database from the following sources:

About types of security advisories

Note: Advisories for malware are currently in beta and subject to change.

Each advisory in the GitHub Advisory Database is for a vulnerability in open source projects or for malicious open source software.

A vulnerability is a problem in a project's code that could be exploited to damage the confidentiality, integrity, or availability of that project or of other projects that use its code. Vulnerabilities vary in type, severity, and method of attack. Vulnerabilities in code are usually introduced by accident and fixed soon after they are discovered. You should update your code to use the fixed version of the dependency as soon as it is available.

In contrast, malicious software, or malware, is code that is intentionally designed to perform unwanted or harmful functions. The malware may target hardware, software, confidential data, or users of any application that uses the malware. You need to remove the malware from your project and find an alternative, more secure replacement for the dependency.

GitHub-reviewed advisories

GitHub-reviewed advisories are security vulnerabilities or malware that have been mapped to packages in ecosystems we support. We carefully review each advisory for validity and ensure that they have a full description, and contain both ecosystem and package information.

Generally, we name our supported ecosystems after the software programming language's associated package registry. We review advisories if they are for a vulnerability in a package that comes from a supported registry.

If you have a suggestion for a new ecosystem we should support, please open an issue for discussion.

If you enable Dependabot alerts for your repositories, you are automatically notified when a new GitHub-reviewed advisory reports a vulnerability or malware for a package you depend on. For more information, see "About Dependabot alerts."

Unreviewed advisories

Unreviewed advisories are security vulnerabilities that we publish automatically into the GitHub Advisory Database, directly from the National Vulnerability Database feed.

Dependabot doesn't create Dependabot alerts for unreviewed advisories, because this type of advisory isn't checked for validity or completeness.

About information in security advisories

Each security advisory contains information about the vulnerability or malware, which may include the description, severity, affected package, package ecosystem, affected versions and patched versions, impact, and optional information such as references, workarounds, and credits. In addition, advisories from the National Vulnerability Database list contain a link to the CVE record, where you can read more details about the vulnerability, its CVSS scores, and its qualitative severity level. For more information, see the "National Vulnerability Database" from the National Institute of Standards and Technology.

The following four possible severity levels are defined in section 5 of the Common Vulnerability Scoring System (CVSS).

  • Critical

The GitHub Advisory Database uses the CVSS levels described above. If GitHub obtains a CVE, the GitHub Advisory Database uses CVSS version 3.1. If the CVE is imported, the GitHub Advisory Database supports both CVSS version 3.0 and 3.1.

You can also join GitHub Security Lab to browse security topics and contribute to security tools and projects.

Accessing an advisory in the GitHub Advisory Database

  1. Navigate to https://github.com/advisories.

  2. Optionally, to filter the list, use any of the drop-down menus.

    Tip: You can use the sidebar on the left to explore GitHub-reviewed advisories and unreviewed advisories separately.

  3. Click an advisory to view details. By default, you will see GitHub-reviewed advisories for security vulnerabilities. To show malware advisories, use type:malware in the search bar.

You can also access the database using the GraphQL API. By default, queries will return GitHub-reviewed advisories for security vulnerabilities unless you specify type:malware. For more information, see the "security_advisory webhook event."
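The GraphQL route described above, as an added example that is not code from the GitHub docs: it builds a query against the `securityAdvisories` connection, can send it to the public GraphQL endpoint with a token from the GITHUB_TOKEN environment variable, and flattens the response into one record per advisory, dropping withdrawn advisories and flagging packages that have no patched version. The field and argument names (`ghsaId`, `severity`, `identifiers`, `vulnerabilities`, `firstPatchedVersion`, `publishedSince`, `classifications`) are written from my understanding of the public schema and are assumptions to verify against the GraphQL API reference; the sample response is constructed, not real advisory data.

```python
"""Query the GitHub Advisory Database over GraphQL and summarise the result.

Added example, not code from the GitHub docs. Field and argument names are
assumed to match the public GraphQL schema; check them against the reference.
"""
import json
import os
import urllib.request

GRAPHQL_ENDPOINT = "https://api.github.com/graphql"

# With $classifications left null the API returns the default set, which is
# GitHub-reviewed vulnerability advisories; passing ["MALWARE"] mirrors the
# web search's type:malware (argument name assumed).
ADVISORY_QUERY = """
query($first: Int!, $since: DateTime, $classifications: [SecurityAdvisoryClassification!]) {
  securityAdvisories(first: $first, publishedSince: $since, classifications: $classifications) {
    nodes {
      ghsaId
      summary
      severity
      publishedAt
      withdrawnAt
      identifiers { type value }
      vulnerabilities(first: 10) {
        nodes {
          package { ecosystem name }
          vulnerableVersionRange
          firstPatchedVersion { identifier }
        }
      }
    }
  }
}
"""


def fetch_advisories(first=50, since=None, classifications=None, token=None):
    """POST the query to the GraphQL endpoint and return the decoded JSON.

    This is the only network call; the summariser below runs offline.
    """
    token = token or os.environ["GITHUB_TOKEN"]
    body = json.dumps({
        "query": ADVISORY_QUERY,
        "variables": {"first": first, "since": since, "classifications": classifications},
    }).encode()
    req = urllib.request.Request(
        GRAPHQL_ENDPOINT, data=body, method="POST",
        headers={"Authorization": f"bearer {token}", "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def summarise(response):
    """Flatten a GraphQL response into one dict per advisory.

    Withdrawn advisories are skipped; `unpatched` is True when any affected
    package has no first patched version, i.e. upgrading alone will not fix it.
    """
    records = []
    for adv in response["data"]["securityAdvisories"]["nodes"]:
        if adv.get("withdrawnAt"):
            continue
        cves = [i["value"] for i in adv.get("identifiers", []) if i["type"] == "CVE"]
        packages = [
            {
                "ecosystem": v["package"]["ecosystem"],
                "name": v["package"]["name"],
                "vulnerable": v["vulnerableVersionRange"],
                "patched": (v.get("firstPatchedVersion") or {}).get("identifier"),
            }
            for v in adv["vulnerabilities"]["nodes"]
        ]
        records.append({
            "ghsa": adv["ghsaId"],
            "severity": adv["severity"],
            "cves": cves,
            "packages": packages,
            "unpatched": any(p["patched"] is None for p in packages),
        })
    return records


# Constructed sample response (placeholder IDs, not real advisories) so that
# summarise() can be exercised without network access.
SAMPLE_RESPONSE = json.loads("""
{"data": {"securityAdvisories": {"nodes": [
  {"ghsaId": "GHSA-xxxx-xxxx-xxx1", "summary": "Prototype pollution (constructed)",
   "severity": "CRITICAL", "publishedAt": "2021-01-13T00:00:00Z", "withdrawnAt": null,
   "identifiers": [{"type": "GHSA", "value": "GHSA-xxxx-xxxx-xxx1"},
                   {"type": "CVE", "value": "CVE-0000-0001"}],
   "vulnerabilities": {"nodes": [
     {"package": {"ecosystem": "NPM", "name": "example-lib"},
      "vulnerableVersionRange": "< 4.17.0",
      "firstPatchedVersion": {"identifier": "4.17.0"}}]}},
  {"ghsaId": "GHSA-xxxx-xxxx-xxx2", "summary": "Malicious package (constructed)",
   "severity": "HIGH", "publishedAt": "2021-02-01T00:00:00Z", "withdrawnAt": null,
   "identifiers": [{"type": "GHSA", "value": "GHSA-xxxx-xxxx-xxx2"}],
   "vulnerabilities": {"nodes": [
     {"package": {"ecosystem": "PIP", "name": "example-typosquat"},
      "vulnerableVersionRange": "<= 1.0.0", "firstPatchedVersion": null}]}},
  {"ghsaId": "GHSA-xxxx-xxxx-xxx3", "summary": "Withdrawn (constructed)",
   "severity": "LOW", "publishedAt": "2021-03-01T00:00:00Z",
   "withdrawnAt": "2021-03-05T00:00:00Z", "identifiers": [], "vulnerabilities": {"nodes": []}}
]}}}
""")

if __name__ == "__main__":
    for rec in summarise(SAMPLE_RESPONSE):
        print(rec["ghsa"], rec["severity"], "unpatched" if rec["unpatched"] else "patched")
```

The `unpatched` flag is the part worth keeping an eye on: a malware advisory typically has no patched version, which matches the page's advice that the remedy is removal and replacement rather than an upgrade.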

Editing an advisory in the GitHub Advisory Database

You can suggest improvements to any advisory in the GitHub Advisory Database. For more information, see "Editing security advisories in the GitHub Advisory Database."

Searching the GitHub Advisory Database

You can search the database, and use qualifiers to narrow your search. For example, you can search for advisories created on a certain date, in a specific ecosystem, or in a particular library.

Date formatting must follow the ISO 8601 standard, which is YYYY-MM-DD (year-month-day). You can also add optional time information, THH:MM:SS+00:00, after the date to search by the hour, minute, and second. That's T, followed by HH:MM:SS (hours-minutes-seconds), and a UTC offset (+00:00).

When you search for a date, you can use greater than, less than, and range qualifiers to further filter results. For more information, see "Understanding the search syntax."

Qualifier examples

type:reviewed
  type:reviewed will show GitHub-reviewed advisories for security vulnerabilities.

type:malware
  type:malware will show GitHub-reviewed advisories for malware.

type:unreviewed
  type:unreviewed will show unreviewed advisories.

GHSA-ID
  GHSA-49wp-qq6x-g2rf will show the advisory with this GitHub Advisory Database ID.

CVE-ID
  CVE-2020-28482 will show the advisory with this CVE ID number.

ecosystem:ECOSYSTEM
  ecosystem:npm will show only advisories affecting NPM packages.

severity:LEVEL
  severity:high will show only advisories with a high severity level.

affects:LIBRARY
  affects:lodash will show only advisories affecting the lodash library.

cwe:ID
  cwe:352 will show only advisories with this CWE number.

credit:USERNAME
  credit:octocat will show only advisories credited to the "octocat" user account.

sort:created-asc
  sort:created-asc will sort advisories by creation date, with the oldest first.

sort:created-desc
  sort:created-desc will sort advisories by creation date, with the newest first.

sort:updated-asc
  sort:updated-asc will sort advisories by update date, with the least recently updated first.

sort:updated-desc
  sort:updated-desc will sort advisories by update date, with the most recently updated first.

is:withdrawn
  is:withdrawn will show only advisories that have been withdrawn.

created:YYYY-MM-DD
  created:2021-01-13 will show only advisories created on this date.

updated:YYYY-MM-DD
  updated:2021-01-13 will show only advisories updated on this date.
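The search syntax above (the date format and comparison forms, and the qualifier table), as an added example that is not code from the GitHub docs: a small query builder that validates the qualifiers a script would most often get wrong, in particular the ISO 8601 date values with their optional time and the `>`, `>=`, `<`, `<=` and `A..B` forms, and then produces the URL for the advisories page. It assumes the advisories page accepts the search text in a `query` URL parameter (an assumption; compare with the address bar after a manual search), and its GHSA and CVE identifier patterns are deliberately loose shape checks, not the authoritative formats.

```python
"""Build and validate GitHub Advisory Database search queries.

Added example, not GitHub's own code. The `query` URL parameter is assumed.
"""
import re
from urllib.parse import urlencode

ADVISORIES_URL = "https://github.com/advisories"  # search page from the doc

# ISO 8601 date as the page describes it: YYYY-MM-DD, optionally followed by
# THH:MM:SS and a UTC offset such as +00:00.
_DATE = r"\d{4}-\d{2}-\d{2}(?:T\d{2}:\d{2}:\d{2}[+-]\d{2}:\d{2})?"
# A date value may carry a comparison prefix or be a range (A..B).
_DATE_VALUE_RE = re.compile(rf"^(?:(?:>=|<=|>|<)?{_DATE}|{_DATE}\.\.{_DATE})$")

# Loose shape checks only (assumed), enough to catch obvious typos.
_GHSA_RE = re.compile(r"^GHSA-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4}$")
_CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")

DATE_QUALIFIERS = {"created", "updated"}
TYPE_VALUES = {"reviewed", "unreviewed", "malware"}
SORT_VALUES = {"created-asc", "created-desc", "updated-asc", "updated-desc"}
KNOWN_QUALIFIERS = DATE_QUALIFIERS | {
    "type", "sort", "ecosystem", "severity", "affects", "cwe", "credit", "is",
}


class QualifierError(ValueError):
    """Raised for a qualifier or value the search syntax on the page does not describe."""


def validate_qualifier(name, value):
    """Return `name:value` if the pair is well formed, else raise QualifierError."""
    if name not in KNOWN_QUALIFIERS:
        raise QualifierError(f"unknown qualifier: {name}")
    if name in DATE_QUALIFIERS and not _DATE_VALUE_RE.match(value):
        raise QualifierError(f"{name}: expected YYYY-MM-DD[THH:MM:SS+00:00], "
                             f"optionally with >, >=, <, <= or A..B: {value!r}")
    if name == "type" and value not in TYPE_VALUES:
        raise QualifierError(f"type: expected one of {sorted(TYPE_VALUES)}: {value!r}")
    if name == "sort" and value not in SORT_VALUES:
        raise QualifierError(f"sort: expected one of {sorted(SORT_VALUES)}: {value!r}")
    if name == "cwe" and not value.isdigit():
        raise QualifierError(f"cwe: expected a numeric CWE id: {value!r}")
    if name == "is" and value != "withdrawn":
        raise QualifierError(f"is: only 'withdrawn' is described: {value!r}")
    return f"{name}:{value}"


def build_query(*terms, **qualifiers):
    """Join free-text terms (GHSA/CVE ids or words) and qualifiers into one query string."""
    parts = []
    for term in terms:
        if _GHSA_RE.match(term) or _CVE_RE.match(term) or " " not in term:
            parts.append(term)
        else:
            parts.append(f'"{term}"')  # quote multi-word free text
    for name, value in qualifiers.items():
        parts.append(validate_qualifier(name, str(value)))
    return " ".join(parts)


def search_url(query):
    """URL for the advisories page carrying the query (parameter name assumed)."""
    return f"{ADVISORIES_URL}?{urlencode({'query': query})}"


if __name__ == "__main__":
    q = build_query(type="malware", ecosystem="npm", created=">=2021-01-13T00:00:00+00:00")
    print(q)
    print(search_url(q))
```

Validating the date value before submitting matters more than it looks: a value in the wrong format does not error out on the search page, it simply matches nothing, which is easy to mistake for "no advisories in that window."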

Viewing your vulnerable repositories

For any GitHub-reviewed advisory in the GitHub Advisory Database, you can see which of your repositories are affected by that security vulnerability or malware. To see a vulnerable repository, you must have access to Dependabot alerts for that repository. For more information, see "About Dependabot alerts."

  1. Navigate to https://github.com/advisories.
  2. Click an advisory.
  3. At the top of the advisory page, click Dependabot alerts.
  4. Optionally, to filter the list, use the search bar or the drop-down menus. The "Organization" drop-down menu allows you to filter the Dependabot alerts by owner (organization or user).
  5. For more details about the advisory, and for advice on how to fix the vulnerable repository, click the repository name.

Further reading