Skip to main content

此版本的 GitHub Enterprise 已停止服务 2022-10-12. 即使针对重大安全问题,也不会发布补丁。 为了获得更好的性能、更高的安全性和新功能,请升级到最新版本的 GitHub Enterprise。 如需升级帮助,请联系 GitHub Enterprise 支持

Troubleshooting the detection of vulnerable dependencies

If the dependency information reported by GitHub Enterprise Server is not what you expected, there are a number of points to consider, and various things you can check.

GitHub Enterprise Server 报告的依赖项检测结果可能不同于其他工具返回的结果。 这是有原� 的,它有助于了解 GitHub 如何确定项目的依赖项。

Why do some dependencies seem to be missing?

GitHub generates and displays dependency data differently than other tools. Consequently, if you've been using another tool to identify dependencies you will almost certainly see different results. Consider the following:

  • GitHub Advisory Database is one of the data sources that GitHub uses to identify vulnerable dependencies. It's a free, curated database of security advisories for common package ecosystems on GitHub. It includes both data reported directly to GitHub from GitHub Security Advisories, as well as official feeds and community sources. This data is reviewed and curated by GitHub to ensure that false or unactionable information is not shared with the development community. 有关详细信息,请参阅“在 GitHub Advisory Database 中浏览安全公告”。
  • The dependency graph parses all known package manifest files in a user’s repository. For example, for npm it will parse the package-lock.json file. It constructs a graph of all of the repository’s dependencies and public dependents. This happens when you enable the dependency graph and when anyone pushes to the default branch, and it includes commits that makes changes to a supported manifest format. For more information, see "About the dependency graph" and "Troubleshooting the dependency graph."
  • Dependabot scans any push, to the default branch, that contains a manifest file. When a new advisory is added, it scans all existing repositories and generates an alert for each repository that is affected. Dependabot alerts are aggregated at the repository level, rather than creating one alert per advisory. For more information, see "About Dependabot alerts."
  • Dependabot doesn't scan repositories on a schedule, but rather when something changes. For example, a scan is triggered when a new dependency is added (GitHub checks for this on every push), or when a new advisory is added to the database and synchronized to your GitHub Enterprise Server instance. For more information, see "About Dependabot alerts."

Do Dependabot alerts only relate to insecure dependencies in manifests and lockfiles?

Dependabot alerts advise you about dependencies you should update, including transitive dependencies, where the version can be determined from a manifest or a lockfile.

Check: Is the uncaught vulnerability for a component that's not specified in the repository's manifest or lockfile?

Why don't I get Dependabot alerts for some ecosystems?

Dependabot alerts are supported for a set of ecosystems where we can provide high-quality, actionable data. Curated advisories in the GitHub Advisory Database, the dependency graph, and Dependabot alerts are provided for several ecosystems, including Java’s Maven, JavaScript’s npm and Yarn, .NET’s NuGet, Python’s pip, Ruby's RubyGems, and PHP’s Composer. We'll continue to add support for more ecosystems over time. For an overview of the package ecosystems that we support, see "About the dependency graph."

It's worth noting that security advisories may exist for other ecosystems. The information in an unreviewed security advisory is provided by the maintainers of a particular repository. This data is not curated by GitHub. 有关详细信息,请参阅“在 GitHub Advisory Database 中浏览安全公告”。

Check: Does the uncaught vulnerability apply to an unsupported ecosystem?

Does Dependabot generate alerts for vulnerabilities that have been known for many years?

The GitHub Advisory Database was launched in November 2019, and initially back-filled to include advisories for security risks in the supported ecosystems, starting from 2017. When adding CVEs to the database, we prioritize curating newer CVEs, and CVEs affecting newer versions of software.

Some information on older vulnerabilities is available, especially where these CVEs are particularly widespread, however some old vulnerabilities are not included in the GitHub Advisory Database. If there's a specific old vulnerability that you need to be included in the database, contact � 的网站管理员.

Check: Does the uncaught vulnerability have a publish date earlier than 2017 in the National Vulnerability Database?

Why does GitHub Advisory Database use a subset of published vulnerability data?

Some third-party tools use uncurated CVE data that isn't checked or filtered by a human. This means that CVEs with tagging or severity errors, or other quality issues, will cause more frequent, more noisy, and less useful alerts.

Since Dependabot uses curated data in the GitHub Advisory Database, the volume of alerts may be lower, but the alerts you do receive will be accurate and relevant.

Further reading