注意： Dependabot 安全和版本更新目前处于私密测试阶段，可能会发生更改。 请联系您的客户管理团队，以获取有关启用 Dependabot 更新的说明。
GitHub Enterprise Server 报告的依赖项检测结果可能不同于其他工具返回的结果。 这是有原因的，它有助于了解 GitHub 如何确定项目的依赖项。
GitHub generates and displays dependency data differently than other tools. Consequently, if you've been using another tool to identify dependencies you will almost certainly see different results. Consider the following:
GitHub Advisory Database is one of the data sources that GitHub uses to identify vulnerable dependencies. It's a free, curated database of vulnerability information for common package ecosystems on GitHub. It includes both data reported directly to GitHub from GitHub Security Advisories, as well as official feeds and community sources. This data is reviewed and curated by GitHub to ensure that false or unactionable information is not shared with the development community. For more information about advisory data, see "Browsing security vulnerabilities in the GitHub Advisory Database" in the GitHub.com documentation.
The dependency graph parses all known package manifest files in a user’s repository. For example, for npm it will parse the package-lock.json file. It constructs a graph of all of the repository’s dependencies and public dependents. This happens when you enable the dependency graph and when anyone pushes to the default branch, and it includes commits that makes changes to a supported manifest format. For more information, see "About the dependency graph" and "Troubleshooting the dependency graph."
Dependabot scans any push, to the default branch, that contains a manifest file. When a new vulnerability record is added, it scans all existing repositories and generates an alert for each vulnerable repository. Dependabot 警报 are aggregated at the repository level, rather than creating one alert per vulnerability. For more information, see "About Dependabot 警报."
Dependabot 安全更新 are triggered when you receive an alert about a vulnerable dependency in your repository. Where possible, Dependabot creates a pull request in your repository to upgrade the vulnerable dependency to the minimum possible secure version needed to avoid the vulnerability. For more information, see "About Dependabot 安全更新" and "Troubleshooting Dependabot errors."
Dependabot doesn't scan repositories for vulnerable dependencies on a schedule, but rather when something changes. For example, a scan is triggered when a new dependency is added (GitHub checks for this on every push), or when a new vulnerability is added to the advisory database and synchronized to 您的 GitHub Enterprise Server 实例. For more information, see "About Dependabot 警报."
Dependabot 警报 advise you about dependencies you should update, including transitive dependencies, where the version can be determined from a manifest or a lockfile. Dependabot 安全更新 only suggest a change where Dependabot can directly "fix" the dependency, that is, when these are:
- Direct dependencies explicitly declared in a manifest or lockfile
- Transitive dependencies declared in a lockfile
Check: Is the uncaught vulnerability for a component that's not specified in the repository's manifest or lockfile?
It's worth noting that GitHub Security Advisories may exist for other ecosystems. The information in a security advisory is provided by the maintainers of a particular repository. This data is not curated in the same way as information for the supported ecosystems.
Check: Does the uncaught vulnerability apply to an unsupported ecosystem?
The GitHub Advisory Database was launched in November 2019, and initially back-filled to include vulnerability information for the supported ecosystems, starting from 2017. When adding CVEs to the database, we prioritize curating newer CVEs, and CVEs affecting newer versions of software.
Some information on older vulnerabilities is available, especially where these CVEs are particularly widespread, however some old vulnerabilities are not included in the GitHub Advisory Database. If there's a specific old vulnerability that you need to be included in the database, contact 您的网站管理员.
Check: Does the uncaught vulnerability have a publish date earlier than 2017 in the National Vulnerability Database?
Some third-party tools use uncurated CVE data that isn't checked or filtered by a human. This means that CVEs with tagging or severity errors, or other quality issues, will cause more frequent, more noisy, and less useful alerts.
Since Dependabot uses curated data in the GitHub Advisory Database, the volume of alerts may be lower, but the alerts you do receive will be accurate and relevant.