
发布安全通告

You can publish a security advisory to alert your community about a security vulnerability in your project.


Anyone with admin permissions to a security advisory can publish the security advisory.

Prerequisites

Before you can publish a security advisory or request a CVE identification number, you must create a draft security advisory and provide information about the versions of your project affected by the security vulnerability. For more information, see "Creating a security advisory."

If you've created a security advisory but haven't yet provided details about the versions of your project affected by the security vulnerability, you can edit the security advisory. For more information, see "Editing a security advisory."

About publishing a security advisory

When you publish a security advisory, you notify your community about the security vulnerability that the security advisory addresses. Publishing a security advisory makes it easier for your community to update package dependencies and research the impact of the security vulnerability.

You can also use GitHub Security Advisories to republish details about a security vulnerability that has already been disclosed elsewhere, by copying and pasting the details of the vulnerability into a new security advisory.

Before you publish a security advisory, you can privately collaborate to fix the vulnerability in a temporary private fork. For more information, see "Collaborating in a temporary private fork to resolve a security vulnerability."

When you publish a draft advisory from a public repository, everyone is able to see:

  • The current version of the advisory data.
  • Any advisory credits that the credited users have accepted.

Note: The general public will never have access to the edit history of the advisory, and will only see the published version.

After you publish a security advisory, the URL for the security advisory remains the same as it was before publication. Anyone with read access to the repository can see the security advisory. Collaborators on the security advisory can continue to view past conversations, including the full comment stream, in the security advisory unless someone with admin permissions removes the collaborator from the security advisory.

If you need to update or correct information in a published security advisory, you can edit the security advisory. For more information, see "Editing a security advisory."

Requesting a CVE identification number

Anyone with admin permissions to a security advisory can request a CVE identification number for the security advisory.

If there isn't already a CVE identification number for the security vulnerability in your project, you can request a CVE identification number from GitHub. GitHub usually reviews the request within 72 hours. Requesting a CVE identification number doesn't make your security advisory public. If your security advisory is eligible for a CVE, GitHub will reserve a CVE identification number for your advisory. We'll then publish the CVE details after you publish the security advisory. For more information, see "About GitHub Security Advisories."

  1. On GitHub, navigate to the main page of the repository.
  2. Under your repository name, click Security.
    [Screenshot: Security tab]
  3. In the left sidebar, click Security advisories.
    [Screenshot: Security advisories tab]
  4. In the "Security Advisories" list, click the security advisory you'd like to request a CVE identification number for.
    [Screenshot: Security advisory in list]
  5. Use the Publish advisory drop-down menu, then click Request CVE.
    [Screenshot: "Request CVE" in drop-down]
  6. Click Request CVE.
    [Screenshot: Request CVE button]

Publishing a security advisory

Publishing a security advisory deletes the temporary private fork for the security advisory.

  1. On GitHub, navigate to the main page of the repository.
  2. Under your repository name, click Security.
    [Screenshot: Security tab]
  3. In the left sidebar, click Security advisories.
    [Screenshot: Security advisories tab]
  4. In the "Security Advisories" list, click the security advisory you'd like to publish.
    [Screenshot: Security advisory in list]
  5. At the bottom of the page, click Publish advisory.
    [Screenshot: Publish advisory button]
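The two procedures above (requesting a CVE, then publishing) can also be driven without the web UI. The script below is an added example, not part of this page or GitHub's own tooling; it assumes the GitHub REST API's repository security advisory endpoints (`.../security-advisories/{ghsa_id}/cve` to request a CVE and `PATCH .../security-advisories/{ghsa_id}` with `state=published` to publish) as they exist in the public API, and uses the `gh` CLI to call them. OWNER, REPO and the GHSA id are placeholders. It also enforces the page's prerequisite, refusing to publish an advisory that has no affected-version data, and supports a dry run so the calls can be inspected before anything is changed.

```shell
#!/usr/bin/env sh
# Added example (not from the GitHub docs): request a CVE for a draft
# repository security advisory, then publish it, via the GitHub REST API.
# Assumption: the endpoints below match the public "Repository security
# advisories" REST API. Requires an authenticated `gh` CLI for the live path.
set -eu

# REST path for requesting a CVE for an advisory (assumed endpoint).
cve_request_path() {
  printf 'repos/%s/%s/security-advisories/%s/cve' "$1" "$2" "$3"
}

# REST path for reading or updating an advisory (assumed endpoint).
advisory_path() {
  printf 'repos/%s/%s/security-advisories/%s' "$1" "$2" "$3"
}

# Mirror the page's prerequisite: affected versions must be filled in before
# publishing. Input is the advisory JSON as returned by the API; prints "ok"
# when at least one vulnerability entry carries a non-empty
# vulnerable_version_range, otherwise "missing". (Plain grep is used so the
# check runs without jq; the field name is taken from the public API schema.)
publish_prerequisite_met() {
  printf '%s' "$1" \
    | grep -q '"vulnerable_version_range"[[:space:]]*:[[:space:]]*"[^"]' \
    && echo ok || echo missing
}

# Usage: ./advisory.sh OWNER REPO GHSA-xxxx-xxxx-xxxx [--dry-run]
main() {
  owner=$1; repo=$2; ghsa=$3; mode=${4:-}

  if [ "$mode" = "--dry-run" ]; then
    # Show the calls that would be made; nothing is sent to GitHub.
    echo "POST  $(cve_request_path "$owner" "$repo" "$ghsa")"
    echo "PATCH $(advisory_path "$owner" "$repo" "$ghsa")  state=published"
    return 0
  fi

  advisory=$(gh api "$(advisory_path "$owner" "$repo" "$ghsa")")
  if [ "$(publish_prerequisite_met "$advisory")" != ok ]; then
    echo "advisory $ghsa has no affected versions; edit it before publishing" >&2
    return 1
  fi

  # Step 1: reserve a CVE. This does not make the advisory public.
  gh api -X POST "$(cve_request_path "$owner" "$repo" "$ghsa")"

  # Step 2: publish. Note this deletes the temporary private fork.
  gh api -X PATCH "$(advisory_path "$owner" "$repo" "$ghsa")" -f state=published
}

# Run main only when executed as advisory.sh, so the functions can be sourced.
case "${0##*/}" in advisory.sh) main "$@" ;; esac
```

Run `./advisory.sh OWNER REPO GHSA-xxxx-xxxx-xxxx --dry-run` first to see the two requests; the live path needs a token with write access to the repository's security advisories, matching the admin permission the page requires for the UI.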

GitHub Dependabot alerts for published security advisories

GitHub will review each published security advisory, add it to the GitHub Advisory Database, and may use the security advisory to send GitHub Dependabot alerts to affected repositories. If the security advisory comes from a fork, we only send an alert if the fork owns a package published under a unique name on a public package registry. This process may take up to 72 hours, and GitHub may contact you for more information.


Further reading
