Browsing security vulnerabilities in the GitHub Advisory Database

The GitHub Advisory Database allows you to browse or search for vulnerabilities that affect open source projects on GitHub.

En este artículo

About security vulnerabilities

Una vulnerabilidad es un problema en el código de un proyecto que se puede aprovechar para dañar la confidencialidad, la integridad o la disponibilidad del proyecto o de otros proyectos que usan su código. Las vulnerabilidades varían en tipo, severidad y método de ataque.

GitHub will send you Alertas del Dependabot de GitHub if we detect that any of the vulnerabilities from the GitHub Advisory Database affect the packages that your repository depends on. For more information, see "About alerts for vulnerable dependencies."

About the GitHub Advisory Database

The GitHub Advisory Database contains a curated list of security vulnerabilities that have been mapped to packages tracked by the GitHub dependency graph. Agregamos vulnerabilidades a la GitHub Advisory Database desde las siguientes fuentes:

Each security advisory contains information about the vulnerability, including the description, severity, affected package, package ecosystem, affected versions and patched versions, impact, and optional information such as references, workarounds, and credits. In addition, advisories from the National Vulnerability Database list contain a link to the CVE record, where you can read more details about the vulnerability, its CVSS scores, and its qualitative severity level. For more information, see the "National Vulnerability Database" from the National Institute of Standards and Technology.

The severity level is one of four possible levels defined in the "Common Vulnerability Scoring System (CVSS), Section 5."

  • Low
  • Medium/Moderate
  • High
  • Critical

The GitHub Advisory Database uses the CVSS levels described above. If GitHub obtains a CVE, the GitHub Advisory Database uses CVSS version 3.1. If the CVE is imported, the GitHub Advisory Database supports both CVSS versions 3.0 and 3.1.

También puedes unirte a GitHub Security Lab para buscar temas relacionados con seguridad y contribuir con las herramientas y proyectos de seguridad.

Accessing an advisory in the GitHub Advisory Database

  1. Navigate to https://github.com/advisories.
  2. Optionally, to filter the list, use any of the drop-down menus. Dropdown filters
  3. Click on any advisory to view details.

The database is also accessible using the GraphQL API. For more information, see the "security_advisory webhook event."

Searching the GitHub Advisory Database

You can search the database, and use qualifiers to narrow your search. For example, you can search for advisories created on a certain date, in a specific ecosystem, or in a particular library.

El formato de fecha debe seguir el estándar ISO8601, el cual es YYYY-MM-DD (año-mes-día). También puedes agregar información de tiempo ocpional THH:MM:SS+00:00 después de la fecha, para buscar por hora, minuto y segundo. Se hace agregando T, seguido de HH:MM:SS (hora-minutos-segundos), y un intervalo de UTC (+00:00).

Las fechas son compatibles con calificadores de mayor qué, menor qué y rango.

QualifierExample
GHSA-IDGHSA-49wp-qq6x-g2rf will show the advisory with this GitHub Advisory Database ID.
CVE-IDCVE-2020-28482 will show the advisory with this CVE ID number.
ecosystem:ECOSYSTEMecosystem:npm will show only advisories affecting NPM packages.
severity:LEVELseverity:high will show only advisories with a high severity level.
affects:LIBRARYaffects:lodash will show only advisories affecting the lodash library.
cwe:IDcwe:352 will show only advisories with this CWE number.
credit:USERNAMEcredit:octocat will show only advisories credited to the "octocat" user account.
sort:created-ascsort:created-asc will sort by the oldest advisories first.
sort:created-descsort:created-desc will sort by the newest advisories first.
sort:updated-ascsort:updated-asc will sort by the least recently updated first.
sort:updated-descsort:updated-desc will sort by the most recently updated first.
is:withdrawnis:withdrawn will show only advisories that have been withdrawn.
created:YYYY-MM-DDcreated:2021-01-13 will show only advisories created on this date.
updated:YYYY-MM-DDupdated:2021-01-13 will show only advisories updated on this date.

Viewing your vulnerable repositories

For any vulnerability in the GitHub Advisory Database, you can see which of your repositories have a Dependabot de GitHub alert for that vulnerability. To see a vulnerable repository, you must have access to Alertas del Dependabot de GitHub for that repository. For more information, see "About alerts for vulnerable dependencies."

  1. Navigate to https://github.com/advisories.
  2. Click an advisory.
  3. At the top of the advisory page, click Dependabot alerts. Dependabot alerts
  4. Optionally, to filter the list, use the search bar or the drop-down menus. The "Organization" drop-down menu allows you to filter the Alertas del Dependabot de GitHub per owner (organization or user). Search bar and drop-down menus to filter alerts
  5. For more details about the vulnerability, and for advice on how to fix the vulnerable repository, click the repository name.

Further reading

Did this doc help you?Privacy policy

Help us make these docs great!

All GitHub docs are open source. See something that's wrong or unclear? Submit a pull request.

Make a contribution

O, learn how to contribute.