Puntos de conexión de la API de REST para Dependabot alerts
Usa la API REST para interactuar con alertas de Dependabot en un repositorio.
Nota: La capacidad de usar la API REST para administrar las alertas de Dependabot está actualmente en beta y sujeta a cambios.
Acerca de Dependabot alerts
Puedes ver alertas de Dependabot de un repositorio y actualizar alertas individuales con la API REST. Para obtener más información, vea «Acerca de las alertas Dependabot».
List Dependabot alerts for an enterprise
Lists Dependabot alerts for repositories that are owned by the specified enterprise.
The authenticated user must be a member of the enterprise to use this endpoint.
Alerts are only returned for organizations in the enterprise for which you are an organization owner or a security manager. For more information about security managers, see "Managing security managers in your organization."
OAuth app tokens and personal access tokens (classic) need the repo
or security_events
scope to use this endpoint.
Tokens de acceso específicos para "List Dependabot alerts for an enterprise"
Este punto de conexión no funciona con tokens de acceso de usuario de aplicación de GitHub, tokens de acceso de instalación de aplicaciones de GitHub ni tokens de acceso personales específicos.
Parámetros para "List Dependabot alerts for an enterprise"
Nombre, Tipo, Descripción |
---|
accept string Setting to |
Nombre, Tipo, Descripción |
---|
enterprise string RequeridoThe slug version of the enterprise name. You can also substitute this value with the enterprise id. |
Nombre, Tipo, Descripción |
---|
state string A comma-separated list of states. If specified, only alerts with these states will be returned. Can be: |
severity string A comma-separated list of severities. If specified, only alerts with these severities will be returned. Can be: |
ecosystem string A comma-separated list of ecosystems. If specified, only alerts for these ecosystems will be returned. Can be: |
package string A comma-separated list of package names. If specified, only alerts for these packages will be returned. |
scope string The scope of the vulnerable dependency. If specified, only alerts with this scope will be returned. Puede ser uno de los siguientes: |
sort string The property by which to sort the results.
Valor predeterminado: Puede ser uno de los siguientes: |
direction string The direction to sort the results by. Valor predeterminado: Puede ser uno de los siguientes: |
before string A cursor, as given in the Link header. If specified, the query only searches for results before this cursor. For more information, see "Using pagination in the REST API." |
after string A cursor, as given in the Link header. If specified, the query only searches for results after this cursor. For more information, see "Using pagination in the REST API." |
first integer Deprecated. The number of results per page (max 100), starting from the first matching result.
This parameter must not be used in combination with Valor predeterminado: |
last integer Deprecated. The number of results per page (max 100), starting from the last matching result.
This parameter must not be used in combination with |
per_page integer The number of results per page (max 100). For more information, see "Using pagination in the REST API." Valor predeterminado: |
Códigos de estado de respuesta HTTP para "List Dependabot alerts for an enterprise"
status code | Descripción |
---|---|
200 | OK |
304 | Not modified |
403 | Forbidden |
404 | Resource not found |
422 | Validation failed, or the endpoint has been spammed. |
Ejemplos de código para "List Dependabot alerts for an enterprise"
Ejemplo de solicitud
curl -L \
-H "Accept: application/vnd.github+json" \
-H "Authorization: Bearer <YOUR-TOKEN>" \
-H "X-GitHub-Api-Version: 2022-11-28" \
http(s)://HOSTNAME/api/v3/enterprises/ENTERPRISE/dependabot/alerts
Response
Status: 200
[
{
"number": 2,
"state": "dismissed",
"dependency": {
"package": {
"ecosystem": "pip",
"name": "django"
},
"manifest_path": "path/to/requirements.txt",
"scope": "runtime"
},
"security_advisory": {
"ghsa_id": "GHSA-rf4j-j272-fj86",
"cve_id": "CVE-2018-6188",
"summary": "Django allows remote attackers to obtain potentially sensitive information by leveraging data exposure from the confirm_login_allowed() method, as demonstrated by discovering whether a user account is inactive",
"description": "django.contrib.auth.forms.AuthenticationForm in Django 2.0 before 2.0.2, and 1.11.8 and 1.11.9, allows remote attackers to obtain potentially sensitive information by leveraging data exposure from the confirm_login_allowed() method, as demonstrated by discovering whether a user account is inactive.",
"vulnerabilities": [
{
"package": {
"ecosystem": "pip",
"name": "django"
},
"severity": "high",
"vulnerable_version_range": ">= 2.0.0, < 2.0.2",
"first_patched_version": {
"identifier": "2.0.2"
}
},
{
"package": {
"ecosystem": "pip",
"name": "django"
},
"severity": "high",
"vulnerable_version_range": ">= 1.11.8, < 1.11.10",
"first_patched_version": {
"identifier": "1.11.10"
}
}
],
"severity": "high",
"cvss": {
"vector_string": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"score": 7.5
},
"cvss_severities": {
"cvss_v3": {
"vector_string": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"score": 7.5
},
"cvss_v4": {
"vector_string": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"score": 8.7
}
},
"cwes": [
{
"cwe_id": "CWE-200",
"name": "Exposure of Sensitive Information to an Unauthorized Actor"
}
],
"identifiers": [
{
"type": "GHSA",
"value": "GHSA-rf4j-j272-fj86"
},
{
"type": "CVE",
"value": "CVE-2018-6188"
}
],
"references": [
{
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-6188"
},
{
"url": "https://github.com/advisories/GHSA-rf4j-j272-fj86"
},
{
"url": "https://usn.ubuntu.com/3559-1/"
},
{
"url": "https://www.djangoproject.com/weblog/2018/feb/01/security-releases/"
},
{
"url": "http://www.securitytracker.com/id/1040422"
}
],
"published_at": "2018-10-03T21:13:54Z",
"updated_at": "2022-04-26T18:35:37Z",
"withdrawn_at": null
},
"security_vulnerability": {
"package": {
"ecosystem": "pip",
"name": "django"
},
"severity": "high",
"vulnerable_version_range": ">= 2.0.0, < 2.0.2",
"first_patched_version": {
"identifier": "2.0.2"
}
},
"url": "https://HOSTNAME/repos/octo-org/octo-repo/dependabot/alerts/2",
"html_url": "https://github.com/octo-org/octo-repo/security/dependabot/2",
"created_at": "2022-06-15T07:43:03Z",
"updated_at": "2022-08-23T14:29:47Z",
"dismissed_at": "2022-08-23T14:29:47Z",
"dismissed_by": {
"login": "octocat",
"id": 1,
"node_id": "MDQ6VXNlcjE=",
"avatar_url": "https://github.com/images/error/octocat_happy.gif",
"gravatar_id": "",
"url": "https://HOSTNAME/users/octocat",
"html_url": "https://github.com/octocat",
"followers_url": "https://HOSTNAME/users/octocat/followers",
"following_url": "https://HOSTNAME/users/octocat/following{/other_user}",
"gists_url": "https://HOSTNAME/users/octocat/gists{/gist_id}",
"starred_url": "https://HOSTNAME/users/octocat/starred{/owner}{/repo}",
"subscriptions_url": "https://HOSTNAME/users/octocat/subscriptions",
"organizations_url": "https://HOSTNAME/users/octocat/orgs",
"repos_url": "https://HOSTNAME/users/octocat/repos",
"events_url": "https://HOSTNAME/users/octocat/events{/privacy}",
"received_events_url": "https://HOSTNAME/users/octocat/received_events",
"type": "User",
"site_admin": false
},
"dismissed_reason": "tolerable_risk",
"dismissed_comment": "This alert is accurate but we use a sanitizer.",
"fixed_at": null,
"repository": {
"id": 217723378,
"node_id": "MDEwOlJlcG9zaXRvcnkyMTc3MjMzNzg=",
"name": "octo-repo",
"full_name": "octo-org/octo-repo",
"owner": {
"login": "octo-org",
"id": 6811672,
"node_id": "MDEyOk9yZ2FuaXphdGlvbjY4MTE2NzI=",
"avatar_url": "https://avatars3.githubusercontent.com/u/6811672?v=4",
"gravatar_id": "",
"url": "https://HOSTNAME/users/octo-org",
"html_url": "https://github.com/octo-org",
"followers_url": "https://HOSTNAME/users/octo-org/followers",
"following_url": "https://HOSTNAME/users/octo-org/following{/other_user}",
"gists_url": "https://HOSTNAME/users/octo-org/gists{/gist_id}",
"starred_url": "https://HOSTNAME/users/octo-org/starred{/owner}{/repo}",
"subscriptions_url": "https://HOSTNAME/users/octo-org/subscriptions",
"organizations_url": "https://HOSTNAME/users/octo-org/orgs",
"repos_url": "https://HOSTNAME/users/octo-org/repos",
"events_url": "https://HOSTNAME/users/octo-org/events{/privacy}",
"received_events_url": "https://HOSTNAME/users/octo-org/received_events",
"type": "Organization",
"site_admin": false
},
"private": true,
"html_url": "https://github.com/octo-org/octo-repo",
"description": null,
"fork": false,
"url": "https://HOSTNAME/repos/octo-org/octo-repo",
"archive_url": "https://HOSTNAME/repos/octo-org/octo-repo/{archive_format}{/ref}",
"assignees_url": "https://HOSTNAME/repos/octo-org/octo-repo/assignees{/user}",
"blobs_url": "https://HOSTNAME/repos/octo-org/octo-repo/git/blobs{/sha}",
"branches_url": "https://HOSTNAME/repos/octo-org/octo-repo/branches{/branch}",
"collaborators_url": "https://HOSTNAME/repos/octo-org/octo-repo/collaborators{/collaborator}",
"comments_url": "https://HOSTNAME/repos/octo-org/octo-repo/comments{/number}",
"commits_url": "https://HOSTNAME/repos/octo-org/octo-repo/commits{/sha}",
"compare_url": "https://HOSTNAME/repos/octo-org/octo-repo/compare/{base}...{head}",
"contents_url": "https://HOSTNAME/repos/octo-org/octo-repo/contents/{+path}",
"contributors_url": "https://HOSTNAME/repos/octo-org/octo-repo/contributors",
"deployments_url": "https://HOSTNAME/repos/octo-org/octo-repo/deployments",
"downloads_url": "https://HOSTNAME/repos/octo-org/octo-repo/downloads",
"events_url": "https://HOSTNAME/repos/octo-org/octo-repo/events",
"forks_url": "https://HOSTNAME/repos/octo-org/octo-repo/forks",
"git_commits_url": "https://HOSTNAME/repos/octo-org/octo-repo/git/commits{/sha}",
"git_refs_url": "https://HOSTNAME/repos/octo-org/octo-repo/git/refs{/sha}",
"git_tags_url": "https://HOSTNAME/repos/octo-org/octo-repo/git/tags{/sha}",
"hooks_url": "https://HOSTNAME/repos/octo-org/octo-repo/hooks",
"issue_comment_url": "https://HOSTNAME/repos/octo-org/octo-repo/issues/comments{/number}",
"issue_events_url": "https://HOSTNAME/repos/octo-org/octo-repo/issues/events{/number}",
"issues_url": "https://HOSTNAME/repos/octo-org/octo-repo/issues{/number}",
"keys_url": "https://HOSTNAME/repos/octo-org/octo-repo/keys{/key_id}",
"labels_url": "https://HOSTNAME/repos/octo-org/octo-repo/labels{/name}",
"languages_url": "https://HOSTNAME/repos/octo-org/octo-repo/languages",
"merges_url": "https://HOSTNAME/repos/octo-org/octo-repo/merges",
"milestones_url": "https://HOSTNAME/repos/octo-org/octo-repo/milestones{/number}",
"notifications_url": "https://HOSTNAME/repos/octo-org/octo-repo/notifications{?since,all,participating}",
"pulls_url": "https://HOSTNAME/repos/octo-org/octo-repo/pulls{/number}",
"releases_url": "https://HOSTNAME/repos/octo-org/octo-repo/releases{/id}",
"stargazers_url": "https://HOSTNAME/repos/octo-org/octo-repo/stargazers",
"statuses_url": "https://HOSTNAME/repos/octo-org/octo-repo/statuses/{sha}",
"subscribers_url": "https://HOSTNAME/repos/octo-org/octo-repo/subscribers",
"subscription_url": "https://HOSTNAME/repos/octo-org/octo-repo/subscription",
"tags_url": "https://HOSTNAME/repos/octo-org/octo-repo/tags",
"teams_url": "https://HOSTNAME/repos/octo-org/octo-repo/teams",
"trees_url": "https://HOSTNAME/repos/octo-org/octo-repo/git/trees{/sha}"
}
},
{
"number": 1,
"state": "open",
"dependency": {
"package": {
"ecosystem": "pip",
"name": "ansible"
},
"manifest_path": "path/to/requirements.txt",
"scope": "runtime"
},
"security_advisory": {
"ghsa_id": "GHSA-8f4m-hccc-8qph",
"cve_id": "CVE-2021-20191",
"summary": "Insertion of Sensitive Information into Log File in ansible",
"description": "A flaw was found in ansible. Credentials, such as secrets, are being disclosed in console log by default and not protected by no_log feature when using those modules. An attacker can take advantage of this information to steal those credentials. The highest threat from this vulnerability is to data confidentiality.",
"vulnerabilities": [
{
"package": {
"ecosystem": "pip",
"name": "ansible"
},
"severity": "medium",
"vulnerable_version_range": ">= 2.9.0, < 2.9.18",
"first_patched_version": {
"identifier": "2.9.18"
}
},
{
"package": {
"ecosystem": "pip",
"name": "ansible"
},
"severity": "medium",
"vulnerable_version_range": "< 2.8.19",
"first_patched_version": {
"identifier": "2.8.19"
}
},
{
"package": {
"ecosystem": "pip",
"name": "ansible"
},
"severity": "medium",
"vulnerable_version_range": ">= 2.10.0, < 2.10.7",
"first_patched_version": {
"identifier": "2.10.7"
}
}
],
"severity": "medium",
"cvss": {
"vector_string": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"score": 5.5
},
"cvss_severities": {
"cvss_v3": {
"vector_string": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"score": 5.5
},
"cvss_v4": {
"vector_string": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"score": 8.5
}
},
"cwes": [
{
"cwe_id": "CWE-532",
"name": "Insertion of Sensitive Information into Log File"
}
],
"identifiers": [
{
"type": "GHSA",
"value": "GHSA-8f4m-hccc-8qph"
},
{
"type": "CVE",
"value": "CVE-2021-20191"
}
],
"references": [
{
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-20191"
},
{
"url": "https://access.redhat.com/security/cve/cve-2021-20191"
},
{
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1916813"
}
],
"published_at": "2021-06-01T17:38:00Z",
"updated_at": "2021-08-12T23:06:00Z",
"withdrawn_at": null
},
"security_vulnerability": {
"package": {
"ecosystem": "pip",
"name": "ansible"
},
"severity": "medium",
"vulnerable_version_range": "< 2.8.19",
"first_patched_version": {
"identifier": "2.8.19"
}
},
"url": "https://HOSTNAME/repos/octo-org/hello-world/dependabot/alerts/1",
"html_url": "https://github.com/octo-org/hello-world/security/dependabot/1",
"created_at": "2022-06-14T15:21:52Z",
"updated_at": "2022-06-14T15:21:52Z",
"dismissed_at": null,
"dismissed_by": null,
"dismissed_reason": null,
"dismissed_comment": null,
"fixed_at": null,
"repository": {
"id": 664700648,
"node_id": "MDEwOlJlcG9zaXRvcnk2NjQ3MDA2NDg=",
"name": "hello-world",
"full_name": "octo-org/hello-world",
"owner": {
"login": "octo-org",
"id": 6811672,
"node_id": "MDEyOk9yZ2FuaXphdGlvbjY4MTE2NzI=",
"avatar_url": "https://avatars3.githubusercontent.com/u/6811672?v=4",
"gravatar_id": "",
"url": "https://HOSTNAME/users/octo-org",
"html_url": "https://github.com/octo-org",
"followers_url": "https://HOSTNAME/users/octo-org/followers",
"following_url": "https://HOSTNAME/users/octo-org/following{/other_user}",
"gists_url": "https://HOSTNAME/users/octo-org/gists{/gist_id}",
"starred_url": "https://HOSTNAME/users/octo-org/starred{/owner}{/repo}",
"subscriptions_url": "https://HOSTNAME/users/octo-org/subscriptions",
"organizations_url": "https://HOSTNAME/users/octo-org/orgs",
"repos_url": "https://HOSTNAME/users/octo-org/repos",
"events_url": "https://HOSTNAME/users/octo-org/events{/privacy}",
"received_events_url": "https://HOSTNAME/users/octo-org/received_events",
"type": "Organization",
"site_admin": false
},
"private": true,
"html_url": "https://github.com/octo-org/hello-world",
"description": null,
"fork": false,
"url": "https://HOSTNAME/repos/octo-org/hello-world",
"archive_url": "https://HOSTNAME/repos/octo-org/hello-world/{archive_format}{/ref}",
"assignees_url": "https://HOSTNAME/repos/octo-org/hello-world/assignees{/user}",
"blobs_url": "https://HOSTNAME/repos/octo-org/hello-world/git/blobs{/sha}",
"branches_url": "https://HOSTNAME/repos/octo-org/hello-world/branches{/branch}",
"collaborators_url": "https://HOSTNAME/repos/octo-org/hello-world/collaborators{/collaborator}",
"comments_url": "https://HOSTNAME/repos/octo-org/hello-world/comments{/number}",
"commits_url": "https://HOSTNAME/repos/octo-org/hello-world/commits{/sha}",
"compare_url": "https://HOSTNAME/repos/octo-org/hello-world/compare/{base}...{head}",
"contents_url": "https://HOSTNAME/repos/octo-org/hello-world/contents/{+path}",
"contributors_url": "https://HOSTNAME/repos/octo-org/hello-world/contributors",
"deployments_url": "https://HOSTNAME/repos/octo-org/hello-world/deployments",
"downloads_url": "https://HOSTNAME/repos/octo-org/hello-world/downloads",
"events_url": "https://HOSTNAME/repos/octo-org/hello-world/events",
"forks_url": "https://HOSTNAME/repos/octo-org/hello-world/forks",
"git_commits_url": "https://HOSTNAME/repos/octo-org/hello-world/git/commits{/sha}",
"git_refs_url": "https://HOSTNAME/repos/octo-org/hello-world/git/refs{/sha}",
"git_tags_url": "https://HOSTNAME/repos/octo-org/hello-world/git/tags{/sha}",
"hooks_url": "https://HOSTNAME/repos/octo-org/hello-world/hooks",
"issue_comment_url": "https://HOSTNAME/repos/octo-org/hello-world/issues/comments{/number}",
"issue_events_url": "https://HOSTNAME/repos/octo-org/hello-world/issues/events{/number}",
"issues_url": "https://HOSTNAME/repos/octo-org/hello-world/issues{/number}",
"keys_url": "https://HOSTNAME/repos/octo-org/hello-world/keys{/key_id}",
"labels_url": "https://HOSTNAME/repos/octo-org/hello-world/labels{/name}",
"languages_url": "https://HOSTNAME/repos/octo-org/hello-world/languages",
"merges_url": "https://HOSTNAME/repos/octo-org/hello-world/merges",
"milestones_url": "https://HOSTNAME/repos/octo-org/hello-world/milestones{/number}",
"notifications_url": "https://HOSTNAME/repos/octo-org/hello-world/notifications{?since,all,participating}",
"pulls_url": "https://HOSTNAME/repos/octo-org/hello-world/pulls{/number}",
"releases_url": "https://HOSTNAME/repos/octo-org/hello-world/releases{/id}",
"stargazers_url": "https://HOSTNAME/repos/octo-org/hello-world/stargazers",
"statuses_url": "https://HOSTNAME/repos/octo-org/hello-world/statuses/{sha}",
"subscribers_url": "https://HOSTNAME/repos/octo-org/hello-world/subscribers",
"subscription_url": "https://HOSTNAME/repos/octo-org/hello-world/subscription",
"tags_url": "https://HOSTNAME/repos/octo-org/hello-world/tags",
"teams_url": "https://HOSTNAME/repos/octo-org/hello-world/teams",
"trees_url": "https://HOSTNAME/repos/octo-org/hello-world/git/trees{/sha}"
}
}
]
List Dependabot alerts for an organization
Lists Dependabot alerts for an organization.
The authenticated user must be an owner or security manager for the organization to use this endpoint.
OAuth app tokens and personal access tokens (classic) need the security_events
scope to use this endpoint. If this endpoint is only used with public repositories, the token can use the public_repo
scope instead.
Tokens de acceso específicos para "List Dependabot alerts for an organization"
Este punto de conexión funciona con los siguientes tipos de token pormenorizados:
- Tokens de acceso de usuario de la aplicación de GitHub
- Token de acceso a la instalación de la aplicación de GitHub
- Tokens de acceso personal específico
El token pormenorizado debe tener el siguiente conjunto de permisos:
- "Dependabot alerts" repository permissions (read)
Parámetros para "List Dependabot alerts for an organization"
Nombre, Tipo, Descripción |
---|
accept string Setting to |
Nombre, Tipo, Descripción |
---|
org string RequeridoThe organization name. The name is not case sensitive. |
Nombre, Tipo, Descripción |
---|
state string A comma-separated list of states. If specified, only alerts with these states will be returned. Can be: |
severity string A comma-separated list of severities. If specified, only alerts with these severities will be returned. Can be: |
ecosystem string A comma-separated list of ecosystems. If specified, only alerts for these ecosystems will be returned. Can be: |
package string A comma-separated list of package names. If specified, only alerts for these packages will be returned. |
scope string The scope of the vulnerable dependency. If specified, only alerts with this scope will be returned. Puede ser uno de los siguientes: |
sort string The property by which to sort the results.
Valor predeterminado: Puede ser uno de los siguientes: |
direction string The direction to sort the results by. Valor predeterminado: Puede ser uno de los siguientes: |
before string A cursor, as given in the Link header. If specified, the query only searches for results before this cursor. For more information, see "Using pagination in the REST API." |
after string A cursor, as given in the Link header. If specified, the query only searches for results after this cursor. For more information, see "Using pagination in the REST API." |
first integer Deprecated. The number of results per page (max 100), starting from the first matching result.
This parameter must not be used in combination with Valor predeterminado: |
last integer Deprecated. The number of results per page (max 100), starting from the last matching result.
This parameter must not be used in combination with |
per_page integer The number of results per page (max 100). For more information, see "Using pagination in the REST API." Valor predeterminado: |
Códigos de estado de respuesta HTTP para "List Dependabot alerts for an organization"
status code | Descripción |
---|---|
200 | OK |
304 | Not modified |
400 | Bad Request |
403 | Forbidden |
404 | Resource not found |
422 | Validation failed, or the endpoint has been spammed. |
Ejemplos de código para "List Dependabot alerts for an organization"
Ejemplo de solicitud
curl -L \
-H "Accept: application/vnd.github+json" \
-H "Authorization: Bearer <YOUR-TOKEN>" \
-H "X-GitHub-Api-Version: 2022-11-28" \
http(s)://HOSTNAME/api/v3/orgs/ORG/dependabot/alerts
Response
Status: 200
[
{
"number": 2,
"state": "dismissed",
"dependency": {
"package": {
"ecosystem": "pip",
"name": "django"
},
"manifest_path": "path/to/requirements.txt",
"scope": "runtime"
},
"security_advisory": {
"ghsa_id": "GHSA-rf4j-j272-fj86",
"cve_id": "CVE-2018-6188",
"summary": "Django allows remote attackers to obtain potentially sensitive information by leveraging data exposure from the confirm_login_allowed() method, as demonstrated by discovering whether a user account is inactive",
"description": "django.contrib.auth.forms.AuthenticationForm in Django 2.0 before 2.0.2, and 1.11.8 and 1.11.9, allows remote attackers to obtain potentially sensitive information by leveraging data exposure from the confirm_login_allowed() method, as demonstrated by discovering whether a user account is inactive.",
"vulnerabilities": [
{
"package": {
"ecosystem": "pip",
"name": "django"
},
"severity": "high",
"vulnerable_version_range": ">= 2.0.0, < 2.0.2",
"first_patched_version": {
"identifier": "2.0.2"
}
},
{
"package": {
"ecosystem": "pip",
"name": "django"
},
"severity": "high",
"vulnerable_version_range": ">= 1.11.8, < 1.11.10",
"first_patched_version": {
"identifier": "1.11.10"
}
}
],
"severity": "high",
"cvss": {
"vector_string": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"score": 7.5
},
"cvss_severities": {
"cvss_v3": {
"vector_string": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"score": 7.5
},
"cvss_v4": {
"vector_string": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"score": 8.7
}
},
"cwes": [
{
"cwe_id": "CWE-200",
"name": "Exposure of Sensitive Information to an Unauthorized Actor"
}
],
"identifiers": [
{
"type": "GHSA",
"value": "GHSA-rf4j-j272-fj86"
},
{
"type": "CVE",
"value": "CVE-2018-6188"
}
],
"references": [
{
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-6188"
},
{
"url": "https://github.com/advisories/GHSA-rf4j-j272-fj86"
},
{
"url": "https://usn.ubuntu.com/3559-1/"
},
{
"url": "https://www.djangoproject.com/weblog/2018/feb/01/security-releases/"
},
{
"url": "http://www.securitytracker.com/id/1040422"
}
],
"published_at": "2018-10-03T21:13:54Z",
"updated_at": "2022-04-26T18:35:37Z",
"withdrawn_at": null
},
"security_vulnerability": {
"package": {
"ecosystem": "pip",
"name": "django"
},
"severity": "high",
"vulnerable_version_range": ">= 2.0.0, < 2.0.2",
"first_patched_version": {
"identifier": "2.0.2"
}
},
"url": "https://HOSTNAME/repos/octo-org/octo-repo/dependabot/alerts/2",
"html_url": "https://github.com/octo-org/octo-repo/security/dependabot/2",
"created_at": "2022-06-15T07:43:03Z",
"updated_at": "2022-08-23T14:29:47Z",
"dismissed_at": "2022-08-23T14:29:47Z",
"dismissed_by": {
"login": "octocat",
"id": 1,
"node_id": "MDQ6VXNlcjE=",
"avatar_url": "https://github.com/images/error/octocat_happy.gif",
"gravatar_id": "",
"url": "https://HOSTNAME/users/octocat",
"html_url": "https://github.com/octocat",
"followers_url": "https://HOSTNAME/users/octocat/followers",
"following_url": "https://HOSTNAME/users/octocat/following{/other_user}",
"gists_url": "https://HOSTNAME/users/octocat/gists{/gist_id}",
"starred_url": "https://HOSTNAME/users/octocat/starred{/owner}{/repo}",
"subscriptions_url": "https://HOSTNAME/users/octocat/subscriptions",
"organizations_url": "https://HOSTNAME/users/octocat/orgs",
"repos_url": "https://HOSTNAME/users/octocat/repos",
"events_url": "https://HOSTNAME/users/octocat/events{/privacy}",
"received_events_url": "https://HOSTNAME/users/octocat/received_events",
"type": "User",
"site_admin": false
},
"dismissed_reason": "tolerable_risk",
"dismissed_comment": "This alert is accurate but we use a sanitizer.",
"fixed_at": null,
"repository": {
"id": 217723378,
"node_id": "MDEwOlJlcG9zaXRvcnkyMTc3MjMzNzg=",
"name": "octo-repo",
"full_name": "octo-org/octo-repo",
"owner": {
"login": "octo-org",
"id": 6811672,
"node_id": "MDEyOk9yZ2FuaXphdGlvbjY4MTE2NzI=",
"avatar_url": "https://avatars3.githubusercontent.com/u/6811672?v=4",
"gravatar_id": "",
"url": "https://HOSTNAME/users/octo-org",
"html_url": "https://github.com/octo-org",
"followers_url": "https://HOSTNAME/users/octo-org/followers",
"following_url": "https://HOSTNAME/users/octo-org/following{/other_user}",
"gists_url": "https://HOSTNAME/users/octo-org/gists{/gist_id}",
"starred_url": "https://HOSTNAME/users/octo-org/starred{/owner}{/repo}",
"subscriptions_url": "https://HOSTNAME/users/octo-org/subscriptions",
"organizations_url": "https://HOSTNAME/users/octo-org/orgs",
"repos_url": "https://HOSTNAME/users/octo-org/repos",
"events_url": "https://HOSTNAME/users/octo-org/events{/privacy}",
"received_events_url": "https://HOSTNAME/users/octo-org/received_events",
"type": "Organization",
"site_admin": false
},
"private": true,
"html_url": "https://github.com/octo-org/octo-repo",
"description": null,
"fork": false,
"url": "https://HOSTNAME/repos/octo-org/octo-repo",
"archive_url": "https://HOSTNAME/repos/octo-org/octo-repo/{archive_format}{/ref}",
"assignees_url": "https://HOSTNAME/repos/octo-org/octo-repo/assignees{/user}",
"blobs_url": "https://HOSTNAME/repos/octo-org/octo-repo/git/blobs{/sha}",
"branches_url": "https://HOSTNAME/repos/octo-org/octo-repo/branches{/branch}",
"collaborators_url": "https://HOSTNAME/repos/octo-org/octo-repo/collaborators{/collaborator}",
"comments_url": "https://HOSTNAME/repos/octo-org/octo-repo/comments{/number}",
"commits_url": "https://HOSTNAME/repos/octo-org/octo-repo/commits{/sha}",
"compare_url": "https://HOSTNAME/repos/octo-org/octo-repo/compare/{base}...{head}",
"contents_url": "https://HOSTNAME/repos/octo-org/octo-repo/contents/{+path}",
"contributors_url": "https://HOSTNAME/repos/octo-org/octo-repo/contributors",
"deployments_url": "https://HOSTNAME/repos/octo-org/octo-repo/deployments",
"downloads_url": "https://HOSTNAME/repos/octo-org/octo-repo/downloads",
"events_url": "https://HOSTNAME/repos/octo-org/octo-repo/events",
"forks_url": "https://HOSTNAME/repos/octo-org/octo-repo/forks",
"git_commits_url": "https://HOSTNAME/repos/octo-org/octo-repo/git/commits{/sha}",
"git_refs_url": "https://HOSTNAME/repos/octo-org/octo-repo/git/refs{/sha}",
"git_tags_url": "https://HOSTNAME/repos/octo-org/octo-repo/git/tags{/sha}",
"hooks_url": "https://HOSTNAME/repos/octo-org/octo-repo/hooks",
"issue_comment_url": "https://HOSTNAME/repos/octo-org/octo-repo/issues/comments{/number}",
"issue_events_url": "https://HOSTNAME/repos/octo-org/octo-repo/issues/events{/number}",
"issues_url": "https://HOSTNAME/repos/octo-org/octo-repo/issues{/number}",
"keys_url": "https://HOSTNAME/repos/octo-org/octo-repo/keys{/key_id}",
"labels_url": "https://HOSTNAME/repos/octo-org/octo-repo/labels{/name}",
"languages_url": "https://HOSTNAME/repos/octo-org/octo-repo/languages",
"merges_url": "https://HOSTNAME/repos/octo-org/octo-repo/merges",
"milestones_url": "https://HOSTNAME/repos/octo-org/octo-repo/milestones{/number}",
"notifications_url": "https://HOSTNAME/repos/octo-org/octo-repo/notifications{?since,all,participating}",
"pulls_url": "https://HOSTNAME/repos/octo-org/octo-repo/pulls{/number}",
"releases_url": "https://HOSTNAME/repos/octo-org/octo-repo/releases{/id}",
"stargazers_url": "https://HOSTNAME/repos/octo-org/octo-repo/stargazers",
"statuses_url": "https://HOSTNAME/repos/octo-org/octo-repo/statuses/{sha}",
"subscribers_url": "https://HOSTNAME/repos/octo-org/octo-repo/subscribers",
"subscription_url": "https://HOSTNAME/repos/octo-org/octo-repo/subscription",
"tags_url": "https://HOSTNAME/repos/octo-org/octo-repo/tags",
"teams_url": "https://HOSTNAME/repos/octo-org/octo-repo/teams",
"trees_url": "https://HOSTNAME/repos/octo-org/octo-repo/git/trees{/sha}"
}
},
{
"number": 1,
"state": "open",
"dependency": {
"package": {
"ecosystem": "pip",
"name": "ansible"
},
"manifest_path": "path/to/requirements.txt",
"scope": "runtime"
},
"security_advisory": {
"ghsa_id": "GHSA-8f4m-hccc-8qph",
"cve_id": "CVE-2021-20191",
"summary": "Insertion of Sensitive Information into Log File in ansible",
"description": "A flaw was found in ansible. Credentials, such as secrets, are being disclosed in console log by default and not protected by no_log feature when using those modules. An attacker can take advantage of this information to steal those credentials. The highest threat from this vulnerability is to data confidentiality.",
"vulnerabilities": [
{
"package": {
"ecosystem": "pip",
"name": "ansible"
},
"severity": "medium",
"vulnerable_version_range": ">= 2.9.0, < 2.9.18",
"first_patched_version": {
"identifier": "2.9.18"
}
},
{
"package": {
"ecosystem": "pip",
"name": "ansible"
},
"severity": "medium",
"vulnerable_version_range": "< 2.8.19",
"first_patched_version": {
"identifier": "2.8.19"
}
},
{
"package": {
"ecosystem": "pip",
"name": "ansible"
},
"severity": "medium",
"vulnerable_version_range": ">= 2.10.0, < 2.10.7",
"first_patched_version": {
"identifier": "2.10.7"
}
}
],
"severity": "medium",
"cvss": {
"vector_string": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"score": 5.5
},
"cvss_severities": {
"cvss_v3": {
"vector_string": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"score": 5.5
},
"cvss_v4": {
"vector_string": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"score": 8.5
}
},
"cwes": [
{
"cwe_id": "CWE-532",
"name": "Insertion of Sensitive Information into Log File"
}
],
"identifiers": [
{
"type": "GHSA",
"value": "GHSA-8f4m-hccc-8qph"
},
{
"type": "CVE",
"value": "CVE-2021-20191"
}
],
"references": [
{
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-20191"
},
{
"url": "https://access.redhat.com/security/cve/cve-2021-20191"
},
{
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1916813"
}
],
"published_at": "2021-06-01T17:38:00Z",
"updated_at": "2021-08-12T23:06:00Z",
"withdrawn_at": null
},
"security_vulnerability": {
"package": {
"ecosystem": "pip",
"name": "ansible"
},
"severity": "medium",
"vulnerable_version_range": "< 2.8.19",
"first_patched_version": {
"identifier": "2.8.19"
}
},
"url": "https://HOSTNAME/repos/octo-org/hello-world/dependabot/alerts/1",
"html_url": "https://github.com/octo-org/hello-world/security/dependabot/1",
"created_at": "2022-06-14T15:21:52Z",
"updated_at": "2022-06-14T15:21:52Z",
"dismissed_at": null,
"dismissed_by": null,
"dismissed_reason": null,
"dismissed_comment": null,
"fixed_at": null,
"repository": {
"id": 664700648,
"node_id": "MDEwOlJlcG9zaXRvcnk2NjQ3MDA2NDg=",
"name": "hello-world",
"full_name": "octo-org/hello-world",
"owner": {
"login": "octo-org",
"id": 6811672,
"node_id": "MDEyOk9yZ2FuaXphdGlvbjY4MTE2NzI=",
"avatar_url": "https://avatars3.githubusercontent.com/u/6811672?v=4",
"gravatar_id": "",
"url": "https://HOSTNAME/users/octo-org",
"html_url": "https://github.com/octo-org",
"followers_url": "https://HOSTNAME/users/octo-org/followers",
"following_url": "https://HOSTNAME/users/octo-org/following{/other_user}",
"gists_url": "https://HOSTNAME/users/octo-org/gists{/gist_id}",
"starred_url": "https://HOSTNAME/users/octo-org/starred{/owner}{/repo}",
"subscriptions_url": "https://HOSTNAME/users/octo-org/subscriptions",
"organizations_url": "https://HOSTNAME/users/octo-org/orgs",
"repos_url": "https://HOSTNAME/users/octo-org/repos",
"events_url": "https://HOSTNAME/users/octo-org/events{/privacy}",
"received_events_url": "https://HOSTNAME/users/octo-org/received_events",
"type": "Organization",
"site_admin": false
},
"private": true,
"html_url": "https://github.com/octo-org/hello-world",
"description": null,
"fork": false,
"url": "https://HOSTNAME/repos/octo-org/hello-world",
"archive_url": "https://HOSTNAME/repos/octo-org/hello-world/{archive_format}{/ref}",
"assignees_url": "https://HOSTNAME/repos/octo-org/hello-world/assignees{/user}",
"blobs_url": "https://HOSTNAME/repos/octo-org/hello-world/git/blobs{/sha}",
"branches_url": "https://HOSTNAME/repos/octo-org/hello-world/branches{/branch}",
"collaborators_url": "https://HOSTNAME/repos/octo-org/hello-world/collaborators{/collaborator}",
"comments_url": "https://HOSTNAME/repos/octo-org/hello-world/comments{/number}",
"commits_url": "https://HOSTNAME/repos/octo-org/hello-world/commits{/sha}",
"compare_url": "https://HOSTNAME/repos/octo-org/hello-world/compare/{base}...{head}",
"contents_url": "https://HOSTNAME/repos/octo-org/hello-world/contents/{+path}",
"contributors_url": "https://HOSTNAME/repos/octo-org/hello-world/contributors",
"deployments_url": "https://HOSTNAME/repos/octo-org/hello-world/deployments",
"downloads_url": "https://HOSTNAME/repos/octo-org/hello-world/downloads",
"events_url": "https://HOSTNAME/repos/octo-org/hello-world/events",
"forks_url": "https://HOSTNAME/repos/octo-org/hello-world/forks",
"git_commits_url": "https://HOSTNAME/repos/octo-org/hello-world/git/commits{/sha}",
"git_refs_url": "https://HOSTNAME/repos/octo-org/hello-world/git/refs{/sha}",
"git_tags_url": "https://HOSTNAME/repos/octo-org/hello-world/git/tags{/sha}",
"hooks_url": "https://HOSTNAME/repos/octo-org/hello-world/hooks",
"issue_comment_url": "https://HOSTNAME/repos/octo-org/hello-world/issues/comments{/number}",
"issue_events_url": "https://HOSTNAME/repos/octo-org/hello-world/issues/events{/number}",
"issues_url": "https://HOSTNAME/repos/octo-org/hello-world/issues{/number}",
"keys_url": "https://HOSTNAME/repos/octo-org/hello-world/keys{/key_id}",
"labels_url": "https://HOSTNAME/repos/octo-org/hello-world/labels{/name}",
"languages_url": "https://HOSTNAME/repos/octo-org/hello-world/languages",
"merges_url": "https://HOSTNAME/repos/octo-org/hello-world/merges",
"milestones_url": "https://HOSTNAME/repos/octo-org/hello-world/milestones{/number}",
"notifications_url": "https://HOSTNAME/repos/octo-org/hello-world/notifications{?since,all,participating}",
"pulls_url": "https://HOSTNAME/repos/octo-org/hello-world/pulls{/number}",
"releases_url": "https://HOSTNAME/repos/octo-org/hello-world/releases{/id}",
"stargazers_url": "https://HOSTNAME/repos/octo-org/hello-world/stargazers",
"statuses_url": "https://HOSTNAME/repos/octo-org/hello-world/statuses/{sha}",
"subscribers_url": "https://HOSTNAME/repos/octo-org/hello-world/subscribers",
"subscription_url": "https://HOSTNAME/repos/octo-org/hello-world/subscription",
"tags_url": "https://HOSTNAME/repos/octo-org/hello-world/tags",
"teams_url": "https://HOSTNAME/repos/octo-org/hello-world/teams",
"trees_url": "https://HOSTNAME/repos/octo-org/hello-world/git/trees{/sha}"
}
}
]
List Dependabot alerts for a repository
OAuth app tokens and personal access tokens (classic) need the security_events
scope to use this endpoint. If this endpoint is only used with public repositories, the token can use the public_repo
scope instead.
Tokens de acceso específicos para "List Dependabot alerts for a repository"
Este punto de conexión funciona con los siguientes tipos de token pormenorizados:
- Tokens de acceso de usuario de la aplicación de GitHub
- Token de acceso a la instalación de la aplicación de GitHub
- Tokens de acceso personal específico
El token pormenorizado debe tener el siguiente conjunto de permisos:
- "Dependabot alerts" repository permissions (read)
Parámetros para "List Dependabot alerts for a repository"
Nombre, Tipo, Descripción |
---|
accept string Setting to |
Nombre, Tipo, Descripción |
---|
owner string RequeridoThe account owner of the repository. The name is not case sensitive. |
repo string RequeridoThe name of the repository without the |
Nombre, Tipo, Descripción |
---|
state string A comma-separated list of states. If specified, only alerts with these states will be returned. Can be: |
severity string A comma-separated list of severities. If specified, only alerts with these severities will be returned. Can be: |
ecosystem string A comma-separated list of ecosystems. If specified, only alerts for these ecosystems will be returned. Can be: |
package string A comma-separated list of package names. If specified, only alerts for these packages will be returned. |
manifest string A comma-separated list of full manifest paths. If specified, only alerts for these manifests will be returned. |
scope string The scope of the vulnerable dependency. If specified, only alerts with this scope will be returned. Puede ser uno de los siguientes: |
sort string The property by which to sort the results.
Valor predeterminado: Puede ser uno de los siguientes: |
direction string The direction to sort the results by. Valor predeterminado: Puede ser uno de los siguientes: |
page integer Closing down notice. Page number of the results to fetch. Use cursor-based pagination with Valor predeterminado: |
per_page integer The number of results per page (max 100). For more information, see "Using pagination in the REST API." Valor predeterminado: |
before string A cursor, as given in the Link header. If specified, the query only searches for results before this cursor. For more information, see "Using pagination in the REST API." |
after string A cursor, as given in the Link header. If specified, the query only searches for results after this cursor. For more information, see "Using pagination in the REST API." |
first integer Deprecated. The number of results per page (max 100), starting from the first matching result.
This parameter must not be used in combination with Valor predeterminado: |
last integer Deprecated. The number of results per page (max 100), starting from the last matching result.
This parameter must not be used in combination with |
Códigos de estado de respuesta HTTP para "List Dependabot alerts for a repository"
status code | Descripción |
---|---|
200 | OK |
304 | Not modified |
400 | Bad Request |
403 | Forbidden |
404 | Resource not found |
422 | Validation failed, or the endpoint has been spammed. |
Ejemplos de código para "List Dependabot alerts for a repository"
Ejemplo de solicitud
curl -L \
-H "Accept: application/vnd.github+json" \
-H "Authorization: Bearer <YOUR-TOKEN>" \
-H "X-GitHub-Api-Version: 2022-11-28" \
http(s)://HOSTNAME/api/v3/repos/OWNER/REPO/dependabot/alerts
Response
Status: 200
[
{
"number": 2,
"state": "dismissed",
"dependency": {
"package": {
"ecosystem": "pip",
"name": "django"
},
"manifest_path": "path/to/requirements.txt",
"scope": "runtime"
},
"security_advisory": {
"ghsa_id": "GHSA-rf4j-j272-fj86",
"cve_id": "CVE-2018-6188",
"summary": "Django allows remote attackers to obtain potentially sensitive information by leveraging data exposure from the confirm_login_allowed() method, as demonstrated by discovering whether a user account is inactive",
"description": "django.contrib.auth.forms.AuthenticationForm in Django 2.0 before 2.0.2, and 1.11.8 and 1.11.9, allows remote attackers to obtain potentially sensitive information by leveraging data exposure from the confirm_login_allowed() method, as demonstrated by discovering whether a user account is inactive.",
"vulnerabilities": [
{
"package": {
"ecosystem": "pip",
"name": "django"
},
"severity": "high",
"vulnerable_version_range": ">= 2.0.0, < 2.0.2",
"first_patched_version": {
"identifier": "2.0.2"
}
},
{
"package": {
"ecosystem": "pip",
"name": "django"
},
"severity": "high",
"vulnerable_version_range": ">= 1.11.8, < 1.11.10",
"first_patched_version": {
"identifier": "1.11.10"
}
}
],
"severity": "high",
"cvss": {
"vector_string": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"score": 7.5
},
"cvss_severities": {
"cvss_v3": {
"vector_string": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"score": 7.5
},
"cvss_v4": {
"vector_string": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"score": 8.7
}
},
"cwes": [
{
"cwe_id": "CWE-200",
"name": "Exposure of Sensitive Information to an Unauthorized Actor"
}
],
"identifiers": [
{
"type": "GHSA",
"value": "GHSA-rf4j-j272-fj86"
},
{
"type": "CVE",
"value": "CVE-2018-6188"
}
],
"references": [
{
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-6188"
},
{
"url": "https://github.com/advisories/GHSA-rf4j-j272-fj86"
},
{
"url": "https://usn.ubuntu.com/3559-1/"
},
{
"url": "https://www.djangoproject.com/weblog/2018/feb/01/security-releases/"
},
{
"url": "http://www.securitytracker.com/id/1040422"
}
],
"published_at": "2018-10-03T21:13:54Z",
"updated_at": "2022-04-26T18:35:37Z",
"withdrawn_at": null
},
"security_vulnerability": {
"package": {
"ecosystem": "pip",
"name": "django"
},
"severity": "high",
"vulnerable_version_range": ">= 2.0.0, < 2.0.2",
"first_patched_version": {
"identifier": "2.0.2"
}
},
"url": "https://HOSTNAME/repos/octocat/hello-world/dependabot/alerts/2",
"html_url": "https://github.com/octocat/hello-world/security/dependabot/2",
"created_at": "2022-06-15T07:43:03Z",
"updated_at": "2022-08-23T14:29:47Z",
"dismissed_at": "2022-08-23T14:29:47Z",
"dismissed_by": {
"login": "octocat",
"id": 1,
"node_id": "MDQ6VXNlcjE=",
"avatar_url": "https://github.com/images/error/octocat_happy.gif",
"gravatar_id": "",
"url": "https://HOSTNAME/users/octocat",
"html_url": "https://github.com/octocat",
"followers_url": "https://HOSTNAME/users/octocat/followers",
"following_url": "https://HOSTNAME/users/octocat/following{/other_user}",
"gists_url": "https://HOSTNAME/users/octocat/gists{/gist_id}",
"starred_url": "https://HOSTNAME/users/octocat/starred{/owner}{/repo}",
"subscriptions_url": "https://HOSTNAME/users/octocat/subscriptions",
"organizations_url": "https://HOSTNAME/users/octocat/orgs",
"repos_url": "https://HOSTNAME/users/octocat/repos",
"events_url": "https://HOSTNAME/users/octocat/events{/privacy}",
"received_events_url": "https://HOSTNAME/users/octocat/received_events",
"type": "User",
"site_admin": false
},
"dismissed_reason": "tolerable_risk",
"dismissed_comment": "This alert is accurate but we use a sanitizer.",
"fixed_at": null
},
{
"number": 1,
"state": "open",
"dependency": {
"package": {
"ecosystem": "pip",
"name": "ansible"
},
"manifest_path": "path/to/requirements.txt",
"scope": "runtime"
},
"security_advisory": {
"ghsa_id": "GHSA-8f4m-hccc-8qph",
"cve_id": "CVE-2021-20191",
"summary": "Insertion of Sensitive Information into Log File in ansible",
"description": "A flaw was found in ansible. Credentials, such as secrets, are being disclosed in console log by default and not protected by no_log feature when using those modules. An attacker can take advantage of this information to steal those credentials. The highest threat from this vulnerability is to data confidentiality.",
"vulnerabilities": [
{
"package": {
"ecosystem": "pip",
"name": "ansible"
},
"severity": "medium",
"vulnerable_version_range": ">= 2.9.0, < 2.9.18",
"first_patched_version": {
"identifier": "2.9.18"
}
},
{
"package": {
"ecosystem": "pip",
"name": "ansible"
},
"severity": "medium",
"vulnerable_version_range": "< 2.8.19",
"first_patched_version": {
"identifier": "2.8.19"
}
},
{
"package": {
"ecosystem": "pip",
"name": "ansible"
},
"severity": "medium",
"vulnerable_version_range": ">= 2.10.0, < 2.10.7",
"first_patched_version": {
"identifier": "2.10.7"
}
}
],
"severity": "medium",
"cvss": {
"vector_string": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"score": 5.5
},
"cvss_severities": {
"cvss_v3": {
"vector_string": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"score": 5.5
},
"cvss_v4": {
"vector_string": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"score": 8.5
}
},
"cwes": [
{
"cwe_id": "CWE-532",
"name": "Insertion of Sensitive Information into Log File"
}
],
"identifiers": [
{
"type": "GHSA",
"value": "GHSA-8f4m-hccc-8qph"
},
{
"type": "CVE",
"value": "CVE-2021-20191"
}
],
"references": [
{
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-20191"
},
{
"url": "https://access.redhat.com/security/cve/cve-2021-20191"
},
{
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1916813"
}
],
"published_at": "2021-06-01T17:38:00Z",
"updated_at": "2021-08-12T23:06:00Z",
"withdrawn_at": null
},
"security_vulnerability": {
"package": {
"ecosystem": "pip",
"name": "ansible"
},
"severity": "medium",
"vulnerable_version_range": "< 2.8.19",
"first_patched_version": {
"identifier": "2.8.19"
}
},
"url": "https://HOSTNAME/repos/octocat/hello-world/dependabot/alerts/1",
"html_url": "https://github.com/octocat/hello-world/security/dependabot/1",
"created_at": "2022-06-14T15:21:52Z",
"updated_at": "2022-06-14T15:21:52Z",
"dismissed_at": null,
"dismissed_by": null,
"dismissed_reason": null,
"dismissed_comment": null,
"fixed_at": null
}
]
Get a Dependabot alert
OAuth app tokens and personal access tokens (classic) need the security_events
scope to use this endpoint. If this endpoint is only used with public repositories, the token can use the public_repo
scope instead.
Tokens de acceso específicos para "Get a Dependabot alert"
Este punto de conexión funciona con los siguientes tipos de token pormenorizados:
- Tokens de acceso de usuario de la aplicación de GitHub
- Token de acceso a la instalación de la aplicación de GitHub
- Tokens de acceso personal específico
El token pormenorizado debe tener el siguiente conjunto de permisos:
- "Dependabot alerts" repository permissions (read)
Parámetros para "Get a Dependabot alert"
Nombre, Tipo, Descripción |
---|
accept string Setting to |
Nombre, Tipo, Descripción |
---|
owner string RequeridoThe account owner of the repository. The name is not case sensitive. |
repo string RequeridoThe name of the repository without the |
alert_number integer RequeridoThe number that identifies a Dependabot alert in its repository.
You can find this at the end of the URL for a Dependabot alert within GitHub,
or in |
Códigos de estado de respuesta HTTP para "Get a Dependabot alert"
status code | Descripción |
---|---|
200 | OK |
304 | Not modified |
403 | Forbidden |
404 | Resource not found |
Ejemplos de código para "Get a Dependabot alert"
Ejemplo de solicitud
curl -L \
-H "Accept: application/vnd.github+json" \
-H "Authorization: Bearer <YOUR-TOKEN>" \
-H "X-GitHub-Api-Version: 2022-11-28" \
http(s)://HOSTNAME/api/v3/repos/OWNER/REPO/dependabot/alerts/ALERT_NUMBER
Response
Status: 200
{
"number": 1,
"state": "open",
"dependency": {
"package": {
"ecosystem": "pip",
"name": "ansible"
},
"manifest_path": "path/to/requirements.txt",
"scope": "runtime"
},
"security_advisory": {
"ghsa_id": "GHSA-8f4m-hccc-8qph",
"cve_id": "CVE-2021-20191",
"summary": "Insertion of Sensitive Information into Log File in ansible",
"description": "A flaw was found in ansible. Credentials, such as secrets, are being disclosed in console log by default and not protected by no_log feature when using those modules. An attacker can take advantage of this information to steal those credentials. The highest threat from this vulnerability is to data confidentiality.",
"vulnerabilities": [
{
"package": {
"ecosystem": "pip",
"name": "ansible"
},
"severity": "medium",
"vulnerable_version_range": ">= 2.9.0, < 2.9.18",
"first_patched_version": {
"identifier": "2.9.18"
}
},
{
"package": {
"ecosystem": "pip",
"name": "ansible"
},
"severity": "medium",
"vulnerable_version_range": "< 2.8.19",
"first_patched_version": {
"identifier": "2.8.19"
}
},
{
"package": {
"ecosystem": "pip",
"name": "ansible"
},
"severity": "medium",
"vulnerable_version_range": ">= 2.10.0, < 2.10.7",
"first_patched_version": {
"identifier": "2.10.7"
}
}
],
"severity": "medium",
"cvss": {
"vector_string": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"score": 5.5
},
"cvss_severities": {
"cvss_v3": {
"vector_string": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"score": 5.5
},
"cvss_v4": {
"vector_string": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"score": 8.5
}
},
"cwes": [
{
"cwe_id": "CWE-532",
"name": "Insertion of Sensitive Information into Log File"
}
],
"identifiers": [
{
"type": "GHSA",
"value": "GHSA-8f4m-hccc-8qph"
},
{
"type": "CVE",
"value": "CVE-2021-20191"
}
],
"references": [
{
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-20191"
},
{
"url": "https://access.redhat.com/security/cve/cve-2021-20191"
},
{
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1916813"
}
],
"published_at": "2021-06-01T17:38:00Z",
"updated_at": "2021-08-12T23:06:00Z",
"withdrawn_at": null
},
"security_vulnerability": {
"package": {
"ecosystem": "pip",
"name": "ansible"
},
"severity": "medium",
"vulnerable_version_range": "< 2.8.19",
"first_patched_version": {
"identifier": "2.8.19"
}
},
"url": "https://HOSTNAME/repos/octocat/hello-world/dependabot/alerts/1",
"html_url": "https://github.com/octocat/hello-world/security/dependabot/1",
"created_at": "2022-06-14T15:21:52Z",
"updated_at": "2022-06-14T15:21:52Z",
"dismissed_at": null,
"dismissed_by": null,
"dismissed_reason": null,
"dismissed_comment": null,
"fixed_at": null
}
Update a Dependabot alert
The authenticated user must have access to security alerts for the repository to use this endpoint. For more information, see "Granting access to security alerts."
OAuth app tokens and personal access tokens (classic) need the security_events
scope to use this endpoint. If this endpoint is only used with public repositories, the token can use the public_repo
scope instead.
Tokens de acceso específicos para "Update a Dependabot alert"
Este punto de conexión funciona con los siguientes tipos de token pormenorizados:
- Tokens de acceso de usuario de la aplicación de GitHub
- Token de acceso a la instalación de la aplicación de GitHub
- Tokens de acceso personal específico
El token pormenorizado debe tener el siguiente conjunto de permisos:
- "Dependabot alerts" repository permissions (write)
Parámetros para "Update a Dependabot alert"
Nombre, Tipo, Descripción |
---|
accept string Setting to |
Nombre, Tipo, Descripción |
---|
owner string RequeridoThe account owner of the repository. The name is not case sensitive. |
repo string RequeridoThe name of the repository without the |
alert_number integer RequeridoThe number that identifies a Dependabot alert in its repository.
You can find this at the end of the URL for a Dependabot alert within GitHub,
or in |
Nombre, Tipo, Descripción |
---|
state string RequeridoThe state of the Dependabot alert.
A Puede ser uno de los siguientes: |
dismissed_reason string Required when Puede ser uno de los siguientes: |
dismissed_comment string An optional comment associated with dismissing the alert. |
Códigos de estado de respuesta HTTP para "Update a Dependabot alert"
status code | Descripción |
---|---|
200 | OK |
400 | Bad Request |
403 | Forbidden |
404 | Resource not found |
409 | Conflict |
422 | Validation failed, or the endpoint has been spammed. |
Ejemplos de código para "Update a Dependabot alert"
Ejemplo de solicitud
curl -L \
-X PATCH \
-H "Accept: application/vnd.github+json" \
-H "Authorization: Bearer <YOUR-TOKEN>" \
-H "X-GitHub-Api-Version: 2022-11-28" \
http(s)://HOSTNAME/api/v3/repos/OWNER/REPO/dependabot/alerts/ALERT_NUMBER \
-d '{"state":"dismissed","dismissed_reason":"tolerable_risk","dismissed_comment":"This alert is accurate but we use a sanitizer."}'
Response
Status: 200
{
"number": 2,
"state": "dismissed",
"dependency": {
"package": {
"ecosystem": "pip",
"name": "django"
},
"manifest_path": "path/to/requirements.txt",
"scope": "runtime"
},
"security_advisory": {
"ghsa_id": "GHSA-rf4j-j272-fj86",
"cve_id": "CVE-2018-6188",
"summary": "Django allows remote attackers to obtain potentially sensitive information by leveraging data exposure from the confirm_login_allowed() method, as demonstrated by discovering whether a user account is inactive",
"description": "django.contrib.auth.forms.AuthenticationForm in Django 2.0 before 2.0.2, and 1.11.8 and 1.11.9, allows remote attackers to obtain potentially sensitive information by leveraging data exposure from the confirm_login_allowed() method, as demonstrated by discovering whether a user account is inactive.",
"vulnerabilities": [
{
"package": {
"ecosystem": "pip",
"name": "django"
},
"severity": "high",
"vulnerable_version_range": ">= 2.0.0, < 2.0.2",
"first_patched_version": {
"identifier": "2.0.2"
}
},
{
"package": {
"ecosystem": "pip",
"name": "django"
},
"severity": "high",
"vulnerable_version_range": ">= 1.11.8, < 1.11.10",
"first_patched_version": {
"identifier": "1.11.10"
}
}
],
"severity": "high",
"cvss": {
"vector_string": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"score": 7.5
},
"cvss_severities": {
"cvss_v3": {
"vector_string": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"score": 7.5
},
"cvss_v4": {
"vector_string": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"score": 8.7
}
},
"cwes": [
{
"cwe_id": "CWE-200",
"name": "Exposure of Sensitive Information to an Unauthorized Actor"
}
],
"identifiers": [
{
"type": "GHSA",
"value": "GHSA-rf4j-j272-fj86"
},
{
"type": "CVE",
"value": "CVE-2018-6188"
}
],
"references": [
{
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-6188"
},
{
"url": "https://github.com/advisories/GHSA-rf4j-j272-fj86"
},
{
"url": "https://usn.ubuntu.com/3559-1/"
},
{
"url": "https://www.djangoproject.com/weblog/2018/feb/01/security-releases/"
},
{
"url": "http://www.securitytracker.com/id/1040422"
}
],
"published_at": "2018-10-03T21:13:54Z",
"updated_at": "2022-04-26T18:35:37Z",
"withdrawn_at": null
},
"security_vulnerability": {
"package": {
"ecosystem": "pip",
"name": "django"
},
"severity": "high",
"vulnerable_version_range": ">= 2.0.0, < 2.0.2",
"first_patched_version": {
"identifier": "2.0.2"
}
},
"url": "https://HOSTNAME/repos/octocat/hello-world/dependabot/alerts/2",
"html_url": "https://github.com/octocat/hello-world/security/dependabot/2",
"created_at": "2022-06-15T07:43:03Z",
"updated_at": "2022-08-23T14:29:47Z",
"dismissed_at": "2022-08-23T14:29:47Z",
"dismissed_by": {
"login": "octocat",
"id": 1,
"node_id": "MDQ6VXNlcjE=",
"avatar_url": "https://github.com/images/error/octocat_happy.gif",
"gravatar_id": "",
"url": "https://HOSTNAME/users/octocat",
"html_url": "https://github.com/octocat",
"followers_url": "https://HOSTNAME/users/octocat/followers",
"following_url": "https://HOSTNAME/users/octocat/following{/other_user}",
"gists_url": "https://HOSTNAME/users/octocat/gists{/gist_id}",
"starred_url": "https://HOSTNAME/users/octocat/starred{/owner}{/repo}",
"subscriptions_url": "https://HOSTNAME/users/octocat/subscriptions",
"organizations_url": "https://HOSTNAME/users/octocat/orgs",
"repos_url": "https://HOSTNAME/users/octocat/repos",
"events_url": "https://HOSTNAME/users/octocat/events{/privacy}",
"received_events_url": "https://HOSTNAME/users/octocat/received_events",
"type": "User",
"site_admin": false
},
"dismissed_reason": "tolerable_risk",
"dismissed_comment": "This alert is accurate but we use a sanitizer.",
"fixed_at": null
}