Points de terminaison d’API REST pour les avis de sécurité globaux
Utilisez l'API REST pour afficher les avis de sécurité globale.
List global security advisories
Lists all global security advisories that match the specified parameters. If no other parameters are defined, the request will return only GitHub-reviewed advisories that are not malware.
By default, all responses will exclude advisories for malware, because malware are not standard vulnerabilities. To list advisories for malware, you must include the type
parameter in your request, with the value malware
. For more information about the different types of security advisories, see "About the GitHub Advisory database."
Jetons d’accès affinés pour « List global security advisories »
Ce point de terminaison fonctionne avec les types de jetons précis suivants:
- Jetons d’accès utilisateur d’application GitHub
- Jetons d’accès d’installation d’application GitHub
- Jetons d’accès personnel affiné
Le jeton précis ne nécessite aucune autorisation.
Ce point de terminaison peut être utilisé sans authentification ou si seules les ressources publiques sont demandées.
Paramètres pour « List global security advisories »
Nom, Type, Description |
---|
accept string Setting to |
Nom, Type, Description |
---|
ghsa_id string If specified, only advisories with this GHSA (GitHub Security Advisory) identifier will be returned. |
type string If specified, only advisories of this type will be returned. By default, a request with no other parameters defined will only return reviewed advisories that are not malware. Default: Peut être: |
cve_id string If specified, only advisories with this CVE (Common Vulnerabilities and Exposures) identifier will be returned. |
ecosystem string If specified, only advisories for these ecosystems will be returned. Peut être: |
severity string If specified, only advisories with these severities will be returned. Peut être: |
cwes If specified, only advisories with these Common Weakness Enumerations (CWEs) will be returned. Example: |
is_withdrawn boolean Whether to only return advisories that have been withdrawn. |
affects If specified, only return advisories that affect any of Example: |
published string If specified, only return advisories that were published on a date or date range. For more information on the syntax of the date range, see "Understanding the search syntax." |
updated string If specified, only return advisories that were updated on a date or date range. For more information on the syntax of the date range, see "Understanding the search syntax." |
modified string If specified, only show advisories that were updated or published on a date or date range. For more information on the syntax of the date range, see "Understanding the search syntax." |
epss_percentage string If specified, only return advisories that have an EPSS percentage score that matches the provided value. The EPSS percentage represents the likelihood of a CVE being exploited. |
epss_percentile string If specified, only return advisories that have an EPSS percentile score that matches the provided value. The EPSS percentile represents the relative rank of the CVE's likelihood of being exploited compared to other CVEs. |
before string A cursor, as given in the Link header. If specified, the query only searches for results before this cursor. For more information, see "Using pagination in the REST API." |
after string A cursor, as given in the Link header. If specified, the query only searches for results after this cursor. For more information, see "Using pagination in the REST API." |
direction string The direction to sort the results by. Default: Peut être: |
per_page integer The number of results per page (max 100). For more information, see "Using pagination in the REST API." Default: |
sort string The property to sort the results by. Default: Peut être: |
Codes d’état de la réponse HTTP pour « List global security advisories »
Code d’état | Description |
---|---|
200 | OK |
422 | Validation failed, or the endpoint has been spammed. |
429 | Too many requests |
Exemples de code pour « List global security advisories »
Si vous accédez à GitHub à GHE.com, remplacez api.github.com
par le sous-domaine dédié de votre entreprise à api.SUBDOMAIN.ghe.com
.
Exemple de requête
curl -L \
-H "Accept: application/vnd.github+json" \
-H "Authorization: Bearer <YOUR-TOKEN>" \
-H "X-GitHub-Api-Version: 2022-11-28" \
https://api.github.com/advisories
Response
Status: 200
[
{
"id": 1,
"ghsa_id": "GHSA-abcd-1234-efgh",
"cve_id": "CVE-2050-00000",
"url": "https://api.github.com/advisories/GHSA-abcd-1234-efgh",
"html_url": "https://github.com/advisories/GHSA-abcd-1234-efgh",
"repository_advisory_url": "https://api.github.com/repos/project/a-package/security-advisories/GHSA-abcd-1234-efgh",
"summary": "Heartbleed security advisory",
"description": "This bug allows an attacker to read portions of the affected server’s memory, potentially disclosing sensitive information.",
"type": "reviewed",
"severity": "high",
"source_code_location": "https://github.com/project/a-package",
"identifiers": [
{
"type": "GHSA",
"value": "GHSA-abcd-1234-efgh"
},
{
"type": "CVE",
"value": "CVE-2050-00000"
}
],
"references": [
"https://nvd.nist.gov/vuln/detail/CVE-2050-00000"
],
"published_at": "2023-03-23T02:30:56Z",
"updated_at": "2023-03-24T02:30:56Z",
"github_reviewed_at": "2023-03-23T02:30:56Z",
"nvd_published_at": "2023-03-25T02:30:56Z",
"withdrawn_at": null,
"vulnerabilities": [
{
"package": {
"ecosystem": "npm",
"name": "a-package"
},
"first_patched_version": "1.0.3",
"vulnerable_version_range": "<=1.0.2",
"vulnerable_functions": [
"a_function"
]
}
],
"cvss": {
"vector_string": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H",
"score": 7.6
},
"cvss_severities": {
"cvss_v3": {
"vector_string": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H",
"score": 7.6
},
"cvss_v4": {
"vector_string": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"score": 9.3
}
},
"cwes": [
{
"cwe_id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
}
],
"epss": [
{
"percentage": 0.00045,
"percentile": "0.16001e0"
}
],
"credits": [
{
"user": {
"login": "octocat",
"id": 1,
"node_id": "MDQ6VXNlcjE=",
"avatar_url": "https://github.com/images/error/octocat_happy.gif",
"gravatar_id": "",
"url": "https://api.github.com/users/octocat",
"html_url": "https://github.com/octocat",
"followers_url": "https://api.github.com/users/octocat/followers",
"following_url": "https://api.github.com/users/octocat/following{/other_user}",
"gists_url": "https://api.github.com/users/octocat/gists{/gist_id}",
"starred_url": "https://api.github.com/users/octocat/starred{/owner}{/repo}",
"subscriptions_url": "https://api.github.com/users/octocat/subscriptions",
"organizations_url": "https://api.github.com/users/octocat/orgs",
"repos_url": "https://api.github.com/users/octocat/repos",
"events_url": "https://api.github.com/users/octocat/events{/privacy}",
"received_events_url": "https://api.github.com/users/octocat/received_events",
"type": "User",
"site_admin": false
},
"type": "analyst"
}
]
}
]
Get a global security advisory
Gets a global security advisory using its GitHub Security Advisory (GHSA) identifier.
Jetons d’accès affinés pour « Get a global security advisory »
Ce point de terminaison fonctionne avec les types de jetons précis suivants:
- Jetons d’accès utilisateur d’application GitHub
- Jetons d’accès d’installation d’application GitHub
- Jetons d’accès personnel affiné
Le jeton précis ne nécessite aucune autorisation.
Ce point de terminaison peut être utilisé sans authentification ou si seules les ressources publiques sont demandées.
Paramètres pour « Get a global security advisory »
Nom, Type, Description |
---|
accept string Setting to |
Nom, Type, Description |
---|
ghsa_id string ObligatoireThe GHSA (GitHub Security Advisory) identifier of the advisory. |
Codes d’état de la réponse HTTP pour « Get a global security advisory »
Code d’état | Description |
---|---|
200 | OK |
404 | Resource not found |
Exemples de code pour « Get a global security advisory »
Si vous accédez à GitHub à GHE.com, remplacez api.github.com
par le sous-domaine dédié de votre entreprise à api.SUBDOMAIN.ghe.com
.
Exemple de requête
curl -L \
-H "Accept: application/vnd.github+json" \
-H "Authorization: Bearer <YOUR-TOKEN>" \
-H "X-GitHub-Api-Version: 2022-11-28" \
https://api.github.com/advisories/GHSA_ID
Response
Status: 200
{
"ghsa_id": "GHSA-abcd-1234-efgh",
"cve_id": "CVE-2050-00000",
"url": "https://api.github.com/advisories/GHSA-abcd-1234-efgh",
"html_url": "https://github.com/advisories/GHSA-abcd-1234-efgh",
"repository_advisory_url": "https://api.github.com/repos/project/a-package/security-advisories/GHSA-abcd-1234-efgh",
"summary": "A short summary of the advisory.",
"description": "A detailed description of what the advisory entails.",
"type": "reviewed",
"severity": "high",
"source_code_location": "https://github.com/project/a-package",
"identifiers": [
{
"type": "GHSA",
"value": "GHSA-abcd-1234-efgh"
},
{
"type": "CVE",
"value": "CVE-2050-00000"
}
],
"references": [
"https://nvd.nist.gov/vuln/detail/CVE-2050-00000"
],
"published_at": "2023-03-23T02:30:56Z",
"updated_at": "2023-03-24T02:30:56Z",
"github_reviewed_at": "2023-03-23T02:30:56Z",
"nvd_published_at": "2023-03-25T02:30:56Z",
"withdrawn_at": null,
"vulnerabilities": [
{
"package": {
"ecosystem": "npm",
"name": "a-package"
},
"first_patched_version": "1.0.3",
"vulnerable_version_range": "<=1.0.2",
"vulnerable_functions": [
"a_function"
]
}
],
"cvss": {
"vector_string": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H",
"score": 7.6
},
"cvss_severities": {
"cvss_v3": {
"vector_string": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H",
"score": 7.6
},
"cvss_v4": {
"vector_string": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"score": 9.3
}
},
"cwes": [
{
"cwe_id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
}
],
"credits": [
{
"user": {
"login": "octocat",
"id": 1,
"node_id": "MDQ6VXNlcjE=",
"avatar_url": "https://github.com/images/error/octocat_happy.gif",
"gravatar_id": "",
"url": "https://api.github.com/users/octocat",
"html_url": "https://github.com/octocat",
"followers_url": "https://api.github.com/users/octocat/followers",
"following_url": "https://api.github.com/users/octocat/following{/other_user}",
"gists_url": "https://api.github.com/users/octocat/gists{/gist_id}",
"starred_url": "https://api.github.com/users/octocat/starred{/owner}{/repo}",
"subscriptions_url": "https://api.github.com/users/octocat/subscriptions",
"organizations_url": "https://api.github.com/users/octocat/orgs",
"repos_url": "https://api.github.com/users/octocat/repos",
"events_url": "https://api.github.com/users/octocat/events{/privacy}",
"received_events_url": "https://api.github.com/users/octocat/received_events",
"type": "User",
"site_admin": false
},
"type": "analyst"
}
]
}