About the GitHub Advisory Database
The GitHub Advisory Database contains a list of known security vulnerabilities and malware, grouped in two categories: GitHub-reviewed advisories and unreviewed advisories.
We add advisories to the GitHub Advisory Database from the following sources:
- National Vulnerability Database
- GitHub上のパブリックなコミット内の脆弱性の検出に、機械学習と人間によるレビューの組み合わせ
- GitHubで報告されたセキュリティアドバイザリ
- npm Security advisoriesデータベース
About types of security advisories
ノート: マルウェアのアドバイザリは現在ベータであり、変更されることがあります。
Each advisory in the GitHub Advisory Database is for a vulnerability in open source projects or for malicious open source software.
脆弱性とは、プロジェクトあるいはそのコードを利用する他のプロジェクトにおいて、秘密性、一貫性、可用性を損なうために悪用されうる、プロジェクトコードの問題です。 脆弱性の種類、重要度、攻撃の方法は様々です。 Vulnerabilities in code are usually introduced by accident and fixed soon after they are discovered. You should update your code to use the fixed version of the dependency as soon as it is available.
In contrast, malicious software, or malware, is code that is intentionally designed to perform unwanted or harmful functions. The malware may target hardware, software, confidential data, or users of any application that uses the malware. You need to remove the malware from your project and find an alternative, more secure replacement for the dependency.
GitHub-reviewed advisories
GitHub-reviewed advisories are security vulnerabilities or malware that have been mapped to packages in ecosystems we support. We carefully review each advisory for validity and ensure that they have a full description, and contain both ecosystem and package information.
Generally, we name our supported ecosystems after the software programming language's associated package registry. We review advisories if they are for a vulnerability in a package that comes from a supported registry.
-
Composer (registry: https://packagist.org/)
-
Erlang (registry: https://hex.pm/)
-
Go (registry: https://pkg.go.dev/)
-
GitHub Actions (https://github.com/marketplace?type=actions/)
-
Maven (registry: https://repo1.maven.org/maven2/org/)
-
npm (registry: https://www.npmjs.com/)
-
NuGet (registry: https://www.nuget.org/)
-
pip (registry: https://pypi.org/)
-
RubyGems (registry: https://rubygems.org/)
-
Rust (registry: https://crates.io/)
If you have a suggestion for a new ecosystem we should support, please open an issue for discussion.
If you enable Dependabotアラート for your repositories, you are automatically notified when a new GitHub-reviewed advisory reports a vulnerability or malware for a package you depend on. For more information, see "About Dependabotアラート."
Unreviewed advisories
Unreviewed advisories are security vulnerabilites that we publish automatically into the GitHub Advisory Database, directly from the National Vulnerability Database feed.
Dependabot doesn't create Dependabotアラート for unreviewed advisories as this type of advisory isn't checked for validity or completion.
About information in security advisories
Each security advisory contains information about the vulnerability or malware, which may include the description, severity, affected package, package ecosystem, affected versions and patched versions, impact, and optional information such as references, workarounds, and credits. In addition, advisories from the National Vulnerability Database list contain a link to the CVE record, where you can read more details about the vulnerability, its CVSS scores, and its qualitative severity level. For more information, see the "National Vulnerability Database" from the National Institute of Standards and Technology.
The severity level is one of four possible levels defined in the "Common Vulnerability Scoring System (CVSS), Section 5."
- Low
- Medium/Moderate
- High
- Critical
The GitHub Advisory Database uses the CVSS levels described above. If GitHub obtains a CVE, the GitHub Advisory Database uses CVSS version 3.1. If the CVE is imported, the GitHub Advisory Database supports both CVSS versions 3.0 and 3.1.
GitHub Security Labに加わり、セキュリティ関連のトピックをブラウズし、セキュリティのツールやプロジェクトに貢献することもできます。
Accessing an advisory in the GitHub Advisory Database
-
Navigate to https://github.com/advisories.
-
Optionally, to filter the list, use any of the drop-down menus.
Tip: You can use the sidebar on the left to explore GitHub-reviewed and unreviewed advisories separately.
-
Click an advisory to view details. By default, you will see GitHub-reviewed advisories for security vulnerabilities. To show malware advisories, use
type:malware
in the search bar.
The database is also accessible using the GraphQL API. By default, queries will return GitHub-reviewed advisories for security vulnerabilities unless you specify type:malware
. For more information, see the "security_advisory
webhook event."
Editing an advisory in the GitHub Advisory Database
You can suggest improvements to any advisory in the GitHub Advisory Database. For more information, see "Editing security advisories in the GitHub Advisory Database."
Searching the GitHub Advisory Database
You can search the database, and use qualifiers to narrow your search. For example, you can search for advisories created on a certain date, in a specific ecosystem, or in a particular library.
日付の形式は ISO8601標準に従い、YYYY-MM-DD
(年-月-日) とする必要があります。 オプションの時間情報のTHH:MM:SS+00:00
を日付の後に付けて、時、分、秒で検索できるようにすることもできます。 これはT
の後にHH:MM:SS
(時-分-秒)、そしてUTCオフセット(+00:00
)を続けたものです。
日付に対して検索を行う場合、結果をさらにフィルタリングするためにより大きい、より小さい、範囲の修飾子を利用できます。 詳しい情報については、「検索構文を理解する」を参照してください。
Qualifier | Example |
---|---|
type:reviewed | type:reviewed will show GitHub-reviewed advisories for security vulnerabilities. |
type:malware | type:malware will show GitHub-reviewed advisories for malware. |
type:unreviewed | type:unreviewed will show unreviewed advisories. |
GHSA-ID | GHSA-49wp-qq6x-g2rf will show the advisory with this GitHub Advisory Database ID. |
CVE-ID | CVE-2020-28482 will show the advisory with this CVE ID number. |
ecosystem:ECOSYSTEM | ecosystem:npm will show only advisories affecting NPM packages. |
severity:LEVEL | severity:high will show only advisories with a high severity level. |
affects:LIBRARY | affects:lodash will show only advisories affecting the lodash library. |
cwe:ID | cwe:352 will show only advisories with this CWE number. |
credit:USERNAME | credit:octocat will show only advisories credited to the "octocat" user account. |
sort:created-asc | sort:created-asc will sort by the oldest advisories first. |
sort:created-desc | sort:created-desc will sort by the newest advisories first. |
sort:updated-asc | sort:updated-asc will sort by the least recently updated first. |
sort:updated-desc | sort:updated-desc will sort by the most recently updated first. |
is:withdrawn | is:withdrawn will show only advisories that have been withdrawn. |
created:YYYY-MM-DD | created:2021-01-13 will show only advisories created on this date. |
updated:YYYY-MM-DD | updated:2021-01-13 will show only advisories updated on this date. |
Viewing your vulnerable repositories
For any GitHub-reviewed advisory in the GitHub Advisory Database, you can see which of your repositories are affected by that security vulnerability or malware. To see a vulnerable repository, you must have access to Dependabotアラート for that repository. For more information, see "About Dependabotアラート."
- Navigate to https://github.com/advisories.
- Click an advisory.
- At the top of the advisory page, click Dependabot alerts.
- Optionally, to filter the list, use the search bar or the drop-down menus. The "Organization" drop-down menu allows you to filter the Dependabotアラート per owner (organization or user).
- For more details about the advisory, and for advice on how to fix the vulnerable repository, click the repository name.
Further reading
- MITRE's definition of "vulnerability"