Skip to main content

Эта версия GitHub Enterprise Server была прекращена 2024-09-25. Исправления выпускаться не будут даже при критических проблемах безопасности. Для повышения производительности, повышения безопасности и новых функций выполните обновление до последней версии GitHub Enterprise Server. Чтобы получить справку по обновлению, обратитесь в службу поддержки GitHub Enterprise.

Troubleshooting the detection of vulnerable dependencies

If the dependency information reported by GitHub Enterprise Server is not what you expected, there are a number of points to consider, and various things you can check.

Результаты обнаружения зависимостей, сообщаемые GitHub Enterprise Server, могут отличаться от результатов, возвращаемых другими средствами. Для этого есть веские причины, и полезно понять, как GitHub определяет зависимости для проекта.

Why do some dependencies seem to be missing?

GitHub generates and displays dependency data differently than other tools. Consequently, if you've been using another tool to identify dependencies you will almost certainly see different results. Consider the following:

Do Dependabot alerts only relate to insecure dependencies in manifests and lockfiles?

Dependabot alerts advise you about dependencies you should update, including transitive dependencies, where the version can be determined from a manifest or a lockfile. Dependabot security updates only suggest a change where Dependabot can directly "fix" the dependency, that is, when these are:

  • Direct dependencies explicitly declared in a manifest or lockfile
  • Transitive dependencies declared in a lockfile

Check: Is the uncaught vulnerability for a component that's not specified in the repository's manifest or lockfile?

Why don't I get Dependabot alerts for some ecosystems?

Dependabot alerts are supported for a set of ecosystems where we can provide high-quality, actionable data. Curated advisories in the GitHub Advisory Database, the dependency graph, and Dependabot alerts are provided for several ecosystems, including Java’s Maven, JavaScript’s npm and Yarn, .NET’s NuGet, Python’s pip, Ruby's RubyGems, and PHP’s Composer. For an overview of the package ecosystems that we support for Dependabot alerts, see Поддерживаемые экосистемы пакетов графа зависимостей.

It's worth noting that security advisories may exist for other ecosystems. The information in an unreviewed security advisory is provided by the maintainers of a particular repository. This data is not curated by GitHub. Дополнительные сведения см. в разделе Просмотр рекомендаций по безопасности в базе данных рекомендаций по GitHub.

Check: Does the uncaught vulnerability apply to an unsupported ecosystem?

Does Dependabot generate alerts for vulnerabilities that have been known for many years?

The GitHub Advisory Database was launched in November 2019, and initially back-filled to include advisories for security risks in the supported ecosystems, starting from 2017. When adding CVEs to the database, we prioritize curating newer CVEs, and CVEs affecting newer versions of software.

Some information on older vulnerabilities is available, especially where these CVEs are particularly widespread, however some old vulnerabilities are not included in the GitHub Advisory Database. If there's a specific old vulnerability that you need to be included in the database, contact ваш администратор сайта.

Check: Does the uncaught vulnerability have a publish date earlier than 2017 in the National Vulnerability Database?

Why does GitHub Advisory Database use a subset of published vulnerability data?

Some third-party tools use uncurated CVE data that isn't checked or filtered by a human. This means that CVEs with tagging or severity errors, or other quality issues, will cause more frequent, more noisy, and less useful alerts.

Since Dependabot uses curated data in the GitHub Advisory Database, the volume of alerts may be lower, but the alerts you do receive will be accurate and relevant.

Can Dependabot ignore specific dependencies?

You can configure Dependabot to ignore specific dependencies in the configuration file, which will prevent security and version updates for those dependencies. If you only wish to use security updates, you will need to override the default behavior with a configuration file. For more information, see Настройка обновлений для системы безопасности Dependabot to prevent version updates from being activated. For information about ignoring dependencies, see Ignoring specific dependencies.

Further reading