
Browsing security vulnerabilities in the GitHub Advisory Database

The GitHub Advisory Database allows you to browse or search for vulnerabilities that affect open source projects on GitHub.


About the GitHub Advisory Database

A vulnerability is a problem in a project's code that could be exploited to damage the confidentiality, integrity, or availability of that project or of other projects that use its code. The GitHub Advisory Database contains a curated list of security vulnerabilities that have been mapped to any package tracked by the GitHub dependency graph. Each advisory listing includes information such as the affected repository, as well as the vulnerable and patched versions. The database is also accessible using the GraphQL API. For more information, see "SecurityAdvisoryEvent" in the GitHub Developer documentation.

We add vulnerabilities to the GitHub Advisory Database from the following sources:

GitHub will send you a security alert if we detect any of the vulnerabilities from the GitHub Advisory Database affecting your repository. For more information, see "About security alerts for vulnerable dependencies."

Advisories from the National Vulnerability Database list will contain a link to the CVE record, where you can read more details about the vulnerability, its CVSS scores, and its qualitative severity level. For more information, see the "National Vulnerability Database" from the National Institute of Standards and Technology.

We use the following four possible severity levels, as defined in section 2.1.2 of the Common Vulnerability Scoring System (CVSS):

  • Critical

You can also join GitHub Security Lab to browse security topics and contribute to security tools and projects.

Accessing an advisory in the GitHub Advisory Database

  1. Navigate to https://github.com/advisories.
  2. Optionally, to filter the list, use any of the drop-down menus.
     [Screenshot: dropdown filters]
  3. Click on any advisory to view details.

Searching the GitHub Advisory Database

You can search the database, and use qualifiers to narrow your search to advisories created on a certain date, in a specific ecosystem, or in a particular library.

The date format must follow the ISO 8601 standard, which is YYYY-MM-DD (year-month-day). You can also add optional time information, THH:MM:SS+00:00, after the date to search by hour, minute, and second. That is T, followed by HH:MM:SS (hour-minutes-seconds) and a UTC offset (+00:00).

Dates also support greater than, less than, and range qualifiers.

Qualifier              Example
ecosystem:ECOSYSTEM    ecosystem:npm will show only advisories affecting NPM packages.
severity:LEVEL         severity:high will show only advisories with a high severity level.
affects:LIBRARY        affects:lodash will show only advisories affecting the lodash library.
sort:created-asc       sort:created-asc will sort by the oldest advisories first.
sort:created-desc      sort:created-desc will sort by the newest advisories first.
sort:updated-asc       sort:updated-asc will sort by the least recently updated first.
sort:updated-desc      sort:updated-desc will sort by the most recently updated first.
is:withdrawn           is:withdrawn will show only advisories that have been withdrawn.
created:YYYY-MM-DD     created:2019-10-31 will show only advisories created on this date.
updated:YYYY-MM-DD     updated:2019-10-31 will show only advisories updated on this date.
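The following script is an added example, not code from GitHub or this page. It models the qualifiers in the table above and the ISO 8601 date syntax described earlier (including the greater than, less than, and range forms), so that a query can be checked for well-formedness before it is pasted into https://github.com/advisories. The set of severity values, the exact comparison prefixes (>, >=, <, <=) and the START..END range form with * as an open end are assumptions about the search syntax; the page itself only names the qualifiers and the "high" and "Critical" levels. The script does not contact GitHub.

```python
"""Build and lint GitHub Advisory Database search queries (added example)."""
import re
from datetime import date, datetime

# YYYY-MM-DD with an optional THH:MM:SS+00:00 suffix, as the page describes.
DATE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2})"
    r"(?P<time>T\d{2}:\d{2}:\d{2}[+-]\d{2}:\d{2})?$"
)
SORT_VALUES = {"created-asc", "created-desc", "updated-asc", "updated-desc"}
# Assumed to match the four CVSS-based levels the page refers to.
SEVERITIES = {"low", "moderate", "high", "critical"}


def _valid_timestamp(text: str) -> bool:
    """True if text is a real calendar date, optionally with time and UTC offset."""
    m = DATE_RE.match(text)
    if not m:
        return False
    try:
        if m.group("time"):
            datetime.fromisoformat(text)       # validates time and offset too
        else:
            date.fromisoformat(m.group("date"))  # rejects e.g. month 13
    except ValueError:
        return False
    return True


def valid_date_qualifier(value: str) -> bool:
    """Accept a plain date, a >, >=, <, <= comparison, or a START..END range.

    Either end of a range may be '*' (open-ended), but not both.
    """
    if ".." in value:
        start, _, end = value.partition("..")
        if start != "*" and not _valid_timestamp(start):
            return False
        if end != "*" and not _valid_timestamp(end):
            return False
        return start != "*" or end != "*"
    for prefix in (">=", "<=", ">", "<"):
        if value.startswith(prefix):
            return _valid_timestamp(value[len(prefix):])
    return _valid_timestamp(value)


def lint_query(query: str) -> list:
    """Return a list of problems; empty means every qualifier is one the page
    documents and carries a well-formed value. Tokens without ':' are free text."""
    problems = []
    for token in query.split():
        key, sep, value = token.partition(":")
        if not sep:
            continue
        if key in ("ecosystem", "affects"):
            if not value:
                problems.append(f"{key}: needs a value")
        elif key == "severity":
            if value not in SEVERITIES:
                problems.append(f"unknown severity {value!r}")
        elif key == "sort":
            if value not in SORT_VALUES:
                problems.append(f"unknown sort {value!r}")
        elif key == "is":
            if value != "withdrawn":
                problems.append(f"unknown is: value {value!r}")
        elif key in ("created", "updated"):
            if not valid_date_qualifier(value):
                problems.append(f"{key}: bad date {value!r}")
        else:
            problems.append(f"unknown qualifier {key!r}")
    return problems


def build_query(ecosystem=None, severity=None, affects=None, withdrawn=False,
                created=None, updated=None, sort=None) -> str:
    """Assemble a query from keyword arguments and refuse to return a bad one."""
    parts = []
    if ecosystem:
        parts.append(f"ecosystem:{ecosystem}")
    if severity:
        parts.append(f"severity:{severity}")
    if affects:
        parts.append(f"affects:{affects}")
    if withdrawn:
        parts.append("is:withdrawn")
    if created:
        parts.append(f"created:{created}")
    if updated:
        parts.append(f"updated:{updated}")
    if sort:
        parts.append(f"sort:{sort}")
    query = " ".join(parts)
    problems = lint_query(query)
    if problems:
        raise ValueError("; ".join(problems))
    return query


if __name__ == "__main__":
    # Constructed usage: newest high-severity npm advisories for lodash since a date.
    print(build_query(ecosystem="npm", severity="high", affects="lodash",
                      created=">2019-10-31", sort="created-desc"))
```

The linter is deliberately strict about dates: a value such as 2019/10/31 or 2019-13-01 is rejected before the query is sent, which is the kind of silent mismatch that otherwise returns no advisories and is easy to misread as "no known vulnerabilities".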
