
Publishing a security advisory

You can publish a security advisory to alert your community about a security vulnerability in your project.


Anyone with admin permissions to a security advisory can publish the security advisory.

Prerequisites

Before you can publish a security advisory or request a CVE identification number, you must create a draft security advisory and provide information about the versions of your project affected by the security vulnerability.

If you've created a security advisory but haven't yet provided details about the versions of your project that the security vulnerability affects, you can edit the security advisory's details at the top of the security advisory.

For more information, see "Creating a security advisory."

About publishing a security advisory

When you publish a security advisory, you notify your community about the security vulnerability that the security advisory addresses. Publishing a security advisory makes it easier for your community to update package dependencies and research the impact of the security vulnerability.

After you publish a security advisory, anyone with read access to the repository can see the security advisory. The URL for the security advisory will remain the same as before you published the security advisory.

Before you publish a security advisory, you can privately collaborate to fix the vulnerability in a temporary private fork. For more information, see "Collaborating in a temporary private fork to resolve a security vulnerability."

Requesting a CVE identification number

Anyone with admin permissions to a security advisory can request a CVE identification number for the security advisory.

If the security vulnerability in your project does not have a CVE identification number yet, you can request one from GitHub. GitHub usually assigns a CVE identification number within 72 hours. For more information, see "About GitHub Security Advisories."

  1. On GitHub, navigate to the main page of the repository.

  2. Under your repository name, click Security.

  3. In the left sidebar, click Advisories.

  4. In the "Security Advisories" list, click the security advisory you'd like to request a CVE identification number for.

  5. Use the Publish advisory drop-down menu, and click Request CVE.

  6. Click Request CVE.

Publishing a security advisory

Publishing a security advisory deletes the temporary private fork for the security advisory.


  1. On GitHub, navigate to the main page of the repository.

  2. Under your repository name, click Security.

  3. In the left sidebar, click Advisories.

  4. In the "Security Advisories" list, click the security advisory you'd like to publish.

  5. At the bottom of the page, click Publish advisory.
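The steps above are the browser procedure. As an added example (not code from this page or from GitHub), the same two actions, requesting a CVE and publishing, can be driven through GitHub's REST API for repository security advisories, with the prerequisite stated earlier (affected package and versions recorded on the draft) enforced locally before anything is sent. The endpoint paths and the `state` field are GitHub's; the owner, repository, GHSA identifier, token and the two sample advisory documents are constructed placeholders for illustration.

```python
"""Pre-publish gate plus CVE request / publish calls for a repository security advisory.

readiness_problems() is a pure, offline check that mirrors the page's prerequisite:
an advisory must be a draft that names the affected package and its vulnerable
version range before it can be published or have a CVE requested. The network
helpers call GitHub's REST API and need a token with admin access to the advisory.
"""
import json
import urllib.request

API = "https://api.github.com"


def readiness_problems(advisory):
    """Return the reasons an advisory is not ready to publish; an empty list means ready."""
    problems = []
    state = advisory.get("state")
    if state != "draft":
        problems.append("state is %r, only a draft can be published" % state)
    if not advisory.get("summary") or not advisory.get("description"):
        problems.append("summary or description is empty")
    vulns = advisory.get("vulnerabilities") or []
    if not vulns:
        problems.append("no affected package/versions recorded")
    for i, v in enumerate(vulns):
        pkg = v.get("package") or {}
        if not pkg.get("ecosystem") or not pkg.get("name"):
            problems.append("vulnerability[%d]: package ecosystem/name missing" % i)
        if not v.get("vulnerable_version_range"):
            problems.append("vulnerability[%d]: vulnerable_version_range missing" % i)
    return problems


def _request(method, path, token, body=None):
    """Minimal authenticated call to the GitHub REST API; returns the decoded JSON response."""
    headers = {
        "Accept": "application/vnd.github+json",
        "Authorization": "Bearer " + token,
        "X-GitHub-Api-Version": "2022-11-28",
    }
    data = None
    if body is not None:
        data = json.dumps(body).encode()
        headers["Content-Type"] = "application/json"
    req = urllib.request.Request(API + path, data=data, method=method, headers=headers)
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def request_cve(owner, repo, ghsa_id, token):
    """Ask GitHub to assign a CVE identification number to the advisory (needs a complete draft)."""
    advisory = _request("GET", "/repos/%s/%s/security-advisories/%s" % (owner, repo, ghsa_id), token)
    problems = readiness_problems(advisory)
    if problems:
        raise ValueError("advisory not ready for a CVE request: " + "; ".join(problems))
    return _request("POST", "/repos/%s/%s/security-advisories/%s/cve" % (owner, repo, ghsa_id), token)


def publish(owner, repo, ghsa_id, token):
    """Publish the advisory; this is also the point at which its temporary private fork is deleted."""
    advisory = _request("GET", "/repos/%s/%s/security-advisories/%s" % (owner, repo, ghsa_id), token)
    problems = readiness_problems(advisory)
    if problems:
        raise ValueError("advisory not ready to publish: " + "; ".join(problems))
    return _request("PATCH", "/repos/%s/%s/security-advisories/%s" % (owner, repo, ghsa_id), token,
                    {"state": "published"})


# Constructed sample advisories (shape follows the API's advisory object; values are made up).
SAMPLE_READY = {
    "ghsa_id": "GHSA-xxxx-xxxx-xxxx",  # placeholder identifier
    "state": "draft",
    "summary": "Path traversal in archive extraction",
    "description": "Crafted archive entries can escape the extraction directory.",
    "vulnerabilities": [
        {"package": {"ecosystem": "npm", "name": "example-archiver"},
         "vulnerable_version_range": "< 2.4.1",
         "patched_versions": "2.4.1"},
    ],
}

SAMPLE_NOT_READY = {
    "ghsa_id": "GHSA-yyyy-yyyy-yyyy",  # placeholder identifier
    "state": "draft",
    "summary": "Path traversal in archive extraction",
    "description": "Crafted archive entries can escape the extraction directory.",
    "vulnerabilities": [
        {"package": {"ecosystem": "npm", "name": "example-archiver"},
         "vulnerable_version_range": None,  # affected versions never filled in
         "patched_versions": None},
    ],
}

if __name__ == "__main__":
    for name, doc in (("ready", SAMPLE_READY), ("not ready", SAMPLE_NOT_READY)):
        print(name, "->", readiness_problems(doc) or "ok to publish")
```

Running the module prints the readiness verdict for both constructed drafts without touching the network; `request_cve()` and `publish()` are only reached with a real owner, repository, GHSA identifier and token. The gate refuses anything that is not a draft, so an already published or closed advisory cannot be accidentally re-submitted.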

Security alerts for published security advisories

GitHub reviews each published security advisory, adds it to the GitHub Advisory Database, and may use the security advisory to send security alerts to affected repositories. If the security advisory comes from a fork, we only send alerts if the fork owns a package published under a unique name on a public package registry. This process can take up to 72 hours, and GitHub may contact you for more information.

For more information about security alerts, see "About security alerts for vulnerable dependencies." For more information about the GitHub Advisory Database, see "Browsing security vulnerabilities in the GitHub Advisory Database."

Further reading
