
Browsing security vulnerabilities in the GitHub Advisory Database

The GitHub Advisory Database allows you to browse or search for vulnerabilities that affect open source projects on GitHub.


About the GitHub Advisory Database

A vulnerability is a problem in a project's code that could be exploited to damage the confidentiality, integrity, or availability of the project or of other projects that use its code. The GitHub Advisory Database contains a curated list of security vulnerabilities that have been mapped to any package tracked by the GitHub dependency graph. Each advisory listing includes information like the affected repository, as well as the vulnerable and patched versions. The database is also accessible using the GraphQL API. For more information, see "SecurityAdvisoryEvent" in the GitHub Developer documentation.

We use the following sources to add vulnerabilities to the GitHub Advisory Database:

GitHub will send you a security alert if we detect any of the vulnerabilities from the GitHub Advisory Database affecting your repository. For more information, see "About security alerts for vulnerable dependencies."

Advisories from the National Vulnerability Database list will contain a link to the CVE record, where you can read more details about the vulnerability, its CVSS scores, and its qualitative severity level. For more information, see the "National Vulnerability Database" from the National Institute of Standards and Technology.

The severity level is one of the four levels defined in the Common Vulnerability Scoring System (CVSS), Section 2.1.2:

  • Low
  • Moderate
  • High
  • Critical

You can also join GitHub Security Lab to browse security-related topics and contribute to security tools and projects.

Accessing an advisory in the GitHub Advisory Database

  1. Navigate to https://github.com/advisories.
  2. Optionally, to filter the list, use any of the drop-down menus.
  3. Click on any advisory to view details.

Searching the GitHub Advisory Database

You can search the database, and use qualifiers to narrow your search to advisories created on a certain date, in a specific ecosystem, or in a particular library.

Date formatting must follow the ISO8601 standard, which is YYYY-MM-DD (year-month-day). You can also add optional time information THH:MM:SS+00:00 after the date, to search by the hour, minute, and second. That's T, followed by HH:MM:SS (hour-minutes-seconds), and a UTC offset (+00:00).

Dates support greater than, less than, and range qualifiers.

Qualifier              Example
ecosystem:ECOSYSTEM    ecosystem:npm will show only advisories affecting NPM packages.
severity:LEVEL         severity:high will show only advisories with a high severity level.
affects:LIBRARY        affects:lodash will show only advisories affecting the lodash library.
sort:created-asc       sort:created-asc will sort by the oldest advisories first.
sort:created-desc      sort:created-desc will sort by the newest advisories first.
sort:updated-asc       sort:updated-asc will sort by the least recently updated first.
sort:updated-desc      sort:updated-desc will sort by the most recently updated first.
is:withdrawn           is:withdrawn will show only advisories that have been withdrawn.
created:YYYY-MM-DD     created:2019-10-31 will show only advisories created on this date.
updated:YYYY-MM-DD     updated:2019-10-31 will show only advisories updated on this date.
