Skip to content

Commit 1564b99

Browse files
authored
Merge pull request #45084 from github/repo-sync
Repo sync
2 parents 9fcab57 + 9434639 commit 1564b99

31 files changed

Lines changed: 863 additions & 109 deletions

File tree

content/code-security/concepts/supply-chain-security/dependabot-alerts.md

Lines changed: 8 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -28,7 +28,8 @@ Software often relies on packages from various sources, creating dependency rela
2828

2929
{% ifversion fpt or ghec %}
3030
* A new vulnerability is added to the {% data variables.product.prodname_advisory_database %}{% else %}
31-
* New advisory data is synchronized to {% data variables.product.prodname_dotcom %} each hour from {% data variables.product.prodname_dotcom_the_website %}. {% data reusables.security-advisory.link-browsing-advisory-db %}{% endif %}
31+
* New advisory data is synchronized to {% data variables.product.prodname_dotcom %} each hour from {% data variables.product.prodname_dotcom_the_website %}. {% data reusables.security-advisory.link-browsing-advisory-db %}{% endif %}{% ifversion ghec %}
32+
* Your enterprise publishes an innersource advisory for a component you depend on. For more information, see [AUTOTITLE](/code-security/concepts/vulnerability-reporting-and-management/innersource-advisories).{% endif %}
3233
* Your dependency graph changes—for example, when you push commits that update packages or versions
3334

3435
For supported ecosystems, see [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/dependency-graph-supported-package-ecosystems#supported-package-ecosystems).
@@ -41,7 +42,9 @@ When {% data variables.product.github %} detects a vulnerable dependency, a {% d
4142
* Details about the vulnerability and its severity
4243
* Information about a fixed version (when available)
4344

44-
For information about viewing and managing alerts, see [AUTOTITLE](/code-security/dependabot/dependabot-alerts/viewing-and-updating-dependabot-alerts).
45+
{% ifversion ghec %}Alerts generated from an innersource advisory carry a distinct "Innersource" label, distinguishing them from alerts based on public advisories.
46+
47+
{% endif %}For information about viewing and managing alerts, see [AUTOTITLE](/code-security/dependabot/dependabot-alerts/viewing-and-updating-dependabot-alerts).
4548

4649
## Who can enable alerts?
4750

@@ -102,7 +105,7 @@ Alternatively, you can opt into the weekly email digest, or even completely turn
102105

103106
* Alerts can't catch every security issue. Always review your dependencies and keep manifest and lock files up to date for accurate detection.
104107
* New vulnerabilities may take time to appear in the {% data variables.product.prodname_advisory_database %} and trigger alerts.
105-
* Only advisories reviewed by {% data variables.product.github %} trigger alerts.
108+
* Only advisories reviewed by {% data variables.product.github %}{% ifversion ghec %} or published by your enterprise as innersource advisories{% endif %} trigger alerts.
106109
* {% data variables.product.prodname_dependabot %} doesn't scan archived repositories.{% ifversion dependabot-malware-alerts %}{% else %}
107110
* {% data variables.product.prodname_dependabot %} doesn't generate alerts for malware.{% endif %}
108111
* {% data reusables.dependabot.dependabot-alert-actions-semver %}
@@ -120,7 +123,8 @@ With a {% data variables.copilot.copilot_enterprise %} license, you can ask {% d
120123
## Further reading
121124

122125
{% ifversion dependabot-malware-alerts %}
123-
* [AUTOTITLE](/code-security/concepts/supply-chain-security/dependabot-malware-alerts){% endif %}
126+
* [AUTOTITLE](/code-security/concepts/supply-chain-security/dependabot-malware-alerts){% endif %}{% ifversion ghec %}
127+
* [AUTOTITLE](/code-security/concepts/vulnerability-reporting-and-management/innersource-advisories){% endif %}
124128
* [AUTOTITLE](/code-security/dependabot/dependabot-alerts/viewing-and-updating-dependabot-alerts)
125129
* [AUTOTITLE](/code-security/dependabot/dependabot-security-updates/about-dependabot-security-updates)
126130
* [AUTOTITLE](/code-security/getting-started/auditing-security-alerts)

content/code-security/concepts/vulnerability-reporting-and-management/github-advisory-database.md

Lines changed: 15 additions & 9 deletions
Original file line numberDiff line numberDiff line change
@@ -1,6 +1,6 @@
11
---
22
title: GitHub Advisory database
3-
intro: 'The {% data variables.product.prodname_advisory_database %} contains a list of known security vulnerabilities and malware, grouped in three categories: {% data variables.product.company_short %}-reviewed advisories, unreviewed advisories, and malware advisories.'
3+
intro: 'Research known security vulnerabilities and malware in open source packages, so you can understand and remediate the risks in your dependencies.'
44
versions:
55
fpt: '*'
66
ghec: '*'
@@ -17,19 +17,25 @@ category:
1717

1818
## About the {% data variables.product.prodname_advisory_database %}
1919

20-
{% data reusables.repositories.tracks-vulnerabilities %}
21-
2220
Security advisories are published as JSON files in the Open Source Vulnerability (OSV) format. For more information about the OSV format, see [Open Source Vulnerability format](https://ossf.github.io/osv-schema/).
2321

2422
## Types of security advisories
2523

26-
Each advisory in the {% data variables.product.prodname_advisory_database %} is for a vulnerability in open source projects or for malicious open source software.
24+
Each advisory in the {% data variables.product.prodname_advisory_database %} relates to a specific security problem in a software component. These problems come in several varieties.
25+
26+
A vulnerability is a problem in a project's code that could be exploited to damage the confidentiality, integrity, or availability of the project or other projects that use it. Vulnerabilities in code are usually introduced by accident and fixed soon after they are discovered. Vulnerability advisories contain information about the range of released package versions where the problem exists, and the earliest version where the problem was fixed. This helps downstream users of the software address the vulnerability by updating their dependencies to use a fixed version as soon as it is available.
27+
28+
In contrast, malicious software, or malware, is code that is intentionally designed to perform unwanted or harmful functions. The malware may target hardware, software, confidential data, or users of any application that uses the malware. You need to remove the malware from your project and find an alternative, more secure replacement for the dependency. Malware alerts do not contain a fix version, because the defining characteristic of a malware alert is that there are no safe versions—the only safe course of action is not to use the package at all.
2729

28-
{% data reusables.repositories.a-vulnerability-is %} Vulnerabilities in code are usually introduced by accident and fixed soon after they are discovered. You should update your code to use the fixed version of the dependency as soon as it is available.
30+
{% ifversion ghec %}
2931

30-
In contrast, malicious software, or malware, is code that is intentionally designed to perform unwanted or harmful functions. The malware may target hardware, software, confidential data, or users of any application that uses the malware. You need to remove the malware from your project and find an alternative, more secure replacement for the dependency.
32+
Both of these advisory types are public information about open source packages. Users with {% data variables.product.prodname_GH_code_security %} or {% data variables.product.prodname_GHAS %} can also create innersource advisories, which restrict visibility to just their organization or enterprise. Innersource advisories use the same OSV format as public advisories but can be associated with either public or internal, private projects. This allows enterprises to use the familiar {% data variables.product.prodname_dependabot %} alert and update features to provide fixes to internal software consumers. For more information about innersource advisories, see [AUTOTITLE](/code-security/concepts/vulnerability-reporting-and-management/innersource-advisories).
3133

32-
### {% data variables.product.company_short %}-reviewed advisories
34+
{% endif %}
35+
36+
### {% data variables.product.company_short %}-reviewed vulnerability advisories
37+
38+
{% data reusables.repositories.tracks-vulnerabilities %}
3339

3440
{% data reusables.advisory-database.github-reviewed-overview %}
3541

@@ -52,7 +58,7 @@ If you have a suggestion for a new ecosystem we should support, please open an [
5258

5359
If you enable {% data variables.product.prodname_dependabot_alerts %} for your repositories, you are automatically notified when a new {% data variables.product.company_short %}-reviewed advisory reports a vulnerability for a package you depend on. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-alerts/about-dependabot-alerts).
5460

55-
### Unreviewed advisories
61+
### Unreviewed vulnerability advisories
5662

5763
{% data reusables.advisory-database.unreviewed-overview %}
5864

@@ -64,7 +70,7 @@ If you enable {% data variables.product.prodname_dependabot_alerts %} for your r
6470

6571
{% data variables.product.prodname_dependabot %} doesn't generate alerts when malware is detected as most of the vulnerabilities cannot be resolved by downstream users. You can view malware advisories by searching for `type:malware` in the {% data variables.product.prodname_advisory_database %}.
6672

67-
Our malware advisories are mostly about substitution attacks. During this type of attack, an attacker publishes a package to the public registry with the same name as a dependency that users rely on from a third party or private registry, with the hope that the malicious version is consumed. {% data variables.product.prodname_dependabot %} doesnt look at project configurations to determine if the packages are coming from a private registry, so we aren't sure if you're using the malicious version or a non-malicious version. Users who have their dependencies appropriately scoped should not be affected by malware.
73+
Our malware advisories are mostly about substitution attacks. During this type of attack, an attacker publishes a package to the public registry with the same name as a dependency that users rely on from a third party or private registry, with the hope that the malicious version is consumed. {% data variables.product.prodname_dependabot %} doesn't look at project configurations to determine if the packages are coming from a private registry, so we can't determine whether you're using the malicious version or a non-malicious version that has the same name. Users who have their dependencies appropriately scoped should not be affected by malware.
6874

6975
## Information in security advisories
7076

content/code-security/concepts/vulnerability-reporting-and-management/index.md

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -8,6 +8,7 @@ versions:
88
contentType: concepts
99
children:
1010
- /github-advisory-database
11+
- /innersource-advisories
1112
- /repository-security-advisories
1213
- /global-security-advisories
1314
- /coordinated-disclosure
Lines changed: 30 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,30 @@
1+
---
2+
title: Innersource advisories
3+
shortTitle: Innersource advisories
4+
intro: Enterprises can alert their internal repositories to vulnerabilities and ship automated fixes with {% data variables.product.prodname_dependabot %}, using advisories that stay private to a single enterprise.
5+
versions:
6+
fpt: '*'
7+
ghec: '*'
8+
contentType: concepts
9+
category:
10+
- Secure your dependencies
11+
---
12+
13+
## About innersource advisories
14+
15+
The {% data variables.product.prodname_advisory_database %} provides a centralized source of alert information for security vulnerabilities. When an advisory about a vulnerable open source component is published, {% data variables.product.prodname_dependabot %} uses {% data variables.product.company_short %}'s dependency graph to find repositories that are using that component, then sends alerts and pull requests to notify the repository's owners and update the affected code to a newer version that fixes the vulnerability.
16+
17+
Enterprises can use the same mechanism to create alerts and send updates about internally discovered vulnerabilities. Innersource advisories use a similar Open Source Vulnerability (OSV) data format to public advisories, but are not publicly visible. They are scoped to a single enterprise and therefore only propagate alerts to repositories inside that enterprise. The subject of an innersource advisory can be either an internal or open source component, enabling enterprises to push fixes independent of public disclosure and alerting.
18+
19+
## Who can create innersource advisories
20+
21+
Innersource advisories can only be created in enterprises that have an active {% data variables.product.prodname_GH_code_security %} or {% data variables.product.prodname_GHAS %} license. If your license expires or {% data variables.product.prodname_GH_code_security %} is disabled, advisories will no longer be visible and will not propagate alerts. However, the underlying data will not be deleted, and re-activating the license will restore any pre-existing advisories.
22+
23+
## Limitations of innersource advisories
24+
25+
* Currently, advisories can only be scoped to an entire enterprise. You cannot target individual organizations or groups of organizations inside the enterprise.
26+
* Each enterprise is limited to 2,000 active advisories. Attempts to create new advisories once that limit is reached will result in an error. If you reach this limit, you can withdraw old or outdated advisories. See [AUTOTITLE](/code-security/how-tos/secure-your-supply-chain/secure-your-dependencies/manage-innersource-advisories#withdrawing-innersource-advisories).
27+
28+
## Next steps
29+
30+
To create, distribute, and withdraw innersource advisories, see [AUTOTITLE](/code-security/how-tos/secure-your-supply-chain/secure-your-dependencies/manage-innersource-advisories).

content/code-security/how-tos/secure-your-supply-chain/secure-your-dependencies/index.md

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -12,6 +12,7 @@ children:
1212
- /configure-malware-alerts
1313
- /configure-security-updates
1414
- /configure-version-updates
15+
- /manage-innersource-advisories
1516
- /auto-update-actions
1617
- /configuring-multi-ecosystem-updates
1718
- /enable-dependency-graph

0 commit comments

Comments
 (0)