Github Blog

GitHub Advisory Database by the numbers: Known security vulnerabilities and what you can do about them


GitHub Advisory Database Overview

Introduction

The GitHub Advisory Database is a valuable resource for developers, providing a comprehensive list of known security vulnerabilities and malware affecting open source packages. The advisories in the database are grouped into three categories: GitHub-reviewed advisories, Reviewed advisories, and Non-reviewed advisories.

GitHub-reviewed Advisories

GitHub-reviewed advisories are manually reviewed and mapped to packages in supported ecosystems. These vulnerabilities have been analyzed by security experts and are considered valid. Advisories in this category are sourced from various databases, including NVD, and are prioritized based on severity ratings and CVSS scores.

Reviewed Advisories

Reviewed advisories are vulnerabilities that have been reviewed but may not be mapped to packages in supported ecosystems. Even without that mapping, these advisories are still worth developers' attention. They may come from various sources and cover a wide range of software vulnerabilities.

Non-reviewed Advisories

Non-reviewed advisories are vulnerabilities that have not yet been reviewed by security analysts. While they may not be as extensively analyzed as reviewed advisories, they are still included in the database to provide a comprehensive list of known security issues.

Advisory Prioritization

The GitHub Advisory Database offers tools to help prioritize remediation efforts, including severity ratings, CVSS scores, and EPSS (Exploit Prediction Scoring System). By focusing on vulnerabilities with high EPSS scores, developers can address issues that are at higher risk of exploitation within the next 30 days.
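The following is an added example, not code from the GitHub blog post or from GitHub's own tooling. It shows how the review flag and the prioritization signals described above combine in practice: a few advisory records are constructed in the OSV-style layout that the github/advisory-database repository publishes (the `database_specific.github_reviewed` flag, the `database_specific.severity` label, and `affected[].ranges[].events`), an installed package list is matched against the affected version ranges, and the matches are ordered by EPSS first and GitHub's severity label second. The advisory IDs, package names, versions, and EPSS probabilities are all made up; the version parser is a simplified dotted-numeric comparison (an assumption, since real ecosystems have pre-release and build tags), and EPSS is keyed here by advisory ID for brevity although FIRST publishes it per CVE.

```python
"""Triage constructed OSV-style advisories against an installed package list,
filtering on the GitHub-reviewed flag and ranking by EPSS, then severity."""
from __future__ import annotations

# Constructed sample records in the layout used by github/advisory-database.
# IDs, packages, versions and scores are invented for this example.
ADVISORIES = [
    {
        "id": "GHSA-EXAMPLE-0001",
        "summary": "Constructed: unsafe deserialization in example-parser",
        "severity": [{"type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}],
        "affected": [{"package": {"ecosystem": "npm", "name": "example-parser"},
                      "ranges": [{"type": "ECOSYSTEM",
                                  "events": [{"introduced": "0"}, {"fixed": "2.4.1"}]}]}],
        "database_specific": {"severity": "CRITICAL", "github_reviewed": True},
    },
    {
        "id": "GHSA-EXAMPLE-0002",
        "summary": "Constructed: authentication bypass in example-auth",
        "severity": [{"type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}],
        "affected": [{"package": {"ecosystem": "pip", "name": "example-auth"},
                      "ranges": [{"type": "ECOSYSTEM",
                                  "events": [{"introduced": "1.0.0"}, {"fixed": "1.3.0"}]}]}],
        "database_specific": {"severity": "HIGH", "github_reviewed": True},
    },
    {
        "id": "GHSA-EXAMPLE-0003",
        "summary": "Constructed: unreviewed report against example-parser",
        "severity": [],
        "affected": [{"package": {"ecosystem": "npm", "name": "example-parser"},
                      "ranges": [{"type": "ECOSYSTEM",
                                  "events": [{"introduced": "0"}, {"last_affected": "2.5.0"}]}]}],
        "database_specific": {"severity": "MODERATE", "github_reviewed": False},
    },
]

# Constructed EPSS probabilities (0..1), keyed by advisory ID for this example.
EPSS = {"GHSA-EXAMPLE-0001": 0.03, "GHSA-EXAMPLE-0002": 0.71, "GHSA-EXAMPLE-0003": 0.01}

# Constructed inventory: (ecosystem, package, installed version)
INSTALLED = [("npm", "example-parser", "2.3.0"),
             ("pip", "example-auth", "1.2.5"),
             ("npm", "example-other", "0.9.0")]

SEVERITY_RANK = {"CRITICAL": 4, "HIGH": 3, "MODERATE": 2, "LOW": 1}


def parse_version(text: str) -> tuple[int, ...]:
    """Simplified dotted-numeric version (assumption: no pre-release/build tags)."""
    return tuple(int(part) for part in text.split("."))


def version_in_range(version: str, events: list[dict]) -> bool:
    """Evaluate one OSV range: an 'introduced' event opens a vulnerable span and
    'fixed' (exclusive) or 'last_affected' (inclusive) closes it."""
    v = parse_version(version)
    start = None
    for event in events:
        if "introduced" in event:
            start = parse_version(event["introduced"])
        elif "fixed" in event and start is not None:
            if start <= v < parse_version(event["fixed"]):
                return True
            start = None
        elif "last_affected" in event and start is not None:
            if start <= v <= parse_version(event["last_affected"]):
                return True
            start = None
    # An unclosed 'introduced' means every later version is affected.
    return start is not None and v >= start


def affects(advisory: dict, ecosystem: str, name: str, version: str) -> bool:
    """True if the advisory lists this package/version as affected."""
    for entry in advisory.get("affected", []):
        pkg = entry.get("package", {})
        if pkg.get("ecosystem") != ecosystem or pkg.get("name") != name:
            continue
        for rng in entry.get("ranges", []):
            if rng.get("type") == "ECOSYSTEM" and version_in_range(version, rng["events"]):
                return True
    return False


def prioritise(installed, advisories, epss_scores, reviewed_only: bool = True) -> list[dict]:
    """Match inventory to advisories and order by EPSS (desc), then severity label."""
    hits = []
    for ecosystem, name, version in installed:
        for adv in advisories:
            ds = adv.get("database_specific", {})
            if reviewed_only and not ds.get("github_reviewed", False):
                continue  # skip non-reviewed records unless explicitly requested
            if not affects(adv, ecosystem, name, version):
                continue
            hits.append({"id": adv["id"],
                         "package": f"{ecosystem}:{name}@{version}",
                         "severity": ds.get("severity", "UNKNOWN"),
                         "epss": epss_scores.get(adv["id"], 0.0)})
    hits.sort(key=lambda h: (h["epss"], SEVERITY_RANK.get(h["severity"], 0)), reverse=True)
    return hits


if __name__ == "__main__":
    for hit in prioritise(INSTALLED, ADVISORIES, EPSS):
        print(f"{hit['id']}  epss={hit['epss']:.2f}  {hit['severity']:<8} {hit['package']}")
```

Note how the ordering comes out: the HIGH advisory with the high EPSS probability is listed before the CRITICAL one with a low probability, which is the point of using EPSS alongside CVSS. Passing `reviewed_only=False` widens the result to the non-reviewed record, which is a reasonable way to surface the comprehensive list while still keeping GitHub-reviewed findings first in the remediation queue.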

Conclusion

With over 22,000 reviewed advisories, the GitHub Advisory Database is a powerful tool for tracking open source software vulnerabilities. By leveraging the database and creating GitHub security advisories in repositories, developers can stay informed and proactive in addressing security issues in their projects.