зеркало из https://github.com/github/docs.git
[2023-03-28]: Dependency graph updates the repository view - [GA]#9147 (#35833)
Co-authored-by: mc <42146119+mchammer01@users.noreply.github.com> Co-authored-by: Courtney Claessens <courtneycl@github.com>
This commit is contained in:
Anne-Marie
GitHub
Родитель
aeebc8fa0c
Коммит
2c0421851d
|
|
@ -26,7 +26,7 @@ With the accelerated use of open source, most projects depend on hundreds of ope
|
|||
|
||||
You add dependencies directly to your supply chain when you specify them in a manifest file or a lockfile. Dependencies can also be included transitively, that is, even if you don’t specify a particular dependency, but a dependency of yours uses it, then you’re also dependent on that dependency.
|
||||
|
||||
{% data variables.product.product_name %} offers a range of features to help you understand the dependencies in your environment{% ifversion ghae %} and know about vulnerabilities in those dependencies{% endif %}{% ifversion fpt or ghec or ghes %}, know about vulnerabilities in those dependencies, and patch them{% endif %}.
|
||||
{% data variables.product.product_name %} offers a range of features to help you understand the dependencies in your environment{% ifversion ghae %} and know about vulnerabilities in those dependencies{% endif %}{% ifversion fpt or ghec or ghes %}, know about vulnerabilities in those dependencies, and patch them{% endif %}.
|
||||
|
||||
The supply chain features on {% data variables.product.product_name %} are:
|
||||
- **Dependency graph**
|
||||
|
|
@ -36,7 +36,7 @@ The supply chain features on {% data variables.product.product_name %} are:
|
|||
- **{% data variables.product.prodname_dependabot_security_updates %}**
|
||||
- **{% data variables.product.prodname_dependabot_version_updates %}**{% endif %}
|
||||
|
||||
The dependency graph is central to supply chain security. The dependency graph identifies all upstream dependencies and public downstream dependents of a repository or package. You can see your repository’s dependencies and some of their properties, like vulnerability information, on the dependency graph for the repository.
|
||||
The dependency graph is central to supply chain security. The dependency graph identifies all upstream dependencies and public downstream dependents of a repository or package. You can see your repository’s dependencies and some of their properties, like vulnerability information, on the dependency graph for the repository.
|
||||
|
||||
Other supply chain features on {% data variables.product.prodname_dotcom %} rely on the information provided by the dependency graph.
|
||||
|
||||
|
|
@ -57,20 +57,18 @@ For best practice guides on end-to-end supply chain security including the prote
|
|||
|
||||
To generate the dependency graph, {% data variables.product.company_short %} looks at a repository’s explicit dependencies declared in the manifest and lockfiles. When enabled, the dependency graph automatically parses all known package manifest files in the repository, and uses this to construct a graph with known dependency names and versions.
|
||||
|
||||
- The dependency graph includes information on your _direct_ dependencies and _transitive_ dependencies.
|
||||
- The dependency graph includes information on your _direct_ dependencies and _transitive_ dependencies.
|
||||
- The dependency graph is automatically updated when you push a commit to {% data variables.product.company_short %} that changes or adds a supported manifest or lock file to the default branch, and when anyone pushes a change to the repository of one of your dependencies.
|
||||
- You can see the dependency graph by opening the repository's main page on {% data variables.product.product_name %}, and navigating to the **Insights** tab.{% ifversion dependency-graph-sbom-export %}
|
||||
- {% data reusables.dependency-graph.sbom-export %}{% endif %}
|
||||
|
||||
{% ifversion dependency-submission-api %}
|
||||
{% data reusables.dependency-submission.dependency-submission-link %}
|
||||
{% endif %}
|
||||
|
||||
For more information about the dependency graph, see "[AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph)."
|
||||
|
||||
### What is dependency review
|
||||
|
||||
Dependency review helps reviewers and contributors understand dependency changes and their security impact in every pull request.
|
||||
Dependency review helps reviewers and contributors understand dependency changes and their security impact in every pull request.
|
||||
|
||||
- Dependency review tells you which dependencies were added, removed, or updated, in a pull request. You can use the release dates, popularity of dependencies, and vulnerability information to help you decide whether to accept the change.
|
||||
- You can see the dependency review for a pull request by showing the rich diff on the **Files Changed** tab.
|
||||
|
|
@ -112,13 +110,13 @@ The term "{% data variables.product.prodname_dependabot %}" encompasses the foll
|
|||
|
||||
#### What are Dependabot alerts
|
||||
|
||||
{% data variables.product.prodname_dependabot_alerts %} highlight repositories affected by a newly discovered vulnerability based on the dependency graph and the {% data variables.product.prodname_advisory_database %}, which contains advisories for known vulnerabilities{% ifversion GH-advisory-db-supports-malware %} and malware{% endif %}.
|
||||
{% data variables.product.prodname_dependabot_alerts %} highlight repositories affected by a newly discovered vulnerability based on the dependency graph and the {% data variables.product.prodname_advisory_database %}, which contains advisories for known vulnerabilities{% ifversion GH-advisory-db-supports-malware %} and malware{% endif %}.
|
||||
|
||||
- {% data variables.product.prodname_dependabot %} performs a scan to detect insecure dependencies and sends {% data variables.product.prodname_dependabot_alerts %} when:
|
||||
{% ifversion fpt or ghec %}
|
||||
- A new advisory is added to the {% data variables.product.prodname_advisory_database %}.{% else %}
|
||||
- New advisory data is synchronized to {% data variables.location.product_location %} each hour from {% data variables.product.prodname_dotcom_the_website %}. {% data reusables.security-advisory.link-browsing-advisory-db %}{% endif %}
|
||||
- The dependency graph for the repository changes.
|
||||
- The dependency graph for the repository changes.
|
||||
- {% data variables.product.prodname_dependabot_alerts %} are displayed {% ifversion fpt or ghec or ghes %} on the **Security** tab for the repository and{% endif %} in the repository's dependency graph. The alert includes {% ifversion fpt or ghec or ghes %}a link to the affected file in the project, and {% endif %}information about a fixed version.
|
||||
|
||||
For more information, see "[AUTOTITLE](/code-security/dependabot/dependabot-alerts/about-dependabot-alerts)."
|
||||
|
|
@ -133,7 +131,7 @@ There are two types of {% data variables.product.prodname_dependabot_updates %}:
|
|||
- Update dependencies to the minimum version that resolves a known vulnerability
|
||||
- Supported for ecosystems the dependency graph supports
|
||||
- Does not require a configuration file, but you can use one to override the default behavior
|
||||
|
||||
|
||||
{% data variables.product.prodname_dependabot_version_updates %}:
|
||||
- Requires a configuration file
|
||||
- Run on a schedule you configure
|
||||
|
|
@ -150,7 +148,7 @@ For more information about {% data variables.product.prodname_dependabot_updates
|
|||
Public repositories:
|
||||
- **Dependency graph**—enabled by default and cannot be disabled.
|
||||
- **Dependency review**—enabled by default and cannot be disabled.
|
||||
- **{% data variables.product.prodname_dependabot_alerts %}**—not enabled by default. {% data variables.product.prodname_dotcom %} detects insecure dependencies and displays information in the dependency graph, but does not generate {% data variables.product.prodname_dependabot_alerts %} by default. Repository owners or people with admin access can enable {% data variables.product.prodname_dependabot_alerts %}.
|
||||
- **{% data variables.product.prodname_dependabot_alerts %}**—not enabled by default. {% data variables.product.prodname_dotcom %} detects insecure dependencies and displays information in the dependency graph, but does not generate {% data variables.product.prodname_dependabot_alerts %} by default. Repository owners or people with admin access can enable {% data variables.product.prodname_dependabot_alerts %}.
|
||||
You can also enable or disable Dependabot alerts for all repositories owned by your user account or organization. For more information, see "[AUTOTITLE](/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-personal-account-settings/managing-security-and-analysis-settings-for-your-personal-account)" or "[AUTOTITLE](/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization)."
|
||||
|
||||
Private repositories:
|
||||
|
|
@ -158,7 +156,7 @@ Private repositories:
|
|||
{% ifversion fpt %}
|
||||
- **Dependency review**—available in private repositories owned by organizations that use {% data variables.product.prodname_ghe_cloud %} and have a license for {% data variables.product.prodname_GH_advanced_security %}. For more information, see the [{% data variables.product.prodname_ghe_cloud %} documentation](/enterprise-cloud@latest/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review).
|
||||
{% elsif ghec %}
|
||||
- **Dependency review**—available in private repositories owned by organizations provided you have a license for {% data variables.product.prodname_GH_advanced_security %} and the dependency graph enabled. For more information, see "[AUTOTITLE](/get-started/learning-about-github/about-github-advanced-security)" and "[AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/exploring-the-dependencies-of-a-repository#enabling-and-disabling-the-dependency-graph-for-a-private-repository)."
|
||||
- **Dependency review**—available in private repositories owned by organizations provided you have a license for {% data variables.product.prodname_GH_advanced_security %} and the dependency graph enabled. For more information, see "[AUTOTITLE](/get-started/learning-about-github/about-github-advanced-security)" and "[AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/exploring-the-dependencies-of-a-repository#enabling-and-disabling-the-dependency-graph-for-a-private-repository)."
|
||||
{% endif %}
|
||||
- **{% data variables.product.prodname_dependabot_alerts %}**—not enabled by default. Owners of private repositories, or people with admin access, can enable {% data variables.product.prodname_dependabot_alerts %} by enabling the dependency graph and {% data variables.product.prodname_dependabot_alerts %} for their repositories.
|
||||
You can also enable or disable Dependabot alerts for all repositories owned by your user account or organization. For more information, see "[AUTOTITLE](/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-personal-account-settings/managing-security-and-analysis-settings-for-your-personal-account)" or "[AUTOTITLE](/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization)."
|
||||
|
|
|
|||
|
|
@ -24,9 +24,7 @@ shortTitle: Dependency graph
|
|||
|
||||
When you push a commit to {% data variables.product.product_name %} that changes or adds a supported manifest or lock file to the default branch, the dependency graph is automatically updated.{% ifversion fpt or ghec %} In addition, the graph is updated when anyone pushes a change to the repository of one of your dependencies.{% endif %} For information on the supported ecosystems and manifest files, see "[Supported package ecosystems](#supported-package-ecosystems)" below.
|
||||
|
||||
{% ifversion dependency-submission-api %}
|
||||
{% data reusables.dependency-submission.dependency-submission-link %}
|
||||
{% endif %}
|
||||
|
||||
When you create a pull request containing changes to dependencies that targets the default branch, {% data variables.product.prodname_dotcom %} uses the dependency graph to add dependency reviews to the pull request. These indicate whether the dependencies contain vulnerabilities and, if so, the version of the dependency in which the vulnerability was fixed. For more information, see "[AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review)."
|
||||
|
||||
|
|
@ -114,7 +112,9 @@ The recommended formats explicitly define which versions are used for all direct
|
|||
{% endnote %}
|
||||
{% endif %}
|
||||
|
||||
{% ifversion dependency-submission-api %}You can use the Dependency submission API (beta) to add dependencies from the package manager or ecosystem of your choice to the dependency graph, even if the ecosystem is not in the supported ecosystem list above. The dependency graph will display the submitted dependencies grouped by ecosystem, but separately from the dependencies parsed from manifest or lock files. You will only get {% data variables.product.prodname_dependabot_alerts %} for dependencies that are from one of the [supported ecosystems](https://github.com/github/advisory-database#supported-ecosystems) of the {% data variables.product.prodname_advisory_database %}. For more information on the Dependency submission API, see "[AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/using-the-dependency-submission-api)."{% endif %}
|
||||
{% ifversion dependency-submission-api %}You can use the Dependency submission API (beta) to add dependencies from the package manager or ecosystem of your choice to the dependency graph, even if the ecosystem is not in the supported ecosystem list above.{% endif %} {% data reusables.dependency-graph.dependency-submission-API-short %}
|
||||
|
||||
{% ifversion dependency-submission-api %}You will only get {% data variables.product.prodname_dependabot_alerts %} for dependencies that are from one of the [supported ecosystems](https://github.com/github/advisory-database#supported-ecosystems) of the {% data variables.product.prodname_advisory_database %}. For more information on the Dependency submission API, see "[AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/using-the-dependency-submission-api)."{% endif %}
|
||||
## Further reading
|
||||
|
||||
- "[Dependency graph](https://en.wikipedia.org/wiki/Dependency_graph)" on Wikipedia
|
||||
|
|
|
|||
|
|
@ -17,12 +17,12 @@ shortTitle: Configure dependency graph
|
|||
---
|
||||
## About the dependency graph
|
||||
|
||||
{% data reusables.dependabot.about-the-dependency-graph %}
|
||||
{% data reusables.dependabot.about-the-dependency-graph %}
|
||||
|
||||
For more information, see "[AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph)."
|
||||
|
||||
{% ifversion fpt or ghec %}
|
||||
## About configuring the dependency graph
|
||||
## About configuring the dependency graph
|
||||
To generate a dependency graph, {% data variables.product.product_name %} needs read-only access to the dependency manifest and lock files for a repository. The dependency graph is automatically generated for all public repositories and you can choose to enable it for private repositories. For more information on viewing the dependency graph, see "[AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/exploring-the-dependencies-of-a-repository)."
|
||||
|
||||
{% data reusables.dependency-submission.dependency-submission-link %}
|
||||
|
|
@ -42,7 +42,7 @@ To generate a dependency graph, {% data variables.product.product_name %} needs
|
|||
When the dependency graph is first enabled, any manifest and lock files for supported ecosystems are parsed immediately. The graph is usually populated within minutes but this may take longer for repositories with many dependencies. Once enabled, the graph is automatically updated with every push to the repository{% ifversion fpt or ghec %} and every push to other repositories in the graph{% endif %}.
|
||||
|
||||
{% ifversion ghes %}
|
||||
{% ifversion dependency-submission-api %}{% data reusables.dependency-submission.dependency-submission-link %}{% endif %}
|
||||
{% data reusables.dependency-submission.dependency-submission-link %}
|
||||
{% endif %}
|
||||
|
||||
## Further reading
|
||||
|
|
|
|||
|
|
@ -24,13 +24,21 @@ shortTitle: Explore dependencies
|
|||
|
||||
## Viewing the dependency graph
|
||||
|
||||
The dependency graph shows the dependencies{% ifversion fpt or ghec %} and dependents{% endif %} of your repository. For information about the detection of dependencies and which ecosystems are supported, see "[AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph)."
|
||||
The dependency graph shows the dependencies{% ifversion fpt or ghec %} and dependents{% endif %} of your repository. {% ifversion dependency-graph-repository-view-update %} {% data reusables.dependency-graph.repository-view-update %}{% endif %} For information about the detection of dependencies and which ecosystems are supported, see "[AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph)."
|
||||
|
||||
{% data reusables.repositories.navigate-to-repo %}
|
||||
{% data reusables.repositories.accessing-repository-graphs %}
|
||||
{% data reusables.repositories.click-dependency-graph %}{% ifversion fpt or ghec %}
|
||||
4. Optionally, under "Dependency graph", click **Dependents**.
|
||||
{% endif %}
|
||||
{% data reusables.repositories.click-dependency-graph %}{% ifversion dependency-graph-repository-view-update %}
|
||||
1. Optionally, use the search bar to find a specific dependency or set of dependencies.
|
||||
{% note %}
|
||||
|
||||
**Note:** The search bar only searches based on the package name.
|
||||
|
||||
{% endnote %}{% endif %}
|
||||
{% ifversion fpt or ghec %}
|
||||
1. Optionally, to view the repositories and packages that depend on your repository, under "Dependency graph", click **Dependents**.
|
||||
|
||||
{% endif %}
|
||||
|
||||
{% ifversion ghes %}
|
||||
Enterprise owners can configure the dependency graph at an enterprise level. For more information, see "[AUTOTITLE](/admin/code-security/managing-supply-chain-security-for-your-enterprise/enabling-the-dependency-graph-for-your-enterprise)."
|
||||
|
|
@ -39,25 +47,25 @@ Enterprise owners can configure the dependency graph at an enterprise level. For
|
|||
### Dependencies view
|
||||
|
||||
{% ifversion fpt or ghec %}
|
||||
Dependencies are grouped by ecosystem. You can expand a dependency to view its dependencies. Dependencies on private repositories, private packages, or unrecognized files are shown in plain text. If the package manager for the dependency is in a public repository, {% data variables.product.product_name %} will display a link to that repository.
|
||||
For each dependency, you can see its ecosystem, the manifest file in which it was found, and the license (where detected). Dependencies on private repositories, private packages, or unrecognized files are shown in plain text. If the package manager for the dependency is in a public repository, you can hover on the dependency name to display a pop-up with the associated repository information.
|
||||
{% endif %}
|
||||
|
||||
{% ifversion dependency-submission-api %}
|
||||
Dependencies submitted to a project using the Dependency submission API (beta), although also grouped by ecosystem, are shown separately from dependencies identified through manifest or lock files in the repository. These submitted dependencies appear in the dependency graph as "Snapshot dependencies" because they are submitted as a snapshot, or set, of dependencies. For more information on using the dependency submission API, see "[AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/using-the-dependency-submission-api)."
|
||||
{% ifversion ghes or ghae %}
|
||||
Any direct and indirect dependencies that are specified in the repository's manifest or lock files are listed{% ifversion ghes > 3.9 or ghae > 3.9%}.{% else %}, grouped by ecosystem.{% endif %}
|
||||
{% endif %}
|
||||
|
||||
{% ifversion dependency-graph-repository-view-update %}
|
||||
Dependencies submitted to a project using the Dependency submission API (beta) will show which detector was used for their submission and when they were submitted.{% elsif ghes > 3.6 or ghae > 3.6 %}Dependencies submitted to a project using the Dependency submission API (beta), although also grouped by ecosystem, are shown separately from dependencies identified through manifest or lock files in the repository. These submitted dependencies appear in the dependency graph as "Snapshot dependencies" because they are submitted as a snapshot, or set, of dependencies.{% else %}{% endif %}{% ifversion dependency-submission-api %} For more information on using the dependency submission API, see "[AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/using-the-dependency-submission-api)."
|
||||
{% endif %}
|
||||
|
||||
If vulnerabilities have been detected in the repository, these are shown at the top of the view for users with access to {% data variables.product.prodname_dependabot_alerts %}.
|
||||
|
||||
{% endif %}
|
||||
|
||||
{% ifversion ghes or ghae %}
|
||||
Any direct and indirect dependencies that are specified in the repository's manifest or lock files are listed, grouped by ecosystem. If vulnerabilities have been detected in the repository, these are shown at the top of the view for users with access to {% data variables.product.prodname_dependabot_alerts %}.
|
||||
|
||||
{% note %}
|
||||
|
||||
**Note:** {% data variables.product.product_name %} does not populate the **Dependents** view.
|
||||
|
||||
{% endnote %}
|
||||
|
||||
{% endif %}
|
||||
|
||||
{% ifversion fpt or ghec %}
|
||||
|
|
|
|||
|
|
@ -24,9 +24,9 @@ topics:
|
|||
|
||||
The dependency graph {% ifversion dependency-submission-api %}automatically{% endif %} includes information on dependencies that are explicitly declared in your environment. That is, dependencies that are specified in a manifest or a lockfile. The dependency graph generally also includes transitive dependencies, even when they aren't specified in a lockfile, by looking at the dependencies of the dependencies in a manifest file.
|
||||
|
||||
The dependency graph doesn't {% ifversion dependency-submission-api %}automatically{% endif %} include "loose" dependencies. "Loose" dependencies are individual files that are copied from another source and checked into the repository directly or within an archive (such as a ZIP or JAR file), rather than being referenced by in a package manager’s manifest or lockfile.
|
||||
The dependency graph doesn't {% ifversion dependency-submission-api %}automatically{% endif %} include "loose" dependencies. "Loose" dependencies are individual files that are copied from another source and checked into the repository directly or within an archive (such as a ZIP or JAR file), rather than being referenced by in a package manager’s manifest or lockfile.
|
||||
|
||||
{% ifversion dependency-submission-api %}However, you can use the Dependency submission API (beta) to add dependencies to a project's dependency graph, even if the dependencies are not declared in a manifest or lock file, such as dependencies resolved when a project is built. The dependency graph will display the submitted dependencies grouped by ecosystem, but separately from the dependencies parsed from manifest or lock files. For more information on the Dependency submission API, see "[AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/using-the-dependency-submission-api)."{% endif %}
|
||||
{% ifversion dependency-submission-api %}However, you can use the Dependency submission API (beta) to add dependencies to a project's dependency graph, even if the dependencies are not declared in a manifest or lock file, such as dependencies resolved when a project is built.{% endif %} {% data reusables.dependency-graph.dependency-submission-API-short %} {% ifversion dependency-submission-api %}For more information on the Dependency submission API, see "[AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/using-the-dependency-submission-api)."{% endif %}
|
||||
|
||||
**Check**: Is the missing dependency for a component that's not specified in the repository's manifest or lockfile?
|
||||
|
||||
|
|
@ -40,7 +40,7 @@ The dependency graph analyzes manifests as they’re pushed to {% data variables
|
|||
|
||||
## Are there limits which affect the dependency graph data?
|
||||
|
||||
Yes, the dependency graph has two categories of limits:
|
||||
Yes, the dependency graph has {% ifversion dependency-graph-repository-view-update %}one category{% else %}two categories{% endif %} of limits:
|
||||
|
||||
1. **Processing limits**
|
||||
|
||||
|
|
@ -56,11 +56,11 @@ Yes, the dependency graph has two categories of limits:
|
|||
- <code>(^|/)[Ee]xtern(als?)?/</code>
|
||||
- <code>(^|/)[Vv]+endor/</code>
|
||||
|
||||
Examples:
|
||||
Examples:
|
||||
- third-party/dependencies/dependency1
|
||||
- vendors/dependency1
|
||||
- /externals/vendor1/dependency1
|
||||
|
||||
{% ifversion ghes < 3.10 or ghae < 3.10 %}
|
||||
2. **Visualization limits**
|
||||
|
||||
These affect what's displayed in the dependency graph within {% data variables.product.prodname_dotcom %}. However, they don't affect the {% data variables.product.prodname_dependabot_alerts %} that are created.
|
||||
|
|
@ -68,7 +68,7 @@ Yes, the dependency graph has two categories of limits:
|
|||
The Dependencies view of the dependency graph for a repository only displays 100 manifests. Typically this is adequate as it is significantly higher than the processing limit described above. In situations where the processing limit is over 100, {% data variables.product.prodname_dependabot_alerts %} are still created for any manifests that are not shown within {% data variables.product.prodname_dotcom %}.
|
||||
|
||||
**Check**: Is the missing dependency in a manifest file that's over 0.5 MB, or in a repository with a large number of manifests?
|
||||
|
||||
{% endif %}
|
||||
## Further reading
|
||||
|
||||
- "[AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph)"
|
||||
|
|
|
|||
|
|
@ -0,0 +1,6 @@
|
|||
# Reference: #9147
|
||||
# Dependency graph updates the repository view - [GA] #9147
|
||||
versions:
|
||||
fpt: '*'
|
||||
ghec: '*'
|
||||
ghes: '>3.9'
|
||||
|
|
@ -1,4 +1,11 @@
|
|||
The dependency graph is a summary of the manifest and lock files stored in a repository{% ifversion dependency-submission-api %} and any dependencies that are submitted for the repository using the Dependency submission API (beta){% endif %}. For each repository, it shows{% ifversion fpt or ghec %}:
|
||||
|
||||
- Dependencies, the ecosystems and packages it depends on
|
||||
- Dependents, the repositories and packages that depend on it{% else %} dependencies, that is, the ecosystems and packages it depends on. {% data variables.product.product_name %} does not calculate information about dependents, the repositories and packages that depend on a repository.{% endif %}
|
||||
- Dependents, the repositories and packages that depend on it{% else %} dependencies, that is, the ecosystems and packages it depends on.{% endif %}
|
||||
|
||||
{% ifversion dependency-graph-repository-view-update %}
|
||||
{% data reusables.dependency-graph.repository-view-update %}
|
||||
{% endif %}
|
||||
|
||||
{% ifversion ghes %}
|
||||
{% data variables.product.product_name %} does not calculate information about dependents, the repositories and packages that depend on a repository.{% endif %}
|
||||
|
|
|
|||
|
|
@ -0,0 +1,5 @@
|
|||
{% ifversion dependency-graph-repository-view-update %}
|
||||
Dependencies submitted to a project using the Dependency submission API (beta) will show which detector was used for their submission and when they were submitted.
|
||||
{% elsif ghes > 3.6 or ghae > 3.6 %}
|
||||
The dependency graph will display the submitted dependencies grouped by ecosystem, but separately from the dependencies parsed from manifest or lock files.
|
||||
{% else %}{% endif %}
|
||||
|
|
@ -0,0 +1 @@
|
|||
For each dependency, you can see the {% ifversion fpt or ghec %}license information and{% endif %} vulnerability severity. You can also search for a specific dependency using the search bar. Dependencies are sorted automatically by vulnerability severity.
|
||||
|
|
@ -1 +1,2 @@
|
|||
Additionally, you can use the Dependency submission API (beta) to submit dependencies from the package manager or ecosystem of your choice, even if the ecosystem is not supported by dependency graph for manifest or lock file analysis. The dependency graph will display the submitted dependencies grouped by ecosystem, but separately from the dependencies parsed from manifest or lock files. For more information on the Dependency submission API, see "[AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/using-the-dependency-submission-api)."
|
||||
{% ifversion dependency-submission-api %}
|
||||
Additionally, you can use the Dependency submission API (beta) to submit dependencies from the package manager or ecosystem of your choice, even if the ecosystem is not supported by dependency graph for manifest or lock file analysis.{% endif %}{% ifversion dependency-graph-repository-view-update %} Dependencies submitted to a project using the Dependency submission API (beta) will show which detector was used for their submission and when they were submitted.{% elsif ghes > 3.6 or ghae > 3.6 %} The dependency graph will display the submitted dependencies grouped by ecosystem, but separately from the dependencies parsed from manifest or lock files.{% else %}{% endif %}{% ifversion dependency-submission-api %} For more information on the Dependency submission API, see "[AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/using-the-dependency-submission-api)."{% endif %}
|
||||
|
|
|
|||
Загрузка…
Ссылка в новой задаче