зеркало из https://github.com/github/docs.git
Co-authored-by: github-actions <github-actions@github.com> Co-authored-by: mc <42146119+mchammer01@users.noreply.github.com>
This commit is contained in:
Anne-Marie
GitHub
Родитель
e4d9af8197
Коммит
79ff2bc7f6
Двоичный файл не отображается.
|
После Ширина: | Высота: | Размер: 167 KiB |
|
|
@ -26,7 +26,7 @@ topics:
|
|||
{% data reusables.dependabot.beta-security-and-version-updates %}
|
||||
{% data reusables.dependabot.enterprise-enable-dependabot %}
|
||||
|
||||
Your repository's {% data variables.product.prodname_dependabot_alerts %} tab lists all open and closed {% data variables.product.prodname_dependabot_alerts %}{% ifversion fpt or ghec or ghes %} and corresponding {% data variables.product.prodname_dependabot_security_updates %}{% endif %}. You can{% ifversion fpt or ghec or ghes > 3.4 or ghae > 3.4 %} filter alerts by package, ecosystem, or manifest. You can {% endif %} sort the list of alerts, and you can click into specific alerts for more details. {% ifversion dependabot-bulk-alerts %}You can also dismiss or reopen alerts, either one by one or by selecting multiple alerts at once.{% else %}You can also dismiss or reopen alerts. {% endif %} For more information, see "[About {% data variables.product.prodname_dependabot_alerts %}](/code-security/supply-chain-security/about-alerts-for-vulnerable-dependencies)."
|
||||
Your repository's {% data variables.product.prodname_dependabot_alerts %} tab lists all open and closed {% data variables.product.prodname_dependabot_alerts %}{% ifversion fpt or ghec or ghes %} and corresponding {% data variables.product.prodname_dependabot_security_updates %}{% endif %}. You can{% ifversion fpt or ghec or ghes > 3.4 or ghae > 3.4 %} filter alerts by package, ecosystem, or manifest. You can {% endif %} sort the list of alerts, and you can click into specific alerts for more details. {% ifversion dependabot-bulk-alerts %}You can also dismiss or reopen alerts, either one by one or by selecting multiple alerts at once.{% else %}You can also dismiss or reopen alerts. {% endif %} For more information, see "[About {% data variables.product.prodname_dependabot_alerts %}](/code-security/supply-chain-security/about-alerts-for-vulnerable-dependencies)."
|
||||
|
||||
{% ifversion fpt or ghec or ghes %}
|
||||
You can enable automatic security updates for any repository that uses {% data variables.product.prodname_dependabot_alerts %} and the dependency graph. For more information, see "[About {% data variables.product.prodname_dependabot_security_updates %}](/code-security/supply-chain-security/managing-vulnerabilities-in-your-projects-dependencies/about-dependabot-security-updates)."
|
||||
|
|
@ -51,7 +51,9 @@ You can filter and sort {% data variables.product.prodname_dependabot_alerts %}
|
|||
|
||||
{% data reusables.dependabot.dependabot-alerts-filters %}
|
||||
|
||||
In addition to the filters available via the search bar, you can sort and filter {% data variables.product.prodname_dependabot_alerts %} using the dropdown menus at the top of the alert list. The search bar also allows for full text searching of alerts and related security advisories. You can search for part of a security advisory name or description to return the alerts in your repository that relate to that security advisory. For example, searching for `yaml.load() API could execute arbitrary code` will return {% data variables.product.prodname_dependabot_alerts %} linked to "[PyYAML insecurely deserializes YAML strings leading to arbitrary code execution](https://github.com/advisories/GHSA-rprw-h62v-c2w7)" as the search string appears in the advisory description.
|
||||
In addition to the filters available via the search bar, you can sort and filter {% data variables.product.prodname_dependabot_alerts %} using the dropdown menus at the top of the alert list. {% ifversion dependabot-filter-label-security-advisory %}Alternatively, to filter by label, click a label assigned to an alert to automatically apply that filter to the alert list.{% endif %}
|
||||
|
||||
The search bar also allows for full text searching of alerts and related security advisories. You can search for part of a security advisory name or description to return the alerts in your repository that relate to that security advisory. For example, searching for `yaml.load() API could execute arbitrary code` will return {% data variables.product.prodname_dependabot_alerts %} linked to "[PyYAML insecurely deserializes YAML strings leading to arbitrary code execution](https://github.com/advisories/GHSA-rprw-h62v-c2w7)" as the search string appears in the advisory description.
|
||||
|
||||
{% endif %}
|
||||
|
||||
|
|
@ -80,7 +82,7 @@ The alert details page of alerts on development-scoped packages shows a "Tags" s
|
|||
|
||||
{% data reusables.dependabot.vulnerable-calls-beta %}
|
||||
|
||||
When {% data variables.product.prodname_dependabot %} tells you that your repository uses a vulnerable dependency, you need to determine what the vulnerable functions are and check whether you are using them. Once you have this information, then you can determine how urgently you need to upgrade to a secure version of the dependency.
|
||||
When {% data variables.product.prodname_dependabot %} tells you that your repository uses a vulnerable dependency, you need to determine what the vulnerable functions are and check whether you are using them. Once you have this information, then you can determine how urgently you need to upgrade to a secure version of the dependency.
|
||||
|
||||
For supported languages, {% data variables.product.prodname_dependabot %} automatically detects whether you use a vulnerable function and adds the label "Vulnerable call" to affected alerts. You can use this information in the {% data variables.product.prodname_dependabot_alerts %} view to triage and prioritize remediation work more effectively.
|
||||
|
||||
|
|
@ -111,7 +113,7 @@ For more information, see "[Reviewing and fixing alerts](#reviewing-and-fixing-a
|
|||
{% data reusables.repositories.navigate-to-repo %}
|
||||
{% data reusables.repositories.sidebar-security %}
|
||||
{% data reusables.repositories.sidebar-dependabot-alerts %}
|
||||
1. Optionally, to filter alerts, select a filter in a dropdown menu then click the filter that you would like to apply. You can also type filters into the search bar. For more information about filtering and sorting alerts, see "[Prioritizing {% data variables.product.prodname_dependabot_alerts %}](#prioritizing-across--data-variablesproductprodname_dependabot_alerts-)."
|
||||
1. Optionally, to filter alerts, select a filter in a dropdown menu then click the filter that you would like to apply. You can also type filters into the search bar. {% ifversion dependabot-filter-label-security-advisory %}Alternatively, to filter by label, click a label assigned to an alert to automatically apply that filter to the alert list.{% endif %} For more information about filtering and sorting alerts, see "[Prioritizing {% data variables.product.prodname_dependabot_alerts %}](#prioritizing-dependabot-alerts)."
|
||||
{%- ifversion dependabot-bulk-alerts %}
|
||||
{% else %}
|
||||
{% endif %}
|
||||
|
|
@ -125,13 +127,17 @@ For more information, see "[Reviewing and fixing alerts](#reviewing-and-fixing-a
|
|||
{% data reusables.repositories.sidebar-dependabot-alerts %}
|
||||
1. Click the alert you'd like to view.
|
||||
|
||||
{% endif %}{% ifversion dependabot-filter-label-security-advisory %}
|
||||
1. Optionally, to suggest an improvement to the related security advisory, on the right-hand side of the alert details page, click **Suggest improvements for this advisory on the {% data variables.product.prodname_advisory_database %}**. For more information, see "[Editing security advisories in the GitHub Advisory Database](/code-security/security-advisories/global-security-advisories/editing-security-advisories-in-the-github-advisory-database)."
|
||||
|
||||
|
||||
{% endif %}
|
||||
|
||||
## Reviewing and fixing alerts
|
||||
|
||||
It’s important to ensure that all of your dependencies are clean of any security weaknesses. When {% data variables.product.prodname_dependabot %} discovers vulnerabilities {% ifversion GH-advisory-db-supports-malware %}or malware{% endif %} in your dependencies, you should assess your project’s level of exposure and determine what remediation steps to take to secure your application.
|
||||
|
||||
If a patched version of the dependency is available, you can generate a {% data variables.product.prodname_dependabot %} pull request to update this dependency directly from a {% data variables.product.prodname_dependabot %} alert. If you have {% data variables.product.prodname_dependabot_security_updates %} enabled, the pull request may be linked will in the Dependabot alert.
|
||||
If a patched version of the dependency is available, you can generate a {% data variables.product.prodname_dependabot %} pull request to update this dependency directly from a {% data variables.product.prodname_dependabot %} alert. If you have {% data variables.product.prodname_dependabot_security_updates %} enabled, the pull request may be linked in the {% data variables.product.prodname_dependabot %} alert.
|
||||
|
||||
In cases where a patched version is not available, or you can’t update to the secure version, {% data variables.product.prodname_dependabot %} shares additional information to help you determine next steps. When you click through to view a {% data variables.product.prodname_dependabot %} alert, you can see the full details of the security advisory for the dependency including the affected functions. You can then check whether your code calls the impacted functions. This information can help you further assess your risk level, and determine workarounds or if you’re able to accept the risk represented by the security advisory.
|
||||
|
||||
|
|
@ -151,7 +157,7 @@ For supported languages, {% data variables.product.prodname_dependabot %} detect
|
|||
{% elsif ghae %}
|
||||
1. You can use the information on the page to decide which version of the dependency to upgrade to and create a pull request to the manifest or lock file to a secure version.
|
||||
{% endif %}
|
||||
1. When you're ready to update your dependency and resolve the vulnerability, merge the pull request.
|
||||
1. When you're ready to update your dependency and resolve the vulnerability, merge the pull request.
|
||||
|
||||
{% ifversion fpt or ghec or ghes %}
|
||||
Each pull request raised by {% data variables.product.prodname_dependabot %} includes information on commands you can use to control {% data variables.product.prodname_dependabot %}. For more information, see "[Managing pull requests for dependency updates](/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/managing-pull-requests-for-dependency-updates#managing-dependabot-pull-requests-with-comment-commands)."
|
||||
|
|
@ -231,7 +237,7 @@ You can view all open alerts, and you can reopen alerts that have been previousl
|
|||
|
||||
{% endif %}
|
||||
|
||||
|
||||
|
||||
## Reviewing the audit logs for {% data variables.product.prodname_dependabot_alerts %}
|
||||
|
||||
When a member of your organization {% ifversion not fpt %}or enterprise {% endif %}performs an action related to {% data variables.product.prodname_dependabot_alerts %}, you can review the actions in the audit log. For more information about accessing the log, see "[Reviewing the audit log for your organization](/organizations/keeping-your-organization-secure/reviewing-the-audit-log-for-your-organization#accessing-the-audit-log){% ifversion not fpt %}" and "[Accessing the audit log for your enterprise](/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/accessing-the-audit-log-for-your-enterprise)."{% else %}."{% endif %}
|
||||
|
|
|
|||
|
|
@ -0,0 +1,7 @@
|
|||
# Reference: issue #8291
|
||||
# Incremental improvements - labels act as filters; improve a security advisory from the UI
|
||||
versions:
|
||||
fpt: '*'
|
||||
ghec: '*'
|
||||
ghes: '>= 3.8'
|
||||
ghae: '>= 3.8'
|
||||
Загрузка…
Ссылка в новой задаче