advisory-database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
[GHSA-rjhf-4mh8-9xjq](https://github.com/advisories/GHSA-rjhf-4mh8-9xjq) is a duplicate of [GHSA-3mv5-343c-w2qg](https://github.com/advisories/GHSA-3mv5-343c-w2qg) and should be revoked as soon as that feature is available.
Whatever process is used to create GitHub Security Advisories does not consume version ranges from CVE metadata properly. This results, for example, in https://github.com/advisories/GHSA-g975-f26h-93g8 claiming that version 2.24.2 is affected,...
Indeed it is [documented in the README](https://github.com/github/advisory-database/blob/main/README.md#supported-ecosystems) that contributions are not accepted for advisories outside the supported ecosystems. But some of the most high-impact vulnerability bulletins that need improvements...
From [docs](https://github.com/github/advisory-database/blob/main/CONTRIBUTING.md#submitting-an-advisory-improvement):
> Here are a few things you can do that will increase the likelihood of your pull request being accepted:
>
> - Follow the OSSF [OSV schema](https://ossf.github.io/osv-schema/)....
As best as I can tell, most of the current Java packages cover Maven Central and not other Maven repositories. For example, the Atlassian Maven repo https://packages.atlassian.com/content/repositories/atlassian-public/com/atlassian/ contains Confluence Java...
Description: A CVE reference auto-linking should not link to a GitHub advisory if GitHub didn't assign the CVE ID (meaning the CVE came from somewhere else). These kinds of...
(Possibly this is the wrong place for this request; in that case please point me to where I should request this instead) TLDR: Extend GitHub's CNA scope so that MITRE...
Hello, I noticed that for some go vulnerabilities, the vulnerability references a go package, and not a go module. For example, [GHSA-pmw9-567p-68pc](https://github.com/cloudflare/cfrpki/security/advisories/GHSA-pmw9-567p-68pc) references the package `github.com/cloudflare/cfrpki/cmd/octorpki`, while the associated go...
We have just done some work to submit the (still shallow) dependency graph in opam to the DS API. Next we want to make sure the GitHub team is aware...
According to the document, it seems that the GitHub security advisory database would collect every CVE from NVD. But I have seen a few CVEs not in GHSA, neither `reviewed`...