ChannelLife Australia - Industry insider news for technology resellers
Australia
Guides
#
cloud services
#
cybersecurity
#
it distributors
#
microsoft
#
partner programmes
Search
Story image
#
App development
#
APM
#
Cloud Services
GitHub Advisory Database opens to community contributions
Thu, 24th Feb 2022
FYI, this story is more than a year old
Author image
By Shannon Williams, Journalist
Follow us

GitHub has announced the GitHub Advisory Database is now open to community contributions, allowing anyone to contribute security information to advisories to better secure software supply chains.

The world of open source security is fast moving, GitHub says, with new vulnerabilities and different attack vectors driving the community to continuously seek to learn more. GitHub has teams of security researchers that review all changes and help keep security advisories up to date, but often there are community members with additional insights and intelligence on CVEs that do not have a place to share this knowledge.

GitHub is publishing the full contents of the Advisory Database to a new public repository to make it easier for the community to benefit from this data. It has also built a user interface for making contributions. The data is licensed under a Creative Commons license, and has been since the databases inception, making it forever free and usable by the community.

The GitHub Advisory Database is the largest database of vulnerabilities in software dependencies in the world. It is maintained by a dedicated team of full-time curators and powers the security audit experience for npm and NuGet, as well as GitHub's own Dependabot alerts. By making it easier to contribute to and consume, Github says it hopes it will power more experiences and will further help improve the security of all software.

How to contribute to a security advisory
With community contributions, security researchers, academics, and enthusiasts will now be able to provide additional information and context to further the community's understanding and awareness of security advisories. To provide a community contribution to a security advisory, navigate to the advisory to which you wish to contribute to, and submit your research through the suggest improvements for this vulnerability workflow.

To complete your submission, the form will walk you through opening a pull request that details your suggested changes. Once the pull request is open, security researchers from the GitHub Security Lab, as well as the maintainer of the project who filed the CVE (if known), will be able to review your request. Contributors will get public credit on their GitHub profile once their contribution is merged!

Advisory Database format
In the spirit of furthering interoperability, advisories in the GitHub Advisory Database repository use the Open source Vulnerabilities (OSV) format. In order for vulnerability management in open source to scale, security advisories need to be broadly accessible and easily contributed to by all, said Oliver Chang, software engineer for Googles Open source Security Team. OSV provides that capability.

Learn more about GitHub supply chain security
The GitHub Advisory Database is the foundation of GitHubs supply chain security capabilities, including Dependabot alerts and Dependabot security updates. If you have a security vulnerability in an open source repository that you maintain, the built-in security advisories feature in every GitHub open source repository can help.

Related stories
RiverSafe teams up with Cribl to boost IT & data security services
SAS expands managed services portfolio to Amazon Web Services
SAS Viya Workbench expands data & AI platform's capabilities
Business leaders anxious over data security – report
Ververica celebrates as Apache Paimon becomes top-level project
Top stories
Unearthing mining's data and AI potential: Why It's overlooked and how to start
Adobe reveals new AI-powered mobile app, Adobe Express
i-PRO to support Genetec SaaS with new AI-enabled camera models
Illumio unveils AI enhancements for faster Zero Trust Segmentation adoption
GitLab unveils Duo Chat for simplified AI-powered DevSecOps workflows