# Full Report
Use these insights to automate software security (where possible) to keep your projects safe. The post GitHub Advisory Database by the numbers: Known security vulnerabilities and what you can do about them appeared first on The GitHub Blog.
## Analysis Summary
This article summarizes trends and statistics regarding the GitHub Advisory Database (Advisory DB) and does not detail specific, individual vulnerabilities with CVE identifiers, affected versions, or exploit details. The information provided is high-level, focusing on the database's characteristics, ecosystem coverage, and how exploitability predictions (EPSS) relate to the disclosed vulnerabilities in aggregate.
Therefore, the following summary is structured based on the **general data types** described in the article rather than a specific vulnerability report. Actionable remediation steps apply to the process of using the database, not to patching a single flaw.
# Vulnerability: [Aggregate Trends in GitHub Advisory Database]
## CVE Details
- CVE ID: [Not applicable - Article discusses trends across all recorded CVEs]
- CVSS Score: [Not specified per vulnerability; used internally for ranking]
- CWE: [Not specified per vulnerability]
## Affected Systems
- Products: [All supported open-source packages across ecosystems listed (pip, Maven, Composer, npm, RubyGems, NuGet, Go, Rust, Erlang, GitHub Actions, Pub, Swift)]
- Versions: [Varies per specific advisory within the database]
- Configurations: [Varies per specific advisory within the database]
## Vulnerability Description
The article describes the composition of the GitHub Advisory Database, which consists of **GitHub-reviewed advisories**, **Unreviewed advisories** (imported from the NVD; these may not affect any supported package or may turn out to be invalid), and **Malware advisories** (npm only, supplied by the npm security team). The focus is on the growth of these advisories and their coverage across the major software ecosystems.
## Exploitation
- Status: [No specific flaw details provided. The article discusses aggregate exploit prediction based on EPSS scores.]
- Complexity: [N/A]
- Attack Vector: [N/A]
- Exploitability insight: Focusing on vulnerabilities with **EPSS scores $\ge 10\%$** (about 7% of the database) covers nearly **$86\%$** of the vulnerabilities expected to be attacked within the next 30 days.
## Impact
- Confidentiality: [Varies by incident]
- Integrity: [Varies by incident]
- Availability: [Varies by incident]
## Remediation
Since this is a summary of database trends, remediation focuses on the *use* of the data:
### Patches
- [Patches are tracked per specific CVE within the Advisory DB, but no specific patch versions are listed here.]
### Workarounds
- [No specific workarounds are detailed for an individual flaw.]
## Detection
The primary strategy for detection and prioritization highlighted is **Exploit Prediction Scoring System (EPSS)**:
- **Indicators of compromise:** Not specified per flaw.
- **Detection methods and tools:** Security software should prioritize mitigation efforts based on the **EPSS score** of known vulnerabilities, focusing resources first on those with high predicted exploitability likelihood.
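The following is an added example, not code from the GitHub blog post or from GitHub's tooling, showing what an EPSS-threshold triage looks like in practice. It assumes each advisory's EPSS probability (a value between 0 and 1, published by FIRST) has already been looked up and attached to the advisory record; the advisory identifiers, packages and scores below are constructed placeholders, not real data. The two coverage functions reproduce the article's style of claim on the constructed set: what share of the database the threshold selects, and what share of the expected exploitation it captures.

```python
# Added example (not from the GitHub blog post): triage advisories by EPSS score.
# The "epss" field assumes the EPSS probability for the advisory's CVE has
# already been fetched; nothing here contacts the network.
from dataclasses import dataclass
from typing import Iterable, List

EPSS_THRESHOLD = 0.10  # the 10% cut-off discussed in the article


@dataclass(frozen=True)
class Advisory:
    ghsa_id: str     # placeholder identifier (constructed, not a real GHSA)
    package: str     # placeholder package name (constructed)
    ecosystem: str
    epss: float      # probability of exploitation in the next 30 days, 0..1


# Constructed sample advisories; identifiers, packages and scores are made up.
SAMPLE_ADVISORIES: List[Advisory] = [
    Advisory("GHSA-xxxx-0001", "examplelib", "pip", 0.92),
    Advisory("GHSA-xxxx-0002", "widget-core", "npm", 0.35),
    Advisory("GHSA-xxxx-0003", "acme-parser", "Maven", 0.11),
    Advisory("GHSA-xxxx-0004", "boundary-pkg", "Go", 0.10),   # exactly at threshold
    Advisory("GHSA-xxxx-0005", "tiny-util", "npm", 0.04),
    Advisory("GHSA-xxxx-0006", "old-action", "GitHub Actions", 0.03),
    Advisory("GHSA-xxxx-0007", "legacy-gem", "RubyGems", 0.01),
    Advisory("GHSA-xxxx-0008", "foo-crate", "Rust", 0.008),
    Advisory("GHSA-xxxx-0009", "bar-nuget", "NuGet", 0.002),
]


def prioritize(advisories: Iterable[Advisory],
               threshold: float = EPSS_THRESHOLD) -> List[Advisory]:
    """Return advisories at or above the EPSS threshold, highest score first.

    The comparison is inclusive, so a score exactly at the threshold is kept.
    """
    selected = [a for a in advisories if a.epss >= threshold]
    return sorted(selected, key=lambda a: a.epss, reverse=True)


def share_of_database(advisories: List[Advisory],
                      threshold: float = EPSS_THRESHOLD) -> float:
    """Fraction of all advisories that the threshold selects (the '7%'-style figure)."""
    if not advisories:
        return 0.0
    return len(prioritize(advisories, threshold)) / len(advisories)


def expected_attack_coverage(advisories: List[Advisory],
                             threshold: float = EPSS_THRESHOLD) -> float:
    """Fraction of expected exploitation captured by the threshold.

    Treating each EPSS score as an independent probability, the expected number
    of exploited vulnerabilities is the sum of the scores; the coverage is the
    part of that sum contributed by the selected advisories (the '86%'-style figure).
    """
    total = sum(a.epss for a in advisories)
    if total == 0:
        return 0.0
    selected = sum(a.epss for a in prioritize(advisories, threshold))
    return selected / total


if __name__ == "__main__":
    for a in prioritize(SAMPLE_ADVISORIES):
        print(f"{a.ghsa_id}  {a.ecosystem:<15} {a.package:<14} EPSS={a.epss:.3f}")
    print(f"selected {share_of_database(SAMPLE_ADVISORIES):.1%} of advisories, "
          f"covering {expected_attack_coverage(SAMPLE_ADVISORIES):.1%} of expected exploitation")
```

The expected-exploitation calculation is the simplest reading of how a threshold can select a small slice of the database yet cover most of the predicted attacks: a handful of high-probability advisories dominate the sum, while the long tail of near-zero scores contributes almost nothing.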
## References
- [The GitHub Advisory Database](https://github.com/advisories)
- [The GitHub Blog post](https://github.blog/security/vulnerability-research/github-advisory-database-by-the-numbers/)