How GitHub maintains its advisory database

Hi,

I am a PhD Student at NC State University. As part of our research, we are evaluating the existing tools that detect vulnerable dependencies. We have observed that the tools’ result can differ based on the strength of its vulnerability database. For our research, we are hoping to understand more on how services like GitHub maintains its vulnerability database. We’d be grateful if we get some responses for the below questions.

  1. What are your sources for vulnerability data, e.g. NVD, OSS Index?
  2. Do you have any process to discover open source vulnerabilities by yourselves, e.g. through monitoring bug repositories? If yes, is it possible to share with us a high level explanation of what you do?
  3. When collecting vulnerability data from third-party databases (e.g. NVD), do you perform any curation and/or correction, e.g. discarding debated CVEs or correcting the affected version range? If yes, is it possible to share with us a high level explanation of what you do?

Thanks,
Nasif

  1. What are your sources for vulnerability data, e.g. NVD, OSS Index?

See the sources listed in our documentation: Browsing security vulnerabilities in the GitHub Advisory Database - GitHub Docs

  1. Do you have any process to discover open source vulnerabilities by yourselves, e.g. through monitoring bug repositories? If yes, is it possible to share with us a high level explanation of what you do?

Yes, though most of our time is spent on curation and helping maintainers report their advisories.

  1. When collecting vulnerability data from third-party databases (e.g. NVD), do you perform any curation and/or correction, e.g. discarding debated CVEs or correcting the affected version range? If yes, is it possible to share with us a high level explanation of what you do?

Yes. See a description in this blog post: Behind the scenes: GitHub security alerts - The GitHub Blog

1 Like