Merge pull request #20046 from github/repo-sync
repo sync
Octomerger authored Aug 22, 2022
2 parents 0500918 + ef28063 commit 439056e
Showing 16 changed files with 233 additions and 213 deletions.
@@ -37,21 +37,40 @@ You can enable automatic security updates for any repository that uses {% data v

{% data variables.product.product_name %} generates {% data variables.product.prodname_dependabot_alerts %} when we detect that your codebase is using dependencies with known security risks. For repositories where {% data variables.product.prodname_dependabot_security_updates %} are enabled, when {% data variables.product.product_name %} detects a vulnerable dependency in the default branch, {% data variables.product.prodname_dependabot %} creates a pull request to fix it. The pull request will upgrade the dependency to the minimum possible secure version needed to avoid the vulnerability.

{% ifversion dependabot-most-important-sort-option %} By default, {% data variables.product.prodname_dependabot_alerts %} are displayed in the {% data variables.product.prodname_dependabot_alerts %} tab in order of importance, but you can sort alerts by other criteria. {% endif %}{% ifversion fpt or ghec or ghes > 3.4 or ghae-issue-5638 %}You can sort and filter {% data variables.product.prodname_dependabot_alerts %} with the dropdown menus in the {% data variables.product.prodname_dependabot_alerts %} tab or by typing filters as `key:value` pairs into the search bar. The available filters are repository (for example, `repo:my-repository`), package (for example, `package:django`), ecosystem (for example, `ecosystem:npm`), manifest (for example, `manifest:webwolf/pom.xml`), state (for example, `is:open`), and whether an advisory has a patch (for example, `has: patch`).{% ifversion dependabot-alerts-development-label %} You can also filter alerts with dependency scope data using `scope`, for example: `scope:development` or `scope:runtime`. With `scope:development`, the list of alerts will only show dependencies used during development, not production.{% endif %}

Each {% data variables.product.prodname_dependabot %} alert has a unique numeric identifier and the {% data variables.product.prodname_dependabot_alerts %} tab lists an alert for every detected vulnerability. Legacy {% data variables.product.prodname_dependabot_alerts %} grouped vulnerabilities by dependency and generated a single alert per dependency. If you navigate to a legacy {% data variables.product.prodname_dependabot %} alert, you will be redirected to a {% data variables.product.prodname_dependabot_alerts %} tab filtered for that package. {% endif %}

{% ifversion fpt or ghec or ghes > 3.4 or ghae-issue-5638 %}
You can filter and sort {% data variables.product.prodname_dependabot_alerts %} using a variety of filters and sort options available on the user interface. For more information, see "[Prioritizing {% data variables.product.prodname_dependabot_alerts %}](#prioritizing-across--data-variablesproductprodname_dependabot_alerts-)" below.

## Prioritizing {% data variables.product.prodname_dependabot_alerts %}

{% data variables.product.company_short %} helps you prioritize fixing {% data variables.product.prodname_dependabot_alerts %}. {% ifversion dependabot-most-important-sort-option %} By default, {% data variables.product.prodname_dependabot_alerts %} are sorted by importance. The "Most important" sort order helps you prioritize which {% data variables.product.prodname_dependabot_alerts %} to focus on first. Alerts are ranked based on their potential impact, actionability, and relevance. Our prioritization calculation is constantly being improved and includes factors like CVSS score, dependency scope, and whether vulnerable function calls are found for the alert.

![Screenshot of Sort dropdown with "Most important" sort](/assets/images/help/dependabot/dependabot-alerts-sort-dropdown.png)
{% endif %}

{% data reusables.dependabot.dependabot-alerts-filters %}

In addition to the filters available via the search bar, you can sort and filter {% data variables.product.prodname_dependabot_alerts %} using the dropdown menus at the top of the alert list. The search bar also allows for full text searching of alerts and related security advisories. You can search for part of a security advisory name or description to return the alerts in your repository that relate to that security advisory. For example, searching for `yaml.load() API could execute arbitrary code` will return {% data variables.product.prodname_dependabot_alerts %} linked to "[PyYAML insecurely deserializes YAML strings leading to arbitrary code execution](https://github.com/advisories/GHSA-rprw-h62v-c2w7)" as the search string appears in the advisory description.

{% endif %}

{% ifversion dependabot-bulk-alerts %}
![Screenshot of the filter and sort menus in the {% data variables.product.prodname_dependabot_alerts %} tab](/assets/images/help/graphs/dependabot-alerts-filters-checkbox.png){% elsif ghes = 3.5 %}
You can select a filter in a dropdown menu at the top of the list, then click the filter that you would like to apply.
![Screenshot of the filter and sort menus in the {% data variables.product.prodname_dependabot_alerts %} tab](/assets/images/enterprise/3.5/dependabot/dependabot-alerts-filters.png){% endif %}

{% ifversion dependabot-alerts-development-label %}
## Supported ecosystems and manifests for dependency scope

<!-- TODO: for now we'd have this table and heading as they are, but we're planning to replace this with at a later date a new heading containing all the available filters in one or more tables -->
{% data reusables.dependabot.dependabot-alerts-dependency-scope %}

Alerts for packages listed as development dependencies are marked with the `Development` label on the {% data variables.product.prodname_dependabot_alerts %} page and are also available for filtering via the `scope` filter.

![Screenshot showing the "Development" label in the list of alerts](/assets/images/help/repository/dependabot-alerts-development-label.png)

The alert details page of alerts on development-scoped packages shows a "Tags" section containing a `Development` label.

![Screenshot showing the "Tags" section in the alert details page](/assets/images/help/repository/dependabot-alerts-tags-section.png)

{% endif %}
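Review bot: the in-page anchor `#prioritizing-across--data-variablesproductprodname_dependabot_alerts-` in the sentence that begins "You can filter and sort Dependabot alerts using a variety of filters" does not match the heading it is meant to reach. The heading in this hunk is `## Prioritizing {% data variables.product.prodname_dependabot_alerts %}`, with no "across", so the fragment generated from it will not contain that word and the link will resolve to nothing; regenerate the fragment from the heading as actually written. Two smaller points in the same hunk: the example `has: patch` (space after the colon) in the paragraph beginning "By default, Dependabot alerts are displayed in the Dependabot alerts tab" is written `has:patch` everywhere else on the page and in the new reusable, so if that paragraph survives the change, drop the space, because a `key: value` string with a space is parsed as a free-text search rather than a filter; and the `{% ifversion dependabot-bulk-alerts %}` screenshot block sits after the `{% endif %}` that closes the `fpt or ghec or ghes > 3.4 or ghae-issue-5638` section, so on versions with the bulk-alerts flag the image renders with no introductory sentence, while the `{% elsif ghes = 3.5 %}` branch does get one. Consider placing the screenshot inside the "Prioritizing" section, directly after the `{% data reusables.dependabot.dependabot-alerts-filters %}` include, so every version gets text and image together.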
@@ -92,20 +111,7 @@ For more information, see "[Reviewing and fixing alerts](#reviewing-and-fixing-a
{% data reusables.repositories.navigate-to-repo %}
{% data reusables.repositories.sidebar-security %}
{% data reusables.repositories.sidebar-dependabot-alerts %}
1. Optionally, to filter alerts, select the **Repository**, **Package**, **Ecosystem**, or **Manifest** dropdown menu then click the filter that you would like to apply. You can also type filters into the search bar. For example, `ecosystem:npm`{% ifversion ghes < 3.7 or ghae-issue-5638 %} or `has:patch`{% endif %}{% ifversion dependabot-alerts-development-label %}, `has:patch` or `scope:development`{% endif %}. To sort alerts, select the **Sort** dropdown menu then click the option that you would like to sort by, or type `sort:` into the search bar and choose an option from the suggestions (for example, `sort:newest`).

{% ifversion dependabot-most-important-sort-option %}
{% note %}

**Note:** By default, {% data variables.product.prodname_dependabot_alerts %} are sorted by importance. The "Most important" sort helps you prioritize which {% data variables.product.prodname_dependabot_alerts %} to focus on first. Alerts are ranked based on their potential impact, actionability, and relevance. Our prioritization calculation is constantly being improved and includes factors like CVSS score, dependency scope, and whether vulnerable function calls are found for the alert.
{% endnote %}

![Screenshot of Sort dropdown with "Most important" sort](/assets/images/help/dependabot/dependabot-alerts-sort-dropdown.png)
{% endif %}

You can also click a label on an alert to only show alerts of that type.{% ifversion dependabot-alerts-development-label %} For example, clicking the `Development` label in the list of alerts will only show alerts relating to dependencies used in development, not production. For information about the list of ecosystems supported, see "[Supported ecosystems and manifests for dependency scope ](#supported-ecosystems-and-manifests-for-dependency-scope)."

{% endif %}
1. Optionally, to filter alerts, select a filter in a dropdown menu then click the filter that you would like to apply. You can also type filters into the search bar. For more information about filtering and sorting alerts, see "[Prioritizing {% data variables.product.prodname_dependabot_alerts %}](#prioritizing-across--data-variablesproductprodname_dependabot_alerts-)."
{%- ifversion dependabot-bulk-alerts %}
![Screenshot of the filter and sort menus in the {% data variables.product.prodname_dependabot_alerts %} tab](/assets/images/help/graphs/dependabot-alerts-filters-checkbox.png){% else %}
![Screenshot of the filter and sort menus in the {% data variables.product.prodname_dependabot_alerts %} tab](/assets/images/enterprise/3.5/dependabot/dependabot-alerts-filters.png){% endif %}
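Review bot: the anchor `#prioritizing-across--data-variablesproductprodname_dependabot_alerts-` in the step "Optionally, to filter alerts, select a filter in a dropdown menu" has the same defect as in the previous hunk: no heading in this file contains "across", so the link is dead as written. This hunk also shows two numbered steps that both begin "1. Optionally, to filter alerts". The first carries the version-gated example list `{% ifversion ghes < 3.7 or ghae-issue-5638 %} or `has:patch`{% endif %}{% ifversion dependabot-alerts-development-label %}, `has:patch` or `scope:development`{% endif %}`, which renders as "or `has:patch`, `has:patch` or `scope:development`" on any version where both conditions hold, and its `ghes < 3.7` gate for `has:patch` contradicts the new reusable, which shows the `has` filter only for `fpt or ghec or ghes > 3.5`. If the first step is the one being removed, nothing more is needed; if both remain, the step is duplicated and the inline example list should be dropped in favour of the reusable's gating.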
14 changes: 14 additions & 0 deletions data/reusables/dependabot/dependabot-alerts-filters.md
@@ -0,0 +1,14 @@
You can sort and filter {% data variables.product.prodname_dependabot_alerts %} by typing filters as `key:value` pairs into the search bar.

| Option | Description | Example |
|:---|:---|:---|
| `ecosystem` | Displays alerts for the selected ecosystem | Use `ecosystem:npm` to show {% data variables.product.prodname_dependabot_alerts %} for npm |{% ifversion fpt or ghec or ghes > 3.5 %}
| `has` | Displays alerts meeting the selected filter criteria | Use `has:patch` to show alerts related to advisories that have a patch{% ifversion dependabot-alerts-vulnerable-calls %}</br>Use `has:vulnerable-calls` to show alerts relating to calls to vulnerable functions{% endif %} |{% endif %}
| `is` | Displays alerts based on their state | Use `is:open` to show open alerts |
| `manifest` | Displays alerts for the selected manifest | Use `manifest:webwolf/pom.xml` to show alerts on the pom.xml file of the webwolf application |
| `package` | Displays alerts for the selected package | Use `package:django` to show alerts for django |
| `resolution` | Displays alerts of the selected resolution status | Use `resolution:no-bandwidth` to show alerts previously parked due to lack of resources or time to fix them |
| `repo` | Displays alerts based on the repository they relate to</br>Note that this filter is only available on the security overview. For more information, see "[About the security overview](/code-security/security-overview/about-the-security-overview)" | Use `repo:octocat-repo` to show alerts in the repository called `octocat-repo` |{%- ifversion dependabot-alerts-development-label %}
| `scope` | Displays alerts based on the scope of the dependency they relate to | Use `scope:development` to show alerts for dependencies that are only used during development |{% endif %}
| `severity` | Displays alerts based on their level of severity | Use `severity:high` to show alerts with a severity of High |{%- ifversion dependabot-most-important-sort-option %}
| `sort` | Displays alerts according to the selected sort order | The default sorting option for alerts is `sort:most-important`, which ranks alerts by importance</br>Use `sort:newest` to show the latest alerts reported by {% data variables.product.prodname_dependabot %} |{% endif %}
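Review bot: the line breaks inside table cells are written `</br>` (in the `has`, `repo` and `sort` rows); that is an end tag for a void element and not valid HTML, so depending on the renderer and any sanitizer in front of it the break may be dropped and the two examples run together. Use `<br>` in all three rows. One content point: the `repo` row states that the filter "is only available on the security overview", yet this reusable is pulled into the repository-level Dependabot alerts page by the `{% data reusables.dependabot.dependabot-alerts-filters %}` include in the first hunk, so readers of that page will type `repo:octocat-repo` into a search bar where it has no effect. Either gate the row so it appears only where the filter works, or reword the description so it is clearly a security-overview-only filter on both pages.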
28 changes: 14 additions & 14 deletions lib/rest/static/decorated/api.github.com.json
@@ -544619,8 +544619,8 @@
]
},
"organization": {
"title": "Organization Full",
"description": "Organization Full",
"title": "Team Organization",
"description": "Team Organization",
"type": "object",
"properties": {
"login": {
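Review bot: this only retitles the `organization` object nested in the team schema from "Organization Full" to "Team Organization"; the `type`, `properties` and `login` lines that follow are untouched, so consumers keyed on the JSON shape are unaffected, but anything that derives names from the schema `title` (generated SDK type names, docs cross-references) will now see a different name. Since `lib/rest/static/decorated/*.json` is generated output, confirm the rename originates in the upstream OpenAPI description rather than a hand edit here, otherwise the next sync will revert it; the identical hunks below in this file and in `ghes-3.2.json` should be checked the same way.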
@@ -545351,8 +545351,8 @@
]
},
"organization": {
"title": "Organization Full",
"description": "Organization Full",
"title": "Team Organization",
"description": "Team Organization",
"type": "object",
"properties": {
"login": {
@@ -546131,8 +546131,8 @@
]
},
"organization": {
"title": "Organization Full",
"description": "Organization Full",
"title": "Team Organization",
"description": "Team Organization",
"type": "object",
"properties": {
"login": {
@@ -553319,8 +553319,8 @@
]
},
"organization": {
"title": "Organization Full",
"description": "Organization Full",
"title": "Team Organization",
"description": "Team Organization",
"type": "object",
"properties": {
"login": {
@@ -554089,8 +554089,8 @@
]
},
"organization": {
"title": "Organization Full",
"description": "Organization Full",
"title": "Team Organization",
"description": "Team Organization",
"type": "object",
"properties": {
"login": {
@@ -554778,8 +554778,8 @@
]
},
"organization": {
"title": "Organization Full",
"description": "Organization Full",
"title": "Team Organization",
"description": "Team Organization",
"type": "object",
"properties": {
"login": {
@@ -561942,8 +561942,8 @@
]
},
"organization": {
"title": "Organization Full",
"description": "Organization Full",
"title": "Team Organization",
"description": "Team Organization",
"type": "object",
"properties": {
"login": {
28 changes: 14 additions & 14 deletions lib/rest/static/decorated/ghes-3.2.json
@@ -430488,8 +430488,8 @@
]
},
"organization": {
"title": "Organization Full",
"description": "Organization Full",
"title": "Team Organization",
"description": "Team Organization",
"type": "object",
"properties": {
"login": {
@@ -431204,8 +431204,8 @@
]
},
"organization": {
"title": "Organization Full",
"description": "Organization Full",
"title": "Team Organization",
"description": "Team Organization",
"type": "object",
"properties": {
"login": {
@@ -431968,8 +431968,8 @@
]
},
"organization": {
"title": "Organization Full",
"description": "Organization Full",
"title": "Team Organization",
"description": "Team Organization",
"type": "object",
"properties": {
"login": {
@@ -438934,8 +438934,8 @@
]
},
"organization": {
"title": "Organization Full",
"description": "Organization Full",
"title": "Team Organization",
"description": "Team Organization",
"type": "object",
"properties": {
"login": {
@@ -439688,8 +439688,8 @@
]
},
"organization": {
"title": "Organization Full",
"description": "Organization Full",
"title": "Team Organization",
"description": "Team Organization",
"type": "object",
"properties": {
"login": {
@@ -440361,8 +440361,8 @@
]
},
"organization": {
"title": "Organization Full",
"description": "Organization Full",
"title": "Team Organization",
"description": "Team Organization",
"type": "object",
"properties": {
"login": {
@@ -447303,8 +447303,8 @@
]
},
"organization": {
"title": "Organization Full",
"description": "Organization Full",
"title": "Team Organization",
"description": "Team Organization",
"type": "object",
"properties": {
"login": {