content/code-security/reference/supply-chain-security/troubleshoot-dependabot/vulnerable-dependency-detection.md
11 additions & 10 deletions
@@ -1,5 +1,5 @@
1
1
---
2
-
title: Troubleshooting the detection of vulnerable dependencies
2
+
title: Vulnerable dependency detection
3
3
intro: If the dependency information reported by {% data variables.product.github %} is not what you expected, there are a number of points to consider, and various things you can check.
{% data reusables.dependabot.result-discrepancy %}
29
30
30
-
## Why do some dependencies seem to be missing?
31
+
## Missing or undetected dependencies
31
32
32
33
{% data variables.product.prodname_dotcom %} generates and displays dependency data differently than other tools. Consequently, if you've been using another tool to identify dependencies you will almost certainly see different results. Consider the following:
33
34
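Review bot: the retitling from `Troubleshooting the detection of vulnerable dependencies` to `Vulnerable dependency detection` drops the one word that tells readers this page diagnoses discrepancies rather than explains the feature, which sits oddly with the file living under `troubleshoot-dependabot/` and being typed `contentType: how-tos`; `Troubleshooting vulnerable dependency detection` would keep that intent while still shortening the title. Also confirm that inbound links or navigation entries that relied on the old title are updated, since nothing in this diff handles that.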
@@ -38,39 +39,39 @@ contentType: how-tos
38
39
39
40
{% data variables.product.prodname_dependabot %} doesn't scan repositories on a schedule, but rather when something changes. For example, a scan is triggered when a new dependency is added ({% data variables.product.prodname_dotcom %} checks for this on every push), or when a new advisory is added to the database{% ifversion ghes %} and synchronized to {% data variables.product.prodname_dotcom %}{% endif %}. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-alerts/about-dependabot-alerts#detection-of-insecure-dependencies).
40
41
41
-
## Do {% data variables.product.prodname_dependabot_alerts %} only relate to insecure dependencies in manifests and lockfiles?
42
+
## Alert coverage scope
42
43
43
44
{% data variables.product.prodname_dependabot_alerts %} advise you about dependencies you should update, including transitive dependencies, where the version can be determined from a manifest or a lockfile. {% data variables.product.prodname_dependabot_security_updates %} only suggest a change where {% data variables.product.prodname_dependabot %} can directly "fix" the dependency, that is, when these are:
44
45
* Direct dependencies explicitly declared in a manifest or lockfile
45
46
* Transitive dependencies declared in a lockfile
46
47
47
48
**Check:** Is the uncaught vulnerability for a component that's not specified in the repository's manifest or lockfile?
48
49
49
-
## Why don't I get {% data variables.product.prodname_dependabot_alerts %} for some ecosystems?
50
+
## Unsupported ecosystems
50
51
51
52
{% data variables.product.prodname_dependabot_alerts %} are supported for a set of ecosystems where we can provide high-quality, actionable data. Curated advisories in the {% data variables.product.prodname_advisory_database %}, the dependency graph, {% ifversion fpt or ghec %}{% data variables.product.prodname_dependabot %} security updates, {% endif %}and {% data variables.product.prodname_dependabot_alerts %} are provided for several ecosystems, including Java’s Maven, JavaScript’s npm and Yarn, .NET’s NuGet, Python’s pip, Ruby's RubyGems, and PHP’s Composer. For an overview of the package ecosystems that we support for {% data variables.product.prodname_dependabot_alerts %}, see [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/dependency-graph-supported-package-ecosystems#supported-package-ecosystems).
52
53
53
54
It's worth noting that security advisories may exist for other ecosystems. The information in an unreviewed security advisory is provided by the maintainers of a particular repository. This data is not curated by {% data variables.product.prodname_dotcom %}. {% data reusables.security-advisory.link-browsing-advisory-db %}
54
55
55
56
**Check:** Does the uncaught vulnerability apply to an unsupported ecosystem?
56
57
57
-
## Does {% data variables.product.prodname_dependabot %} generate alerts for vulnerabilities that have been known for many years?
58
+
## Historical vulnerabilities
58
59
59
60
The {% data variables.product.prodname_advisory_database %} was launched in November 2019, and initially back-filled to include advisories for security risks in the supported ecosystems, starting from 2017. When adding CVEs to the database, we prioritize curating newer CVEs, and CVEs affecting newer versions of software.
60
61
61
62
Some information on older vulnerabilities is available, especially where these CVEs are particularly widespread, however some old vulnerabilities are not included in the {% data variables.product.prodname_advisory_database %}. If there's a specific old vulnerability that you need to be included in the database, contact {% data variables.contact.contact_support %}.
62
63
63
64
**Check:** Does the uncaught vulnerability have a publish date earlier than 2017 in the National Vulnerability Database?
64
65
65
-
## Why does {% data variables.product.prodname_advisory_database %} use a subset of published vulnerability data?
66
+
## Advisory database scope
66
67
67
68
Some third-party tools use uncurated CVE data that isn't checked or filtered by a human. This means that CVEs with tagging or severity errors, or other quality issues, will cause more frequent, more noisy, and less useful alerts.
68
69
69
70
Since {% data variables.product.prodname_dependabot %} uses curated data in the {% data variables.product.prodname_advisory_database %}, the volume of alerts may be lower, but the alerts you do receive will be accurate and relevant.
70
71
71
72
{% ifversion fpt or ghec %}
72
73
73
-
## Does each insecure dependency generate a separate alert?
74
+
## Alert generation and aggregation
74
75
75
76
When a dependency has multiple vulnerabilities, an alert is generated for each vulnerability at the level of advisory plus manifest.
76
77
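Review bot: each heading rename in this hunk changes the rendered anchor (for example `#why-do-some-dependencies-seem-to-be-missing` becomes `#missing-or-undetected-dependencies`, and `#does-each-insecure-dependency-generate-a-separate-alert` becomes `#alert-generation-and-aggregation`), and nothing in the diff adds anchor aliases or redirects, so existing deep links into these sections will silently land at the top of the page; please search for the old fragments before merging or keep the old anchors. On wording, `## Unsupported ecosystems` now heads a section whose body lists the ecosystems that are supported and only then notes that advisories may exist for others, so `Supported ecosystems` would describe the content more accurately; and the question-form headings previously made clear which question each `**Check:**` line answered, which the noun-phrase headings no longer do, so consider leading each section with that question as its first sentence.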
@@ -85,11 +86,11 @@ The {% data variables.product.prodname_dependabot_alerts %} count in {% data var
85
86
**Check:** If there is a discrepancy in the totals you are seeing, check that you are not comparing alert numbers with dependency numbers. Also check that you are viewing all alerts and not a subset of filtered alerts.
86
87
{% endif %}
87
88
88
-
## Can Dependabot ignore specific dependencies?
89
+
## Dependency ignore options
89
90
90
91
You can configure {% data variables.product.prodname_dependabot %} to ignore specific dependencies in the configuration file, which will prevent security and version updates for those dependencies. If you only wish to use security updates, you will need to override the default behavior with a configuration file. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-security-updates/configuring-dependabot-security-updates#overriding-the-default-behavior-with-a-configuration-file) to prevent version updates from being activated. For information about ignoring dependencies, see [Ignoring specific dependencies](/code-security/dependabot/dependabot-version-updates/controlling-dependencies-updated#ignoring-specific-dependencies).
91
92
92
-
## Why does {% data variables.product.prodname_dependabot %} sometimes fail to detect or update {% data variables.product.prodname_actions %} versions in monorepos?
93
+
## Monorepo limitations for {% data variables.product.prodname_actions %} versions
93
94
94
95
If your repository contains multiple {% data variables.product.prodname_actions %} (for example, in a monorepo), the tag format you use affects how {% data variables.product.prodname_dependabot %} detects and updates action versions.
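Review bot: the body under the renamed `## Dependency ignore options` heading keeps the sentence `For more information, see [AUTOTITLE](...) to prevent version updates from being activated.`, in which the trailing clause dangles off the link and reads as though following the link prevents activation; since this section is already being touched, rewording it as `To use security updates only, override the default behavior with a configuration file so that version updates are not activated. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-security-updates/configuring-dependabot-security-updates#overriding-the-default-behavior-with-a-configuration-file).` would fix it. The new monorepo heading keeps the `{% data variables.product.prodname_actions %}` variable, which is consistent with the rest of the file, and the old `Can Dependabot ignore specific dependencies?` heading had used a literal product name where the file otherwise uses the variable, so that inconsistency is resolved by the rename.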