The REST API is now versioned. For more information, see "About API versioning".

REST API endpoints for Dependabot alerts

Use the REST API to interact with Dependabot alerts from a repository.

Note

Currently, the ability to use the REST API to manage Dependabot alerts is in public preview and subject to change.

About Dependabot alerts

You can view Dependabot alerts for a repository and update individual alerts with the REST API. For more information, see "About Dependabot alerts".

List Dependabot alerts for an enterprise

Lists Dependabot alerts for repositories that are owned by the specified enterprise.

The authenticated user must be a member of the enterprise to use this endpoint.

Alerts are only returned for organizations in the enterprise for which you are an organization owner or a security manager. For more information about security managers, see "Managing security managers in your organization".

OAuth app tokens and personal access tokens (classic) need the repo or security_events scope to use this endpoint.

Fine-grained access tokens for "List Dependabot alerts for an enterprise"

This endpoint does not work with GitHub App user access tokens, GitHub App installation access tokens, or fine-grained personal access tokens.

Parameters for "List Dependabot alerts for an enterprise"

Headers

accept (string)
    Setting to application/vnd.github+json is recommended.

Path parameters

enterprise (string, required)
    The slug version of the enterprise name. You can also substitute this value with the enterprise id.

Query parameters

state (string)
    A comma-separated list of states. If specified, only alerts with these states will be returned.
    Can be: auto_dismissed, dismissed, fixed, open

severity (string)
    A comma-separated list of severities. If specified, only alerts with these severities will be returned.
    Can be: low, medium, high, critical

ecosystem (string)
    A comma-separated list of ecosystems. If specified, only alerts for these ecosystems will be returned.
    Can be: composer, go, maven, npm, nuget, pip, pub, rubygems, rust

package (string)
    A comma-separated list of package names. If specified, only alerts for these packages will be returned.

scope (string)
    The scope of the vulnerable dependency. If specified, only alerts with this scope will be returned.
    Can be one of: development, runtime

sort (string)
    The property by which to sort the results. created means when the alert was created. updated means when the alert's state last changed.
    Default: created
    Can be one of: created, updated

direction (string)
    The direction to sort the results by.
    Default: desc
    Can be one of: asc, desc

before (string)
    A cursor, as given in the Link header. If specified, the query only searches for results before this cursor. For more information, see "Using pagination in the REST API".

after (string)
    A cursor, as given in the Link header. If specified, the query only searches for results after this cursor. For more information, see "Using pagination in the REST API".

first (integer)
    Deprecated. The number of results per page (max 100), starting from the first matching result. This parameter must not be used in combination with last. Instead, use per_page in combination with after to fetch the first page of results.
    Default: 30

last (integer)
    Deprecated. The number of results per page (max 100), starting from the last matching result. This parameter must not be used in combination with first. Instead, use per_page in combination with before to fetch the last page of results.

per_page (integer)
    The number of results per page (max 100). For more information, see "Using pagination in the REST API".
    Default: 30

HTTP response status codes for "List Dependabot alerts for an enterprise"

Status code    Description
200            OK
304            Not modified
403            Forbidden
404            Resource not found
422            Validation failed, or the endpoint has been spammed.

Code samples for "List Dependabot alerts for an enterprise"

Request example

GET /enterprises/{enterprise}/dependabot/alerts

```shell
curl -L \
  -H "Accept: application/vnd.github+json" \
  -H "Authorization: Bearer <YOUR-TOKEN>" \
  -H "X-GitHub-Api-Version: 2022-11-28" \
  https://api.github.com/enterprises/ENTERPRISE/dependabot/alerts
```

Response

Status: 200

```json
[
  {
    "number": 2,
    "state": "dismissed",
    "dependency": { "package": { "ecosystem": "pip", "name": "django" }, "manifest_path": "path/to/requirements.txt", "scope": "runtime" },
    "security_advisory": {
      "ghsa_id": "GHSA-rf4j-j272-fj86",
      "cve_id": "CVE-2018-6188",
      "summary": "Django allows remote attackers to obtain potentially sensitive information by leveraging data exposure from the confirm_login_allowed() method, as demonstrated by discovering whether a user account is inactive",
      "description": "django.contrib.auth.forms.AuthenticationForm in Django 2.0 before 2.0.2, and 1.11.8 and 1.11.9, allows remote attackers to obtain potentially sensitive information by leveraging data exposure from the confirm_login_allowed() method, as demonstrated by discovering whether a user account is inactive.",
      "vulnerabilities": [
        { "package": { "ecosystem": "pip", "name": "django" }, "severity": "high", "vulnerable_version_range": ">= 2.0.0, < 2.0.2", "first_patched_version": { "identifier": "2.0.2" } },
        { "package": { "ecosystem": "pip", "name": "django" }, "severity": "high", "vulnerable_version_range": ">= 1.11.8, < 1.11.10", "first_patched_version": { "identifier": "1.11.10" } }
      ],
      "severity": "high",
      "cvss": { "vector_string": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "score": 7.5 },
      "cvss_severities": {
        "cvss_v3": { "vector_string": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "score": 7.5 },
        "cvss_v4": { "vector_string": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N", "score": 8.7 }
      },
      "cwes": [ { "cwe_id": "CWE-200", "name": "Exposure of Sensitive Information to an Unauthorized Actor" } ],
      "identifiers": [ { "type": "GHSA", "value": "GHSA-rf4j-j272-fj86" }, { "type": "CVE", "value": "CVE-2018-6188" } ],
      "references": [
        { "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-6188" },
        { "url": "https://github.com/advisories/GHSA-rf4j-j272-fj86" },
        { "url": "https://usn.ubuntu.com/3559-1/" },
        { "url": "https://django.ac.cn/weblog/2018/feb/01/security-releases/" },
        { "url": "http://www.securitytracker.com/id/1040422" }
      ],
      "published_at": "2018-10-03T21:13:54Z",
      "updated_at": "2022-04-26T18:35:37Z",
      "withdrawn_at": null
    },
    "security_vulnerability": { "package": { "ecosystem": "pip", "name": "django" }, "severity": "high", "vulnerable_version_range": ">= 2.0.0, < 2.0.2", "first_patched_version": { "identifier": "2.0.2" } },
    "url": "https://api.github.com/repos/octo-org/octo-repo/dependabot/alerts/2",
    "html_url": "https://github.com/octo-org/octo-repo/security/dependabot/2",
    "created_at": "2022-06-15T07:43:03Z",
    "updated_at": "2022-08-23T14:29:47Z",
    "dismissed_at": "2022-08-23T14:29:47Z",
    "dismissed_by": { "login": "octocat", "id": 1, "node_id": "MDQ6VXNlcjE=", "avatar_url": "https://github.com/images/error/octocat_happy.gif", "gravatar_id": "", "url": "https://api.github.com/users/octocat", "html_url": "https://github.com/octocat", "followers_url": "https://api.github.com/users/octocat/followers", "following_url": "https://api.github.com/users/octocat/following{/other_user}", "gists_url": "https://api.github.com/users/octocat/gists{/gist_id}", "starred_url": "https://api.github.com/users/octocat/starred{/owner}{/repo}", "subscriptions_url": "https://api.github.com/users/octocat/subscriptions", "organizations_url": "https://api.github.com/users/octocat/orgs", "repos_url": "https://api.github.com/users/octocat/repos", "events_url": "https://api.github.com/users/octocat/events{/privacy}", "received_events_url": "https://api.github.com/users/octocat/received_events", "type": "User", "site_admin": false },
    "dismissed_reason": "tolerable_risk",
    "dismissed_comment": "This alert is accurate but we use a sanitizer.",
    "fixed_at": null,
    "repository": { "id": 217723378, "node_id": "MDEwOlJlcG9zaXRvcnkyMTc3MjMzNzg=", "name": "octo-repo", "full_name": "octo-org/octo-repo", "owner": { "login": "octo-org", "id": 6811672, "node_id": "MDEyOk9yZ2FuaXphdGlvbjY4MTE2NzI=", "avatar_url": "https://avatars3.githubusercontent.com/u/6811672?v=4", "gravatar_id": "", "url": "https://api.github.com/users/octo-org", "html_url": "https://github.com/octo-org", "followers_url": "https://api.github.com/users/octo-org/followers", "following_url": "https://api.github.com/users/octo-org/following{/other_user}", "gists_url": "https://api.github.com/users/octo-org/gists{/gist_id}", "starred_url": "https://api.github.com/users/octo-org/starred{/owner}{/repo}", "subscriptions_url": "https://api.github.com/users/octo-org/subscriptions", "organizations_url": "https://api.github.com/users/octo-org/orgs", "repos_url": "https://api.github.com/users/octo-org/repos", "events_url": "https://api.github.com/users/octo-org/events{/privacy}", "received_events_url": "https://api.github.com/users/octo-org/received_events", "type": "Organization", "site_admin": false }, "private": true, "html_url": "https://github.com/octo-org/octo-repo", "description": null, "fork": false, "url": "https://api.github.com/repos/octo-org/octo-repo", "archive_url": "https://api.github.com/repos/octo-org/octo-repo/{archive_format}{/ref}", "assignees_url": "https://api.github.com/repos/octo-org/octo-repo/assignees{/user}", "blobs_url": "https://api.github.com/repos/octo-org/octo-repo/git/blobs{/sha}", "branches_url": "https://api.github.com/repos/octo-org/octo-repo/branches{/branch}", "collaborators_url": "https://api.github.com/repos/octo-org/octo-repo/collaborators{/collaborator}", "comments_url": "https://api.github.com/repos/octo-org/octo-repo/comments{/number}", "commits_url": "https://api.github.com/repos/octo-org/octo-repo/commits{/sha}", "compare_url": "https://api.github.com/repos/octo-org/octo-repo/compare/{base}...{head}", "contents_url": "https://api.github.com/repos/octo-org/octo-repo/contents/{+path}", "contributors_url": "https://api.github.com/repos/octo-org/octo-repo/contributors", "deployments_url": "https://api.github.com/repos/octo-org/octo-repo/deployments", "downloads_url": "https://api.github.com/repos/octo-org/octo-repo/downloads", "events_url": "https://api.github.com/repos/octo-org/octo-repo/events", "forks_url": "https://api.github.com/repos/octo-org/octo-repo/forks", "git_commits_url": "https://api.github.com/repos/octo-org/octo-repo/git/commits{/sha}", "git_refs_url": "https://api.github.com/repos/octo-org/octo-repo/git/refs{/sha}", "git_tags_url": "https://api.github.com/repos/octo-org/octo-repo/git/tags{/sha}", "hooks_url": "https://api.github.com/repos/octo-org/octo-repo/hooks", "issue_comment_url": "https://api.github.com/repos/octo-org/octo-repo/issues/comments{/number}", "issue_events_url": "https://api.github.com/repos/octo-org/octo-repo/issues/events{/number}", "issues_url": "https://api.github.com/repos/octo-org/octo-repo/issues{/number}", "keys_url": "https://api.github.com/repos/octo-org/octo-repo/keys{/key_id}", "labels_url": "https://api.github.com/repos/octo-org/octo-repo/labels{/name}", "languages_url": "https://api.github.com/repos/octo-org/octo-repo/languages", "merges_url": "https://api.github.com/repos/octo-org/octo-repo/merges", "milestones_url": "https://api.github.com/repos/octo-org/octo-repo/milestones{/number}", "notifications_url": "https://api.github.com/repos/octo-org/octo-repo/notifications{?since,all,participating}", "pulls_url": "https://api.github.com/repos/octo-org/octo-repo/pulls{/number}", "releases_url": "https://api.github.com/repos/octo-org/octo-repo/releases{/id}", "stargazers_url": "https://api.github.com/repos/octo-org/octo-repo/stargazers", "statuses_url": "https://api.github.com/repos/octo-org/octo-repo/statuses/{sha}", "subscribers_url": "https://api.github.com/repos/octo-org/octo-repo/subscribers", "subscription_url": "https://api.github.com/repos/octo-org/octo-repo/subscription", "tags_url": "https://api.github.com/repos/octo-org/octo-repo/tags", "teams_url": "https://api.github.com/repos/octo-org/octo-repo/teams", "trees_url": "https://api.github.com/repos/octo-org/octo-repo/git/trees{/sha}" }
  },
  {
    "number": 1,
    "state": "open",
    "dependency": { "package": { "ecosystem": "pip", "name": "ansible" }, "manifest_path": "path/to/requirements.txt", "scope": "runtime" },
    "security_advisory": {
      "ghsa_id": "GHSA-8f4m-hccc-8qph",
      "cve_id": "CVE-2021-20191",
      "summary": "Insertion of Sensitive Information into Log File in ansible",
      "description": "A flaw was found in ansible. Credentials, such as secrets, are being disclosed in console log by default and not protected by no_log feature when using those modules. An attacker can take advantage of this information to steal those credentials. The highest threat from this vulnerability is to data confidentiality.",
      "vulnerabilities": [
        { "package": { "ecosystem": "pip", "name": "ansible" }, "severity": "medium", "vulnerable_version_range": ">= 2.9.0, < 2.9.18", "first_patched_version": { "identifier": "2.9.18" } },
        { "package": { "ecosystem": "pip", "name": "ansible" }, "severity": "medium", "vulnerable_version_range": "< 2.8.19", "first_patched_version": { "identifier": "2.8.19" } },
        { "package": { "ecosystem": "pip", "name": "ansible" }, "severity": "medium", "vulnerable_version_range": ">= 2.10.0, < 2.10.7", "first_patched_version": { "identifier": "2.10.7" } }
      ],
      "severity": "medium",
      "cvss": { "vector_string": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "score": 5.5 },
      "cvss_severities": {
        "cvss_v3": { "vector_string": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "score": 5.5 },
        "cvss_v4": { "vector_string": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "score": 8.5 }
      },
      "cwes": [ { "cwe_id": "CWE-532", "name": "Insertion of Sensitive Information into Log File" } ],
      "identifiers": [ { "type": "GHSA", "value": "GHSA-8f4m-hccc-8qph" }, { "type": "CVE", "value": "CVE-2021-20191" } ],
      "references": [
        { "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-20191" },
        { "url": "https://access.redhat.com/security/cve/cve-2021-20191" },
        { "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1916813" }
      ],
      "published_at": "2021-06-01T17:38:00Z",
      "updated_at": "2021-08-12T23:06:00Z",
      "withdrawn_at": null
    },
    "security_vulnerability": { "package": { "ecosystem": "pip", "name": "ansible" }, "severity": "medium", "vulnerable_version_range": "< 2.8.19", "first_patched_version": { "identifier": "2.8.19" } },
    "url": "https://api.github.com/repos/octo-org/hello-world/dependabot/alerts/1",
    "html_url": "https://github.com/octo-org/hello-world/security/dependabot/1",
    "created_at": "2022-06-14T15:21:52Z",
    "updated_at": "2022-06-14T15:21:52Z",
    "dismissed_at": null,
    "dismissed_by": null,
    "dismissed_reason": null,
    "dismissed_comment": null,
    "fixed_at": null,
    "repository": { "id": 664700648, "node_id": "MDEwOlJlcG9zaXRvcnk2NjQ3MDA2NDg=", "name": "hello-world", "full_name": "octo-org/hello-world", "owner": { "login": "octo-org", "id": 6811672, "node_id": "MDEyOk9yZ2FuaXphdGlvbjY4MTE2NzI=", "avatar_url": "https://avatars3.githubusercontent.com/u/6811672?v=4", "gravatar_id": "", "url": "https://api.github.com/users/octo-org", "html_url": "https://github.com/octo-org", "followers_url": "https://api.github.com/users/octo-org/followers", "following_url": "https://api.github.com/users/octo-org/following{/other_user}", "gists_url": "https://api.github.com/users/octo-org/gists{/gist_id}", "starred_url": "https://api.github.com/users/octo-org/starred{/owner}{/repo}", "subscriptions_url": "https://api.github.com/users/octo-org/subscriptions", "organizations_url": "https://api.github.com/users/octo-org/orgs", "repos_url": "https://api.github.com/users/octo-org/repos", "events_url": "https://api.github.com/users/octo-org/events{/privacy}", "received_events_url": "https://api.github.com/users/octo-org/received_events", "type": "Organization", "site_admin": false }, "private": true, "html_url": "https://github.com/octo-org/hello-world", "description": null, "fork": false, "url": "https://api.github.com/repos/octo-org/hello-world", "archive_url": "https://api.github.com/repos/octo-org/hello-world/{archive_format}{/ref}", "assignees_url": "https://api.github.com/repos/octo-org/hello-world/assignees{/user}", "blobs_url": "https://api.github.com/repos/octo-org/hello-world/git/blobs{/sha}", "branches_url": "https://api.github.com/repos/octo-org/hello-world/branches{/branch}", "collaborators_url": "https://api.github.com/repos/octo-org/hello-world/collaborators{/collaborator}", "comments_url": "https://api.github.com/repos/octo-org/hello-world/comments{/number}", "commits_url": "https://api.github.com/repos/octo-org/hello-world/commits{/sha}", "compare_url": "https://api.github.com/repos/octo-org/hello-world/compare/{base}...{head}", "contents_url": "https://api.github.com/repos/octo-org/hello-world/contents/{+path}", "contributors_url": "https://api.github.com/repos/octo-org/hello-world/contributors", "deployments_url": "https://api.github.com/repos/octo-org/hello-world/deployments", "downloads_url": "https://api.github.com/repos/octo-org/hello-world/downloads", "events_url": "https://api.github.com/repos/octo-org/hello-world/events", "forks_url": "https://api.github.com/repos/octo-org/hello-world/forks", "git_commits_url": "https://api.github.com/repos/octo-org/hello-world/git/commits{/sha}", "git_refs_url": "https://api.github.com/repos/octo-org/hello-world/git/refs{/sha}", "git_tags_url": "https://api.github.com/repos/octo-org/hello-world/git/tags{/sha}", "hooks_url": "https://api.github.com/repos/octo-org/hello-world/hooks", "issue_comment_url": "https://api.github.com/repos/octo-org/hello-world/issues/comments{/number}", "issue_events_url": "https://api.github.com/repos/octo-org/hello-world/issues/events{/number}", "issues_url": "https://api.github.com/repos/octo-org/hello-world/issues{/number}", "keys_url": "https://api.github.com/repos/octo-org/hello-world/keys{/key_id}", "labels_url": "https://api.github.com/repos/octo-org/hello-world/labels{/name}", "languages_url": "https://api.github.com/repos/octo-org/hello-world/languages", "merges_url": "https://api.github.com/repos/octo-org/hello-world/merges", "milestones_url": "https://api.github.com/repos/octo-org/hello-world/milestones{/number}", "notifications_url": "https://api.github.com/repos/octo-org/hello-world/notifications{?since,all,participating}", "pulls_url": "https://api.github.com/repos/octo-org/hello-world/pulls{/number}", "releases_url": "https://api.github.com/repos/octo-org/hello-world/releases{/id}", "stargazers_url": "https://api.github.com/repos/octo-org/hello-world/stargazers", "statuses_url": "https://api.github.com/repos/octo-org/hello-world/statuses/{sha}", "subscribers_url": "https://api.github.com/repos/octo-org/hello-world/subscribers", "subscription_url": "https://api.github.com/repos/octo-org/hello-world/subscription", "tags_url": "https://api.github.com/repos/octo-org/hello-world/tags", "teams_url": "https://api.github.com/repos/octo-org/hello-world/teams", "trees_url": "https://api.github.com/repos/octo-org/hello-world/git/trees{/sha}" }
  }
]
```
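The query parameters above are the same for all three list endpoints, and two of them carry traps that a client should catch before sending a request: the deprecated first and last must not be combined, and page sizes are capped at 100. The Python below is an added example, not GitHub's own client code or anything taken from this page. It validates the documented filter values, builds the request URL, and extracts the after cursor from a Link header so the caller can page forward with per_page and after as the documentation recommends. The Link header in the block is constructed to match the `<url>; rel="next"` form GitHub returns; the cursor strings and the base URL are made up.

```python
"""Validate filters for the 'list Dependabot alerts' endpoints and follow
cursor pagination via the Link header. Added example; uses only the
parameters documented on this page and the standard library."""
import re
from urllib.parse import parse_qs, urlencode, urlparse

# Enumerated values exactly as documented for state, severity, ecosystem,
# scope, sort and direction.
ALLOWED = {
    "state": {"auto_dismissed", "dismissed", "fixed", "open"},
    "severity": {"low", "medium", "high", "critical"},
    "ecosystem": {"composer", "go", "maven", "npm", "nuget", "pip", "pub", "rubygems", "rust"},
    "scope": {"development", "runtime"},
    "sort": {"created", "updated"},
    "direction": {"asc", "desc"},
}
# Parameters that take a comma-separated list (manifest only exists on the
# repository endpoint; page only exists there too).
LIST_PARAMS = {"state", "severity", "ecosystem", "package", "manifest"}
INT_PARAMS = {"first", "last", "per_page", "page"}
CURSOR_PARAMS = {"before", "after"}


def build_query(**filters):
    """Return validated query parameters, raising ValueError on misuse."""
    params = {}
    for name, value in filters.items():
        if value is None:
            continue
        if name in LIST_PARAMS:
            items = value if isinstance(value, (list, tuple, set)) else str(value).split(",")
            items = [i.strip() for i in items if i.strip()]
            bad = set(items) - ALLOWED[name] if name in ALLOWED else set()
            if bad:
                raise ValueError(f"{name}: unsupported value(s) {sorted(bad)}")
            params[name] = ",".join(items)
        elif name in ALLOWED:  # single-valued enums: scope, sort, direction
            if value not in ALLOWED[name]:
                raise ValueError(f"{name}: unsupported value {value!r}")
            params[name] = value
        elif name in INT_PARAMS:
            n = int(value)
            if name != "page" and not 1 <= n <= 100:
                raise ValueError(f"{name} must be between 1 and 100")
            params[name] = n
        elif name in CURSOR_PARAMS:
            params[name] = str(value)
        else:
            raise ValueError(f"unknown parameter {name!r}")
    # The docs forbid combining the two deprecated window parameters.
    if "first" in params and "last" in params:
        raise ValueError("first and last cannot be combined; use per_page with after/before")
    return params


def alerts_url(base, **filters):
    """base is the endpoint URL, e.g. https://api.github.com/orgs/ORG/dependabot/alerts."""
    query = urlencode(build_query(**filters))
    return f"{base}?{query}" if query else base


_LINK_RE = re.compile(r'<([^>]+)>;\s*rel="([^"]+)"')


def next_cursor(link_header):
    """Return the `after` cursor from the rel="next" Link entry, or None on the last page."""
    if not link_header:
        return None
    for url, rel in _LINK_RE.findall(link_header):
        if rel == "next":
            return parse_qs(urlparse(url).query).get("after", [None])[0]
    return None


# Constructed Link header in the shape GitHub uses for cursor pagination;
# the cursor values are made up.
SAMPLE_LINK = (
    '<https://api.github.com/orgs/octo-org/dependabot/alerts?per_page=2&after=Y3Vyc29yOjI%3D>; rel="next", '
    '<https://api.github.com/orgs/octo-org/dependabot/alerts?per_page=2&before=Y3Vyc29yOjE%3D>; rel="prev"'
)

if __name__ == "__main__":
    base = "https://api.github.com/orgs/octo-org/dependabot/alerts"
    print(alerts_url(base, state=["open"], severity="high,critical", ecosystem="pip", per_page=2))
    print(next_cursor(SAMPLE_LINK))
```

A full client would loop: request alerts_url(base, per_page=100, after=cursor), read the Link header from the response, and stop when next_cursor returns None. Validating severity and state before the request avoids a 422 from the endpoint and makes a misspelt filter fail loudly instead of silently returning nothing.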

List Dependabot alerts for an organization

Lists Dependabot alerts for an organization.

The authenticated user must be an owner or security manager for the organization to use this endpoint.

OAuth app tokens and personal access tokens (classic) need the security_events scope to use this endpoint. If this endpoint is only used with public repositories, the token can use the public_repo scope instead.

Fine-grained access tokens for "List Dependabot alerts for an organization"

This endpoint works with the following fine-grained token types:

The fine-grained token must have the following permission set:

  • "Dependabot alerts" repository permissions (read)

Parameters for "List Dependabot alerts for an organization"

Headers

accept (string)
    Setting to application/vnd.github+json is recommended.

Path parameters

org (string, required)
    The organization name. The name is not case sensitive.

Query parameters

state (string)
    A comma-separated list of states. If specified, only alerts with these states will be returned.
    Can be: auto_dismissed, dismissed, fixed, open

severity (string)
    A comma-separated list of severities. If specified, only alerts with these severities will be returned.
    Can be: low, medium, high, critical

ecosystem (string)
    A comma-separated list of ecosystems. If specified, only alerts for these ecosystems will be returned.
    Can be: composer, go, maven, npm, nuget, pip, pub, rubygems, rust

package (string)
    A comma-separated list of package names. If specified, only alerts for these packages will be returned.

scope (string)
    The scope of the vulnerable dependency. If specified, only alerts with this scope will be returned.
    Can be one of: development, runtime

sort (string)
    The property by which to sort the results. created means when the alert was created. updated means when the alert's state last changed.
    Default: created
    Can be one of: created, updated

direction (string)
    The direction to sort the results by.
    Default: desc
    Can be one of: asc, desc

before (string)
    A cursor, as given in the Link header. If specified, the query only searches for results before this cursor. For more information, see "Using pagination in the REST API".

after (string)
    A cursor, as given in the Link header. If specified, the query only searches for results after this cursor. For more information, see "Using pagination in the REST API".

first (integer)
    Deprecated. The number of results per page (max 100), starting from the first matching result. This parameter must not be used in combination with last. Instead, use per_page in combination with after to fetch the first page of results.
    Default: 30

last (integer)
    Deprecated. The number of results per page (max 100), starting from the last matching result. This parameter must not be used in combination with first. Instead, use per_page in combination with before to fetch the last page of results.

per_page (integer)
    The number of results per page (max 100). For more information, see "Using pagination in the REST API".
    Default: 30

HTTP response status codes for "List Dependabot alerts for an organization"

Status code    Description
200            OK
304            Not modified
400            Bad Request
403            Forbidden
404            Resource not found
422            Validation failed, or the endpoint has been spammed.

Code samples for "List Dependabot alerts for an organization"

Request example

GET /orgs/{org}/dependabot/alerts

```shell
curl -L \
  -H "Accept: application/vnd.github+json" \
  -H "Authorization: Bearer <YOUR-TOKEN>" \
  -H "X-GitHub-Api-Version: 2022-11-28" \
  https://api.github.com/orgs/ORG/dependabot/alerts
```

Response

Status: 200

```json
[
  {
    "number": 2,
    "state": "dismissed",
    "dependency": { "package": { "ecosystem": "pip", "name": "django" }, "manifest_path": "path/to/requirements.txt", "scope": "runtime" },
    "security_advisory": {
      "ghsa_id": "GHSA-rf4j-j272-fj86",
      "cve_id": "CVE-2018-6188",
      "summary": "Django allows remote attackers to obtain potentially sensitive information by leveraging data exposure from the confirm_login_allowed() method, as demonstrated by discovering whether a user account is inactive",
      "description": "django.contrib.auth.forms.AuthenticationForm in Django 2.0 before 2.0.2, and 1.11.8 and 1.11.9, allows remote attackers to obtain potentially sensitive information by leveraging data exposure from the confirm_login_allowed() method, as demonstrated by discovering whether a user account is inactive.",
      "vulnerabilities": [
        { "package": { "ecosystem": "pip", "name": "django" }, "severity": "high", "vulnerable_version_range": ">= 2.0.0, < 2.0.2", "first_patched_version": { "identifier": "2.0.2" } },
        { "package": { "ecosystem": "pip", "name": "django" }, "severity": "high", "vulnerable_version_range": ">= 1.11.8, < 1.11.10", "first_patched_version": { "identifier": "1.11.10" } }
      ],
      "severity": "high",
      "cvss": { "vector_string": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "score": 7.5 },
      "cvss_severities": {
        "cvss_v3": { "vector_string": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "score": 7.5 },
        "cvss_v4": { "vector_string": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N", "score": 8.7 }
      },
      "cwes": [ { "cwe_id": "CWE-200", "name": "Exposure of Sensitive Information to an Unauthorized Actor" } ],
      "identifiers": [ { "type": "GHSA", "value": "GHSA-rf4j-j272-fj86" }, { "type": "CVE", "value": "CVE-2018-6188" } ],
      "references": [
        { "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-6188" },
        { "url": "https://github.com/advisories/GHSA-rf4j-j272-fj86" },
        { "url": "https://usn.ubuntu.com/3559-1/" },
        { "url": "https://django.ac.cn/weblog/2018/feb/01/security-releases/" },
        { "url": "http://www.securitytracker.com/id/1040422" }
      ],
      "published_at": "2018-10-03T21:13:54Z",
      "updated_at": "2022-04-26T18:35:37Z",
      "withdrawn_at": null
    },
    "security_vulnerability": { "package": { "ecosystem": "pip", "name": "django" }, "severity": "high", "vulnerable_version_range": ">= 2.0.0, < 2.0.2", "first_patched_version": { "identifier": "2.0.2" } },
    "url": "https://api.github.com/repos/octo-org/octo-repo/dependabot/alerts/2",
    "html_url": "https://github.com/octo-org/octo-repo/security/dependabot/2",
    "created_at": "2022-06-15T07:43:03Z",
    "updated_at": "2022-08-23T14:29:47Z",
    "dismissed_at": "2022-08-23T14:29:47Z",
    "dismissed_by": { "login": "octocat", "id": 1, "node_id": "MDQ6VXNlcjE=", "avatar_url": "https://github.com/images/error/octocat_happy.gif", "gravatar_id": "", "url": "https://api.github.com/users/octocat", "html_url": "https://github.com/octocat", "followers_url": "https://api.github.com/users/octocat/followers", "following_url": "https://api.github.com/users/octocat/following{/other_user}", "gists_url": "https://api.github.com/users/octocat/gists{/gist_id}", "starred_url": "https://api.github.com/users/octocat/starred{/owner}{/repo}", "subscriptions_url": "https://api.github.com/users/octocat/subscriptions", "organizations_url": "https://api.github.com/users/octocat/orgs", "repos_url": "https://api.github.com/users/octocat/repos", "events_url": "https://api.github.com/users/octocat/events{/privacy}", "received_events_url": "https://api.github.com/users/octocat/received_events", "type": "User", "site_admin": false },
    "dismissed_reason": "tolerable_risk",
    "dismissed_comment": "This alert is accurate but we use a sanitizer.",
    "fixed_at": null,
    "repository": { "id": 217723378, "node_id": "MDEwOlJlcG9zaXRvcnkyMTc3MjMzNzg=", "name": "octo-repo", "full_name": "octo-org/octo-repo", "owner": { "login": "octo-org", "id": 6811672, "node_id": "MDEyOk9yZ2FuaXphdGlvbjY4MTE2NzI=", "avatar_url": "https://avatars3.githubusercontent.com/u/6811672?v=4", "gravatar_id": "", "url": "https://api.github.com/users/octo-org", "html_url": "https://github.com/octo-org", "followers_url": "https://api.github.com/users/octo-org/followers", "following_url": "https://api.github.com/users/octo-org/following{/other_user}", "gists_url": "https://api.github.com/users/octo-org/gists{/gist_id}", "starred_url": "https://api.github.com/users/octo-org/starred{/owner}{/repo}", "subscriptions_url": "https://api.github.com/users/octo-org/subscriptions", "organizations_url": "https://api.github.com/users/octo-org/orgs", "repos_url": "https://api.github.com/users/octo-org/repos", "events_url": "https://api.github.com/users/octo-org/events{/privacy}", "received_events_url": "https://api.github.com/users/octo-org/received_events", "type": "Organization", "site_admin": false }, "private": true, "html_url": "https://github.com/octo-org/octo-repo", "description": null, "fork": false, "url": "https://api.github.com/repos/octo-org/octo-repo", "archive_url": "https://api.github.com/repos/octo-org/octo-repo/{archive_format}{/ref}", "assignees_url": "https://api.github.com/repos/octo-org/octo-repo/assignees{/user}", "blobs_url": "https://api.github.com/repos/octo-org/octo-repo/git/blobs{/sha}", "branches_url": "https://api.github.com/repos/octo-org/octo-repo/branches{/branch}", "collaborators_url": "https://api.github.com/repos/octo-org/octo-repo/collaborators{/collaborator}", "comments_url": "https://api.github.com/repos/octo-org/octo-repo/comments{/number}", "commits_url": "https://api.github.com/repos/octo-org/octo-repo/commits{/sha}", "compare_url": "https://api.github.com/repos/octo-org/octo-repo/compare/{base}...{head}", "contents_url": "https://api.github.com/repos/octo-org/octo-repo/contents/{+path}", "contributors_url": "https://api.github.com/repos/octo-org/octo-repo/contributors", "deployments_url": "https://api.github.com/repos/octo-org/octo-repo/deployments", "downloads_url": "https://api.github.com/repos/octo-org/octo-repo/downloads", "events_url": "https://api.github.com/repos/octo-org/octo-repo/events", "forks_url": "https://api.github.com/repos/octo-org/octo-repo/forks", "git_commits_url": "https://api.github.com/repos/octo-org/octo-repo/git/commits{/sha}", "git_refs_url": "https://api.github.com/repos/octo-org/octo-repo/git/refs{/sha}", "git_tags_url": "https://api.github.com/repos/octo-org/octo-repo/git/tags{/sha}", "hooks_url": "https://api.github.com/repos/octo-org/octo-repo/hooks", "issue_comment_url": "https://api.github.com/repos/octo-org/octo-repo/issues/comments{/number}", "issue_events_url": "https://api.github.com/repos/octo-org/octo-repo/issues/events{/number}", "issues_url": "https://api.github.com/repos/octo-org/octo-repo/issues{/number}", "keys_url": "https://api.github.com/repos/octo-org/octo-repo/keys{/key_id}", "labels_url": "https://api.github.com/repos/octo-org/octo-repo/labels{/name}", "languages_url": "https://api.github.com/repos/octo-org/octo-repo/languages", "merges_url": "https://api.github.com/repos/octo-org/octo-repo/merges", "milestones_url": "https://api.github.com/repos/octo-org/octo-repo/milestones{/number}", "notifications_url": "https://api.github.com/repos/octo-org/octo-repo/notifications{?since,all,participating}", "pulls_url": "https://api.github.com/repos/octo-org/octo-repo/pulls{/number}", "releases_url": "https://api.github.com/repos/octo-org/octo-repo/releases{/id}", "stargazers_url": "https://api.github.com/repos/octo-org/octo-repo/stargazers", "statuses_url": "https://api.github.com/repos/octo-org/octo-repo/statuses/{sha}", "subscribers_url": "https://api.github.com/repos/octo-org/octo-repo/subscribers", "subscription_url": "https://api.github.com/repos/octo-org/octo-repo/subscription", "tags_url": "https://api.github.com/repos/octo-org/octo-repo/tags", "teams_url": "https://api.github.com/repos/octo-org/octo-repo/teams", "trees_url": "https://api.github.com/repos/octo-org/octo-repo/git/trees{/sha}" }
  },
  {
    "number": 1,
    "state": "open",
    "dependency": { "package": { "ecosystem": "pip", "name": "ansible" }, "manifest_path": "path/to/requirements.txt", "scope": "runtime" },
    "security_advisory": {
      "ghsa_id": "GHSA-8f4m-hccc-8qph",
      "cve_id": "CVE-2021-20191",
      "summary": "Insertion of Sensitive Information into Log File in ansible",
      "description": "A flaw was found in ansible. Credentials, such as secrets, are being disclosed in console log by default and not protected by no_log feature when using those modules. An attacker can take advantage of this information to steal those credentials. The highest threat from this vulnerability is to data confidentiality.",
      "vulnerabilities": [
        { "package": { "ecosystem": "pip", "name": "ansible" }, "severity": "medium", "vulnerable_version_range": ">= 2.9.0, < 2.9.18", "first_patched_version": { "identifier": "2.9.18" } },
        { "package": { "ecosystem": "pip", "name": "ansible" }, "severity": "medium", "vulnerable_version_range": "< 2.8.19", "first_patched_version": { "identifier": "2.8.19" } },
        { "package": { "ecosystem": "pip", "name": "ansible" }, "severity": "medium", "vulnerable_version_range": ">= 2.10.0, < 2.10.7", "first_patched_version": { "identifier": "2.10.7" } }
      ],
      "severity": "medium",
      "cvss": { "vector_string": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "score": 5.5 },
      "cvss_severities": {
        "cvss_v3": { "vector_string": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "score": 5.5 },
        "cvss_v4": { "vector_string": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "score": 8.5 }
      },
      "cwes": [ { "cwe_id": "CWE-532", "name": "Insertion of Sensitive Information into Log File" } ],
      "identifiers": [ { "type": "GHSA", "value": "GHSA-8f4m-hccc-8qph" }, { "type": "CVE", "value": "CVE-2021-20191" } ],
      "references": [
        { "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-20191" },
        { "url": "https://access.redhat.com/security/cve/cve-2021-20191" },
        { "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1916813" }
      ],
      "published_at": "2021-06-01T17:38:00Z",
      "updated_at": "2021-08-12T23:06:00Z",
      "withdrawn_at": null
    },
    "security_vulnerability": { "package": { "ecosystem": "pip", "name": "ansible" }, "severity": "medium", "vulnerable_version_range": "< 2.8.19", "first_patched_version": { "identifier": "2.8.19" } },
    "url": "https://api.github.com/repos/octo-org/hello-world/dependabot/alerts/1",
    "html_url": "https://github.com/octo-org/hello-world/security/dependabot/1",
    "created_at": "2022-06-14T15:21:52Z",
    "updated_at": "2022-06-14T15:21:52Z",
    "dismissed_at": null,
    "dismissed_by": null,
    "dismissed_reason": null,
    "dismissed_comment": null,
    "fixed_at": null,
    "repository": { "id": 664700648, "node_id": "MDEwOlJlcG9zaXRvcnk2NjQ3MDA2NDg=", "name": "hello-world", "full_name": "octo-org/hello-world", "owner": { "login": "octo-org", "id": 6811672, "node_id": "MDEyOk9yZ2FuaXphdGlvbjY4MTE2NzI=", "avatar_url": "https://avatars3.githubusercontent.com/u/6811672?v=4", "gravatar_id": "", "url": "https://api.github.com/users/octo-org", "html_url": "https://github.com/octo-org", "followers_url": "https://api.github.com/users/octo-org/followers", "following_url": "https://api.github.com/users/octo-org/following{/other_user}", "gists_url": "https://api.github.com/users/octo-org/gists{/gist_id}", "starred_url": "https://api.github.com/users/octo-org/starred{/owner}{/repo}", "subscriptions_url": "https://api.github.com/users/octo-org/subscriptions", "organizations_url": "https://api.github.com/users/octo-org/orgs", "repos_url": "https://api.github.com/users/octo-org/repos", "events_url": "https://api.github.com/users/octo-org/events{/privacy}", "received_events_url": "https://api.github.com/users/octo-org/received_events", "type": "Organization", "site_admin": false }, "private": true, "html_url": "https://github.com/octo-org/hello-world", "description": null, "fork": false, "url": "https://api.github.com/repos/octo-org/hello-world", "archive_url": "https://api.github.com/repos/octo-org/hello-world/{archive_format}{/ref}", "assignees_url": "https://api.github.com/repos/octo-org/hello-world/assignees{/user}", "blobs_url": "https://api.github.com/repos/octo-org/hello-world/git/blobs{/sha}", "branches_url": "https://api.github.com/repos/octo-org/hello-world/branches{/branch}", "collaborators_url": "https://api.github.com/repos/octo-org/hello-world/collaborators{/collaborator}", "comments_url": "https://api.github.com/repos/octo-org/hello-world/comments{/number}", "commits_url": "https://api.github.com/repos/octo-org/hello-world/commits{/sha}", "compare_url": "https://api.github.com/repos/octo-org/hello-world/compare/{base}...{head}", "contents_url": "https://api.github.com/repos/octo-org/hello-world/contents/{+path}", "contributors_url": "https://api.github.com/repos/octo-org/hello-world/contributors", "deployments_url": "https://api.github.com/repos/octo-org/hello-world/deployments", "downloads_url": "https://api.github.com/repos/octo-org/hello-world/downloads", "events_url": "https://api.github.com/repos/octo-org/hello-world/events", "forks_url": "https://api.github.com/repos/octo-org/hello-world/forks", "git_commits_url": "https://api.github.com/repos/octo-org/hello-world/git/commits{/sha}", "git_refs_url": "https://api.github.com/repos/octo-org/hello-world/git/refs{/sha}", "git_tags_url": "https://api.github.com/repos/octo-org/hello-world/git/tags{/sha}", "hooks_url": "https://api.github.com/repos/octo-org/hello-world/hooks", "issue_comment_url": "https://api.github.com/repos/octo-org/hello-world/issues/comments{/number}", "issue_events_url": "https://api.github.com/repos/octo-org/hello-world/issues/events{/number}", "issues_url": "https://api.github.com/repos/octo-org/hello-world/issues{/number}", "keys_url": "https://api.github.com/repos/octo-org/hello-world/keys{/key_id}", "labels_url": "https://api.github.com/repos/octo-org/hello-world/labels{/name}", "languages_url": "https://api.github.com/repos/octo-org/hello-world/languages", "merges_url": "https://api.github.com/repos/octo-org/hello-world/merges", "milestones_url": "https://api.github.com/repos/octo-org/hello-world/milestones{/number}", "notifications_url": "https://api.github.com/repos/octo-org/hello-world/notifications{?since,all,participating}", "pulls_url": "https://api.github.com/repos/octo-org/hello-world/pulls{/number}", "releases_url": "https://api.github.com/repos/octo-org/hello-world/releases{/id}", "stargazers_url": "https://api.github.com/repos/octo-org/hello-world/stargazers", "statuses_url": "https://api.github.com/repos/octo-org/hello-world/statuses/{sha}", "subscribers_url": "https://api.github.com/repos/octo-org/hello-world/subscribers", "subscription_url": "https://api.github.com/repos/octo-org/hello-world/subscription", "tags_url": "https://api.github.com/repos/octo-org/hello-world/tags", "teams_url": "https://api.github.com/repos/octo-org/hello-world/teams", "trees_url": "https://api.github.com/repos/octo-org/hello-world/git/trees{/sha}" }
  }
]
```
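Once a page of alerts like the one above has been fetched, the questions a defender asks are: which open alerts need action first, what version resolves each one, and are the dismissals justified. The Python below is an added example and not part of the GitHub documentation. Alerts 1 and 2 are reduced copies of the example response (only the fields the functions read); alerts 3 and 4, the package names examplelib and otherlib, and the numeric severity ordering are constructed for this example. It reads first_patched_version from security_vulnerability, the single range that matched the dependency, rather than from the advisory's full vulnerabilities list, and treats a null first_patched_version as "no fix published", which the API can return.

```python
"""Triage a page of Dependabot alerts as returned by the list endpoints.

Added example, not GitHub's own code. Alerts 1 and 2 are reduced copies of
the documented example response; alerts 3 and 4 are constructed to exercise
two edge cases: an advisory with no patched release, and a dismissal that
carries no justifying comment.
"""
from collections import Counter

# Ordering for the severity values documented on this page (constructed).
SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}


def _alert(number, state, repo, package, severity, version_range, patched, **extra):
    """Build an alert dict holding only the fields the triage functions read."""
    alert = {
        "number": number,
        "state": state,
        "dependency": {
            "package": {"ecosystem": "pip", "name": package},
            "manifest_path": "path/to/requirements.txt",
            "scope": "runtime",
        },
        # security_vulnerability is the one range that matched the dependency;
        # first_patched_version is null when no fixed release exists yet.
        "security_vulnerability": {
            "package": {"ecosystem": "pip", "name": package},
            "severity": severity,
            "vulnerable_version_range": version_range,
            "first_patched_version": {"identifier": patched} if patched else None,
        },
        "repository": {"full_name": repo},
        "dismissed_reason": None,
        "dismissed_comment": None,
    }
    alert.update(extra)
    return alert


SAMPLE_ALERTS = [
    # reduced from the example response on this page
    _alert(2, "dismissed", "octo-org/octo-repo", "django", "high", ">= 2.0.0, < 2.0.2", "2.0.2",
           dismissed_reason="tolerable_risk",
           dismissed_comment="This alert is accurate but we use a sanitizer."),
    _alert(1, "open", "octo-org/hello-world", "ansible", "medium", "< 2.8.19", "2.8.19"),
    # constructed: open critical alert whose advisory has no patched release
    _alert(3, "open", "octo-org/hello-world", "examplelib", "critical", "<= 1.4.0", None),
    # constructed: dismissed with a reason but without a comment
    _alert(4, "dismissed", "octo-org/octo-repo", "otherlib", "low", "< 0.9", "0.9",
           dismissed_reason="not_used"),
]


def open_by_severity(alerts):
    """Count open alerts per severity, e.g. {'medium': 1, 'critical': 1}."""
    return dict(Counter(a["security_vulnerability"]["severity"]
                        for a in alerts if a["state"] == "open"))


def needs_attention(alerts, min_severity="high"):
    """Numbers of open alerts at or above min_severity, ascending."""
    floor = SEVERITY_RANK[min_severity]
    return sorted(a["number"] for a in alerts
                  if a["state"] == "open"
                  and SEVERITY_RANK[a["security_vulnerability"]["severity"]] >= floor)


def upgrade_targets(alerts):
    """Map (repo, manifest, package) -> first patched version for open alerts.

    None means the advisory lists no patched version, so bumping the
    dependency alone cannot close the alert and another mitigation is needed.
    """
    targets = {}
    for a in alerts:
        if a["state"] != "open":
            continue
        sv = a["security_vulnerability"]
        repo = a.get("repository", {}).get("full_name")  # may be absent on per-repository responses
        key = (repo, a["dependency"]["manifest_path"], sv["package"]["name"])
        fpv = sv.get("first_patched_version")
        targets[key] = fpv["identifier"] if fpv else None
    return targets


def dismissals_missing_comment(alerts):
    """Dismissed alerts that carry no dismissed_comment: candidates for review."""
    return sorted(a["number"] for a in alerts
                  if a["state"] == "dismissed" and not a.get("dismissed_comment"))


if __name__ == "__main__":
    print(open_by_severity(SAMPLE_ALERTS))
    print(needs_attention(SAMPLE_ALERTS))
    print(upgrade_targets(SAMPLE_ALERTS))
    print(dismissals_missing_comment(SAMPLE_ALERTS))
```

Run against a real page, these four functions give a first-pass report: a severity histogram for the dashboard, the alert numbers to escalate, the exact version each manifest needs, and the dismissals that lack a written rationale. Because the list endpoints return at most one page per call, feed them the concatenation of all pages rather than a single response.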

List Dependabot alerts for a repository

OAuth app tokens and personal access tokens (classic) need the security_events scope to use this endpoint. If this endpoint is only used with public repositories, the token can use the public_repo scope.

Fine-grained access tokens for "List Dependabot alerts for a repository"

This endpoint works with the following fine-grained token types:

The fine-grained token must have the following permission set:

  • "Dependabot alerts" repository permissions (read)

Parameters for "List Dependabot alerts for a repository"

Headers
Name, Type, Description
accept string

Setting to application/vnd.github+json is recommended.

Path parameters
Name, Type, Description
owner string Required

The account owner of the repository. The name is not case sensitive.

repo string Required

The name of the repository without the .git extension. The name is not case sensitive.

Query parameters
Name, Type, Description
state string

A comma-separated list of states. If specified, only alerts with these states will be returned.

Can be: auto_dismissed, dismissed, fixed, open

severity string

A comma-separated list of severities. If specified, only alerts with these severities will be returned.

Can be: low, medium, high, critical

ecosystem string

A comma-separated list of ecosystems. If specified, only alerts for these ecosystems will be returned.

Can be: composer, go, maven, npm, nuget, pip, pub, rubygems, rust

package string

A comma-separated list of package names. If specified, only alerts for these packages will be returned.

manifest string

A comma-separated list of full manifest paths. If specified, only alerts for these manifests will be returned.

scope string

The scope of the vulnerable dependency. If specified, only alerts with this scope will be returned.

Can be one of: development, runtime

sort string

The property by which to sort the results. created means when the alert was created. updated means when the alert's state last changed.

Default: created

Can be one of: created, updated

direction string

The direction to sort the results by.

Default: desc

Can be one of: asc, desc

page integer

Closing down notice. Page number of the results to fetch. Use cursor-based pagination with before or after instead.

Default: 1

per_page integer

The number of results per page (max 100). For more information, see "Using pagination in the REST API."

Default: 30

before string

A cursor, as given in the Link header. If specified, the query only searches for results before this cursor. For more information, see "Using pagination in the REST API."

after string

A cursor, as given in the Link header. If specified, the query only searches for results after this cursor. For more information, see "Using pagination in the REST API."

first integer

Deprecated. The number of results per page (max 100), starting from the first matching result. This parameter must not be used in combination with last. Instead, use per_page in combination with after to fetch the first page of results.

Default: 30

last integer

Deprecated. The number of results per page (max 100), starting from the last matching result. This parameter must not be used in combination with first. Instead, use per_page in combination with before to fetch the last page of results.

HTTP response status codes for "List Dependabot alerts for a repository"

Status code   Description
200           OK
304           Not modified
400           Bad Request
403           Forbidden
404           Resource not found
422           Validation failed, or the endpoint has been spammed.

Code samples for "List Dependabot alerts for a repository"

Request example

get/repos/{owner}/{repo}/dependabot/alerts
curl -L \
  -H "Accept: application/vnd.github+json" \
  -H "Authorization: Bearer <YOUR-TOKEN>" \
  -H "X-GitHub-Api-Version: 2022-11-28" \
  https://api.github.com/repos/OWNER/REPO/dependabot/alerts

Response

Status: 200
[ { "number": 2, "state": "dismissed", "dependency": { "package": { "ecosystem": "pip", "name": "django" }, "manifest_path": "path/to/requirements.txt", "scope": "runtime" }, "security_advisory": { "ghsa_id": "GHSA-rf4j-j272-fj86", "cve_id": "CVE-2018-6188", "summary": "Django 允许远程攻击者通过利用 confirm_login_allowed() 方法的数据泄露来获取潜在的敏感信息,例如发现用户帐户是否处于非活动状态", "description": "Django 2.0(版本早于 2.0.2)以及 1.11.8 和 1.11.9 中的 django.contrib.auth.forms.AuthenticationForm 允许远程攻击者通过利用 confirm_login_allowed() 方法的数据泄露来获取潜在的敏感信息,例如发现用户帐户是否处于非活动状态。", "vulnerabilities": [ { "package": { "ecosystem": "pip", "name": "django" }, "severity": "high", "vulnerable_version_range": ">= 2.0.0, < 2.0.2", "first_patched_version": { "identifier": "2.0.2" } }, { "package": { "ecosystem": "pip", "name": "django" }, "severity": "high", "vulnerable_version_range": ">= 1.11.8, < 1.11.10", "first_patched_version": { "identifier": "1.11.10" } } ], "severity": "high", "cvss": { "vector_string": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "score": 7.5 }, "cvss_severities": { "cvss_v3": { "vector_string": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "score": 7.5 }, "cvss_v4": { "vector_string": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N", "score": 8.7 } }, "cwes": [ { "cwe_id": "CWE-200", "name": "将敏感信息泄露给未经授权的参与者" } ], "identifiers": [ { "type": "GHSA", "value": "GHSA-rf4j-j272-fj86" }, { "type": "CVE", "value": "CVE-2018-6188" } ], "references": [ { "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-6188" }, { "url": "https://github.com/advisories/GHSA-rf4j-j272-fj86" }, { "url": "https://usn.ubuntu.com/3559-1/" }, { "url": "https://django.ac.cn/weblog/2018/feb/01/security-releases/" }, { "url": "http://www.securitytracker.com/id/1040422" } ], "published_at": "2018-10-03T21:13:54Z", "updated_at": "2022-04-26T18:35:37Z", "withdrawn_at": null }, "security_vulnerability": { "package": { "ecosystem": "pip", "name": "django" }, "severity": "high", "vulnerable_version_range": ">= 2.0.0, < 
2.0.2", "first_patched_version": { "identifier": "2.0.2" } }, "url": "https://api.github.com/repos/octocat/hello-world/dependabot/alerts/2", "html_url": "https://github.com/octocat/hello-world/security/dependabot/2", "created_at": "2022-06-15T07:43:03Z", "updated_at": "2022-08-23T14:29:47Z", "dismissed_at": "2022-08-23T14:29:47Z", "dismissed_by": { "login": "octocat", "id": 1, "node_id": "MDQ6VXNlcjE=", "avatar_url": "https://github.com/images/error/octocat_happy.gif", "gravatar_id": "", "url": "https://api.github.com/users/octocat", "html_url": "https://github.com/octocat", "followers_url": "https://api.github.com/users/octocat/followers", "following_url": "https://api.github.com/users/octocat/following{/other_user}", "gists_url": "https://api.github.com/users/octocat/gists{/gist_id}", "starred_url": "https://api.github.com/users/octocat/starred{/owner}{/repo}", "subscriptions_url": "https://api.github.com/users/octocat/subscriptions", "organizations_url": "https://api.github.com/users/octocat/orgs", "repos_url": "https://api.github.com/users/octocat/repos", "events_url": "https://api.github.com/users/octocat/events{/privacy}", "received_events_url": "https://api.github.com/users/octocat/received_events", "type": "User", "site_admin": false }, "dismissed_reason": "tolerable_risk", "dismissed_comment": "此警报准确,但我们使用了消毒程序。", "fixed_at": null }, { "number": 1, "state": "open", "dependency": { "package": { "ecosystem": "pip", "name": "ansible" }, "manifest_path": "path/to/requirements.txt", "scope": "runtime" }, "security_advisory": { "ghsa_id": "GHSA-8f4m-hccc-8qph", "cve_id": "CVE-2021-20191", "summary": "ansible 中的敏感信息插入日志文件", "description": "在 ansible 中发现了一个缺陷。凭据(例如密钥)默认情况下会显示在控制台日志中,并且在使用这些模块时不会受到 no_log 功能的保护。攻击者可以利用此信息窃取这些凭据。此漏洞带来的最大威胁是对数据机密性的威胁。", "vulnerabilities": [ { "package": { "ecosystem": "pip", "name": "ansible" }, "severity": "medium", "vulnerable_version_range": ">= 2.9.0, < 2.9.18", "first_patched_version": { "identifier": "2.9.18" } }, { "package": 
{ "ecosystem": "pip", "name": "ansible" }, "severity": "medium", "vulnerable_version_range": "< 2.8.19", "first_patched_version": { "identifier": "2.8.19" } }, { "package": { "ecosystem": "pip", "name": "ansible" }, "severity": "medium", "vulnerable_version_range": ">= 2.10.0, < 2.10.7", "first_patched_version": { "identifier": "2.10.7" } } ], "severity": "medium", "cvss": { "vector_string": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "score": 5.5 }, "cvss_severities": { "cvss_v3": { "vector_string": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "score": 5.5 }, "cvss_v4": { "vector_string": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "score": 8.5 } }, "cwes": [ { "cwe_id": "CWE-532", "name": "将敏感信息插入日志文件" } ], "identifiers": [ { "type": "GHSA", "value": "GHSA-8f4m-hccc-8qph" }, { "type": "CVE", "value": "CVE-2021-20191" } ], "references": [ { "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-20191" }, { "url": "https://access.redhat.com/security/cve/cve-2021-20191" }, { "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1916813" } ], "published_at": "2021-06-01T17:38:00Z", "updated_at": "2021-08-12T23:06:00Z", "withdrawn_at": null }, "security_vulnerability": { "package": { "ecosystem": "pip", "name": "ansible" }, "severity": "medium", "vulnerable_version_range": "< 2.8.19", "first_patched_version": { "identifier": "2.8.19" } }, "url": "https://api.github.com/repos/octocat/hello-world/dependabot/alerts/1", "html_url": "https://github.com/octocat/hello-world/security/dependabot/1", "created_at": "2022-06-14T15:21:52Z", "updated_at": "2022-06-14T15:21:52Z", "dismissed_at": null, "dismissed_by": null, "dismissed_reason": null, "dismissed_comment": null, "fixed_at": null } ]
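Two things a practitioner has to get right when consuming this endpoint are cursor pagination (the next page comes from the Link header's rel="next" entry, not a page number) and deciding which of the returned alerts need action. The helper below is an added example, not GitHub's code: it extracts the after cursor from a Link header and triages a page of alerts by state and severity. The SAMPLE_ALERTS and SAMPLE_LINK values are constructed, trimmed to the fields used, and mirror the two alerts in the response example above (django dismissed, ansible open).

```python
import re
from urllib.parse import parse_qs, urlparse

# Severity values as documented for the `severity` filter, ordered for comparison.
SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}


def next_cursor(link_header):
    """Return the `after` cursor from the rel="next" link, or None on the last page."""
    if not link_header:
        return None
    for part in link_header.split(","):
        m = re.match(r'\s*<([^>]+)>;\s*rel="next"', part)
        if m:
            return parse_qs(urlparse(m.group(1)).query).get("after", [None])[0]
    return None


def triage(alerts, min_severity="high"):
    """Pick open alerts at or above min_severity and report the upgrade that closes them.
    first_patched_version is null in the API when no fix exists, so that case stays visible."""
    threshold = SEVERITY_RANK[min_severity]
    rows = []
    for alert in alerts:
        if alert["state"] != "open":
            continue
        vuln = alert["security_vulnerability"]
        if SEVERITY_RANK[vuln["severity"]] < threshold:
            continue
        fix = vuln.get("first_patched_version")
        rows.append({"number": alert["number"],
                     "package": vuln["package"]["name"],
                     "manifest": alert["dependency"]["manifest_path"],
                     "upgrade_to": fix["identifier"] if fix else None})
    return rows


# Constructed sample data (not a real API capture), reduced to the fields read above.
SAMPLE_ALERTS = [
    {"number": 2, "state": "dismissed",
     "dependency": {"manifest_path": "path/to/requirements.txt", "scope": "runtime"},
     "security_vulnerability": {"package": {"ecosystem": "pip", "name": "django"},
                                "severity": "high", "first_patched_version": {"identifier": "2.0.2"}}},
    {"number": 1, "state": "open",
     "dependency": {"manifest_path": "path/to/requirements.txt", "scope": "runtime"},
     "security_vulnerability": {"package": {"ecosystem": "pip", "name": "ansible"},
                                "severity": "medium", "first_patched_version": {"identifier": "2.8.19"}}},
]
# Constructed Link header in the shape the API uses for cursor pagination; cursor value is made up.
SAMPLE_LINK = ('<https://api.github.com/repos/OWNER/REPO/dependabot/alerts?per_page=100&after=Y3Vyc29yOjE%3D>; rel="next", '
               '<https://api.github.com/repos/OWNER/REPO/dependabot/alerts?per_page=100&before=Y3Vyc29yOjE%3D>; rel="prev"')

if __name__ == "__main__":
    print(next_cursor(SAMPLE_LINK))                      # Y3Vyc29yOjE=
    print(triage(SAMPLE_ALERTS, min_severity="medium"))  # only the open ansible alert
```

In a real run, pass the returned cursor as the after query parameter and stop when next_cursor returns None.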

Get a Dependabot alert

OAuth app tokens and personal access tokens (classic) need the security_events scope to use this endpoint. If this endpoint is only used with public repositories, the token can use the public_repo scope.

Fine-grained access tokens for "Get a Dependabot alert"

This endpoint works with the following fine-grained token types:

The fine-grained token must have the following permission set:

  • "Dependabot alerts" repository permissions (read)

Parameters for "Get a Dependabot alert"

Headers
Name, Type, Description
accept string

Setting to application/vnd.github+json is recommended.

Path parameters
Name, Type, Description
owner string Required

The account owner of the repository. The name is not case sensitive.

repo string Required

The name of the repository without the .git extension. The name is not case sensitive.

alert_number integer Required

The number that identifies a Dependabot alert in its repository. You can find this at the end of the URL for a Dependabot alert within GitHub, or in the number field in the response from the GET /repos/{owner}/{repo}/dependabot/alerts operation.

HTTP response status codes for "Get a Dependabot alert"

Status code   Description
200           OK
304           Not modified
403           Forbidden
404           Resource not found

Code samples for "Get a Dependabot alert"

Request example

get/repos/{owner}/{repo}/dependabot/alerts/{alert_number}
curl -L \
  -H "Accept: application/vnd.github+json" \
  -H "Authorization: Bearer <YOUR-TOKEN>" \
  -H "X-GitHub-Api-Version: 2022-11-28" \
  https://api.github.com/repos/OWNER/REPO/dependabot/alerts/ALERT_NUMBER

Response

Status: 200
{ "number": 1, "state": "open", "dependency": { "package": { "ecosystem": "pip", "name": "ansible" }, "manifest_path": "path/to/requirements.txt", "scope": "runtime" }, "security_advisory": { "ghsa_id": "GHSA-8f4m-hccc-8qph", "cve_id": "CVE-2021-20191", "summary": "ansible 中的敏感信息插入日志文件", "description": "在 ansible 中发现了一个缺陷。凭据(例如密钥)默认情况下会显示在控制台日志中,并且在使用这些模块时不会受到 no_log 功能的保护。攻击者可以利用此信息窃取这些凭据。此漏洞带来的最大威胁是对数据机密性的威胁。", "vulnerabilities": [ { "package": { "ecosystem": "pip", "name": "ansible" }, "severity": "medium", "vulnerable_version_range": ">= 2.9.0, < 2.9.18", "first_patched_version": { "identifier": "2.9.18" } }, { "package": { "ecosystem": "pip", "name": "ansible" }, "severity": "medium", "vulnerable_version_range": "< 2.8.19", "first_patched_version": { "identifier": "2.8.19" } }, { "package": { "ecosystem": "pip", "name": "ansible" }, "severity": "medium", "vulnerable_version_range": ">= 2.10.0, < 2.10.7", "first_patched_version": { "identifier": "2.10.7" } } ], "severity": "medium", "cvss": { "vector_string": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "score": 5.5 }, "cvss_severities": { "cvss_v3": { "vector_string": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "score": 5.5 }, "cvss_v4": { "vector_string": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "score": 8.5 } }, "cwes": [ { "cwe_id": "CWE-532", "name": "将敏感信息插入日志文件" } ], "identifiers": [ { "type": "GHSA", "value": "GHSA-8f4m-hccc-8qph" }, { "type": "CVE", "value": "CVE-2021-20191" } ], "references": [ { "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-20191" }, { "url": "https://access.redhat.com/security/cve/cve-2021-20191" }, { "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1916813" } ], "published_at": "2021-06-01T17:38:00Z", "updated_at": "2021-08-12T23:06:00Z", "withdrawn_at": null }, "security_vulnerability": { "package": { "ecosystem": "pip", "name": "ansible" }, "severity": "medium", "vulnerable_version_range": "< 2.8.19", "first_patched_version": { 
"identifier": "2.8.19" } }, "url": "https://api.github.com/repos/octocat/hello-world/dependabot/alerts/1", "html_url": "https://github.com/octocat/hello-world/security/dependabot/1", "created_at": "2022-06-14T15:21:52Z", "updated_at": "2022-06-14T15:21:52Z", "dismissed_at": null, "dismissed_by": null, "dismissed_reason": null, "dismissed_comment": null, "fixed_at": null }

Update a Dependabot alert

The authenticated user must have access to security alerts for the repository to use this endpoint. For more information, see "Granting access to security alerts."

OAuth app tokens and personal access tokens (classic) need the security_events scope to use this endpoint. If this endpoint is only used with public repositories, the token can use the public_repo scope.

Fine-grained access tokens for "Update a Dependabot alert"

This endpoint works with the following fine-grained token types:

The fine-grained token must have the following permission set:

  • "Dependabot alerts" repository permissions (write)

Parameters for "Update a Dependabot alert"

Headers
Name, Type, Description
accept string

Setting to application/vnd.github+json is recommended.

Path parameters
Name, Type, Description
owner string Required

The account owner of the repository. The name is not case sensitive.

repo string Required

The name of the repository without the .git extension. The name is not case sensitive.

alert_number integer Required

The number that identifies a Dependabot alert in its repository. You can find this at the end of the URL for a Dependabot alert within GitHub, or in the number field in the response from the GET /repos/{owner}/{repo}/dependabot/alerts operation.

Body parameters
Name, Type, Description
state string Required

The state of the Dependabot alert. A dismissed_reason must be provided when setting the state to dismissed.

Can be one of: dismissed, open

dismissed_reason string

Required when state is dismissed. A reason for dismissing the alert.

Can be one of: fix_started, inaccurate, no_bandwidth, not_used, tolerable_risk

dismissed_comment string

An optional comment associated with dismissing the alert.

HTTP response status codes for "Update a Dependabot alert"

Status code   Description
200           OK
400           Bad Request
403           Forbidden
404           Resource not found
409           Conflict
422           Validation failed, or the endpoint has been spammed.

Code samples for "Update a Dependabot alert"

Request example

patch/repos/{owner}/{repo}/dependabot/alerts/{alert_number}
curl -L \
  -X PATCH \
  -H "Accept: application/vnd.github+json" \
  -H "Authorization: Bearer <YOUR-TOKEN>" \
  -H "X-GitHub-Api-Version: 2022-11-28" \
  https://api.github.com/repos/OWNER/REPO/dependabot/alerts/ALERT_NUMBER \
  -d '{"state":"dismissed","dismissed_reason":"tolerable_risk","dismissed_comment":"此警报准确,但我们使用了消毒程序。"}'

Response

Status: 200
{ "number": 2, "state": "dismissed", "dependency": { "package": { "ecosystem": "pip", "name": "django" }, "manifest_path": "path/to/requirements.txt", "scope": "runtime" }, "security_advisory": { "ghsa_id": "GHSA-rf4j-j272-fj86", "cve_id": "CVE-2018-6188", "summary": "Django 允许远程攻击者通过利用 confirm_login_allowed() 方法的数据泄露来获取潜在的敏感信息,例如发现用户帐户是否处于非活动状态", "description": "Django 2.0(版本低于 2.0.2)以及 1.11.8 和 1.11.9 中的 django.contrib.auth.forms.AuthenticationForm 允许远程攻击者通过利用 confirm_login_allowed() 方法的数据泄露来获取潜在的敏感信息,例如发现用户帐户是否处于非活动状态。", "vulnerabilities": [ { "package": { "ecosystem": "pip", "name": "django" }, "severity": "high", "vulnerable_version_range": ">= 2.0.0, < 2.0.2", "first_patched_version": { "identifier": "2.0.2" } }, { "package": { "ecosystem": "pip", "name": "django" }, "severity": "high", "vulnerable_version_range": ">= 1.11.8, < 1.11.10", "first_patched_version": { "identifier": "1.11.10" } } ], "severity": "high", "cvss": { "vector_string": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "score": 7.5 }, "cvss_severities": { "cvss_v3": { "vector_string": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "score": 7.5 }, "cvss_v4": { "vector_string": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N", "score": 8.7 } }, "cwes": [ { "cwe_id": "CWE-200", "name": "向未授权的参与者公开敏感信息" } ], "identifiers": [ { "type": "GHSA", "value": "GHSA-rf4j-j272-fj86" }, { "type": "CVE", "value": "CVE-2018-6188" } ], "references": [ { "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-6188" }, { "url": "https://github.com/advisories/GHSA-rf4j-j272-fj86" }, { "url": "https://usn.ubuntu.com/3559-1/" }, { "url": "https://django.ac.cn/weblog/2018/feb/01/security-releases/" }, { "url": "http://www.securitytracker.com/id/1040422" } ], "published_at": "2018-10-03T21:13:54Z", "updated_at": "2022-04-26T18:35:37Z", "withdrawn_at": null }, "security_vulnerability": { "package": { "ecosystem": "pip", "name": "django" }, "severity": "high", "vulnerable_version_range": ">= 2.0.0, < 2.0.2", "first_patched_version": { "identifier": "2.0.2" } }, "url": "https://api.github.com/repos/octocat/hello-world/dependabot/alerts/2", "html_url": "https://github.com/octocat/hello-world/security/dependabot/2", "created_at": "2022-06-15T07:43:03Z", "updated_at": "2022-08-23T14:29:47Z", "dismissed_at": "2022-08-23T14:29:47Z", "dismissed_by": { "login": "octocat", "id": 1, "node_id": "MDQ6VXNlcjE=", "avatar_url": "https://github.com/images/error/octocat_happy.gif", "gravatar_id": "", "url": "https://api.github.com/users/octocat", "html_url": "https://github.com/octocat", "followers_url": "https://api.github.com/users/octocat/followers", "following_url": "https://api.github.com/users/octocat/following{/other_user}", "gists_url": "https://api.github.com/users/octocat/gists{/gist_id}", "starred_url": "https://api.github.com/users/octocat/starred{/owner}{/repo}", "subscriptions_url": "https://api.github.com/users/octocat/subscriptions", "organizations_url": "https://api.github.com/users/octocat/orgs", "repos_url": "https://api.github.com/users/octocat/repos", "events_url": "https://api.github.com/users/octocat/events{/privacy}", "received_events_url": "https://api.github.com/users/octocat/received_events", "type": "User", "site_admin": false }, "dismissed_reason": "tolerable_risk", "dismissed_comment": "此警报准确,但我们使用了消毒程序。", "fixed_at": null }
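The body rules for this endpoint (state limited to dismissed or open, and a dismissed_reason from the fixed list whenever the state is dismissed) are easy to get wrong in automation, and a 200 alone does not prove the dismissal took effect. The helper below is an added example, not GitHub's code: it builds a body that satisfies those rules before sending, and checks the returned alert object against what was requested. update_alert sends the PATCH with the headers shown in the request example; SAMPLE_RESPONSE is a constructed, trimmed version of the response above.

```python
import json
import urllib.request

API_VERSION = "2022-11-28"
DISMISS_REASONS = {"fix_started", "inaccurate", "no_bandwidth", "not_used", "tolerable_risk"}


def alert_update_body(state, dismissed_reason=None, dismissed_comment=None):
    """Build the PATCH body, enforcing that a dismissal carries a documented reason.
    Rejecting bad input here avoids a 422 round trip against the API."""
    if state not in ("dismissed", "open"):
        raise ValueError("state must be 'dismissed' or 'open'")
    if state == "dismissed" and dismissed_reason not in DISMISS_REASONS:
        raise ValueError(f"dismissed_reason must be one of {sorted(DISMISS_REASONS)}")
    body = {"state": state}
    if dismissed_reason is not None:
        body["dismissed_reason"] = dismissed_reason
    if dismissed_comment is not None:
        body["dismissed_comment"] = dismissed_comment
    return body


def dismissal_applied(response, body):
    """True when the returned alert object reflects the requested change.
    For a dismissal, the reason must match and dismissed_at must be set."""
    if response.get("state") != body["state"]:
        return False
    if body["state"] == "dismissed":
        return (response.get("dismissed_reason") == body["dismissed_reason"]
                and response.get("dismissed_at") is not None)
    return response.get("dismissed_at") is None


def update_alert(owner, repo, alert_number, token, body):
    """PATCH /repos/{owner}/{repo}/dependabot/alerts/{alert_number}; network call, not run offline."""
    url = f"https://api.github.com/repos/{owner}/{repo}/dependabot/alerts/{alert_number}"
    req = urllib.request.Request(
        url, data=json.dumps(body).encode(), method="PATCH",
        headers={"Accept": "application/vnd.github+json",
                 "Authorization": f"Bearer {token}",
                 "X-GitHub-Api-Version": API_VERSION,
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


# Constructed response (not a real capture), reduced to the fields dismissal_applied reads.
SAMPLE_RESPONSE = {"number": 2, "state": "dismissed", "dismissed_reason": "tolerable_risk",
                   "dismissed_at": "2022-08-23T14:29:47Z",
                   "dismissed_comment": "Input is sanitized before it reaches the affected code.",
                   "fixed_at": None}

if __name__ == "__main__":
    body = alert_update_body("dismissed", "tolerable_risk", "Input is sanitized upstream.")
    print(body, dismissal_applied(SAMPLE_RESPONSE, body))  # ... True
```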