How do I get the list of Dependabot alerts via the GitHub API?

16
2 answers

22

In the GraphQL API there is an object called RepositoryVulnerabilityAlert.

For example, for a specific repository you can fetch all alerts with the following query (try it in the explorer):

{
    repository(name: "repo-name", owner: "repo-owner") {
        vulnerabilityAlerts(first: 100) {
            nodes {
                createdAt
                dismissedAt
                securityVulnerability {
                    package {
                        name
                    }
                    advisory {
                        description
                    }
                }
            }
        }
    }
}
It also returns alerts that have already been dismissed, which you can identify by the dismissedAt field. There does not seem to be a way to filter for only "active" alerts, though.

Example output:

{
  "data": {
    "repository": {
      "vulnerabilityAlerts": {
        "nodes": [
          {
            "createdAt": "2018-03-05T19:13:26Z",
            "dismissedAt": null,
            "securityVulnerability": {
              "package": {
                "name": "moment"
              },
              "advisory": {
                "description": "Affected versions of `moment` are vulnerable to a low severity regular expression denial of service when parsing dates as strings.\n\n\n## Recommendation\n\nUpdate to version 2.19.3 or later."
              }
            }
          },
          ....
        ]
      }
    }
  }
}

I'm not sure why, but I assumed that everything available through GraphQL is also available through REST. This is exactly what I'm looking for. - 大朱雀
So is this not available on the REST API? - ejntaylor
1
You can see the state (fixed/open/dismissed) via the API, see: https://docs.github.com/en/graphql/reference/objects#repositoryvulnerabilityalert - DTrejo
@Bertrand, do you know which permissions an access token needs to read this data? Also, can $GITHUB_TOKEN be used to read it? - piotrekkr
@piotrekkr, I managed to do it with the full "repo" scope. That means the token has write access to the repository. Unfortunately I haven't found a way that lets you use a read-only token. - peterrus
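The answer above fetches at most the first 100 alerts and notes that dismissed ones come back mixed in with active ones. As an added example (not code from the question or either answer), the script below extends that query with cursor pagination (pageInfo / after) so every alert is read, and then applies the client-side filter on dismissedAt that the answer describes. The `transport` parameter is a hypothetical injection point so the paging logic can be exercised without network access; the default transport assumes a personal access token with the "repo" scope, as the comments report.

```python
import json
import os
import urllib.request

GITHUB_GRAPHQL = "https://api.github.com/graphql"

# Same selection as the answer's query, plus pageInfo for pagination and the
# `state` field the comments point to. $cursor is null on the first page.
ALERTS_QUERY = """
query($owner: String!, $name: String!, $cursor: String) {
  repository(name: $name, owner: $owner) {
    vulnerabilityAlerts(first: 100, after: $cursor) {
      pageInfo { hasNextPage endCursor }
      nodes {
        createdAt
        dismissedAt
        state
        securityVulnerability {
          package { name }
          advisory { description }
        }
      }
    }
  }
}
"""


def github_graphql(token, query, variables):
    """Default transport: POST the query to GitHub's GraphQL endpoint."""
    body = json.dumps({"query": query, "variables": variables}).encode()
    req = urllib.request.Request(
        GITHUB_GRAPHQL,
        data=body,
        headers={
            "Authorization": f"Bearer {token}",
            "Content-Type": "application/json",
        },
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def fetch_all_alerts(owner, name, token, transport=github_graphql):
    """Follow the vulnerabilityAlerts cursor until every page has been read.

    `transport(token, query, variables)` must return the parsed JSON response;
    it is injectable (hypothetical parameter) so paging can be tested offline.
    """
    alerts, cursor = [], None
    while True:
        variables = {"owner": owner, "name": name, "cursor": cursor}
        data = transport(token, ALERTS_QUERY, variables)
        if "errors" in data:
            # GraphQL reports auth/scope problems here with HTTP 200, so check explicitly.
            raise RuntimeError(data["errors"])
        conn = data["data"]["repository"]["vulnerabilityAlerts"]
        alerts.extend(conn["nodes"])
        if not conn["pageInfo"]["hasNextPage"]:
            return alerts
        cursor = conn["pageInfo"]["endCursor"]


def active_alerts(alerts):
    """Client-side filter: keep only alerts that have not been dismissed."""
    return [a for a in alerts if a.get("dismissedAt") is None]


if __name__ == "__main__":
    # Example invocation; owner/repo names here are placeholders.
    token = os.environ["GITHUB_TOKEN"]
    every = fetch_all_alerts("repo-owner", "repo-name", token)
    for alert in active_alerts(every):
        pkg = alert["securityVulnerability"]["package"]["name"]
        print(alert["createdAt"], alert["state"], pkg)
```

The loop stops on hasNextPage rather than on an empty page, so a repository with exactly 100 alerts does not cost an extra request.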

5

As of September 22, 2022, according to the official documentation, there is now a REST endpoint, as well as GitHub CLI support, for listing Dependabot alerts.

It lets you list the following alerts:


The following examples show how to get the alerts for a specific repository.
GitHub CLI (Bash):
gh api \
  -H "Accept: application/vnd.github+json" \
  -H "X-GitHub-Api-Version: 2022-11-28" \
  /repos/[owner]/[repo-name]/dependabot/alerts

GitHub CLI (PowerShell):

gh api `
  -H "Accept: application/vnd.github+json" `
  -H "X-GitHub-Api-Version: 2022-11-28" `
  /repos/[owner]/[repo-name]/dependabot/alerts

Calling the REST API directly (Bash):

curl -L \
  -H "Accept: application/vnd.github+json" \
  -H "Authorization: Bearer [your-token]" \
  -H "X-GitHub-Api-Version: 2022-11-28" \
  https://api.github.com/repos/[owner]/[repo-name]/dependabot/alerts

Calling the REST API directly (PowerShell):

$headers = @{
    "Accept"                = "application/vnd.github+json"
    "Authorization"         = "Bearer [your-token]"
    "X-GitHub-Api-Version"  = "2022-11-28"
}

Invoke-WebRequest `
    -Uri "https://api.github.com/repos/[owner]/[repo-name]/dependabot/alerts" `
    -Headers $headers

Example (truncated) JSON response:

[
  {
    "number": 11,
    "state": "open",
    "dependency": {
      "package": {
        "ecosystem": "npm",
        "name": "url-parse"
      },
      "manifest_path": "webapp/src/main/react-app/yarn.lock",
      "scope": "runtime"
    },
    "security_advisory": {
      "ghsa_id": "GHSA-jf5r-8hm2-f872",
      "cve_id": "CVE-2022-0691",
      "summary": "Incorrect hostname / protocol due to unstripped leading control characters.",
      "description": "Leading control characters in a URL are not stripped when passed into url-parse. This can cause input URLs to be mistakenly be interpreted as a relative URL without a hostname and protocol, while the WHATWG URL parser will trim control characters and treat it as an absolute URL.\n\nIf url-parse is used in security decisions involving the hostname / protocol, and the input URL is used in a client which uses the WHATWG URL parser, the decision may be incorrect.\n\nThis can also lead to a cross-site scripting (XSS) vulnerability if url-parse is used to check for the javascript: protocol in URLs. See following example:\n`````\nconst parse = require('url-parse')\nconst express = require('express')\nconst app = express()\nconst port = 3000\n\nurl = parse(\\\"\\\\bjavascript:alert(1)\\\")\n\nconsole.log(url)\n\napp.get('/', (req, res) => {\n if (url.protocol !== \\\"javascript:\\\") {res.send(\\\"<a href=\\\\'\\\" + url.href + \\\"\\\\'>CLICK ME!</a>\\\")}\n })\n\napp.listen(port, () => {\n console.log(`Example app listening on port ${port}`)\n })\n`````",
      "severity": "medium",
      "identifiers": [
        {
          "value": "GHSA-jf5r-8hm2-f872",
          "type": "GHSA"
        },
        {
          "value": "CVE-2022-0691",
          "type": "CVE"
        }
      ],
      "references": [
        {
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0691"
        },
        {
          "url": "https://github.com/unshiftio/url-parse/commit/0e3fb542d60ddbf6933f22eb9b1e06e25eaa5b63"
        },
        {
          "url": "https://huntr.dev/bounties/57124ed5-4b68-4934-8325-2c546257f2e4"
        },
        {
          "url": "https://security.netapp.com/advisory/ntap-20220325-0006/"
        },
        {
          "url": "https://lists.debian.org/debian-lts-announce/2023/02/msg00030.html"
        },
        {
          "url": "https://github.com/advisories/GHSA-jf5r-8hm2-f872"
        }
      ],
      "published_at": "2022-02-22T00:00:30Z",
      "updated_at": "2023-02-23T22:08:49Z",
      "withdrawn_at": null,
      "vulnerabilities": [
        {
          "package": {
            "ecosystem": "npm",
            "name": "url-parse"
          },
          "severity": "medium",
          "vulnerable_version_range": "< 1.5.9",
          "first_patched_version": {
            "identifier": "1.5.9"
          }
        }
      ],
      "cvss": {
        "vector_string": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
        "score": 6.5
      },
      "cwes": [
        {
          "cwe_id": "CWE-639",
          "name": "Authorization Bypass Through User-Controlled Key"
        }
      ]
    },
    "security_vulnerability": {
      "package": {
        "ecosystem": "npm",
        "name": "url-parse"
      },
      "severity": "medium",
      "vulnerable_version_range": "< 1.5.9",
      "first_patched_version": {
        "identifier": "1.5.9"
      }
    },
    "url": "https://api.github.com/repos/xxx/yyy/dependabot/alerts/11",
    "html_url": "https://github.com/xxx/yyy/security/dependabot/11",
    "created_at": "2023-04-26T21:44:23Z",
    "updated_at": "2023-04-26T21:44:23Z",
    "dismissed_at": null,
    "dismissed_by": null,
    "dismissed_reason": null,
    "dismissed_comment": null,
    "fixed_at": null,
    "auto_dismissed_at": null
  },
  ...
]

Note that this feature is still in public beta. The endpoint may change, but it should be available to all accounts.
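The curl and gh calls above return one page of alerts of every state. As an added example (not part of this answer), the script below does what a practitioner usually wants from this endpoint: it requests only open alerts with the endpoint's state and per_page query parameters, follows the Link header's rel="next" URL until the listing is exhausted, and summarizes the result by severity, listing the alerts that already have a first_patched_version (i.e. a bump would close them). The `get` parameter is a hypothetical injection point used for offline testing; the default sends the same headers as the curl example, and the token must be able to read the repository's alerts.

```python
import json
import os
import re
import urllib.parse
import urllib.request
from collections import Counter

API = "https://api.github.com"
API_VERSION = "2022-11-28"


def alerts_url(owner, repo, state="open", per_page=100):
    """Build the list URL with the endpoint's state / per_page query parameters."""
    query = urllib.parse.urlencode({"state": state, "per_page": per_page})
    return f"{API}/repos/{owner}/{repo}/dependabot/alerts?{query}"


def next_link(link_header):
    """Return the URL tagged rel="next" from a Link response header, or None."""
    if not link_header:
        return None
    for part in link_header.split(","):
        m = re.match(r'\s*<([^>]+)>;\s*rel="next"', part)
        if m:
            return m.group(1)
    return None


def http_get(url, token):
    """Default fetcher: same headers as the curl example; returns (json, Link header)."""
    req = urllib.request.Request(
        url,
        headers={
            "Accept": "application/vnd.github+json",
            "Authorization": f"Bearer {token}",
            "X-GitHub-Api-Version": API_VERSION,
        },
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp), resp.headers.get("Link")


def fetch_alerts(owner, repo, token, state="open", get=http_get):
    """Walk every page of the listing by following rel="next" links.

    `get(url, token)` must return (parsed_json, link_header); it is injectable
    (hypothetical parameter) so the paging logic can be tested offline.
    """
    url = alerts_url(owner, repo, state)
    alerts = []
    while url:
        page, link = get(url, token)
        alerts.extend(page)
        url = next_link(link)
    return alerts


def summarize(alerts):
    """Counts by severity plus (number, package, first patched version) for fixable alerts."""
    by_severity = Counter(a["security_vulnerability"]["severity"] for a in alerts)
    fixable = []
    for a in alerts:
        vuln = a["security_vulnerability"]
        patched = vuln.get("first_patched_version")
        if patched:
            fixable.append((a["number"], vuln["package"]["name"], patched["identifier"]))
    return {"by_severity": dict(by_severity), "fixable": fixable}


if __name__ == "__main__":
    # Example invocation; owner/repo names here are placeholders.
    token = os.environ["GITHUB_TOKEN"]
    report = summarize(fetch_alerts("owner", "repo-name", token))
    print("open alerts by severity:", report["by_severity"])
    for number, package, version in report["fixable"]:
        print(f"#{number}: upgrade {package} to {version}")
```

Pass state="dismissed" or "fixed" to audit closed alerts instead; the REST endpoint does the filtering server-side, which is the gap the GraphQL answer above could not close.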
