GitHub’s database of security advisories is now open source

This page summarizes the projects mentioned and recommended in the original post on news.ycombinator.com

  • Apache Log4j 2

    Apache Log4j 2 is a versatile, feature-rich, efficient logging API and backend for Java.

  • elixir-security-advisories

    Discontinued: Public database of Elixir security advisories

  • That’s awesome to hear. And I hear you on Elixir/Erlang. I have personal skin in the game on that one - in my Dependabot days I created the open source Elixir Advisory Database and very much want to transition that to the GitHub Advisory Database (and get alerts and PRs working).

    https://github.com/dependabot/elixir-security-advisories

  • advisory-database

    Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

  • We already have fixed versions (where they exist) - example link below.

    On backfilling the data to include advisories from before 2017 - absolutely. So far we've done this in a relatively ad-hoc way - you should already find that the most important (severe and wide-reaching) CVEs from before 2017 are in the database (and if there are any that aren't you think should be we'd love you to open an issue on the DB). We want to do a more complete backfill in the near future.

    https://github.com/github/advisory-database/blob/main/adviso...

  • What is the rationale behind the GHSA advisory score having a lower score for vulnerability severity than what the security community thinks? I've come across this again and again where the CVSS score was higher than the GHSA. Example:

    GHSA has moderate severity:

    https://github.com/advisories/GHSA-896r-f27r-55mw

    The CVSS3 score of the CVE is actually critical!!

    If GHSA is "self-reporting" then why is it allowed to deviate in a direction that is harmful (downplaying the issue). If this means what I think it means (and I might be wrong) then the GHSA score is broken.

    Also, it breaks security workflows that build on GHSA: if a manager looking at the conflicting severity levels lowers the urgency of the backlog ticket because severity is only moderate.
