GitHub Advisory Database by the numbers: Known security vulnerabilities and what you can do about them
Blog post from GitHub
The GitHub Advisory Database is an essential tool for developers, offering a detailed list of known security vulnerabilities and malware affecting open-source packages. It categorizes advisories into GitHub-reviewed, unreviewed, and malware advisories; the number of GitHub-reviewed advisories has grown significantly over the years as ecosystem coverage and the number of contributing sources have increased. The database draws advisories from several channels, including the National Vulnerability Database and community contributions, and is supported by GitHub's role as a CVE Numbering Authority, which allows it to issue CVE IDs for vulnerabilities. By attaching additional data such as CVSS and EPSS scores, the Advisory Database helps users prioritize remediation according to the severity of a vulnerability and the likelihood that it will be exploited. Services like Dependabot use the Advisory Database to identify vulnerable dependencies in projects, suggest fixes, and reduce noise by notifying users only about issues relevant to them. In 2024 the database expanded its coverage and saw a significant increase in the number of advisories imported, establishing GitHub as a prominent player in open-source security.