Dependabot: How problematic are unreviewed CVEs? #50031
Replies: 1 comment
Topic area: Question
Hello,
first of all, I really like Dependabot - it's a great tool and easy to use! And I have just started to use it.
But since Dependabot only considers CVEs in https://github.com/github/advisory-database which are in status REVIEWED, I would really like to understand when a reported CVE gets reviewed and when not.
Also, the number (as of writing) of unreviewed advisories, 185.444, vs. reviewed advisories, 11.655, seems high. Does the number of unreviewed advisories just seem high, and what does it mean for Dependabot's dependability?
The concrete, artificial example where I discovered this is the Python package scikit-learn==0.23.2. There are two CVEs for this package with status UNREVIEWED, which I originally expected to be found by Dependabot, but of course they are not because of their status:
Happy about any insights or hints :)
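The reviewed/unreviewed distinction raised in the question, as an added example that is not from the discussion, from GitHub or from Dependabot's own code: a small Python check over advisory records in the OSV layout that github/advisory-database publishes, reporting which matches Dependabot would alert on and which advisories cannot match any manifest because they carry no package mapping. All GHSA IDs, CVE aliases and the version range are constructed placeholders; the `database_specific.github_reviewed` flag, the `GHSA-*.json` file naming and a local checkout path are assumptions about the repository's format.

```python
import json
from pathlib import Path

# Constructed sample records in the OSV layout of github/advisory-database;
# every ID, alias and version range here is a placeholder, not a real advisory.
SAMPLE_ADVISORIES = [
    {   # reviewed: mapped to a PyPI package, so a manifest can match it
        "id": "GHSA-0000-0000-0001", "aliases": ["CVE-0000-00001"],
        "database_specific": {"github_reviewed": True},
        "affected": [{"package": {"ecosystem": "PyPI", "name": "scikit-learn"},
                      "ranges": [{"type": "ECOSYSTEM", "events": [
                          {"introduced": "0"}, {"fixed": "0.24.0"}]}]}],
    },
    {   # unreviewed: carries only the CVE and no package mapping, so nothing
        # in a requirements file can ever match it (the Dependabot blind spot)
        "id": "GHSA-0000-0000-0002", "aliases": ["CVE-0000-00002"],
        "database_specific": {"github_reviewed": False},
        "affected": [],
    },
]

def load_advisories(repo_dir):
    """Read every GHSA-*.json under a local checkout of the advisory database."""
    return [json.loads(p.read_text()) for p in Path(repo_dir).rglob("GHSA-*.json")]

def parse_version(v):
    """Dotted release into an int tuple; non-numeric (pre-release) parts are dropped."""
    return tuple(int(p) for p in v.split(".") if p.isdigit())

def version_in_range(version, events):
    """OSV range semantics: affected when introduced <= version < fixed."""
    v, lo, hi = parse_version(version), None, None
    for ev in events:
        lo = parse_version(ev["introduced"]) if "introduced" in ev else lo
        hi = parse_version(ev["fixed"]) if "fixed" in ev else hi
    return (lo is None or v >= lo) and (hi is None or v < hi)

def classify(advisories, ecosystem, name, version):
    """Split advisories into what Dependabot would alert on and what it cannot see."""
    out = {"reviewed_hits": [], "unreviewed_hits": [], "unmapped_unreviewed": []}
    for adv in advisories:
        reviewed = adv.get("database_specific", {}).get("github_reviewed", False)
        hit = any(a["package"]["ecosystem"] == ecosystem and a["package"]["name"] == name
                  and any(version_in_range(version, r["events"]) for r in a.get("ranges", []))
                  for a in adv.get("affected", []))
        if hit:
            out["reviewed_hits" if reviewed else "unreviewed_hits"].append(adv["id"])
        elif not reviewed and not adv.get("affected"):
            out["unmapped_unreviewed"].append(adv["id"])
    return out
```

Run `classify(load_advisories("path/to/advisory-database/advisories"), "PyPI", "scikit-learn", "0.23.2")` against a clone to see, for one pinned version, how many unreviewed entries have no package mapping at all and so could never produce a Dependabot alert.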