Sure! Here’s the translation into American English:
—
The GitHub Advisory Database has become an indispensable resource for developers, providing a comprehensive list of security vulnerabilities and malware that affect open source code packages. In an analysis of Advisory DB trends for 2024, a notable increase in the number of reviewed advisories is highlighted, as well as an improvement in ecosystem coverage and contributions from various sources.
The database categorizes vulnerabilities into three main groups: advisories reviewed by GitHub, unreviewed advisories, and malware advisories. Reviewed advisories focus on verified vulnerabilities in packages within supported ecosystems, while unreviewed ones are automatically sourced from the National Vulnerability Database (NVD) and may not relate to supported packages. Malware advisories, on the other hand, target specific threats identified by the npm security team.
Since its launch, the number of reviewed advisories has significantly increased, rising from fewer than 400 in 2019 to over 20,000 by October 2024. This growth has been facilitated by an influx of advisories from multiple sources, as well as the expansion of ecosystem coverage and previous advisory review campaigns.
Package ecosystems have seen a significant uptick in reported vulnerabilities. While npm was initially the predominant ecosystem in the database, the inclusion of other ecosystems like Maven and Composer has notably changed the distribution of advisories. Currently, nearly half of the advisories pertain to vulnerabilities in Maven and Composer packages.
The review and publication process of advisories is enriched by various sources, including contributions from the community and specialized sources like PyPA and Go Vulncheck. These sources allow developers to gain a broader perspective on potential vulnerabilities and prioritize their attention on the most critical ones. To facilitate these decisions, GitHub provides actionable data, such as severity ratings and an exploitation prediction scoring system, which helps developers identify vulnerabilities that require immediate attention.
Additionally, GitHub acts as a CVE Numbering Authority, issuing identifiers for reported vulnerabilities, ensuring their registration in the broader CVE community. In 2024, over 2,000 CVE records were published, solidifying GitHub’s position as a major player in this field.
In summary, the GitHub Advisory Database not only serves as a repository of vulnerabilities but also feeds tools like Dependabot, which assist developers in managing risks and safeguarding the security of their projects effectively.
—
Let me know if you need any further assistance!
Source: MiMub in Spanish