GitLab Advisory Database
The GitLab Advisory Database serves as a repository for security advisories related to software dependencies.
The database is an essential component of both Dependency Scanning and Container Scanning.
A free and open-source version of the GitLab Advisory Database is also available as GitLab Advisory Database (Open Source Edition). However, there is a 30-day delay in updates.
Standardization
In our advisories, we adopt standardized practices to effectively communicate vulnerabilities and their impact.
Explore the database
To view the database content, go to the GitLab Advisory Database home page. On the home page you can:
- Search the database, by identifier, package name, and description.
- View advisories that were added recently.
- View statistical information, including coverage and update frequency.
Search
Each advisory has a page with the following details:
- Identifiers: Public identifiers. For example, CVE ID, GHSA ID, or the GitLab internal ID (`GMS-<year>-<nr>`).
- Package Slug: Package type and package name separated by a slash.
- Vulnerability: A short description of the security flaw.
- Description: A detailed description of the security flaw and potential risks.
- Affected Versions: The affected versions.
- Solution: How to remediate the vulnerability.
- Last Modified: The date when the advisory was last modified.
Statistics
The home page also offers a statistics section that provides insights into advisory distribution, the origins of vulnerabilities, dependency scanning coverage, and timelines for vulnerability resolution.
Open Source Edition
GitLab provides a free and open-source version of the database, the GitLab Advisory Database (Open Source Edition).
The open-source version is a time-delayed, MIT-licensed clone of the GitLab Advisory Database. It contains every advisory from the GitLab Advisory Database that is older than 30 days or carries the `community-sync` flag.
Integrations
- Dependency Scanning
- Container Scanning
- Third-party tools
How the database can be used
As an example, we highlight the use of the database as a source for an Advisory Ingestion process as part of Continuous Vulnerability Scans.
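The following is an added example, not code from GitLab or from the advisory database project, of what a minimal advisory ingestion step in a continuous vulnerability scan looks like. It takes a list of dependencies as (package slug, version) pairs, matches them against advisory records, and applies the Open Source Edition visibility rule described on this page (older than 30 days, or flagged `community-sync`). The record field names mirror the advisory page fields listed above (identifiers, package slug, vulnerability, affected versions, solution, last modified); the field layout, the version-range syntax, the `TODAY` reference date and the three sample advisories with their `GMS-2024-*` numbers are all constructed for this example and are not the real database schema or real advisories.

```python
import re
from datetime import date, timedelta

# Constructed reference date so the example is deterministic (assumption).
TODAY = date(2024, 3, 1)
OSS_DELAY = timedelta(days=30)  # the 30-day delay described on the page

# Constructed sample advisories. Field names follow the advisory page fields
# the documentation lists; the layout is not the real on-disk schema.
ADVISORIES = [
    {"identifiers": ["GMS-2024-1", "CVE-0000-00001"],  # placeholder IDs
     "package_slug": "npm/example-lib",
     "vulnerability": "Prototype pollution in merge()",
     "affected_versions": ">=1.0.0 <1.4.2",
     "solution": "Upgrade to version 1.4.2 or later.",
     "last_modified": date(2024, 1, 10), "community_sync": False},
    {"identifiers": ["GMS-2024-2"],
     "package_slug": "gem/example-gem",
     "vulnerability": "Path traversal in file export",
     "affected_versions": "<2.1.0 || >=3.0.0 <3.0.3",
     "solution": "Upgrade to 2.1.0, or to 3.0.3 on the 3.x line.",
     "last_modified": date(2024, 2, 25), "community_sync": True},
    {"identifiers": ["GMS-2024-3"],
     "package_slug": "pypi/example-pkg",
     "vulnerability": "Unsafe deserialization of untrusted input",
     "affected_versions": "<0.5",
     "solution": "Upgrade to version 0.5 or later.",
     "last_modified": date(2024, 2, 27), "community_sync": False},
]

GMS_ID = re.compile(r"^GMS-(\d{4})-(\d+)$")
COMPARATOR = re.compile(r"^(<=|>=|<|>|=)(\d+(?:\.\d+)*)$")


def parse_gms_id(identifier):
    """Return (year, number) for a GitLab internal ID GMS-<year>-<nr>, else None."""
    m = GMS_ID.match(identifier)
    return (int(m.group(1)), int(m.group(2))) if m else None


def parse_package_slug(slug):
    """Split 'type/name' (package type, slash, package name) into its parts."""
    package_type, sep, name = slug.partition("/")
    if not sep or not package_type or not name:
        raise ValueError(f"malformed package slug: {slug!r}")
    return package_type, name


def parse_version(text):
    """Dotted numeric version -> tuple of ints (pre-release tags not handled)."""
    return tuple(int(part) for part in text.split("."))


def _compare(a, b):
    """Three-way compare of version tuples, zero-padded so 1.4 == 1.4.0."""
    width = max(len(a), len(b))
    a, b = a + (0,) * (width - len(a)), b + (0,) * (width - len(b))
    return (a > b) - (a < b)


def is_affected(version, affected_range):
    """Constructed range syntax: '||'-separated alternatives, each a
    space-separated list of comparators that must all hold."""
    v = parse_version(version)
    ops = {"<": (-1,), "<=": (-1, 0), ">": (1,), ">=": (1, 0), "=": (0,)}
    for alternative in affected_range.split("||"):
        tokens = alternative.split()
        if not tokens:
            continue  # an empty alternative matches nothing
        holds = True
        for token in tokens:
            m = COMPARATOR.match(token)
            if not m:
                raise ValueError(f"bad comparator: {token!r}")
            if _compare(v, parse_version(m.group(2))) not in ops[m.group(1)]:
                holds = False
                break
        if holds:
            return True
    return False


def visible_in_open_source_edition(advisory, today=TODAY):
    """Open Source Edition rule: older than 30 days, or community-sync flagged."""
    return advisory["community_sync"] or advisory["last_modified"] <= today - OSS_DELAY


def scan(dependencies, advisories=ADVISORIES, open_source=False, today=TODAY):
    """Match (package_slug, version) pairs against advisories; return findings."""
    findings = []
    for slug, version in dependencies:
        parse_package_slug(slug)  # reject malformed slugs before matching
        for adv in advisories:
            if open_source and not visible_in_open_source_edition(adv, today):
                continue
            if adv["package_slug"] == slug and is_affected(version, adv["affected_versions"]):
                findings.append({"package": slug, "version": version,
                                 "identifiers": adv["identifiers"],
                                 "solution": adv["solution"]})
    return findings


if __name__ == "__main__":
    deps = [("npm/example-lib", "1.4.1"), ("npm/example-lib", "1.4.2"),
            ("gem/example-gem", "2.0.0"), ("pypi/example-pkg", "0.4.9")]
    for f in scan(deps):
        print(f["package"], f["version"], ", ".join(f["identifiers"]), "->", f["solution"])
```

Run against the constructed dependency list, the full database reports three affected packages, while the Open Source Edition view reports two: the `pypi/example-pkg` advisory is only three days old and not community-synced, so it has not yet propagated. That gap is the practical consequence of the 30-day delay for anyone scanning with the open-source edition alone.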
Maintenance
The Vulnerability Research team is responsible for the maintenance and regular updates of the GitLab Advisory Database and the GitLab Advisory Database (Open Source Edition).
Community contributions are accessible in advisories-community via the `community-sync` flag.
Contributing to the vulnerability database
If you know about a vulnerability that is not listed, you can contribute to the GitLab Advisory Database by either opening an issue or submitting the vulnerability.
For more information, see Contribution Guidelines.
License
The GitLab Advisory Database is freely accessible in accordance with the GitLab Advisory Database Terms.