Dependabot alert sent out 10 days after initial advisory publish - why? #73218
I would like to understand why there's such a delay between an initial report for a CVE and the actual Dependabot alert that goes out to a maintainer. Let's use this advisory as an example: GHSA-g4mx-q9vg-27p4. This advisory got published on Oct 17th. I know that only reviewed advisories will trigger an alert, but according to the history, I would assume that it was a reviewed advisory right from the beginning (due to the folder it is located in): https://github.com/github/advisory-database/commits/main/advisories/github-reviewed/2023/10/GHSA-g4mx-q9vg-27p4/GHSA-g4mx-q9vg-27p4.json. So why did I receive an alert on the 26th and not on the 17th?
Replies: 3 comments
@shelbyc this is indeed an oversight on my end. Thank you very much for pointing it out. The confusion came up due to another advisory: GHSA-v845-jxx5-vc9f. We updated urllib3 to fix this, which in turn caused an overlap with GHSA-g4mx-q9vg-27p4 and thus no alert when it was initially created.
I think I found another case with GHSA-54xq-cgqr-rpm3. Am I missing something again? @shelbyc any idea? Even though this repository is hosted on a GHE instance, I was able to confirm that this advisory is available on the instance, that Dependabot is enabled for this and other repositories, and that Dependabot was creating alerts for other dependencies in other projects in the last few days.
👋 Hi @sn0opy, on October 17, the advisory was originally published and alerts were generated for urllib3 with the vulnerable version ranges `<= 1.26.17` and `>= 2.0.0, <= 2.0.6`. On October 26, the vulnerable version ranges were changed to `< 1.26.18` and `>= 2.0.0, < 2.0.7` to match those in the PYSEC advisory for GHSA-g4mx-q9vg-27p4 and new alerts were generated. Hope this helps!
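To make the range change described in that reply concrete, here is an added example (my own code, not GitHub's or Dependabot's): a small evaluator for advisory-style version ranges, fed the two range sets quoted in the thread for GHSA-g4mx-q9vg-27p4. The installed versions it checks are constructed for illustration, and the comparison is a simplified dotted-integer comparison rather than full PEP 440, so pre-/post-release suffixes are rejected rather than ordered. For the released urllib3 versions the old and new range sets classify identically; the one place they diverge is a version with an extra component (such as a hypothetical 1.26.17.1), which `<= 1.26.17` excludes but `< 1.26.18` covers.

```python
"""Evaluate package versions against advisory-style vulnerable version ranges.

Added example for the thread above; not GitHub's or Dependabot's code.
The range strings are copied from the reply; the versions tested are constructed.
"""
from __future__ import annotations

import re
from typing import Callable

# Range sets quoted in the thread for GHSA-g4mx-q9vg-27p4 (urllib3).
OLD_RANGES = ["<= 1.26.17", ">= 2.0.0, <= 2.0.6"]  # as published on October 17
NEW_RANGES = ["< 1.26.18", ">= 2.0.0, < 2.0.7"]    # as changed on October 26

_OPS: dict[str, Callable[[tuple, tuple], bool]] = {
    "<": lambda a, b: a < b,
    "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b,
    ">=": lambda a, b: a >= b,
    "=": lambda a, b: a == b,
}
_CLAUSE = re.compile(r"^(<=|>=|<|>|=)\s*([0-9]+(?:\.[0-9]+)*)$")


def parse_version(text: str) -> tuple[int, ...]:
    """Parse a plain dotted release version ('1.26.17') into an int tuple.

    Deliberately simpler than PEP 440: suffixes such as 'a1' or '.post1'
    raise instead of being ordered, so a caller never silently misclassifies them.
    """
    if not re.fullmatch(r"[0-9]+(?:\.[0-9]+)*", text):
        raise ValueError(f"unsupported version string: {text!r}")
    return tuple(int(part) for part in text.split("."))


def _pad(a: tuple[int, ...], b: tuple[int, ...]) -> tuple[tuple[int, ...], tuple[int, ...]]:
    """Right-pad with zeros so '1.26' and '1.26.0' compare equal."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)), b + (0,) * (n - len(b))


def matches_range(version: str, range_expr: str) -> bool:
    """True if `version` satisfies every comma-separated clause of `range_expr`."""
    v = parse_version(version)
    for clause in range_expr.split(","):
        m = _CLAUSE.match(clause.strip())
        if not m:
            raise ValueError(f"bad range clause: {clause!r}")
        op, bound = m.group(1), parse_version(m.group(2))
        a, b = _pad(v, bound)
        if not _OPS[op](a, b):
            return False
    return True


def is_vulnerable(version: str, ranges: list[str]) -> bool:
    """An advisory lists several ranges; a version is affected if any one matches."""
    return any(matches_range(version, r) for r in ranges)


def compare_range_sets(versions: list[str], old: list[str], new: list[str]) -> dict[str, tuple[bool, bool]]:
    """Map each version to (affected under old ranges, affected under new ranges)."""
    return {v: (is_vulnerable(v, old), is_vulnerable(v, new)) for v in versions}


if __name__ == "__main__":
    # Constructed sample of installed versions; 1.26.17.1 is hypothetical.
    sample = ["1.25.11", "1.26.17", "1.26.17.1", "1.26.18", "2.0.6", "2.0.7", "2.1.0"]
    for version, (old, new) in compare_range_sets(sample, OLD_RANGES, NEW_RANGES).items():
        flag = "same" if old == new else "DIFFERS"
        print(f"urllib3 {version:>10}: old={old!s:5} new={new!s:5} ({flag})")
```

Running it shows that every released version in the sample gets the same verdict under both range sets, which is consistent with the reply: the second alert on October 26 came from the advisory record being edited, not from more versions becoming affected. Rejecting pre-release strings instead of guessing their order is a deliberate choice; a real Dependabot-style matcher would need the full ecosystem version semantics.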