Simplify versioning and review edits

felicitymay · felicitymay · commit baaae5cda437 · 2022-04-13T14:15:57.000+01:00
diff --git a/assets/images/help/repository/dependabot-alerts-vulnerable-call-label.png b/assets/images/help/repository/dependabot-alerts-vulnerable-call-label.png
diff --git a/assets/images/help/repository/vulnerable-calls-alert-details-page.png b/assets/images/help/repository/vulnerable-calls-alert-details-page.png
diff --git a/content/code-security/dependabot/dependabot-alerts/viewing-and-updating-dependabot-alerts.md b/content/code-security/dependabot/dependabot-alerts/viewing-and-updating-dependabot-alerts.md
diff --git a/content/code-security/security-overview/filtering-alerts-in-the-security-overview.md b/content/code-security/security-overview/filtering-alerts-in-the-security-overview.md
@@ -118,6 +118,17 @@ Available in the code scanning alert views. All code scanning alerts have one of
 |`severity:warning`|Displays {% data variables.product.prodname_code_scanning %} alerts categorized as warnings.|
 |`severity:note`|Displays {% data variables.product.prodname_code_scanning %} alerts categorized as notes.|
 
+{% if dependabot-alerts-vulnerable-calls %}
+## Filter by {% data variables.product.prodname_dependabot %} alert type
+
+Available in the {% data variables.product.prodname_dependabot %} alert views. You can filter the view to show {% data variables.product.prodname_dependabot_alerts %} that are ready to fix or where additional information about exposure is available. You can click any result to see full details of the alert.
+
+| Qualifier | Description |
+| -------- | -------- |
+|`has:patch`|Displays {% data variables.product.prodname_dependabot %} alerts for vulnerabilities where a secure version is already available.|
+|`has:vulnerable-calls`|Displays {% data variables.product.prodname_depednabot %} alerts where at least one call from the repository to a vulnerable function is detected.|
+{% endif %}
+
 {% endif %}
 
 ## Filter by secret types
diff --git a/content/code-security/supply-chain-security/end-to-end-supply-chain/securing-code.md b/content/code-security/supply-chain-security/end-to-end-supply-chain/securing-code.md
@@ -50,9 +50,7 @@ As a first step, you want to make a complete inventory of your dependencies. The
 
 ### Assessment of exposure to risk from a vulnerable dependency
 
-When you discover you are using a vulnerable dependency, for example, a library or a framework, you must assess your project's level of exposure and determine what action to take. Vulnerabilities are usually reported with a severity score to show how severe their impact could be. The severity score is a useful guide but cannot tell you the full impact of the vulnerability on your code.
-
-To assess the impact of a vulnerability on your code, you also need to consider how you use the library and determine how much risk that actually poses to your system. Maybe the vulnerability is part of a feature that you don't use, and you can update the affected library and continue with your normal release cycle. Or maybe your code is badly exposed to risk, and you need to update the affected library and ship an updated build right away. This decision depends on how you're using the library in your system, and is a decision that only you have the knowledge to make.
+{% data reusables.dependabot.vulnerable-calls-beta %}
 
 ## Secure your communication tokens
 
diff --git a/data/features/dependabot-alerts-vulnerable-calls.yml b/data/features/dependabot-alerts-vulnerable-calls.yml
@@ -1,4 +1,4 @@
-# Reference: Issue #6076 in docs-content
+# Reference: Issue #6076 introduction of label for "vulnerable calls" in Dependabot alerts
 versions:
   fpt: '*'
   ghec: '*'
diff --git a/data/reusables/dependabot/assessing-risk-dependabot-alerts.md b/data/reusables/dependabot/assessing-risk-dependabot-alerts.md
@@ -0,0 +1,5 @@
+<!--When making updates to this text, remember to keep the text general. It is used in the end-to-end Supply chain guides -->
+
+When you discover you are using a vulnerable dependency, for example, a library or a framework, you must assess your project's level of exposure and determine what action to take. Vulnerabilities are usually reported with a severity score to show how severe their impact could be. The severity score is a useful guide but cannot tell you the full impact of the vulnerability on your code.
+
+To assess the impact of a vulnerability on your code, you also need to consider how you use the library and determine how much risk that actually poses to your system. Maybe the vulnerability is part of a feature that you don't use, and you can update the affected library and continue with your normal release cycle. Or maybe your code is badly exposed to risk, and you need to update the affected library and ship an updated build right away. This decision depends on how you're using the library in your system, and is a decision that only you have the knowledge to make.
diff --git a/data/reusables/dependabot/vulnerable-calls-beta.md b/data/reusables/dependabot/vulnerable-calls-beta.md
@@ -2,9 +2,13 @@
 
 {% note %}
 
-**Note:** The detection of calls to vulnerable functions by {% data variables.product.prodname_dependabot %} is in beta and subject to change. During the beta release, this feature is only available:
-- Via the {% data variables.product.prodname_dependabot_alerts %} page on {% data variables.product.company_short %}.
-- For new Python advisories created _after_ April 7, 2022, and for a prioritized set of critical historic advisories.
+**Notes:** 
+
+- The detection of calls to vulnerable functions by {% data variables.product.prodname_dependabot %} is in beta and subject to change.
+
+- During the beta release, this feature is available only for new Python advisories created _after_ April 7, 2022, and for a prioritized set of critical historic Python advisories. Vulnerable calls are highlighted only on the {% data variables.product.prodname_dependabot_alerts %} pages.
+
+- {% data reusables.gated-features.dependency-vulnerable-calls %}
 
 {% endnote %}
 
diff --git a/data/reusables/gated-features/dependency-vulnerable-calls.md b/data/reusables/gated-features/dependency-vulnerable-calls.md
@@ -0,0 +1,13 @@
+{%- ifversion fpt %}
+Detection of vulnerable calls is enabled on public repositories. This analysis is also available in private repositories owned by organizations that use {% data variables.product.prodname_ghe_cloud %} and have licensed {% data variables.product.prodname_GH_advanced_security %}.
+
+{%- elsif ghec %}
+Detection of vulnerable calls is included in {% data variables.product.product_name %} for public repositories. To detect vulnerable calls in private repositories owned by organizations, your organization must have a license for {% data variables.product.prodname_GH_advanced_security %}.
+
+{%- elsif ghes > 3.5 %}
+Detection of vulnerable calls is available for organization-owned repositories in {% data variables.product.product_name %}. This feature requires a license for {% data variables.product.prodname_GH_advanced_security %}.
+
+{%- elsif ghae-issue-6076 %}
+Detection of vulnerable calls is available for organization-owned repositories in {% data variables.product.product_name %}. This is a {% data variables.product.prodname_GH_advanced_security %} feature (free during the beta release).
+
+{%- endif %} {% data reusables.advanced-security.more-info-ghas %}

Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`		`-# Reference: Issue #6076 in docs-content`
	`1`	`+# Reference: Issue #6076 introduction of label for "vulnerable calls" in Dependabot alerts`
`2`	`2`	`versions:`
`3`	`3`	`fpt: '*'`
`4`	`4`	`ghec: '*'`