osv.dev is a vulnerability database and triage infrastructure for open source projects aimed at helping both open source maintainers and consumers of open source.

This repository contains the infrastructure code that serves osv.dev(and other user tooling). This infrastructure serves as an aggregator of vulnerability databases that have adopted the OpenSSF Vulnerability format.

osv.dev additionally provides infrastructure to ensure affected versions are accurately represented in each vulnerability entry, through bisection and version analysis.

This is an ongoing project. We encourage open source ecosystems to adopt the OpenSSF Vulnerability format to enable open source users to easily aggregate and consume vulnerabilities across all ecosystems. See our blog post for more details.

The following ecosystems have vulnerabilities encoded in this format:

• GitHub Advisory Database (CC-BY 4.0)
• PyPI Advisory Database (CC-BY 4.0)
• Go Vulnerability Database (CC-BY 4.0)
• Rust Advisory Database (CC0 1.0)
• Global Security Database (CC0 1.0)
• OSS-Fuzz (CC-BY 4.0)

Additionally, the OSV.dev team maintains a conversion pipeline for:

• Debian Security Advisories, using the conversion tools here.
• Alpine SecDB, using the conversion tools here.

Together, these include vulnerabilities from:

• Android
• crates.io
• Debian GNU/Linux
• GitHub Actions
• Go
• Hex
• Linux kernel
• Maven
• npm
• NuGet
• OSS-Fuzz
• Packagist
• Pub
• PyPI
• RubyGems

For convenience, these sources are aggregated and continuously exported to a GCS bucket maintained by OSV: gs://osv-vulnerabilities.

This bucket contains individual entries of the format gs://osv-vulnerabilities/<ECOSYSTEM>/<ID>.json as well as a zip containing all vulnerabilities for each ecosystem at gs://osv-vulnerabilities/<ECOSYSTEM>/all.zip.

E.g. for PyPI vulnerabilities:

# Or download over HTTP via https://osv-vulnerabilities.storage.googleapis.com/PyPI/all.zip
gsutil cp gs://osv-vulnerabilities/PyPI/all.zip .

An instance of OSV's web UI is deployed at https://osv.dev.

  curl -X POST -d \
      '{"commit": "6879efc2c1596d11a6a6ad296f80063b558d5e0f"}' \
      "https://api.osv.dev/v1/query"

  curl -X POST -d \
      '{"version": "2.4.1", "package": {"name": "jinja2", "ecosystem": "PyPI"}}' \
      "https://api.osv.dev/v1/query"

Detailed documentation for using the API can be found at https://osv.dev/docs/.

We provide a Go based tool that will scan your dependencies, and check them against the OSV database for known vulnerabilities via the OSV API.

Currently it is able to scan various lockfiles, debian docker containers, SPDX and CycloneDB SBOMs, and git repositories.

The scanner is located in it's own repository here.

You can find an overview of OSV's architecture here.

This repository contains all the code for running https://osv.dev on GCP. This consists of:

• API server (gcp/api)
• Web interface (gcp/appengine)
• Workers for bisection and impact analysis (docker/worker)

You'll need to check out submodules as well for many local building steps to work:

git submodule update --init --recursive

See CONTRIBUTING.md.

There are also community tools that use OSV. Note that these are community built tools and unsupported by the core OSV maintainers.

• G-Rath/osv-detector: A scanner that uses the OSV database.
• Rust client library
• Golang support for the schema
• pip-audit
• .NET client library and support for the schema
• EZE-CLI: The one stop shop for security testing in modern development
• OSS Review Toolkit
• Skjold: Security audit python project dependencies against several security advisory databases
• Cortex XSOAR
• Dependency-Track
• dep-scan
• bomber
• it-depends
• Packj
• Trivy
• Betterscan.io: Code Scanning/SAST/Static Analysis/Linting using many tools/Scanners with One Report (Code, IaC)

Feel free to send a PR to add your project here.

Contributions are welcome! We also have a mailing list and a FAQ.