An open, precise, and distributed approach to producing and consuming vulnerability information for open source.
All advisories in this database use the OpenSSF OSV format, which was developed in collaboration with open source communities.
The OSV schema provides a human and machine readable data format to describe vulnerabilities in a way that precisely maps to open source package versions or commit hashes.
{
"schema_version": "1.3.0",
"id": "GHSA-c3g4-w6cv-6v7h",
"modified": "2022-04-01T13:56:42Z",
"published": "2022-04-01T13:56:42Z",
"aliases": [ "CVE-2022-27651" ],
"summary": "Non-empty default inheritable capabilities for linux container in Buildah",
"details": "A bug was found in Buildah where containers were created ...",
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/containers/buildah"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "1.25.0"
}
]
}
]
}
],
"references": [
{
"type": "WEB",
"url": "https://github.com/containers/buildah/commit/..."
},
{
"type": "PACKAGE",
"url": "https://github.com/containers/buildah"
}
]
}
This infrastructure serves as an aggregator of vulnerability databases that have adopted the OSV schema, including GitHub Security Advisories, PyPA, RustSec, and Global Security Database, and more.
An easy-to-use API is available to query for all known vulnerabilities by either a commit hash, or a package version.
curl -d \ '{"commit": "6879efc2c1596d11a6a6ad296f80063b558d5e0f"}' \ "https://api.osv.dev/v1/query"
curl -d \ '{"version": "2.4.1", "package": {"name": "jinja2", "ecosystem": "PyPI"}}' \ "https://api.osv.dev/v1/query"
go install github.com/google/osv-scanner/cmd/osv-scanner@v1
osv-scanner --sbom=cycloned-or-spdx-sbom.json osv-scanner --lockfile=package-lock.json
osv-scanner -r path/to/your/project
osv-scanner fix --non-interactive --strategy=in-place -L path/to/package-lock.json osv-scanner fix --non-interactive --strategy=relock -M path/to/package.json -L path/to/package-lock.json
osv-scanner fix -M path/to/package.json -L path/to/package-lock.json
OSV-Scanner also provides reusable GitHub workflows that can be easily integrated into CI/CD pipelines to provide continuous vulnerability scanning coverage. This can scan newly added dependencies in pull requests for introduced vulnerabilities, as well as perform regular vulnerability scans for the entire project.