A distributed vulnerability database for Open Source

An open, precise, and distributed approach to producing and consuming vulnerability information for open source.

OSV schema

All advisories in this database use the OpenSSF OSV format, which was developed in collaboration with open source communities.

The OSV schema provides a human and machine readable data format to describe vulnerabilities in a way that precisely maps to open source package versions or commit hashes.

{
  "schema_version": "1.3.0",
  "id": "GHSA-c3g4-w6cv-6v7h",
  "modified": "2022-04-01T13:56:42Z",
  "published": "2022-04-01T13:56:42Z",
  "aliases": [ "CVE-2022-27651" ],
  "summary": "Non-empty default inheritable capabilities for linux container in Buildah",
  "details": "A bug was found in Buildah where containers were created ...",
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/containers/buildah"
      },
      "ranges": [
        {
          "type": "SEMVER",
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.25.0"
            }
          ]
        }
      ]
    }
  ],
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/containers/buildah/commit/..."
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/containers/buildah"
    }
  ]
}

Data sources

This infrastructure serves as an aggregator of vulnerability databases that have adopted the OSV schema, including GitHub Security Advisories, PyPA, RustSec, and Global Security Database, and more.

Use the API

An easy-to-use API is available to query for all known vulnerabilities by either a commit hash, or a package version.

Query by commit hash

curl -d \
  '{"commit": "6879efc2c1596d11a6a6ad296f80063b558d5e0f"}' \
  "https://api.osv.dev/v1/query"

Query by version number

curl -d \
  '{"version": "2.4.1",
    "package": {"name": "jinja2", "ecosystem": "PyPI"}}' \
  "https://api.osv.dev/v1/query"

Command Line Tools (OSV‑Scanner)

Install OSV‑Scanner

go install github.com/google/osv-scanner/cmd/osv-scanner@v1
          

Scan SBOM or Lockfiles

osv-scanner --sbom=cycloned-or-spdx-sbom.json
osv-scanner --lockfile=package-lock.json
          

Scan directory recursively

osv-scanner -r path/to/your/project
          

Open source

This project is open source. If you have any ideas or questions, please feel free to reach out by creating an issue!