What is OSV?
OSV consists of:
- The OSV Schema: An easy-to-use data format that maps precisely to open source versioning schemes.
- Reference infrastructure (this site, API, and tooling) that aggregates and indexes vulnerability data from
databases that use the OSV schema.
We created OSV to address many of the shortcomings of dealing with
vulnerabilities in open source software using existing solutions.
See our blog posts for more details:
- Launching OSV
- Announcing a unified vulnerability schema for open source
Who is OSV for?
OSV can be used by both:
- Open source consumers: By querying our API and using our
tooling to find known vulnerabilities in their dependencies.
- Vulnerability database producers: By making the database
available in the OSV format.
Why a new format to describe vulnerabilities?
We found that there was no existing standard format which:
- Enforces version specification that precisely matches naming and versioning schemes used in actual open source package ecosystems. For instance, matching a vulnerability such as a CVE to a package name and set of versions in a package manager is difficult to do in an automated way using existing mechanisms such as CPEs.
- Can be used to describe vulnerabilities in any open source ecosystem, while not requiring ecosystem-dependent logic to process them.
- Is easy to use by both automated systems and humans.
A unified format means that vulnerability databases, open source
users, and security researchers can easily share tooling and consume
vulnerabilities across all of open source. This means a more complete
view of vulnerabilities in open source for everyone, as well as
faster detection and remediation times resulting from easier
automation.
Who is using the OSV schema?
The benefits of the OSV schema have led to adoption by several
vulnerability databases, including GitHub Security Advisories, PyPA,
RustSec, and many more.
The full list of databases can be found
here.
How do I use OSV as an open source user?
OSV provides an easy-to-use API
for querying against the aggregated database of vulnerabilities.
Command line tooling is also available for
vulnerability scanning of SBOMs, language manifests, and container images.
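The precise version matching described under "Why a new format" and the API query used by open source consumers are easiest to see in working code. The following Python is an added example and is not osv.dev's own implementation; it evaluates the `affected[].ranges[].events` of an OSV record with the schema's introduced/fixed/last_affected algorithm, and builds the JSON body that `POST https://api.osv.dev/v1/query` accepts without sending it. The record, its id `EXAMPLE-0001` and the package `example-archiver` are constructed for illustration and do not refer to a real advisory.

```python
"""Added example: matching a version against an OSV-format record (not osv.dev code)."""
import json
import re

# Constructed OSV record: placeholder id and package, not a real advisory.
EXAMPLE_RECORD = {
    "id": "EXAMPLE-0001",
    "summary": "Constructed example record for illustration only",
    "affected": [
        {
            "package": {"ecosystem": "npm", "name": "example-archiver"},
            "ranges": [
                {
                    "type": "SEMVER",
                    "events": [
                        {"introduced": "0"},      # "0" = affected since the first release
                        {"fixed": "1.4.2"},
                        {"introduced": "2.0.0"},  # bug reintroduced in the 2.x line
                        {"fixed": "2.1.0"},
                    ],
                }
            ],
            # Explicit enumeration that scanners may also match against.
            "versions": ["1.4.0", "1.4.1", "2.0.0", "2.0.1"],
        }
    ],
}

_SEMVER = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$")


def semver_key(version):
    """Sort key with SemVer 2.0.0 precedence (build metadata ignored).

    The OSV sentinel "0" sorts before every real version, even "0.0.0-alpha".
    """
    if version == "0":
        return (0, 0, 0, 0, ())
    m = _SEMVER.match(version)
    if not m:
        raise ValueError(f"not a SemVer version: {version!r}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    pre = m.group(4)
    if pre is None:
        return (major, minor, patch, 1, ())  # a release outranks its pre-releases
    ids = tuple((0, int(p)) if p.isdigit() else (1, p) for p in pre.split("."))
    return (major, minor, patch, 0, ids)


def _event(event):
    for kind in ("introduced", "fixed", "last_affected"):
        if kind in event:
            return kind, event[kind]
    raise ValueError(f"unsupported event: {event}")


def version_in_range(version, rng):
    """OSV event algorithm for one range. Only SEMVER ranges are compared:
    ECOSYSTEM ranges follow the ecosystem's own ordering (e.g. PEP 440 for PyPI)
    and GIT ranges follow commit ancestry, so they are rejected, not guessed."""
    if rng.get("type") != "SEMVER":
        raise NotImplementedError(f"range type {rng.get('type')!r} needs its own comparator")
    v = semver_key(version)
    events = sorted((_event(e) for e in rng["events"]), key=lambda kv: semver_key(kv[1]))
    vulnerable = False
    for kind, bound in events:  # evaluated in version order, as the schema specifies
        b = semver_key(bound)
        if kind == "introduced" and v >= b:
            vulnerable = True
        elif kind == "fixed" and v >= b:
            vulnerable = False
        elif kind == "last_affected" and v > b:
            vulnerable = False
    return vulnerable


def affected_entries(record, ecosystem, name, version):
    """Return the record's `affected` entries covering (ecosystem, name, version)."""
    hits = []
    for entry in record.get("affected", []):
        pkg = entry.get("package", {})
        if pkg.get("ecosystem") != ecosystem or pkg.get("name") != name:
            continue
        if version in entry.get("versions", []) or any(
            version_in_range(version, r) for r in entry.get("ranges", [])
        ):
            hits.append(entry)
    return hits


def is_vulnerable(record, ecosystem, name, version):
    return bool(affected_entries(record, ecosystem, name, version))


def build_query(ecosystem, name, version):
    """JSON body for POST https://api.osv.dev/v1/query (built, not sent)."""
    return json.dumps({"version": version, "package": {"ecosystem": ecosystem, "name": name}})


if __name__ == "__main__":
    for v in ("1.4.1", "1.4.2-rc1", "1.4.2", "2.0.1", "2.1.0"):
        print(f"{v:10s} affected={is_vulnerable(EXAMPLE_RECORD, 'npm', 'example-archiver', v)}")
    print(build_query("npm", "example-archiver", "1.4.1"))
```

Note the pre-release case: `1.4.2-rc1` sorts before the `fixed` version `1.4.2`, so it is still reported as affected, which is the behaviour you want from a scanner and the kind of ordering a CPE string cannot express.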
How do I use OSV as a vulnerability database maintainer?
By making your vulnerability database available in the OSV format,
you give open source users a consistent way to consume its vulnerabilities
alongside those from every other open source ecosystem.
Vulnerability databases also benefit from easier interchange
and vulnerability sharing with other databases that use the OSV
format.
How do I contribute to OSV, or ask a question?