OSV consists of:
We created OSV to address many of the shortcomings of dealing with vulnerabilities in open source software using existing solutions.
See our blog posts for more details:
OSV can be used by both:
We found that there was no existing standard format which:
A unified format means that vulnerability databases, open source users, and security researchers can easily share tooling and consume vulnerabilities across all of open source. This means a more complete view of vulnerabilities in open source for everyone, as well as faster detection and remediation times resulting from easier automation.
OSV provides an easy-to-use API for querying against the aggregated database of vulnerabilities.
Command line tooling is currently being developed to enable easy vulnerability scanning of SBOMs, language manifests, and container images. Stay tuned!
By making your vulnerability database available in the OSV format, open source users will have a consistent way to consume vulnerabilities across all open source ecosystems.
Vulnerability databases can also benefit from easier interchange and vulnerabiltiy sharing from other databases that use the OSV format.
OSV is completely open source!
If you have any questions, please feel free to create an issue in either repo!