CURL joins OSV thanks to new REST API Contribution Support
Posted by Jess Lowe on Feb 14, 2024

As part of OSV’s strategy to be a comprehensive, accurate and timely database of known vulnerabilities, we’re excited to announce that we now support CURL advisories in the OSV database, thanks to REST API contribution support. CURL has been publishing vulnerability records in the OSV format for a while, but until now they could not be imported.

The Year in Review
Posted by The OSV Team on Dec 11, 2023

2023 has been a very eventful year for OSV.

Introducing license scanning with OSV-Scanner
Posted by Josie Anugerah on Dec 5, 2023

OSV-Scanner’s primary goal is to help developers match project dependencies to known vulnerabilities. But vulnerability information is not the only criterion for deciding which packages (and versions) to include in a project. Understanding which licenses your dependencies use can help you decide whether to include a particular package in your project. Packages can also be relicensed, which means that license checking matters not only at ingestion, but as part of long-term dependency maintenance and management.

Introducing broad C/C++ vulnerability management support
Posted by Andrew Pollock and Oliver Chang on Nov 6, 2023

OSV is committed to bringing our users comprehensive, accurate and timely open source vulnerability information. Over the last year, we’ve released a number of new features in pursuit of this goal including:

Today we are announcing that OSV advisories now include vulnerable commit ranges. Vulnerable commit ranges, along with the previously announced experimental determineversion API, will enable vulnerability management for software with C and C++ dependencies, which has been one of the last gaps in coverage in OSV.dev’s database. Additionally, OSV-Scanner is now compatible with C and C++ projects.

Using the determineversion API to find C/C++ vulnerabilities
Posted by OSV Team on Jul 20, 2023

With the increasing incidence of software supply chain attacks, it is more important than ever for developers to understand the known vulnerabilities in their open source dependencies, regardless of the ecosystem of origin. The determineversion API is OSV’s newest tool that will help C/C++ developers match their dependencies to known vulnerabilities.

Within the C/C++ ecosystem it is difficult to match dependencies to vulnerabilities for a few reasons:

  • C/C++ does not have a centralized package manager like npm or PyPI
  • Software projects typically pull in C/C++ dependencies via submodules or vendoring
  • Source code identifiers (e.g. git hashes) are the best way to identify libraries, but vulnerabilities are typically associated with versions, not git hashes

OSV has had C/C++ vulnerability data from OSS-Fuzz, keyed on git hashes, from day 1. However, a remaining challenge for C/C++ users is accurately identifying the closest upstream git hash of their C/C++ dependencies in order to make use of this vulnerability data. The OSV team is committed to bridging the gap between what C/C++ users need and the constraints of the ecosystem, and the determineversion API is part of our plan for comprehensive C/C++ support.

AlmaLinux and Rocky Linux join OSV
Posted by OSV Team on May 8, 2023

Two new Linux distributions have been added to the OSV database. With the addition of AlmaLinux and Rocky Linux, the OSV database is now made up of advisories from 18 sources, including language ecosystems and Linux distributions.

Announcing OSV's Service Level Objectives
Posted by OSV Team on Mar 27, 2023

We are excited to announce that OSV has published our new service level objectives (SLOs).

Automating and Scaling Vex Generation
Posted by Brandon Lum, Oliver Chang, and Meder Kydyraliev on Mar 5, 2023

If you’ve recently been in the space of vulnerability management and the discussions around the White House Executive Order on Improving the Nation’s Cybersecurity (EO), you’re probably familiar with concepts such as Software Bill of Materials (SBOM) and Vulnerability Exploitability eXchange (VEX).

A VEX document/statement—a form of a security advisory that indicates whether a product or products are affected by a known vulnerability or vulnerabilities—provides a great starting point in prioritizing vulnerability response and automating risk evaluation of software, especially for software consumers. There has already been a lot of coverage on consuming and using VEX for vulnerability management. However, there has not been much conversation around the generation of VEX documents. For producers, the process of creating a VEX statement today is largely a manual and cost-intensive process.

Renovate adds OSV database check
Posted by OSV Team on Feb 27, 2023

We are pleased to announce that Renovate has incorporated an OSV database check as an experimental feature.

Welcome to the OSV blog
Posted by OSV Team on Nov 28, 2022

We’re excited to launch our own OSV blog, where we’ll be posting project news and technical blog posts related to vulnerability management.
