Movatterモバイル変換

google/osv.devPublic

NotificationsYou must be signed in to change notification settings
Fork198
Star1.8k

Open source vulnerability DB and triage service.

osv.dev

License

Apache-2.0 license

1.8k stars 198 forks Branches Tags Activity

Star

Notifications

You must be signed in to change notification settings

Branches Tags

Folders and files

Name		Name	Last commit message	Last commit date
Latest commit History 2,352 Commits
.github		.github
actions/analyze		actions/analyze
deployment		deployment
docker		docker
docs		docs
gcp		gcp
osv		osv
tools		tools
vulnfeeds		vulnfeeds
.gitignore		.gitignore
.gitmodules		.gitmodules
.markdownlint.json		.markdownlint.json
.pylintrc		.pylintrc
.ruff.toml		.ruff.toml
.style.yapf		.style.yapf
CONTRIBUTING.md		CONTRIBUTING.md
LICENSE		LICENSE
Makefile		Makefile
README.md		README.md
cloudbuild.yaml		cloudbuild.yaml
osv-scanner.toml		osv-scanner.toml
poetry.lock		poetry.lock
pyproject.toml		pyproject.toml
renovate.json		renovate.json
run_tests.sh		run_tests.sh
source.yaml		source.yaml
source_test.yaml		source_test.yaml

Repository files navigation

Documentation

Comprehensive documentation is availablehere.API documentation is availablehere.

Viewing the web UI

An instance of OSV's web UI is deployed athttps://osv.dev.

Using the scanner

We provide a Go based tool that will scan your dependencies, and check them against the OSV database for known vulnerabilities via the OSV API.

Currently it is able to scan various lockfiles, debian docker containers, SPDX and CycloneDB SBOMs, and git repositories.

The scanner is located in itsown repository.

This repository

This repository contains all the code for runninghttps://osv.dev on GCP. Thisconsists of:

directory	what
`deployment/`	Terraform & Cloud Deploy config files A few Cloud Build config yamls
`docker/`	CI docker files (`ci`,`deployment`,`terraform`) `worker-base` docker image for`gcp/workers/worker`
`docs/`	Jekyll files forhttps://google.github.io/osv.dev/ `build_swagger.py` and`tools.go`
`gcp/api`	OSV API server files (including files for the local ESP server) protobuf files in`/v1`
`gcp/datastore`	The datastore index file (`index.yaml`)
`gcp/functions`	The Cloud Function for publishing PyPI vulnerabilities (maintained, but not developed)
`gcp/indexer`	The determine version`indexer`
`gcp/website`	The backend of the osv.dev web interface, with the frontend in`frontend3` Blog posts (in`blog`)
`gcp/workers/`	Workers for bisection and impact analysis (`worker`,`importer`,`exporter`,`alias`) `cron/` jobs for database backups and processing oss-fuzz records
`osv/`	The core OSV Python library, used in basically all Python services OSV ecosystem package versioning helpers in`ecosystems/` Datastore model definitions in`models.py`
`tools/`	Misc scripts/tools, mostly intended for development (datastore stuff, linting) The`indexer-api-caller` for indexer calling
`vulnfeeds/`	Go module for (mostly) the NVD CVE conversion The Alpine feed converter (`cmd/alpine`) The Debian feed converter (`tools/debian`, which is written in Python)

You'll need to check out submodules as well for many local building steps towork:

git submodule update --init --recursive

Contributing

Contributions are welcome!

Learn more aboutcode,data, anddocumentation contributions.We also have amailing list.

Do you have a question or a suggestion? Pleaseopen an issue.

Third party tools and integrations

There are also community tools that use OSV. Note that these are community builttools and as such are not supported or endorsed by the core OSV maintainers. You may wishto consult theOpenSSF's Concise Guide for Evaluating Open Source Softwareto determine suitability for your use. Some popular third party tools are: