A distributed vulnerability database for Open Source
An open, precise, and distributed approach to producing and consuming vulnerability information for open source.
Ecosystems
- AlmaLinux
- 3444 View AlmaLinux vulnerabilities
- Alpine
- 3652 View Alpine vulnerabilities
- Android
- 2769 View Android vulnerabilities
- Bitnami
- 5100 View Bitnami vulnerabilities
- Chainguard
- 20748 View Chainguard vulnerabilities
- crates.io
- 1609 View crates.io vulnerabilities
- Debian
- 44720 View Debian vulnerabilities
- GIT
- 27234 View GIT vulnerabilities
- Go
- 3976 View Go vulnerabilities
- Hex
- 34 View Hex vulnerabilities
- Linux
- 13573 View Linux vulnerabilities
- Mageia
- 5540 View Mageia vulnerabilities
- Maven
- 5326 View Maven vulnerabilities
- npm
- 24134 View npm vulnerabilities
- NuGet
- 1419 View NuGet vulnerabilities
- openSUSE
- 9196 View openSUSE vulnerabilities
- OSS-Fuzz
- 3574 View OSS-Fuzz vulnerabilities
- Packagist
- 4413 View Packagist vulnerabilities
- PyPI
- 15299 View PyPI vulnerabilities
- Red Hat
- 15394 View Red Hat vulnerabilities
- Rocky Linux
- 1630 View Rocky Linux vulnerabilities
- RubyGems
- 1671 View RubyGems vulnerabilities
- SUSE
- 15560 View SUSE vulnerabilities
- SwiftURL
- 35 View SwiftURL vulnerabilities
- Ubuntu
- 44527 View Ubuntu vulnerabilities
- Wolfi
- 12026 View Wolfi vulnerabilities
OSV schema
All advisories in this database use theOpenSSF OSV format, which was developed in collaboration with open source communities.
The OSV schema provides a human and machine readable data format to describe vulnerabilities in a way that precisely maps to open source package versions or commit hashes.
{ "schema_version": "1.3.0", "id": "GHSA-c3g4-w6cv-6v7h", "modified": "2022-04-01T13:56:42Z", "published": "2022-04-01T13:56:42Z", "aliases": [ "CVE-2022-27651" ], "summary": "Non-empty default inheritable capabilities for linux container in Buildah", "details": "A bug was found in Buildah where containers were created ...", "affected": [ { "package": { "ecosystem": "Go", "name": "github.com/containers/buildah" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "1.25.0" } ] } ] } ], "references": [ { "type": "WEB", "url": "https://github.com/containers/buildah/commit/..." }, { "type": "PACKAGE", "url": "https://github.com/containers/buildah" } ]}Data sources
This infrastructure serves as an aggregator of vulnerability databases that have adopted theOSV schema, includingGitHub Security Advisories,PyPA,RustSec, andGlobal Security Database, and more.
Use the API
An easy-to-use API is available to query for all known vulnerabilities by either a commit hash, or a package version.
Query by commit hash
curl -d \ '{"commit": "6879efc2c1596d11a6a6ad296f80063b558d5e0f"}' \ "https://api.osv.dev/v1/query"Query by version number
curl -d \ '{"version": "2.4.1", "package": {"name": "jinja2", "ecosystem": "PyPI"}}' \ "https://api.osv.dev/v1/query"Vulnerability Scanner
Install OSV‑Scanner
go install github.com/google/osv-scanner/cmd/osv-scanner@v1
Scan SBOM or Lockfiles
osv-scanner --sbom=cycloned-or-spdx-sbom.jsonosv-scanner --lockfile=package-lock.json
Scan directory recursively
osv-scanner -r path/to/your/project
Remediation Tools
Guided Remediation (basic)
osv-scanner fix --non-interactive --strategy=in-place -L path/to/package-lock.jsonosv-scanner fix --non-interactive --strategy=relock -M path/to/package.json -L path/to/package-lock.json
Guided Remediation (interactive)
osv-scanner fix -M path/to/package.json -L path/to/package-lock.json
GitHub Workflows
OSV-Scanner also provides reusable GitHub workflows that can be easily integrated into CI/CD pipelines to provide continuous vulnerability scanning coverage. This can scan newly added dependencies in pull requests for introduced vulnerabilities, as well as perform regular vulnerability scans for the entire project.
Open source
This project isopen source. If you have any ideas or questions, please feel free to reach out bycreating an issue!