OSV, a project by Google, collects vulnerabilities in open source projects from various sources and publishes them in the Open Source Vulnerability format. We regularly pull and process the data published by OSV and add it to our database, correlating OSV data with CVEs. This gives users access to additional information about CVEs, for example Debian or GitHub advisories, malware data and much more.

OSV data also includes items without CVEs, such as malware, issues discovered by fuzzing etc.

Additionally, OSV data is grouped by ecosystem (e.g. Maven, npm, etc.) and package name. Unlike CVEs, OSV does not use CPEs to provide affected product and version information. Using package names allows OSV data to be used for scanning SBOMs or lockfiles.
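An added example, not code from this site or from the OSV project, showing how ecosystem and package-name keys let pinned lockfile versions be matched against OSV-format records, including one without a CVE. All record IDs, package names and versions are constructed, and plain dotted numeric versions are assumed.

```python
from collections import defaultdict

# Constructed OSV-format records (IDs, packages and versions are made up).
OSV_RECORDS = [
    {"id": "EXAMPLE-2024-0001", "aliases": ["CVE-XXXX-NNNNN"],  # placeholder alias
     "affected": [{"package": {"ecosystem": "npm", "name": "example-parser"},
                   "ranges": [{"type": "SEMVER", "events": [
                       {"introduced": "0"}, {"fixed": "1.4.2"},
                       {"introduced": "2.0.0"}, {"fixed": "2.1.0"}]}]}]},
    # No CVE alias: e.g. a malicious-package report listing exact versions.
    {"id": "EXAMPLE-MAL-0002", "aliases": [],
     "affected": [{"package": {"ecosystem": "PyPI", "name": "example-typosquat"},
                   "versions": ["0.0.1", "0.0.2"]}]},
]

def vkey(version):
    # Assumption: dotted numeric versions; real ecosystems need their own ordering.
    return tuple(int(part) for part in version.split("."))

def in_range(version, events):
    """Walk range events in order: 'introduced' opens a window, 'fixed' closes it."""
    affected = False
    for event in events:
        if "introduced" in event and vkey(version) >= vkey(event["introduced"]):
            affected = True
        elif "fixed" in event and vkey(version) >= vkey(event["fixed"]):
            affected = False
    return affected

def scan(lock_entries, records):
    # Index records by (ecosystem, package name): the key used instead of a CPE.
    index = defaultdict(list)
    for rec in records:
        for aff in rec.get("affected", []):
            pkg = aff["package"]
            index[(pkg["ecosystem"], pkg["name"])].append((rec, aff))
    findings = []
    for eco, name, version in lock_entries:
        for rec, aff in index.get((eco, name), []):
            if version in aff.get("versions", []) or any(
                    in_range(version, r["events"]) for r in aff.get("ranges", [])):
                findings.append((eco, name, version, rec["id"], rec["aliases"]))
    return findings

# Constructed lockfile entries: (ecosystem, package name, pinned version).
LOCK = [("npm", "example-parser", "1.4.1"), ("npm", "example-parser", "1.4.2"),
        ("npm", "example-parser", "2.0.5"), ("PyPI", "example-typosquat", "0.0.2"),
        ("PyPI", "example-parser", "1.0.0")]  # same name, other ecosystem: no match
```

The same package name in a different ecosystem does not match, which is why the ecosystem is part of the lookup key.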

OSV provides data for the following ecosystems:

  • Go
  • Maven (Java)
  • NuGet (.NET)
  • npm (JavaScript)
  • Packagist (PHP)
  • PyPI (Python)
  • RubyGems (Ruby)
  • (Rust)
  • OSS-Fuzz
  • GSD
  • GitHub Actions
  • Pub (Dart & Flutter)
  • Hackage (Haskell)
  • Hex (Erlang)
  • R (CRAN)
  • OpenSSF Malicious Packages
  • Android security bulletins
  • Linux Kernel vulnerabilities by Global Security Database project
  • Debian
  • Alpine
  • AlmaLinux
  • Rocky Linux
  • Bitnami