Comprehensive documentation is available here. API documentation is available here.
An instance of OSV's web UI is deployed at https://osv.dev.
We provide a Go based tool that will scan your dependencies, and check them against the OSV database for known vulnerabilities via the OSV API.
Currently it is able to scan various lockfiles, debian docker containers, SPDX and CycloneDB SBOMs, and git repositories.
The scanner is located in its own repository.
This repository contains all the code for running https://osv.dev on GCP. This consists of:
| directory | what |
|---|---|
deployment/ |
Terraform, Cloud Deploy & App Engine config files A few Cloud Build config yamls Old (no longer used?) api-staging and api-test Cloud Run configs |
docker/ |
CI docker files (ci, deployment, terraform) Workers for bisection and impact analysis ( worker, importer, exporter, alias, worker-base) The determine version indexercron/ jobs for database backups and processing oss-fuzz records |
docs/ |
Jekyll files for https://google.github.io/osv.dev/ build_swagger.py and tools.go |
gcp/api |
OSV API server files (including files for the local ESP server) protobuf files in /v1 |
gcp/appengine |
The backend of the osv.dev web interface, with the frontend in frontend3 Blog posts (in blog) App Engine Cron Handlers (to be removed) The datastore indexes file ( index.yaml) |
gcp/functions |
The Cloud Function for publishing PyPI vulnerabilities (maintained, but not developed) |
osv/ |
The core OSV Python library, used in basically all Python services OSV ecosystem package versioning helpers in ecosystems/ Datastore model definitions in models.py |
tools/ |
Misc scripts/tools, mostly intended for development (datastore stuff, linting) The indexer-api-caller for indexer calling |
vulnfeeds/ |
Go module for (mostly) the NVD CVE conversion The Alpine feed converter ( cmd/alpine) The Debian feed converter ( tools/debian, which is written in Python) |
You'll need to check out submodules as well for many local building steps to work:
git submodule update --init --recursiveContributions are welcome!
Learn more about code, data, and documentation contributions. We also have a mailing list.
Do you have a question or a suggestion? Please open an issue.
There are also community tools that use OSV. Note that these are community built tools and as such are not supported or endorsed by the core OSV maintainers. You may wish to consult the OpenSSF's Concise Guide for Evaluating Open Source Software to determine suitability for your use.
- Betterscan.io: Code Scanning/SAST/Static Analysis/Linting using many tools/Scanners with One Report (Code, IaC)
- bomber
- Cortex XSOAR
- dependency-management-data
- Dependency-Track
- dep-scan
- G-Rath/osv-detector: A scanner that uses the OSV database.
- GUAC
- it-depends
- .NET client library and support for the schema
- OSS Review Toolkit
- OSV4k: a Java/Kotlin MPP library for serialization and deserialization of OSV schema
- Packj
- pip-audit
- Renovate
- rosv: an R package to access the OSV database and help administer Posit Package Manager
- Rust client library
- Skjold: Security audit python project dependencies against several security advisory databases
- Trivy
- IronDome: SCA scanner for Ruby applications
- OSV module in x-cmd: A shell CLI for OSV.dev API with osv-scanner integration
Feel free to send a PR to add your project here. We ask that you consider adopting OpenSSF Scorecard for your repo to help boost the security credibility of the project.