osv.dev
→ View on GitHubAI Summary: The OSV.dev tool provides a platform for scanning software dependencies against a comprehensive database of known vulnerabilities. It features a Go-based scanner capable of analyzing various types of lockfiles, Docker containers, SBOMs, and git repositories, while enabling users to access a web UI and APIs for data integration and management. Notably, it includes tools for vulnerability data publishing, bisection, impact analysis, and leverages Google Cloud Platform for deployment and scalability.
README
Documentation
Comprehensive documentation is available here. API documentation is available here.
Data Dump
We have data dumps available from a GCS bucket at gs://osv-vulnerabilities. For more information check out our documentation.
Viewing the web UI
An instance of OSV’s web UI is deployed at https://osv.dev.
Using the scanner
We provide a Go based tool that will scan your dependencies, and check them against the OSV database for known vulnerabilities via the OSV API.
Currently it is able to scan various lockfiles, debian docker containers, SPDX and CycloneDB SBOMs, and git repositories.
The scanner is located in its own repository.
This repository
This repository contains all the code for running https://osv.dev on GCP. This consists of:
| directory | what |
|---|---|
bindings/ | Language bindings for the OSV API (currently Go only) |
deployment/ | Terraform & Cloud Deploy config files A few Cloud Build config yamls |
docker/ | CI docker files (ci, deployment, terraform)worker-base docker image for gcp/workers/worker |
docs/ | Jekyll files for https://google.github.io/osv.dev/build_swagger.py and tools.go |
gcp/api | OSV API server files (including files for the local ESP server) protobuf files in /v1 |
gcp/datastore | The datastore index file (index.yaml) |
gcp/functions | The Cloud Function for publishing PyPI vulnerabilities (maintained, but not developed) |
gcp/indexer | The determine version indexer |
gcp/website | The backend of the osv.dev web interface, with the frontend in frontend3Blog posts (in blog) |
gcp/workers/ | Workers for bisection and impact analysis (worker, importer, alias)cron/ jobs for database backups and processing oss-fuzz records |
go/ | Go module for shared libraries and commands (cmd/exporter, cmd/recordchecker) |
osv/ | The core OSV Python library, used in basically all Python services OSV ecosystem package versioning helpers in ecosystems/Datastore model definitions in models.py |
tools/ | Misc scripts/tools, mostly intended for development (datastore stuff, linting) The indexer-api-caller for indexer calling |
vulnfeeds/ | Go module for (mostly) the NVD CVE conversion The Alpine feed converter ( cmd/alpine)The Debian feed converter ( tools/debian, which is written in Python) |
You’ll need to check out submodules as well for many local building steps to work:
git submodule update --init --recursive
Contributing
Contributions are welcome!
Learn more about code, data, and documentation contributions. We also have a mailing list.
Do you have a question or a suggestion? Please open an issue.
Third party tools and integrations
There are also community tools that use OSV. Note that these are community built tools and as such are not supported or endorsed by the core OSV maintainers. You may wish to consult the OpenSSF’s Concise Guide for Evaluating Open Source Software to determine suitability for your use. Some popular third party tools are: