Output

Explanation of output data

For every vulnerability found, OSV-Scanner will display the following information:

  • OSV URL: Link to the osv.dev entry for the vulnerability
  • CVSS: CVSS v2 or v3, calculated from the severity[].score field.
  • Ecosystem: Ecosystem associated with the package
  • Package: Package name
  • Version: Package version
  • Source: Path to the SBOM or lockfile where the package originated

Output formats

You can control the format used by the scanner to output results with the --format flag.

Table (Default)

The default format, which outputs the results as a human-readable table.

osv-scanner --format table your/project/dir
Sample table output
╭─────────────────────────────────────┬──────┬───────────┬──────────────────────────┬─────────┬────────────────────╮
│ OSV URL                             │ CVSS │ ECOSYSTEM │  PACKAGE                 │ VERSION │ SOURCE             │
├─────────────────────────────────────┼──────┼───────────┼──────────────────────────┼─────────┼────────────────────┤
│ https://osv.dev/GHSA-c3h9-896r-86jm │ 8.6  │ Go        │ github.com/gogo/protobuf │ 1.3.1   │ path/to/go.mod     │
│ https://osv.dev/GHSA-m5pq-gvj9-9vr8 │ 7.5  │ crates.io │ regex                    │ 1.3.1   │ path/to/Cargo.lock │
╰─────────────────────────────────────┴──────┴───────────┴──────────────────────────┴─────────┴────────────────────╯

Markdown Table

osv-scanner --format markdown your/project/dir
Sample markdown output

Raw output:

| OSV URL | CVSS | Ecosystem | Package | Version | Source |
| --- | --- | --- | --- | --- | --- |
| https://osv.dev/GHSA-c3h9-896r-86jm<br/>https://osv.dev/GO-2021-0053 | 8.6 | Go | github.com/gogo/protobuf | 1.3.1 | ../scorecard-check-osv-e2e/go.mod |
| https://osv.dev/GHSA-m5pq-gvj9-9vr8<br/>https://osv.dev/RUSTSEC-2022-0013 | 7.5 | crates.io | regex | 1.5.1 | ../scorecard-check-osv-e2e/sub-rust-project/Cargo.lock |

Rendered:

OSV URL                              CVSS  Ecosystem  Package                   Version  Source
https://osv.dev/GHSA-c3h9-896r-86jm  8.6   Go         github.com/gogo/protobuf  1.3.1    ../scorecard-check-osv-e2e/go.mod
https://osv.dev/GO-2021-0053
https://osv.dev/GHSA-m5pq-gvj9-9vr8  7.5   crates.io  regex                     1.5.1    ../scorecard-check-osv-e2e/sub-rust-project/Cargo.lock
https://osv.dev/RUSTSEC-2022-0013

JSON

osv-scanner --format json your/project/dir

Outputs the results as a JSON object to stdout, with all other output being directed to stderr - this makes it safe to redirect the output to a file with

osv-scanner --format json -L path/to/lockfile > /path/to/file.json
Sample JSON output
{
  "results": [
    {
      "source": {
        "path": "/absolute/path/to/go.mod",
        // One of: lockfile, sbom, git, docker
        "type": "lockfile"
      },
      "packages": [
        {
          "package": {
            "name": "github.com/gogo/protobuf",
            "version": "1.3.1",
            "ecosystem": "Go"
          },
          "vulnerabilities": [
            {
              "id": "GHSA-c3h9-896r-86jm",
              "aliases": ["CVE-2021-3121"]
              // ... Full OSV
            },
            {
              "id": "GO-2021-0053",
              "aliases": ["CVE-2021-3121", "GHSA-c3h9-896r-86jm"]
              // ... Full OSV
            }
          ],
          // Grouping based on aliases: if two vulnerabilities share the same alias, or alias each other,
          // they are considered the same vulnerability and are grouped here under the "ids" field.
          "groups": [
            {
              "ids": ["GHSA-c3h9-896r-86jm", "GO-2021-0053"],
              // Call stack analysis is done using the `--experimental-call-analysis` flag
              // and result is matched against data provided by the advisory to check if
              // affected code is actually being executed.
              "experimentalAnalysis": {
                "GO-2021-0053": {
                  "called": false
                }
              }
            }
          ]
        }
      ]
    },
    {
      "source": {
        "path": "/absolute/path/to/Cargo.lock",
        "type": "lockfile"
      },
      "packages": [
        {
          "package": {
            "name": "regex",
            "version": "1.5.1",
            "ecosystem": "crates.io"
          },
          "vulnerabilities": [
            {
              "id": "GHSA-m5pq-gvj9-9vr8",
              "aliases": ["CVE-2022-24713"]
              // ... Full OSV
            },
            {
              "id": "RUSTSEC-2022-0013",
              "aliases": ["CVE-2022-24713"]
              // ... Full OSV
            }
          ],
          "groups": [
            {
              "ids": ["GHSA-m5pq-gvj9-9vr8", "RUSTSEC-2022-0013"]
            }
          ]
        }
      ]
    }
  ]
}

SARIF

osv-scanner --format sarif your/project/dir

Outputs the result in the SARIF v2.1.0 format. Each vulnerability (grouped by aliases) is a separate rule, and each package containing a vulnerable dependency is a rule violation. The help text within the SARIF report contains detailed information about the vulnerability and remediation instructions for how to resolve it.

Sample SARIF output
{
  "version": "2.1.0",
  "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
  "runs": [
    {
      "tool": {
        "driver": {
          "informationUri": "https://github.com/google/osv-scanner",
          "name": "osv-scanner",
          "rules": [
            {
              "id": "CVE-2022-24713",
              "shortDescription": {
                "text": "CVE-2022-24713: <advisory summary>"
              },
              "fullDescription": {
                "text": "<Full advisory details>...",
                "markdown": "<Full advisory details>..."
              },
              // Deprecated IDs field contains all alias IDs
              "deprecatedIds": [
                "CVE-2022-24713",
                "RUSTSEC-2022-0013",
                "GHSA-m5pq-gvj9-9vr8"
              ],
              "help": {
                "text": "<Markdown help text>...",
                "markdown": "<Markdown help text>..."
              }
            }
          ],
          "version": "1.4.1"
        }
      },
      "artifacts": [
        {
          "location": {
            "uri": "file:///path/to/sub-rust-project/Cargo.lock"
          },
          "length": -1
        }
      ],
      "results": [
        {
          "ruleId": "CVE-2022-24713",
          "ruleIndex": 0,
          "level": "warning",
          "message": {
            "text": "Package 'regex@1.5.1' is vulnerable to 'CVE-2022-24713' (also known as 'RUSTSEC-2022-0013', 'GHSA-m5pq-gvj9-9vr8')."
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "file:///path/to/sub-rust-project/Cargo.lock"
                }
              }
            }
          ]
        }
      ]
    }
  ]
}
Sample SARIF Help Text

Your dependency is vulnerable to CVE-2022-24713 (Also published as: RUSTSEC-2022-0013, GHSA-m5pq-gvj9-9vr8, ).

RUSTSEC-2022-0013

Details > Full advisory details...

GHSA-m5pq-gvj9-9vr8

Details > Full advisory details...

Affected Packages

Source                                     Package Name  Package Version
lockfile:/path/to/rust-project/Cargo.lock  regex         1.5.1

Remediation

To fix these vulnerabilities, update the vulnerabilities past the listed fixed versions below.

Fixed Versions

Vulnerability ID     Package Name  Fixed Version
GHSA-m5pq-gvj9-9vr8  regex         1.5.5
RUSTSEC-2022-0013    regex         1.5.5

If you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an osv-scanner.toml file located in the same directory as the lockfile containing the vulnerable dependency.

See the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/

Add or append these values to the following config files to ignore this vulnerability:

/path/to/rust-project/osv-scanner.toml

[[IgnoredVulns]]
id = "CVE-2022-24713"
reason = "Your reason for ignoring this vulnerability"
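Because the SARIF rule id is one alias of a vulnerability group and deprecatedIds carries the rest, anything downstream that matches results against a list of ids should compare against every alias rather than ruleId alone. The script below is an added example, not part of osv-scanner; it reads only the SARIF fields shown in the sample above, and the accepted-risk list it consults is a hypothetical downstream list, distinct from the osv-scanner.toml ignore mechanism described in the help text.

```python
"""Alias-aware triage of osv-scanner SARIF results (added example, not part
of osv-scanner). Uses only the SARIF fields shown in the documentation:
runs[].tool.driver.rules[] (id, deprecatedIds) and runs[].results[]
(ruleId, ruleIndex, message.text, locations[].physicalLocation.artifactLocation.uri).
The accepted-risk list is a hypothetical downstream list of ids.
"""
import json

# Constructed sample, trimmed from the documented SARIF output above.
SAMPLE_SARIF = json.dumps({"version": "2.1.0", "runs": [{
    "tool": {"driver": {"name": "osv-scanner", "rules": [{
        "id": "CVE-2022-24713",
        "shortDescription": {"text": "CVE-2022-24713: <advisory summary>"},
        "deprecatedIds": ["CVE-2022-24713", "RUSTSEC-2022-0013", "GHSA-m5pq-gvj9-9vr8"],
    }]}},
    "results": [{
        "ruleId": "CVE-2022-24713", "ruleIndex": 0, "level": "warning",
        "message": {"text": "Package 'regex@1.5.1' is vulnerable to 'CVE-2022-24713' "
                            "(also known as 'RUSTSEC-2022-0013', 'GHSA-m5pq-gvj9-9vr8')."},
        "locations": [{"physicalLocation": {"artifactLocation": {
            "uri": "file:///path/to/sub-rust-project/Cargo.lock"}}}],
    }],
}]})


def rule_aliases(rule):
    """Every id a rule is known by: its ruleId plus the deprecatedIds aliases."""
    return frozenset([rule["id"], *rule.get("deprecatedIds", [])])


def triage(sarif_json, accepted):
    """Split results into (open, accepted) by matching any alias of the rule.

    The tool picks one alias (here the CVE) as ruleId, so a list entry written
    as the GHSA or RUSTSEC id would be missed by a plain ruleId comparison.
    Each entry is (ruleId, sorted aliases, artifact uri, message text).
    """
    accepted = set(accepted)
    open_, done = [], []
    for run in json.loads(sarif_json)["runs"]:
        rules = run["tool"]["driver"]["rules"]
        for result in run["results"]:
            rule = rules[result["ruleIndex"]]
            if rule["id"] != result["ruleId"]:
                # ruleIndex and ruleId must agree; a malformed report is not silently triaged
                raise ValueError("ruleIndex does not point at ruleId %s" % result["ruleId"])
            aliases = rule_aliases(rule)
            uri = result["locations"][0]["physicalLocation"]["artifactLocation"]["uri"]
            entry = (rule["id"], sorted(aliases), uri, result["message"]["text"])
            (done if aliases & accepted else open_).append(entry)
    return open_, done


if __name__ == "__main__":
    still_open, accepted_risk = triage(SAMPLE_SARIF, ["GHSA-m5pq-gvj9-9vr8"])
    print("open:", len(still_open), "accepted:", len(accepted_risk))
```

With an accepted-risk entry written as the GHSA id, the sample result is still recognised as covered even though the report names it by its CVE; the ruleIndex/ruleId consistency check is there so that a report whose rules array has been reordered or truncated raises rather than being triaged against the wrong rule.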

Call analysis

With the --experimental-call-analysis flag enabled, call information is included in the output.

Table

In the table output format, call analysis info is used to split the output between vulnerabilities that affect code called by your project and vulnerabilities that only affect code paths your project does not call.

osv-scanner --format table --experimental-call-analysis your/project/dir
Sample table output
╭─────────────────────────────────────┬──────┬───────────┬─────────────────┬─────────┬────────────────────╮
│ OSV URL                             │ CVSS │ ECOSYSTEM │ PACKAGE         │ VERSION │ SOURCE             │
├─────────────────────────────────────┼──────┼───────────┼─────────────────┼─────────┼────────────────────┤
│ https://osv.dev/GHSA-qc84-gqf4-9926 │ 8.1  │ crates.io │ crossbeam-utils │ 0.6.6   │ path/to/Cargo.lock │
│ https://osv.dev/RUSTSEC-2022-0041   │      │           │                 │         │                    │
│ https://osv.dev/GHSA-43w2-9j62-hq99 │ 9.8  │ crates.io │ smallvec        │ 1.6.0   │ path/to/Cargo.lock │
│ https://osv.dev/RUSTSEC-2021-0003   │      │           │                 │         │                    │
├─────────────────────────────────────┼──────┼───────────┼─────────────────┼─────────┼────────────────────┤
│ Uncalled vulnerabilities            │      │           │                 │         │                    │
├─────────────────────────────────────┼──────┼───────────┼─────────────────┼─────────┼────────────────────┤
│ https://osv.dev/GHSA-xcf7-rvmh-g6q4 │      │ crates.io │ openssl         │ 0.10.52 │ path/to/Cargo.lock │
│ https://osv.dev/RUSTSEC-2023-0044   │      │           │                 │         │                    │
╰─────────────────────────────────────┴──────┴───────────┴─────────────────┴─────────┴────────────────────╯

JSON

The JSON output will include analysis results for each vulnerability group.

osv-scanner --format json --experimental-call-analysis -L path/to/lockfile > /path/to/file.json
Sample JSON output
{
  "results": [
    {
      "source": {
        "path": "path/to/Cargo.lock",
        "type": "lockfile"
      },
      "packages": [
        {
          "package": {
            "name": "crossbeam-utils",
            "version": "0.6.6",
            "ecosystem": "crates.io"
          },
          "vulnerabilities": [
            {
              "id": "GHSA-qc84-gqf4-9926",
              "aliases": ["CVE-2022-23639"]
              // ... Full OSV
            },
            {
              "id": "RUSTSEC-2022-0041",
              "aliases": ["GHSA-qc84-gqf4-9926", "CVE-2022-23639"]
              // ... Full OSV
            }
          ],
          "groups": [
            {
              // This vuln has no function info, so no call analysis done
              "ids": ["GHSA-qc84-gqf4-9926", "RUSTSEC-2022-0041"]
            }
          ]
        },
        {
          "package": {
            "name": "memoffset",
            "version": "0.5.6",
            "ecosystem": "crates.io"
          },
          "vulnerabilities": [
            {
              "id": "GHSA-wfg4-322g-9vqv"
              // ... Full OSV
            },
            {
              "id": "RUSTSEC-2023-0045",
              "aliases": ["GHSA-wfg4-322g-9vqv"]
              // ... Full OSV
            }
          ],
          "groups": [
            {
              "ids": ["GHSA-wfg4-322g-9vqv", "RUSTSEC-2023-0045"],
              // RUSTSEC-2023-0045 has function info, so call analysis is performed:
              // the vulnerable function is not called.
              "experimentalAnalysis": {
                "RUSTSEC-2023-0045": {
                  "called": false
                }
              }
            }
          ]
        },
        {
          "package": {
            "name": "smallvec",
            "version": "1.6.0",
            "ecosystem": "crates.io"
          },
          "vulnerabilities": [
            {
              "id": "GHSA-43w2-9j62-hq99",
              "aliases": ["CVE-2021-25900"]
              // ... Full OSV
            },
            {
              "id": "RUSTSEC-2021-0003",
              "aliases": ["CVE-2021-25900", "GHSA-43w2-9j62-hq99"]
              // ... Full OSV
            }
          ],
          "groups": [
            {
              "ids": ["GHSA-43w2-9j62-hq99", "RUSTSEC-2021-0003"],
              // RUSTSEC-2021-0003 has function info, so call analysis is performed:
              // the vulnerable function is called.
              "experimentalAnalysis": {
                "RUSTSEC-2021-0003": {
                  "called": true
                }
              }
            }
          ]
        }
      ]
    }
  ]
}

Return Codes

Exit Code  Reason
0          Packages were found when scanning, but none match any known vulnerabilities.
1          Packages were found when scanning, and there are vulnerabilities.
1-126      Reserved for vulnerability-result-related errors.
127        General error.
128        No packages found (likely caused by the scanning format not picking up any files to scan).
129-255    Reserved for errors not related to vulnerability results.
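The JSON output, the call-analysis groups and the return-code table above are the pieces a CI gate consumes. The following script is an added example and not part of osv-scanner; it assumes only the field names shown in this page's JSON samples, and the osv-scanner invocation (with the --format json, --experimental-call-analysis and -L flags from this page) happens only in main(), so the helpers run on the constructed sample embedded in the script.

```python
"""CI gate over osv-scanner JSON output and exit codes (added example,
not part of osv-scanner). Relies only on the documented field names:
results[].source.path, packages[].package{name,version}, groups[].ids and
the optional groups[].experimentalAnalysis{<id>: {"called": bool}}.
The osv-scanner binary is invoked only from main(); every helper runs
offline on the constructed sample below.
"""
import json
import subprocess
import sys
from collections import namedtuple

# Constructed sample: a trimmed copy of the call-analysis JSON shown above.
SAMPLE_REPORT = json.dumps({"results": [{
    "source": {"path": "path/to/Cargo.lock", "type": "lockfile"},
    "packages": [
        {"package": {"name": "crossbeam-utils", "version": "0.6.6"},
         "groups": [{"ids": ["GHSA-qc84-gqf4-9926", "RUSTSEC-2022-0041"]}]},
        {"package": {"name": "memoffset", "version": "0.5.6"},
         "groups": [{"ids": ["GHSA-wfg4-322g-9vqv", "RUSTSEC-2023-0045"],
                     "experimentalAnalysis": {"RUSTSEC-2023-0045": {"called": False}}}]},
        {"package": {"name": "smallvec", "version": "1.6.0"},
         "groups": [{"ids": ["GHSA-43w2-9j62-hq99", "RUSTSEC-2021-0003"],
                     "experimentalAnalysis": {"RUSTSEC-2021-0003": {"called": True}}}]},
    ]}]})

# status is "called", "uncalled" or "unknown" (no call analysis available)
Finding = namedtuple("Finding", "source package version ids status")


def classify_group(group):
    """Return "unknown" when no analysis ran (advisory has no function info),
    "called" if any analysed advisory reports called=true, else "uncalled"."""
    analysis = group.get("experimentalAnalysis") or {}
    if not analysis:
        return "unknown"
    if any(entry.get("called") for entry in analysis.values()):
        return "called"
    return "uncalled"


def findings(report_json):
    """Flatten the report into one Finding per vulnerability group."""
    out = []
    for result in json.loads(report_json).get("results", []):
        source = result["source"]["path"]
        for pkg in result.get("packages", []):
            meta = pkg["package"]
            for group in pkg.get("groups", []):
                out.append(Finding(source, meta["name"], meta["version"],
                                   tuple(group["ids"]), classify_group(group)))
    return out


def gate(report_json):
    """Return ("pass" | "fail", actionable findings). Groups without call
    analysis stay actionable: no evidence of reachability is not evidence
    of unreachability."""
    actionable = [f for f in findings(report_json) if f.status != "uncalled"]
    return ("fail" if actionable else "pass"), actionable


def interpret_exit_code(code):
    """Map an exit code onto the ranges in the Return Codes table."""
    if code == 0:
        return "clean"
    if code == 1:
        return "vulnerable"
    if 1 < code <= 126:
        return "result-error"
    if code == 127:
        return "general-error"
    if code == 128:
        return "no-packages"
    if 129 <= code <= 255:
        return "scan-error"
    raise ValueError("unexpected exit code %r" % code)


def main(lockfile):
    proc = subprocess.run(
        ["osv-scanner", "--format", "json", "--experimental-call-analysis", "-L", lockfile],
        capture_output=True, text=True)
    kind = interpret_exit_code(proc.returncode)
    if kind not in ("clean", "vulnerable"):
        # 128 means nothing was scanned; a silent no-op must not pass the build.
        sys.stderr.write("osv-scanner %s (exit %d)\n%s" % (kind, proc.returncode, proc.stderr))
        return 2
    decision, actionable = gate(proc.stdout)  # JSON is on stdout, diagnostics on stderr
    for f in actionable:
        print("%-8s %s@%s %s (%s)" % (f.status, f.package, f.version, ",".join(f.ids), f.source))
    return 0 if decision == "pass" else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv[1] if len(sys.argv) > 1 else "Cargo.lock"))
```

Run it as python gate.py path/to/Cargo.lock. Two choices matter: a group with no experimentalAnalysis entry is kept actionable, matching the table output, which lists such groups above the "Uncalled vulnerabilities" divider; and exit code 128 fails the build instead of passing it, because a scan that matched no files has verified nothing.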