Data sources
Current data sources
This is an ongoing project. We encourage open source ecosystems to adopt the Open Source Vulnerability format to enable open source users to easily aggregate and consume vulnerabilities across all ecosystems. See our blog post for more details.
The following ecosystems have vulnerabilities encoded in this format:
- GitHub Advisory Database (CC-BY 4.0)
- PyPI Advisory Database (CC-BY 4.0)
- Go Vulnerability Database (CC-BY 4.0)
- Rust Advisory Database (CC0 1.0)
- Global Security Database (CC0 1.0)
- OSS-Fuzz (CC-BY 4.0)
- Rocky Linux (BSD)
- AlmaLinux (MIT)
- Haskell Security Advisories (CC0 1.0)
- RConsortium Advisory Database (Apache 2.0)
- OpenSSF Malicious Packages (Apache 2.0)
- Python Software Foundation Database (CC-BY 4.0)
- Bitnami Vulnerability Database (Apache 2.0)
- Haskell Security Advisory DB (CC0 1.0)
- Ubuntu (GPL v3)
Converted data
Additionally, the OSV.dev team maintains a conversion pipeline for:
- Debian Security Advisories, using the conversion tools here.
- Alpine SecDB, using the conversion tools here.
- NVD CVEs for open source software, using the conversion tools here.
Covered Ecosystems
Between the data served natively in OSV and the data converted to OSV, the following ecosystems are covered.
- AlmaLinux
- Alpine
- Android
- Bitnami
- crates.io
- Curl
- Debian GNU/Linux
- Git (including C/C++)
- GitHub Actions
- Go
- Haskell
- Hex
- Linux kernel
- Maven
- npm
- NuGet
- OSS-Fuzz
- Packagist
- Pub
- PyPI
- Python
- R (CRAN and Bioconductor)
- Rocky Linux
- RubyGems
- SwiftURL
- Ubuntu OS
Data Quality
The quality of the data in OSV.dev is very important to us. The minimum quality bar for OSV records acceptable for import is documented here.
Data dumps
For convenience, these sources are aggregated and continuously exported to a GCS bucket maintained by OSV: gs://osv-vulnerabilities
This bucket contains individual entries of the format gs://osv-vulnerabilities/<ECOSYSTEM>/<ID>.json, as well as a zip containing all vulnerabilities for each ecosystem at gs://osv-vulnerabilities/<ECOSYSTEM>/all.zip.
E.g. for PyPI vulnerabilities:
# Or download over HTTP via https://osv-vulnerabilities.storage.googleapis.com/PyPI/all.zip
gsutil cp gs://osv-vulnerabilities/PyPI/all.zip .
Some ecosystems contain a : separator in the name (e.g. Alpine:v3.17). For these ecosystems, the data dump will always contain an ecosystem directory without the :.* suffix (e.g. Alpine). This directory contains all the advisories of the ecosystems with the same prefix (e.g. all Alpine:.* advisories).
A list of all current ecosystems is available at gs://osv-vulnerabilities/ecosystems.txt
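As an added example (not OSV.dev's own tooling), the snippet below maps an ecosystem name to its dump directory following the prefix rule above, builds the HTTP download URL for all.zip, and reads the <ID>.json records back out of the archive, narrowing a prefix directory such as Alpine down to one release by matching the affected[].package.ecosystem field of the OSV schema. The sample_dump() archive and its EXAMPLE-* record IDs are constructed stand-ins so the parsing runs offline.

```python
import io
import json
import zipfile
from typing import Optional
from urllib.request import urlopen

# HTTP mirror of the gs://osv-vulnerabilities bucket (URL from the page).
HTTP_BASE = "https://osv-vulnerabilities.storage.googleapis.com"

def dump_directory(ecosystem: str) -> str:
    """'Alpine:v3.17' -> 'Alpine': the dump only has a directory for the
    part before ':', and that directory holds every 'Alpine:.*' advisory."""
    return ecosystem.split(":", 1)[0]

def dump_url(ecosystem: str) -> str:
    """URL of the all.zip dump that contains the given ecosystem."""
    return f"{HTTP_BASE}/{dump_directory(ecosystem)}/all.zip"

def fetch_dump(ecosystem: str) -> bytes:
    """Download all.zip for the ecosystem's prefix directory (needs network)."""
    with urlopen(dump_url(ecosystem)) as resp:
        return resp.read()

def load_records(zip_bytes: bytes, ecosystem: Optional[str] = None) -> list:
    """Parse every <ID>.json in all.zip; with a full name such as 'Alpine:v3.17',
    keep only records whose affected[].package.ecosystem matches it."""
    records = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".json"):
                continue
            rec = json.loads(zf.read(name))
            found = {a.get("package", {}).get("ecosystem")
                     for a in rec.get("affected", [])}
            if ecosystem is None or ecosystem in found:
                records.append(rec)
    return records

def sample_dump() -> bytes:
    """Constructed stand-in for Alpine/all.zip: two hypothetical records."""
    recs = [
        {"id": "EXAMPLE-0001", "affected": [
            {"package": {"ecosystem": "Alpine:v3.17", "name": "pkg-a"}}]},
        {"id": "EXAMPLE-0002", "affected": [
            {"package": {"ecosystem": "Alpine:v3.18", "name": "pkg-b"}}]},
    ]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for rec in recs:
            zf.writestr(f"{rec['id']}.json", json.dumps(rec))
    return buf.getvalue()
```

Against the live bucket, `load_records(fetch_dump("Alpine:v3.17"), "Alpine:v3.17")` performs the same narrowing on the real Alpine/all.zip.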
Contributing Data
If you work with a project such as a Linux distribution and would like to contribute your security advisories, please follow the steps outlined in CONTRIBUTING.md.
Data can be supplied either through a public Git repository, a public GCS bucket or to REST API endpoints.