Data sources

Current data sources

This is an ongoing project.
We encourage open source ecosystems to adopt the OpenSSF Vulnerability format to enable open source users to easily aggregate and consume vulnerabilities across all ecosystems. See our blog post for more details.

The following ecosystems have vulnerabilities encoded in this format:

Converted data

Additionally, the team maintains a conversion pipeline for:

Covered Ecosystems

Between the data served in OSV and the data converted to OSV, the following ecosystems are covered:

  • AlmaLinux
  • Alpine
  • Android
  • Debian GNU/Linux
  • GitHub Actions
  • Go
  • Hex
  • Linux kernel
  • Maven
  • npm
  • NuGet
  • OSS-Fuzz
  • Packagist
  • Pub
  • PyPI
  • Rocky Linux
  • RubyGems

Data dumps

For convenience, these sources are aggregated and continuously exported to a GCS bucket maintained by OSV: gs://osv-vulnerabilities

This bucket contains individual entries of the format gs://osv-vulnerabilities/<ECOSYSTEM>/<ID>.json as well as a zip containing all vulnerabilities for each ecosystem at gs://osv-vulnerabilities/<ECOSYSTEM>/

E.g. for PyPI vulnerabilities:

# Or download over HTTP via
gsutil cp gs://osv-vulnerabilities/PyPI/ .

A list of all current ecosystems is available at gs://
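
One way to consume a downloaded per-ecosystem zip offline, as an added example that is not OSV's own code: it indexes each <ID>.json record by package and reports which records list a pinned version as affected. It assumes the zip holds the records as flat <ID>.json members and matches only the OSV schema's enumerated affected[].versions list (ranges are ignored); the EXAMPLE-* records and package names are constructed.

```python
import io
import json
import zipfile
from collections import defaultdict


def load_dump(zip_bytes):
    """Index every <ID>.json record in a per-ecosystem zip by (ecosystem, package)."""
    index = defaultdict(list)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".json"):
                continue
            try:
                record = json.loads(zf.read(name))
            except ValueError:
                continue  # skip a corrupt member instead of aborting the import
            for affected in record.get("affected", []):
                pkg = affected.get("package", {})
                key = (pkg.get("ecosystem"), pkg.get("name", "").lower())
                index[key].append((record["id"], set(affected.get("versions", []))))
    return index


def match(index, ecosystem, name, version):
    """Return sorted IDs of records that list this exact version as affected."""
    entries = index.get((ecosystem, name.lower()), [])
    return sorted({vid for vid, versions in entries if version in versions})


def build_sample_dump():
    """Constructed sample: two made-up records plus one corrupt member."""
    records = [
        {"id": "EXAMPLE-0001", "affected": [{"versions": ["1.0.0", "1.0.1"],
         "package": {"ecosystem": "PyPI", "name": "examplepkg"}}]},
        {"id": "EXAMPLE-0002", "affected": [{"versions": ["2.3.0"],
         "package": {"ecosystem": "PyPI", "name": "otherpkg"}}]},
    ]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for rec in records:
            zf.writestr(f"{rec['id']}.json", json.dumps(rec))
        zf.writestr("broken.json", "{not json")
    return buf.getvalue()


if __name__ == "__main__":
    idx = load_dump(build_sample_dump())
    print(match(idx, "PyPI", "ExamplePkg", "1.0.1"))
    print(match(idx, "PyPI", "examplepkg", "1.1.0"))
```

Lower-casing the package name is a simplification of PyPI name normalisation; a production matcher would also evaluate each record's ranges.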