This is an ongoing project. We encourage open source ecosystems to adopt the Open Source Vulnerability format to enable open source users to easily aggregate and consume vulnerabilities across all ecosystems. See our blog post for more details.
The following ecosystems have vulnerabilities encoded in this format:
- GitHub Advisory Database (CC-BY 4.0)
- PyPI Advisory Database (CC-BY 4.0)
- Go Vulnerability Database (CC-BY 4.0)
- Rust Advisory Database (CC0 1.0)
- Global Security Database (CC0 1.0)
- OSS-Fuzz (CC-BY 4.0)
- Rocky Linux (BSD)
- AlmaLinux (MIT)
- Haskell Security Advisories (CC0 1.0)
- RConsortium Advisory Database (Apache 2.0)
- Python Software Foundation Database (CC-BY 4.0)
Additionally, the OSV.dev team maintains a conversion pipeline for:
- Debian Security Advisories, using the conversion tools here.
- Alpine SecDB, using the conversion tools here.
Between the data served in OSV and the data converted to OSV, the following ecosystems are covered:
- Debian GNU/Linux
- GitHub Actions
- Linux kernel
- R (CRAN and Bioconductor)
- Rocky Linux
For convenience, these sources are aggregated and continuously exported to a GCS bucket maintained by OSV:
This bucket contains individual entries of the format
gs://osv-vulnerabilities/<ECOSYSTEM>/<ID>.json as well as a zip containing all vulnerabilities for each ecosystem at
E.g. for PyPI vulnerabilities:
    # Or download over HTTP via https://osv-vulnerabilities.storage.googleapis.com/PyPI/all.zip
    gsutil cp gs://osv-vulnerabilities/PyPI/all.zip .
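Once a per-ecosystem zip is downloaded, pinned dependencies can be checked against it offline. The sketch below is an added example, not OSV's own tooling. It assumes each zip member is one JSON record following the OSV schema (`id`, `withdrawn`, `affected[].package`, `affected[].versions`), and it matches only the enumerated `versions` list, not `ranges`. The size cap, the helper names and the sample records are constructed for illustration.

```python
import io, json, re, zipfile
from collections import defaultdict

MAX_MEMBER_BYTES = 5 * 1024 * 1024  # assumed per-record cap for untrusted archives
def normalize(name):
    """PEP 503 normalization, so 'Demo_Pkg' and 'demo.pkg' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()

def load_export(fileobj):
    """Yield OSV records from an all.zip, in memory, without extracting to disk."""
    with zipfile.ZipFile(fileobj) as zf:
        for info in zf.infolist():
            if not info.filename.endswith(".json") or info.file_size > MAX_MEMBER_BYTES:
                continue
            try:
                yield json.loads(zf.read(info))
            except ValueError:  # malformed JSON or bad encoding: skip, keep scanning
                continue

def build_index(records, ecosystem="PyPI"):
    """Map (package, version) -> advisory IDs, ignoring withdrawn records."""
    index = defaultdict(set)
    for rec in records:
        if not isinstance(rec, dict) or "id" not in rec or rec.get("withdrawn"):
            continue
        for aff in rec.get("affected", []):
            pkg = aff.get("package", {})
            if pkg.get("ecosystem") != ecosystem:
                continue
            for version in aff.get("versions", []):
                index[(normalize(pkg.get("name", "")), version)].add(rec["id"])
    return index

def audit(pins, index):
    """Return {(name, version): [IDs]} for pinned dependencies with a match."""
    keyed = {pin: index.get((normalize(pin[0]), pin[1])) for pin in pins}
    return {pin: sorted(ids) for pin, ids in keyed.items() if ids}

def constructed_export():
    """Constructed stand-in for PyPI/all.zip; IDs and package names are made up."""
    def rec(rid, name, **extra):
        pkg = {"ecosystem": "PyPI", "name": name}
        return json.dumps({"id": rid, "affected": [{"package": pkg, "versions": ["1.0.1"]}], **extra})
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("EXAMPLE-0001.json", rec("EXAMPLE-0001", "Demo_Pkg"))
        zf.writestr("EXAMPLE-0002.json", rec("EXAMPLE-0002", "demo-pkg", withdrawn="2024-01-01T00:00:00Z"))
        zf.writestr("broken.json", "{not json")
    return io.BytesIO(buf.getvalue())
```

For a real run, pass `open("all.zip", "rb")` to `load_export` in place of `constructed_export()`.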
A list of all current ecosystems is available at