OSV is a distributed database and aggregator of open-source security advisories that uses a standardized vulnerability schema to track security flaws. It functions as a system for collecting and normalizing security data from diverse ecosystems into a single unified format, providing a web API for querying package vulnerabilities and submitting standardized records.
The main features of google/osv.dev are: Vulnerability Aggregators, Ecosystem Normalizers, Dataset Distribution Services, Data Normalization, Schema-Driven Data Normalizers, External Data Ingestion, Vulnerability Detail Retrievals, CVE Vulnerability Search Engines.
Open-source alternatives to google/osv.dev include: cve-search/cve-search — cve-search is a vulnerability search engine and database manager designed to index, synchronize, and query CVE and CPE… dependencytrack/dependency-track — Dependency-Track is a software composition analysis tool and vulnerability management system designed to track… wpscanteam/wpscan — WPScan is a security analysis utility and vulnerability scanner designed specifically for auditing WordPress… future-architect/vuls — Vuls is an agentless vulnerability scanner and CVE intelligence aggregator. It identifies security flaws in operating… strozfriedberg/windows-exploit-suggester — Windows-Exploit-Suggester is a security analysis tool designed to audit patch levels and identify vulnerabilities on… infobyte/faraday — Faraday is a vulnerability management platform and security tool aggregator designed to centralize security findings…
cve-search is a vulnerability search engine and database manager designed to index, synchronize, and query CVE and CPE security vulnerability data. It functions as a security data warehouse that imports vulnerability feeds into a local database to enable fast, keyword-based discovery of security flaws. The project provides a web-based vulnerability browser and a programmatic JSON API for retrieving records and risk scores. It utilizes full-text indexing for vulnerability descriptions and implements an identity-verified security portal using the OpenID Connect standard for user authentication.
Dependency-Track is a software composition analysis tool and vulnerability management system designed to track dependencies and supply chain risk. It functions as a platform for ingesting and analyzing CycloneDX software bills of materials to identify known vulnerabilities and license compliance issues within third-party software components. The system distinguishes itself by mirroring external vulnerability databases locally to enable fast offline analysis and using VEX documents to differentiate between technical vulnerabilities and actual contextual risks. It also integrates with identity
WPScan is a security analysis utility and vulnerability scanner designed specifically for auditing WordPress installations and other content management systems. It functions as a web application security tool that identifies misconfigurations, outdated software, and security holes in core installations, plugins, and themes. The tool employs black-box scanning techniques to perform site component enumeration, identifying users, themes, and plugins by matching known file paths and response signatures. It matches these detected components against a database of known security flaws to analyze the
Vuls is an agentless vulnerability scanner and CVE intelligence aggregator. It identifies security flaws in operating systems, containers, and network devices without requiring the installation of permanent software agents on target machines. The project distinguishes itself by cross-referencing software versions against multiple vulnerability databases, security advisories, and known exploit catalogs. It utilizes platform-based enumeration and lockfile analysis to detect vulnerabilities in network hardware, programming libraries, and website plugins. The tool covers a broad range of securit