# google/osv.dev

2,494 stars · 283 forks · Python · apache-2.0

## Links

- GitHub: https://github.com/google/osv.dev
- Homepage: https://osv.dev
- awesome-repositories: https://awesome-repositories.com/repository/google-osv-dev.md

## Topics

`security` `security-tools` `vulnerability` `vulnerability-databases` `vulnerability-management` `vulnerability-scanners`

## Description

OSV is a distributed database and aggregator of open-source security advisories that uses a standardized vulnerability schema to track security flaws. It functions as a system for collecting and normalizing security data from diverse ecosystems into a single unified format, providing a web API for querying package vulnerabilities and submitting standardized records.

The project distinguishes itself through a security advisory distribution service that supports bulk dataset exports via cloud storage buckets and incremental synchronization of security record updates. It also employs sandbox-based impact analysis, using version bisections in isolated containers to determine the exact range of affected software versions.

The system provides capabilities for software dependency scanning, allowing users to identify known flaws by mapping project versions and commit hashes against the vulnerability database. It includes tools for batch package querying, library version identification, and vulnerability record validation to ensure data integrity.

The project also provides auditing utilities to identify and report ingestion failures and data integrity issues during the import process.

## Tags

### Security & Cryptography

- [Vulnerability Aggregators](https://awesome-repositories.com/f/security-cryptography/vulnerability-aggregators.md) — Functions as a centralized aggregator that collects and normalizes security data from various open-source ecosystems.
- [Ecosystem Normalizers](https://awesome-repositories.com/f/security-cryptography/vulnerability-scanning/vulnerability-aggregator-synchronizers/ecosystem-normalizers.md) — Functions as a centralized system that collects and normalizes security data from diverse ecosystems into a unified format.
- [Vulnerability Detail Retrievals](https://awesome-repositories.com/f/security-cryptography/cve-vulnerability-aggregators/vulnerability-detail-retrievals.md) — Fetches comprehensive information about a specific vulnerability using its unique identifier. ([source](https://google.github.io/osv.dev/api/))
- [CVE Vulnerability Search Engines](https://awesome-repositories.com/f/security-cryptography/cve-vulnerability-search-engines.md) — Provides a searchable distributed aggregator of open-source vulnerability databases to identify risks in dependencies. ([source](https://google.github.io/osv.dev))
- [Dependency Vulnerability Scanners](https://awesome-repositories.com/f/security-cryptography/dependency-vulnerability-scanners.md) — Provides tools for identifying known security flaws in project dependencies by cross-referencing versions against a vulnerability database.
- [Dependency Vulnerability Scanning](https://awesome-repositories.com/f/security-cryptography/security-auditing/dependency-vulnerability-scanning.md) — Checks software dependencies and lockfiles against a distributed database to identify known security flaws.
- [Vulnerability Database Management](https://awesome-repositories.com/f/security-cryptography/security/offensive-operations/vulnerability-research-analysis/research-reference-knowledge/vulnerability-database-management.md) — Provides systems for synchronizing and maintaining local copies of security metadata through bulk exports and incremental updates.
- [Vulnerability Databases](https://awesome-repositories.com/f/security-cryptography/security/offensive-operations/vulnerability-research-analysis/research-reference-knowledge/vulnerability-databases.md) — Provides a system for submitting vulnerability information to a database via web API to keep security data current. ([source](https://google.github.io/osv.dev/data/new/rest-api))
- [Vulnerability Data Query Engines](https://awesome-repositories.com/f/security-cryptography/security/offensive-operations/vulnerability-research-analysis/research-reference-knowledge/vulnerability-databases/vulnerability-data-query-engines.md) — Determines if a specific software version or commit is affected by a vulnerability using precise version ranges and identifiers. ([source](https://google.github.io/osv.dev/data_quality.html))
- [Vulnerability Analysis Tools](https://awesome-repositories.com/f/security-cryptography/vulnerability-analysis-tools.md) — Executes bisections and impact analysis tasks in sandboxed containers to determine the scope of software vulnerabilities. ([source](https://google.github.io/osv.dev/architecture/))
- [Affected Version Bisections](https://awesome-repositories.com/f/security-cryptography/vulnerability-analysis/affected-version-bisections.md) — Determines the exact range of affected software versions using bisection and version analysis. ([source](https://google.github.io/osv.dev))
- [Vulnerability Contributions](https://awesome-repositories.com/f/security-cryptography/vulnerability-contributions.md) — Supports the submission and validation of new vulnerability records via API to keep open source security data current.
- [Vulnerability Database APIs](https://awesome-repositories.com/f/security-cryptography/vulnerability-database-apis.md) — Offers a programmatic web interface for querying package vulnerabilities and submitting standardized security records.
- [Vulnerability Data Aggregators](https://awesome-repositories.com/f/security-cryptography/vulnerability-scanning/vulnerability-data-aggregators.md) — Collects and serves security information from multiple sources that follow a standardized open-source vulnerability format. ([source](https://google.github.io/osv.dev/))
- [Vulnerability Data Synchronization](https://awesome-repositories.com/f/security-cryptography/vulnerability-scanning/vulnerability-data-synchronization.md) — Imports security records from public repositories, web APIs, or cloud storage buckets after validating they match a specific schema. ([source](https://google.github.io/osv.dev/data/new))
- [Vulnerability Schema Validations](https://awesome-repositories.com/f/security-cryptography/vulnerability-schema-validations.md) — Provides validation to ensure that vulnerability data conforms to a standardized open-source schema. ([source](https://google.github.io/osv.dev/data_quality.html))

### Part of an Awesome List

- [Dataset Distribution Services](https://awesome-repositories.com/f/awesome-lists/security/security-advisories/advisory-mirrors/dataset-distribution-services.md) — Ships a cloud-based distribution service for bulk vulnerability dataset exports and incremental updates.

### Data & Databases

- [Data Normalization](https://awesome-repositories.com/f/data-databases/data-normalization.md) — Collects and normalizes security advisories from diverse open-source ecosystems and external databases into a single unified format. ([source](https://google.github.io/osv.dev/data/))
- [Schema-Driven Data Normalizers](https://awesome-repositories.com/f/data-databases/data-processing-pipelines/data-processing/data-normalization-schema-enforcement/schema-driven-data-normalizers.md) — Converts diverse security advisories from multiple ecosystems into a single unified format using a standardized open source schema.
- [External Data Ingestion](https://awesome-repositories.com/f/data-databases/external-data-ingestion.md) — Provides web endpoints to ingest vulnerability contributions and updates from external sources to maintain a real-time database.
- [Sandbox-Based Analysis](https://awesome-repositories.com/f/data-databases/data-pipelines/data-quality-monitors/impact-analyzers/code-impact-analysis/sandbox-based-analysis.md) — Runs version bisections and vulnerability tests inside isolated containers to determine the exact range of affected software versions.
- [Bulk Dataset Export](https://awesome-repositories.com/f/data-databases/in-memory-data-stores/columnar-formats/bulk-dataset-export.md) — Exports bulk vulnerability datasets as compressed archives stored in public cloud buckets for high-throughput offline downloading.
- [Incremental Data Synchronization](https://awesome-repositories.com/f/data-databases/incremental-data-synchronization.md) — Tracks modification dates for vulnerability records to allow clients to fetch only new or updated data since a specific point.
- [Vulnerability Datasets](https://awesome-repositories.com/f/data-databases/public-datasets/vulnerability-datasets.md) — Exports the complete vulnerability database or ecosystem-specific subsets as compressed archives via a public cloud bucket. ([source](https://google.github.io/osv.dev/data/))
- [Vulnerability Package Queries](https://awesome-repositories.com/f/data-databases/query-batching/vulnerability-package-queries.md) — Allows retrieving vulnerability IDs and modification dates for a batch of packages in a single request. ([source](https://google.github.io/osv.dev/post-v1-querybatch/))

### Development Tools & Productivity

- [Cross-Ecosystem Relation Mappings](https://awesome-repositories.com/f/development-tools-productivity/dependency-graph-runners/vulnerability-dependency-graphs/cross-ecosystem-relation-mappings.md) — Links vulnerability records to equivalent identifiers and tracks dependencies across diverse package ecosystems. ([source](https://google.github.io/osv.dev/data_quality.html))
- [Package and Version Identification](https://awesome-repositories.com/f/development-tools-productivity/package-and-version-identification.md) — Matches source code hashes of libraries to the closest upstream library and version for accurate identification. ([source](https://google.github.io/osv.dev/post-v1-determineversion/))

### DevOps & Infrastructure

- [Hash-Based Resolutions](https://awesome-repositories.com/f/devops-infrastructure/dependency-resolution/library-version-resolution/hash-based-resolutions.md) — Matches software source code hashes to upstream library versions to identify the exact release affected by a flaw.

### Software Engineering & Architecture

- [Vulnerability Dependency Mapping](https://awesome-repositories.com/f/software-engineering-architecture/vulnerability-dependency-mapping.md) — Identifies known vulnerabilities by mapping a project's list of dependencies against a distributed database of security advisories. ([source](https://google.github.io/osv-scanner/))
