Add tools/osv/ as a read-only bridge to OSV.dev (Google's open-source vulnerability database). Complements the existing tools/cve-org/ and tools/vulnogram/ by providing OSV's per-ecosystem (PyPI, npm, Maven, Go, RubyGems, crates.io, Packagist, …) vulnerability records.
Suggested capabilities:
query --package <name> --ecosystem <pypi|npm|maven|...> — list known vulns for a package
query --commit <sha> --repo <url> — does a commit fix or introduce a known vuln?
vuln <OSV-ID> — full record (references, affected ranges, fix commits, aliases including CVE/GHSA)
aliases <id> — cross-walk CVE ↔ GHSA ↔ OSV (the alias graph is the most valuable single piece of OSV)
Why: During security-issue-triage, before allocating a CVE, it's high-value to check whether OSV already has a record — to detect duplicates, to find the matching GHSA, and to find which downstream consumers are already warned. OSV is the best machine-readable vulnerability cross-reference available, and integrates cleanly with the existing CVE workflow.
Concrete consumers:
security-issue-triage — early dedupe against the known-vuln set
security-issue-deduplicate — alias resolution before merging trackers
security-cve-allocate — sanity check that no existing OSV/GHSA already covers the report
Reference:
Add
tools/osv/as a read-only bridge to OSV.dev (Google's open-source vulnerability database). Complements the existingtools/cve-org/andtools/vulnogram/by providing OSV's per-ecosystem (PyPI, npm, Maven, Go, RubyGems, crates.io, Packagist, …) vulnerability records.Suggested capabilities:
query --package <name> --ecosystem <pypi|npm|maven|...>— list known vulns for a packagequery --commit <sha> --repo <url>— does a commit fix or introduce a known vuln?vuln <OSV-ID>— full record (references, affected ranges, fix commits, aliases including CVE/GHSA)aliases <id>— cross-walk CVE ↔ GHSA ↔ OSV (the alias graph is the most valuable single piece of OSV)Why: During
security-issue-triage, before allocating a CVE, it's high-value to check whether OSV already has a record — to detect duplicates, to find the matching GHSA, and to find which downstream consumers are already warned. OSV is the best machine-readable vulnerability cross-reference available, and integrates cleanly with the existing CVE workflow.Concrete consumers:
security-issue-triage— early dedupe against the known-vuln setsecurity-issue-deduplicate— alias resolution before merging trackerssecurity-cve-allocate— sanity check that no existing OSV/GHSA already covers the reportReference:
tools/cve-org/,tools/vulnogram/