Skip to content

joshbuker/osv

BranchesTags
 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

225 Commits

.github/workflows

.github/workflows

 
 

actions/analyze

actions/analyze

 
 

docker

docker

 
 

docs

docs

 
 

gcp

gcp

 
 

lib

lib

 
 

tools

tools

 
 

vulnfeeds

vulnfeeds

 
 

.gitignore

.gitignore

 
 

.gitmodules

.gitmodules

 
 

.pylintrc

.pylintrc

 
 

.style.yapf

.style.yapf

 
 

CONTRIBUTING.md

CONTRIBUTING.md

 
 

LICENSE

LICENSE

 
 

README.md

README.md

 
 

cloudbuild.yaml

cloudbuild.yaml

 
 

Repository files navigation

OSV - Open Source Vulnerabilities

OSV is a vulnerability database and triage infrastructure for open source projects aimed at helping both open source maintainers and consumers of open source.

For open source maintainers, OSV's automation helps reduce the burden of triage. Each vulnerability undergoes automated bisection and impact analysis to determine precise affected commit and version ranges.

For open source consumers, OSV provides an API that lets users of these projects query whether or not their versions are impacted.

Current data sources

This is an ongoing project. We encourage open source ecosystems to adopt the OpenSSF Vulnerability format for the benefit of the open source community. See our blog post for more details.

The following ecosystems have vulnerabilities encoded in this format:

For convenience, these sources are aggregated and continuously exported to a GCS bucket maintained by OSV: gs://osv-vulnerabilities.

This bucket contains individual entries of the format gs://osv-vulnerabilities/<ECOSYSTEM>/<ID>.json as well as a zip containing all vulnerabilities for each ecosystem at gs://osv-vulnerabilities/<ECOSYSTEM>/all.zip.

E.g. for PyPI vulnerabilities:

# Or download over HTTP via https://osv-vulnerabilities.storage.googleapis.com/PyPI/all.zip
gsutil cp gs://osv-vulnerabilities/PyPI/all.zip .

Viewing the web UI

An instance of OSV's web UI is deployed at https://osv.dev.

Using the API

  curl -X POST -d \
      '{"commit": "6879efc2c1596d11a6a6ad296f80063b558d5e0f"}' \
      "https://api.osv.dev/v1/query"

  curl -X POST -d \
      '{"version": "2.4.1", "package": {"name": "jinja2", "ecosystem": "PyPI"}}' \
      "https://api.osv.dev/v1/query"

Detailed documentation for using the API can be found at https://osv.dev/docs/.

Architecture

You can find an overview of OSV's architecture here.

This repository

This repository contains all the code for running OSV on GCP. This consists of:

  • API server (gcp/api)
  • Web interface (gcp/appengine)
  • Workers for bisection and impact analysis (docker/worker)
  • Sample tools (tools)

You'll need to check out submodules as well for many local building steps to work:

git submodule update --init --recursive

Contributions are welcome! We also have a mailing list and a FAQ.

About

Open source vulnerability DB and triage service.

osv.dev

Resources

Readme

License

Apache-2.0 license
Activity

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

5 tags

Packages

No packages published

Languages

  • Python 74.9%
  • Go 12.3%
  • Vue 6.2%
  • Shell 3.4%
  • Dockerfile 1.7%
  • JavaScript 0.9%
  • HTML 0.6%