osv.dev

module

v0.0.13 Latest Latest Go to latest Published: Feb 15, 2022 License: Apache-2.0

Details

Valid go.mod file
Redistributable license
Tagged version
Stable version
Learn more about best practices

Repository

github.com/google/osv.dev

Links

README ¶

OSV - Open Source Vulnerabilities

osv.dev is a vulnerability database and triage infrastructure for open source projects aimed at helping both open source maintainers and consumers of open source.

This repository contains the infrastructure code that serves osv.dev (and other user tooling). This infrastructure serves as an aggregator of vulnerability databases that have adopted the OpenSSF Vulnerability format.

osv.dev additionally provides infrastructure to ensure affected versions are accurately represented in each vulnerability entry, through bisection and version analysis.

Current data sources

This is an ongoing project. We encourage open source ecosystems to adopt the OpenSSF Vulnerability format to enable open source users to easily aggregate and consume vulnerabilities across all ecosystesm. See our blog post for more details.

The following ecosystems have vulnerabilities encoded in this format:

OSS-Fuzz
Python
Go
Rust
GSD
npm (from GitHub Security Advisories).
Maven (from GitHub Security Advisories).

For convenience, these sources are aggregated and continuously exported to a GCS bucket maintained by OSV: gs://osv-vulnerabilities.

This bucket contains individual entries of the format gs://osv-vulnerabilities/<ECOSYSTEM>/<ID>.json as well as a zip containing all vulnerabilities for each ecosystem at gs://osv-vulnerabilities/<ECOSYSTEM>/all.zip.

E.g. for PyPI vulnerabilities:

# Or download over HTTP via https://osv-vulnerabilities.storage.googleapis.com/PyPI/all.zip
gsutil cp gs://osv-vulnerabilities/PyPI/all.zip .

Viewing the web UI

An instance of OSV's web UI is deployed at https://osv.dev.

Using the API

  curl -X POST -d \
      '{"commit": "6879efc2c1596d11a6a6ad296f80063b558d5e0f"}' \
      "https://api.osv.dev/v1/query"

  curl -X POST -d \
      '{"version": "2.4.1", "package": {"name": "jinja2", "ecosystem": "PyPI"}}' \
      "https://api.osv.dev/v1/query"

Detailed documentation for using the API can be found at https://osv.dev/docs/.

Architecture

You can find an overview of OSV's architecture here.

This repository

This repository contains all the code for running https://osv.dev on GCP. This consists of:

API server (gcp/api)
Web interface (gcp/appengine)
Workers for bisection and impact analysis (docker/worker)
Sample tools (tools)

You'll need to check out submodules as well for many local building steps to work:

git submodule update --init --recursive

Contributions are welcome! We also have a mailing list and a FAQ.

Directories ¶

Path	Synopsis
docker
indexer module
gcp
indexer module
go module
tools
scanner command
osv-scanner module

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL