OSV

OSV, short for Open Source Vulnerability database, is a centralized, machine-readable repository of security vulnerabilities affecting open-source software. It aims to provide a single, consistent source of vulnerability data that can be consumed by automated tooling across different ecosystems, enabling faster and more reliable identification and remediation of insecure dependencies.

The project is hosted at osv.dev and was initiated to improve the accuracy, completeness, and interoperability of open-source vulnerability information. It is maintained by Google in collaboration with the broader software security community. OSV publishes vulnerability records in a public API and data format designed to be ecosystem-agnostic, facilitating integration with various package managers, security scanners, and CI/CD pipelines.

A typical OSV record includes fields such as an identifier, publication and modification timestamps, and references to related advisories. Each record contains an applies-to section that lists affected packages by ecosystem (for example npm, Maven, PyPI, RubyGems, Go modules) and specifies vulnerable version ranges using defined event-based ranges. Records also include a concise summary, detailed description, and severity information, often informed by CVSS scores. The database provides stable IDs and cross-links to related advisories and external references, enabling traceability across solutions and dashboards.

OSV is widely used to augment vulnerability detection and remediation across ecosystems, offering a unified schema that supports programmatic querying by package, ecosystem, version, or OSV identifier. While extensive, its coverage depends on ongoing contributions from the community and participating vendors.
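
The event-based version ranges described above can be evaluated as in the following added example, which is not code from the OSV project. It uses field names from the public OSV schema (where the affected-package section is the `affected` array); the record, its ID, and the package name are constructed, and version parsing assumes plain dotted-integer versions.

```python
# Constructed sample record using field names from the public OSV schema.
# The ID, package name, and versions are made up for illustration.
SAMPLE_RECORD = {
    "id": "OSV-0000-EXAMPLE",
    "summary": "Constructed example advisory",
    "affected": [{
        "package": {"ecosystem": "PyPI", "name": "example-pkg"},
        "ranges": [{
            "type": "ECOSYSTEM",
            "events": [
                {"introduced": "0"}, {"fixed": "1.4.2"},
                {"introduced": "2.0.0"}, {"last_affected": "2.1.3"},
            ],
        }],
    }],
}

def parse_version(text):
    """Assumption: plain dotted-integer versions only (no pre-release tags)."""
    return tuple(int(part) for part in text.split("."))

def in_range(version, events):
    """Replay the events in version order and track the vulnerable state."""
    v = parse_version(version)
    ordered = sorted(events, key=lambda e: parse_version(next(iter(e.values()))))
    vulnerable = False
    for event in ordered:
        if "introduced" in event and v >= parse_version(event["introduced"]):
            vulnerable = True
        elif "fixed" in event and v >= parse_version(event["fixed"]):
            vulnerable = False
        elif "last_affected" in event and v > parse_version(event["last_affected"]):
            vulnerable = False
    return vulnerable

def is_affected(record, ecosystem, name, version):
    """True if the package version matches an explicit version or any range."""
    for entry in record.get("affected", []):
        pkg = entry.get("package", {})
        if (pkg.get("ecosystem"), pkg.get("name")) != (ecosystem, name):
            continue
        if version in entry.get("versions", []):
            return True
        if any(in_range(version, r.get("events", []))
               for r in entry.get("ranges", []) if r.get("type") != "GIT"):
            return True
    return False
```

A `fixed` event marks the first safe version, while `last_affected` marks the last vulnerable one, so the two boundaries are exclusive and inclusive respectively. `GIT` ranges are skipped here because commit hashes cannot be ordered without the repository history.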