The Open Source Vulnerability (OSV) schema provides a human and machine readable data format to describe vulnerabilities in a way that precisely maps to open source package versions or commit hashes.
This format is currently exported by:
- AlmaLinux
- BellSoft Security Advisory
- Bitnami Vulnerability Database
- Chainguard
- Curl
- GitHub Security Advisories
- Global Security Database
- Go Vulnerability Database
- Haskell Security Advisories
- LoopBack Advisory Database
- Malicious Packages Repository
- Mageia Advisories
- MinimOS
- openEuler
- OSS-Fuzz
- OSV.dev maintained converters (Debian, Alpine, NVD)
- PyPI Advisory Database
- Python Software Foundation Database
- RConsortium Advisory Database
- Red Hat
- Rocky Linux
- Rust Advisory Database
- SUSE
- Ubuntu
- VMWare Photon OS (unofficial)
Together, these include vulnerabilities from:
- AlmaLinux
- Alpine
- Alpaquita Linux
- Android
- BellSoft Hardened Containers
- Bitnami
- Chainguard
- crates.io
- Debian GNU/Linux
- GitHub Actions
- Go
- Haskell
- Hex
- Linux kernel
- Mageia
- Maven
- MinimOS
- npm
- NuGet
- openEuler
- openSUSE
- OSS-Fuzz
- Packagist
- Photon OS
- Pub
- PyPI
- Python
- R (CRAN and Bioconductor)
- Red Hat
- SUSE
- Rocky Linux
- RubyGems
- Ubuntu
These vulnerabilities are aggregated by https://osv.dev.
Join the discussion in the OpenSSF Slack channel #osv_schema
Reference tooling (e.g. converters) can be found in the tools/ directory
The current version of the specification is rendered here.
The OSV-Schema specification and the tools here are maintained by the Open Source Security Foundation (OpenSSF) Vulnerability Disclosures Working Group (WG).