Skip to main content

Open Source Vulnerabilities (OSV)

OSV is a distributed vulnerability database and schema for open-source software, aggregating ecosystem advisory feeds with precise, package-native version matching.

Open Source Vulnerabilities (OSV) is a vulnerability database and interchange schema built for open-source software, operated at osv.dev. It aggregates advisories from more than 30 ecosystem sources — GitHub Security Advisories, PyPA, RustSec, and others — under one common, machine-readable schema.

How It Works

OSV's defining feature is package-native matching: advisories identify affected software by ecosystem package coordinates and exact version ranges, rather than the free-text product strings (CPE) used by the NVD. A scanner can take the packages in a lockfile and query OSV directly, getting precise affected-range and fixed-version answers.

Why It Matters

For open-source dependency scanning, coverage, version-range precision, and freshness matter more than any single feed's brand. No single database is complete, so careful scanners union OSV with sources like GHSA instead of relying on the NVD alone — a hedge that grew more important as NVD enrichment contracted.

Related Terms

OSV aggregates GHSA and other feeds, complements the NVD, and is matched against the component inventory in an SBOM or lockfile.