Skip to content

Open source vulnerability DB and triage service.

License

Notifications You must be signed in to change notification settings

zahraaalizadeh/osv.dev

 
 

Repository files navigation

OpenSSF Scorecard

Documentation

Comprehensive documentation is available here. API documentation is available here.

Viewing the web UI

An instance of OSV's web UI is deployed at https://osv.dev.

Using the scanner

We provide a Go based tool that will scan your dependencies, and check them against the OSV database for known vulnerabilities via the OSV API.

Currently it is able to scan various lockfiles, debian docker containers, SPDX and CycloneDB SBOMs, and git repositories.

The scanner is located in its own repository.

This repository

This repository contains all the code for running https://osv.dev on GCP. This consists of:

directory what
deployment/ Terraform, Cloud Deploy & App Engine config files
A few Cloud Build config yamls
Old (no longer used?) api-staging and api-test Cloud Run configs
docker/ CI docker files (ci, deployment, terraform)
Workers for bisection and impact analysis (worker, importer, exporter, alias, worker-base)
The determine version indexer
cron/ jobs for database backups and processing oss-fuzz records
docs/ Jekyll files for https://google.github.io/osv.dev/
build_swagger.py and tools.go
gcp/api OSV API server files (including files for the local ESP server)
protobuf files in /v1
gcp/appengine The backend of the osv.dev web interface, with the frontend in frontend3
Blog posts (in blog)
App Engine Cron Handlers (to be removed)
The datastore indexes file (index.yaml)
gcp/functions The Cloud Function for publishing PyPI vulnerabilities (maintained, but not developed)
osv/ The core OSV Python library, used in basically all Python services
OSV ecosystem package versioning helpers in ecosystems/
Datastore model definitions in models.py
tools/ Misc scripts/tools, mostly intended for development (datastore stuff, linting)
The indexer-api-caller for indexer calling
vulnfeeds/ Go module for (mostly) the NVD CVE conversion
The Alpine feed converter (cmd/alpine)
The Debian feed converter (tools/debian, which is written in Python)

You'll need to check out submodules as well for many local building steps to work:

git submodule update --init --recursive

Contributing

Contributions are welcome!

Learn more about code, data, and documentation contributions. We also have a mailing list.

Do you have a question or a suggestion? Please open an issue.

Third party tools and integrations

There are also community tools that use OSV. Note that these are community built tools and unsupported by the core OSV maintainers.

Feel free to send a PR to add your project here.

About

Open source vulnerability DB and triage service.

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages

  • Python 55.3%
  • Go 28.5%
  • Shell 4.7%
  • HTML 3.8%
  • HCL 2.7%
  • SCSS 2.3%
  • Other 2.7%