MCPcopy
hub / github.com/google/osv.dev

github.com/google/osv.dev @v0.1.3 sqlite

repository ↗ · DeepWiki ↗ · release v0.1.3 ↗
1,761 symbols 5,346 edges 203 files 1,111 documented · 63%
README

[!WARNING] This Python package is archived and no longer maintained.

The Open Source Vulnerabilities (OSV) project is still active on GitHub.

If you were using this package, please refer to the following resources: - OSV Schema Protobuf Definition - OSV Documentation


OpenSSF Scorecard

Documentation

Comprehensive documentation is available here. API documentation is available here.

Data Dump

We have data dumps available from a GCS bucket at gs://osv-vulnerabilities. For more information check out our documentation.

Viewing the web UI

An instance of OSV's web UI is deployed at https://osv.dev.

Using the scanner

We provide a Go based tool that will scan your dependencies, and check them against the OSV database for known vulnerabilities via the OSV API.

Currently it is able to scan various lockfiles, debian docker containers, SPDX and CycloneDB SBOMs, and git repositories.

The scanner is located in its own repository.

This repository

This repository contains all the code for running https://osv.dev on GCP. This consists of:

directory what
bindings/ Language bindings for the OSV API (currently Go only)
deployment/ Terraform & Cloud Deploy config files

A few Cloud Build config yamls | | docker/ | CI docker files (ci, deployment, terraform)

worker-base docker image for gcp/workers/worker | | docs/ | Jekyll files for https://google.github.io/osv.dev/

build_swagger.py and tools.go | | gcp/api | OSV API server files (including files for the local ESP server)

protobuf files in /v1| | gcp/datastore | The datastore index file (index.yaml) | | gcp/functions | The Cloud Function for publishing PyPI vulnerabilities (maintained, but not developed) | | gcp/indexer | The determine version indexer | | gcp/website | The backend of the osv.dev web interface, with the frontend in frontend3

Blog posts (in blog) | | gcp/workers/ | Workers for bisection and impact analysis (worker, importer, exporter, alias)

cron/ jobs for database backups and processing oss-fuzz records | | osv/ | The core OSV Python library, used in basically all Python services

OSV ecosystem package versioning helpers in ecosystems/

Datastore model definitions in models.py | | tools/ | Misc scripts/tools, mostly intended for development (datastore stuff, linting)

The indexer-api-caller for indexer calling | | vulnfeeds/ | Go module for (mostly) the NVD CVE conversion

The Alpine feed converter (cmd/alpine)

The Debian feed converter (tools/debian, which is written in Python) |

You'll need to check out submodules as well for many local building steps to work:

git submodule update --init --recursive

Contributing

Contributions are welcome!

Learn more about code, data, and documentation contributions. We also have a mailing list.

Do you have a question or a suggestion? Please open an issue.

Third party tools and integrations

There are also community tools that use OSV. Note that these are community built tools and as such are not supported or endorsed by the core OSV maintainers. You may wish to consult the OpenSSF's Concise Guide for Evaluating Open Source Software to determine suitability for your use. Some popular third party tools are:

Extension points exported contracts — how you extend this code

Checker (Interface)
Checker interface is used to check whether a name/hash pair already exists in storage. [1 implementers]
gcp/indexer/stages/preparation/preparation.go
OSVClientInterface (Interface)
(no doc) [2 implementers]
bindings/go/osvdevexperimental/paging.go
Storer (Interface)
Storer is used to permanently store the results. [1 implementers]
gcp/indexer/stages/processing/processing.go

Core symbols most depended-on inside this repo

get
called by 171
gcp/workers/worker/worker.py
String
called by 132
vulnfeeds/cmd/nvd-cve-osv/main.go
get
called by 75
osv/cache.py
String
called by 74
vulnfeeds/cmd/cvelist2osv/version_extraction.go
sort_key
called by 68
osv/ecosystems/pub.py
get_by_id
called by 60
osv/models.py
sort_key
called by 60
osv/ecosystems/redhat.py
from_string
called by 58
osv/ecosystems/pub.py

Shape

Function 719
Method 681
Class 195
Struct 90
Route 57
TypeAlias 16
Interface 3

Languages

Python71%
Go25%
TypeScript3%

Modules by API surface

gcp/website/frontend_handlers.py97 symbols
gcp/workers/worker/worker_test.py67 symbols
osv/models.py60 symbols
gcp/workers/importer/importer_test.py53 symbols
gcp/api/server.py49 symbols
osv/third_party/univers/gem.py39 symbols
gcp/api/integration_tests.py35 symbols
gcp/workers/worker/worker.py34 symbols
gcp/workers/importer/importer.py33 symbols
vulnfeeds/vulns/vulns.go28 symbols
gcp/website/frontend3/src/search.js28 symbols
osv/impact.py27 symbols

Dependencies from manifests, versioned

cel.dev/exprv0.24.0 · 1×
cloud.google.com/gov0.116.0 · 1×
cloud.google.com/go/auth/oauth2adaptv0.2.8 · 1×
cloud.google.com/go/compute/metadatav0.8.0 · 1×
cloud.google.com/go/datastorev1.20.0 · 1×
cloud.google.com/go/monitoringv1.24.2 · 1×
cloud.google.com/go/pubsubv1.50.1 · 1×
cloud.google.com/go/pubsub/v2v2.0.0 · 1×
cloud.google.com/go/secretmanagerv1.15.0 · 1×
cloud.google.com/go/storagev1.56.2 · 1×

For agents

$ claude mcp add osv.dev \
  -- python -m otcore.mcp_server <graph>

⬇ download graph artifact