# OSV by Google

<https://osv.dev/>

<https://security.googleblog.com/2022/12/announcing-osv-scanner-vulnerability.html>

Google has announced the launch of the open-source OSV-Scanner, which is meant to make it easier for developers to find vulnerabilities in open-source projects. The scanner is written in Go and relies on OSV, the open-source distributed vulnerability database that Google created in February of the previous year. According to its authors, OSV-Scanner is intended to help fight supply-chain vulnerabilities: it produces a list of a project's dependencies together with the vulnerabilities that affect them. The idea is to identify all transitive dependencies and flag the vulnerabilities matching each of them, using data from OSV.dev.

An open, precise, and distributed approach to producing and consuming vulnerability information for open source.

[Search Vulnerability Database](https://osv.dev/list) [Use the API](https://osv.dev/#use-the-api) [CLI Tools](https://osv.dev/#use-the-cli)

## Ecosystems

AlmaLinux, Alpine, Android, crates.io, Debian, Go, Linux, Maven, npm, OSS-Fuzz, Packagist, PyPI, Rocky Linux, RubyGems

## OSV schema

All advisories in this database use the [OpenSSF OSV format](https://ossf.github.io/osv-schema/), which was developed in collaboration with open source communities.

The OSV schema provides a human and machine readable data format to describe vulnerabilities in a way that precisely maps to open source package versions or commit hashes.

```
{
  "schema_version": "1.3.0",
  "id": "GHSA-c3g4-w6cv-6v7h",
  "modified": "2022-04-01T13:56:42Z",
  "published": "2022-04-01T13:56:42Z",
  "aliases": [ "CVE-2022-27651" ],
  "summary": "Non-empty default inheritable capabilities for linux container in Buildah",
  "details": "A bug was found in Buildah where containers were created ...",
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/containers/buildah"
      },
      "ranges": [
        {
          "type": "SEMVER",
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.25.0"
            }
          ]
        }
      ]
    }
  ],
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/containers/buildah/commit/..."
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/containers/buildah"
    }
  ]
}
```

[OSV Schema](https://ossf.github.io/osv-schema/) [Blog post](https://security.googleblog.com/2021/06/announcing-unified-vulnerability-schema.html)
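The `ranges` block above is what makes an OSV record machine-checkable: a version is affected if, walking the events in version order, the last event at or below it is an `introduced` rather than a `fixed` (or `last_affected`). The following is an added example written for this page, not OSV's or OSV-Scanner's own matching code. It implements SemVer 2.0.0 precedence (pre-releases sort below the release, numeric identifiers before alphanumeric ones, build metadata ignored), treats `"introduced": "0"` as "from the first version ever", and deliberately refuses `ECOSYSTEM` ranges, whose version strings need an ecosystem-specific comparator, instead of silently misclassifying them. The record is the Buildah advisory shown above, trimmed to the fields the check uses.

```python
"""Evaluate whether a package version falls inside an OSV advisory's SEMVER ranges."""
import json
import re

# The Buildah advisory from this page, trimmed to the fields the check needs.
OSV_RECORD = json.loads("""
{
  "id": "GHSA-c3g4-w6cv-6v7h",
  "aliases": ["CVE-2022-27651"],
  "affected": [
    {
      "package": {"ecosystem": "Go", "name": "github.com/containers/buildah"},
      "ranges": [
        {"type": "SEMVER",
         "events": [{"introduced": "0"}, {"fixed": "1.25.0"}]}
      ]
    }
  ]
}
""")

_SEMVER_RE = re.compile(
    r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$")

# OSV orders events of equal version as introduced, fixed, last_affected.
_EVENT_ORDER = {"introduced": 0, "fixed": 1, "last_affected": 2}


def semver_key(version):
    """Return a sortable key implementing SemVer 2.0.0 precedence.

    Key layout: (major, minor, patch, is_release, pre_release_identifiers).
    A release (is_release=1) sorts above every pre-release (is_release=0)
    of the same core version; numeric identifiers sort before alphanumeric
    ones and are compared as integers. Build metadata is ignored.
    """
    m = _SEMVER_RE.match(version)
    if not m:
        raise ValueError(f"not a semantic version: {version!r}")
    core = tuple(int(x) for x in m.group(1, 2, 3))
    pre = m.group(4)
    if pre is None:
        return (*core, 1, ())
    idents = tuple(
        (0, int(ident), "") if ident.isdigit() else (1, 0, ident)
        for ident in pre.split(".")
    )
    return (*core, 0, idents)


def _event_key(event):
    kind, ver = next(iter(event.items()))
    # "0" is OSV's sentinel for "every version from the first one"; it must
    # sort below any real version, including 0.0.0 pre-releases.
    ver_key = (-1,) if (kind == "introduced" and ver == "0") else semver_key(ver)
    return (ver_key, _EVENT_ORDER[kind])


def version_in_range(version, rng):
    """Walk a SEMVER range's events in version order; return the final affected state."""
    if rng["type"] != "SEMVER":
        raise NotImplementedError(
            f"{rng['type']} ranges need an ecosystem-specific or commit-graph comparator")
    v = semver_key(version)
    affected = False
    for event in sorted(rng["events"], key=_event_key):
        kind, ver = next(iter(event.items()))
        if kind == "introduced":
            if ver == "0" or semver_key(ver) <= v:
                affected = True
        elif kind == "fixed":
            if semver_key(ver) <= v:      # fixed version itself is clean
                affected = False
        elif kind == "last_affected":
            if semver_key(ver) < v:       # last_affected version itself is vulnerable
                affected = False
    return affected


def affected_by(record, ecosystem, name, version):
    """Return True if (ecosystem, name, version) lies in any affected range of the record."""
    for entry in record["affected"]:
        pkg = entry.get("package", {})
        if pkg.get("ecosystem") != ecosystem or pkg.get("name") != name:
            continue
        # Some entries enumerate concrete versions instead of, or next to, ranges.
        if version in entry.get("versions", []):
            return True
        for rng in entry.get("ranges", []):
            if rng["type"] == "GIT":
                continue  # GIT ranges describe commits, not package versions
            if version_in_range(version, rng):
                return True
    return False


if __name__ == "__main__":
    for v in ("1.24.2", "1.25.0", "v1.25.0-rc1", "1.26.0"):
        print(v, affected_by(OSV_RECORD, "Go", "github.com/containers/buildah", v))
```

One consequence worth noticing: `v1.25.0-rc1` is reported as affected, because under SemVer precedence a pre-release sorts below the `1.25.0` fix. That is the correct reading of the record, and it is why version comparison must follow the ecosystem's rules rather than plain string or tuple comparison.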

## Data sources

This infrastructure serves as an aggregator of vulnerability databases that have adopted the [OSV schema](https://ossf.github.io/osv-schema/), including [GitHub Security Advisories](https://github.com/github/advisory-database), [PyPA](https://github.com/pypa/advisory-database), [RustSec](https://github.com/RustSec/advisory-db) and the [Global Security Database](https://github.com/cloudsecurityalliance/gsd-database), among others.

[Learn more](https://google.github.io/osv.dev/data/#current-data-sources)

## Use the API

An easy-to-use API is available to query for all known vulnerabilities by either a commit hash or a package version.

### Query by commit hash

```
curl -d \
  '{"commit": "6879efc2c1596d11a6a6ad296f80063b558d5e0f"}' \
  "https://api.osv.dev/v1/query"
```

### Query by version number

```
curl -d \
  '{"version": "2.4.1",
    "package": {"name": "jinja2", "ecosystem": "PyPI"}}' \
  "https://api.osv.dev/v1/query"
```

[API Documentation](https://google.github.io/osv.dev/api/)
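The single-package `curl` calls above do not scale to a whole dependency list, which is what the batch endpoint `/v1/querybatch` is for. The following is an added example written for this page, not osv.dev's own client: it reads `name==version` pins from a constructed `requirements.txt`, sends one batch request, joins the results back to the pins by position (the API answers `results[i]` for `queries[i]`), and then fetches full records with `GET /v1/vulns/{id}`, because the batch response only carries each vulnerability's `id` and `modified` timestamp. The package names and versions are sample input chosen for the example; the network calls happen only in `main`, so the parsing and joining functions can be exercised offline. Large result sets are paginated (a `next_page_token` in a result means the list is truncated and must be continued with `page_token`); this example flags that case rather than following it.

```python
"""Batch-query the OSV API for a pinned requirements file and join the results back."""
import json
import urllib.request

OSV_API = "https://api.osv.dev/v1"

# Constructed sample of a pinned requirements.txt (versions chosen for the example).
REQUIREMENTS_TXT = """\
# comments and blank lines are skipped
jinja2==2.4.1
requests==2.25.1
urllib3==1.26.5
"""


def parse_pins(text):
    """Return [(name, version)] for every `name==version` line; ignore anything else."""
    pins = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "==" not in line:
            continue
        name, version = (part.strip() for part in line.split("==", 1))
        pins.append((name.lower(), version))
    return pins


def build_querybatch(pins, ecosystem="PyPI"):
    """Build the /v1/querybatch request body: one query per pinned package."""
    return {
        "queries": [
            {"package": {"name": name, "ecosystem": ecosystem}, "version": version}
            for name, version in pins
        ]
    }


def join_results(pins, response):
    """Map each pin to the sorted vulnerability IDs OSV returned for it.

    results[i] answers queries[i]; a result without a "vulns" key means no
    known vulnerabilities for that package version.
    """
    results = response.get("results", [])
    if len(results) != len(pins):
        raise ValueError(
            f"querybatch returned {len(results)} results for {len(pins)} queries")
    findings = {}
    for (name, version), result in zip(pins, results):
        if result.get("next_page_token"):
            # Truncated list: the caller must re-query with page_token to get the rest.
            raise ValueError(f"truncated result for {name}=={version}; follow next_page_token")
        ids = sorted(v["id"] for v in result.get("vulns", []))
        if ids:
            findings[(name, version)] = ids
    return findings


def post_json(url, body, timeout=30):
    """POST a JSON body and decode the JSON reply."""
    req = urllib.request.Request(
        url,
        data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def get_vuln(vuln_id, timeout=30):
    """Fetch the full OSV record; querybatch only returns id and modified."""
    with urllib.request.urlopen(f"{OSV_API}/vulns/{vuln_id}", timeout=timeout) as resp:
        return json.load(resp)


if __name__ == "__main__":
    pins = parse_pins(REQUIREMENTS_TXT)
    response = post_json(f"{OSV_API}/querybatch", build_querybatch(pins))
    for (name, version), ids in join_results(pins, response).items():
        for vuln_id in ids:
            record = get_vuln(vuln_id)
            print(f"{name}=={version}: {vuln_id} aliases={record.get('aliases', [])} "
                  f"{record.get('summary', '')}")
```

Joining by position rather than by package name matters when the same package appears twice with different versions; the response carries no package field, so the request order is the only key. Sorting the IDs makes the output stable between runs, which is what a CI job diffing today's findings against yesterday's needs.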

## Command Line Tools (OSV‑Scanner)

### Install OSV‑Scanner

```
go install github.com/google/osv-scanner/cmd/osv-scanner@v1
```

### Scan SBOM or Lockfiles

```
osv-scanner --sbom=cyclonedx-or-spdx-sbom.json
osv-scanner --lockfile=package-lock.json
```

### Scan directory recursively

```
osv-scanner -r path/to/your/project
```

[More details](https://github.com/google/osv-scanner)

## Open source

This project is [open source](https://github.com/google/osv). If you have any ideas or questions, please feel free to reach out by [creating an issue](https://github.com/google/osv/issues/new)!
