2024 has been an even more eventful year for OSV.
New ecosystems support
OSV Schema adoption momentum continued, and 2024 was the year of the Linux distributions, with four adopting the schema and now included in our OSV.dev database:
We also expanded our existing coverage of Debian GNU/Linux, by including CVE data from their Security Tracker in our existing CVE record conversion.
Additionally, the curl project started contributing vulnerability records.
This has brought the total number of supported ecosystems to 30. The significantly increased coverage of Linux distributions has been very encouraging, and will enable comprehensive container image scanning in 2025.
Impact of the NVD’s analysis challenges on Git commit range coverage
Last year, we announced the expansion of coverage of C/C++ software with Git range coverage of CVEs programmatically converted from the NVD. The reduction in the NVD's analysis capacity has had a broad impact on vulnerability management, and it has also reduced the effectiveness and comprehensiveness of this CVE conversion, since the Git ranges are derived from the NVD's enrichment data. Even with this unexpected challenge, slightly over 50% of in-scope CVEs have been converted to OSV records with the current implementation.
On the expectation that this may persist into 2025, and in light of related developments this year, we will be exploring additionally converting CVEs directly from the CVE List.
Data Quality
We announced our approach to data quality, publishing a definition of the Properties of a High Quality OSV Record, and work on this project is ongoing into 2025.
Infrastructure
We added support for importing records published at a REST API endpoint (with the curl project as the pilot home database to do so).
We also made improvements to the record import and ingestion processes to be more tolerant of records with GIT ranges that are semantically valid but incorrect, so that more existing converted CVEs can be partially imported successfully rather than rejected outright.
A very impactful change to the OSV.dev API has been support for queries against existing and future data for ecosystems that OSV.dev cannot enumerate versions for. This unlocked the use of existing data for vulnerability discovery via the API, and reduces the effort required to onboard additional ecosystems in the future.
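To make the query path concrete, here is an added example (not OSV.dev's own code) that builds a request body in the shape of the public OSV.dev query API and then answers it offline from a constructed record that carries only a SEMVER range and no enumerated versions. The record, its identifier and the package name are hypothetical; the range walk follows the evaluation algorithm the OSV schema documents for SEMVER ranges, and the SemVer comparison is deliberately simplified (pre-release tags are dropped).

```python
"""Answering an OSV query offline by walking range events.

Added example, not OSV.dev's own code. The request body follows the public
OSV.dev API shape (POST https://api.osv.dev/v1/query); the record below is a
constructed, trimmed example (not a real advisory), and the range walk follows
the evaluation algorithm documented in the OSV schema for SEMVER ranges.
"""
import json


def build_query(ecosystem: str, name: str, version: str) -> dict:
    """Body for POST https://api.osv.dev/v1/query (package + version form)."""
    return {"package": {"ecosystem": ecosystem, "name": name}, "version": version}


# Constructed record: no enumerated "versions" list, only a SEMVER range,
# which is exactly the case where the consumer must evaluate the events itself.
SAMPLE_RESPONSE = {
    "vulns": [{
        "id": "EXAMPLE-2024-0001",  # hypothetical identifier
        "summary": "constructed example, not a real vulnerability",
        "affected": [{
            "package": {"ecosystem": "npm", "name": "example-pkg"},  # hypothetical package
            "ranges": [{
                "type": "SEMVER",
                "events": [
                    {"introduced": "1.2.0"}, {"fixed": "1.4.1"},
                    {"introduced": "2.0.0"}, {"fixed": "2.0.3"},
                ],
            }],
        }],
    }]
}


def parse_semver(v: str) -> tuple:
    """Numeric core only (major.minor.patch). Simplification: pre-release and
    build metadata are dropped, so 1.0.0-rc1 compares equal to 1.0.0 here,
    whereas full SemVer orders it lower. "0" (the schema's 'from the
    beginning') becomes (0, 0, 0)."""
    core = v.split("+", 1)[0].split("-", 1)[0]
    parts = [int(p) for p in core.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def in_range(version: str, rng: dict) -> bool:
    """Schema evaluation: walk the (sorted) events; the last event at or below
    `version` decides. Only SEMVER ranges are handled here: ECOSYSTEM ranges
    need the ecosystem's own version ordering and GIT ranges need the
    repository's commit graph."""
    if rng.get("type") != "SEMVER":
        return False
    v = parse_semver(version)
    vulnerable = False
    for event in rng.get("events", []):
        if "introduced" in event and v >= parse_semver(event["introduced"]):
            vulnerable = True
        elif "fixed" in event and v >= parse_semver(event["fixed"]):
            vulnerable = False
        elif "last_affected" in event and v > parse_semver(event["last_affected"]):
            vulnerable = False
    return vulnerable


def matching_vuln_ids(query: dict, response: dict) -> list:
    """IDs of records in `response` that cover the queried package and version,
    via either an explicit `versions` list or a range walk."""
    pkg, version = query["package"], query["version"]
    hits = []
    for vuln in response.get("vulns", []):
        for affected in vuln.get("affected", []):
            target = affected.get("package", {})
            if (target.get("ecosystem"), target.get("name")) != (pkg["ecosystem"], pkg["name"]):
                continue
            if version in affected.get("versions", []) or any(
                in_range(version, r) for r in affected.get("ranges", [])
            ):
                hits.append(vuln["id"])
                break
    return hits


if __name__ == "__main__":
    for version in ("1.1.0", "1.3.0", "1.4.1", "2.0.1", "2.0.3"):
        query = build_query("npm", "example-pkg", version)
        print(json.dumps(query), "->", matching_vuln_ids(query, SAMPLE_RESPONSE))
```

The walk relies on the schema's requirement that events within a range are sorted; a record whose events are out of order, or whose versions do not follow the ecosystem's ordering, is exactly the kind of input the data quality work aims to catch.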
We also continued to make performance and reliability improvements to the API, and transitioned the website serving infrastructure from Google App Engine to Cloud Run.
OSV.dev API usage peaked at over 900 QPS in October, with at least 140 QPS specifically attributable to OSV-Scanner (including OpenSSF Scorecard's use of OSV-Scanner).
With the growth in ecosystems, we took the opportunity to simplify the exported data in our public GCS bucket.
Community
Integrations
Noteworthy integrations that happened this year:
Code
Interest and external contributions continue:
- OSV Schema
- OSV.dev
- OSV-Scanner
- OSV-Scanner GitHub Action
- 8 total contributors
- Over 400 GitHub repositories have adopted
Conferences and events
We gave OSV-related presentations at:
- The inaugural VulnCon in Raleigh, North Carolina, USA in February
- The SOSS Community Day in Seattle, Washington, USA in April
- Open Source Summit Japan in Tokyo, Japan in October
Tooling
OSV-Scanner
This year, OSV-Scanner gained these noteworthy new features:
- Guided Remediation for npm
- Transitive dependency scanning for Maven
- Support for private Maven registries
- The ability to override findings in specific packages
- Additional support for scanning:
  - NuGet version 2 lock files
  - pdm lockfiles
  - PNPM v9 lockfiles
  - gradle/verification-metadata.xml
  - CycloneDX 1.4 and 1.5
A linter for OSV records
As part of our data quality program, work commenced on an OSV record linting tool, which will carry on into 2025.
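As an illustration of what record linting involves, here is an added example that is not the OSV project's linter. It applies a handful of structural checks drawn from requirements the OSV schema states (required `id` and `modified`, known range types, exactly one key per event, an `introduced` event in every range, `repo` on GIT ranges, and `fixed` and `last_affected` not mixed in one range), plus one quality check of my own (an affected entry that lists neither ranges nor versions covers nothing). Both records below are constructed; the identifiers and package name are hypothetical.

```python
"""Structural linting of an OSV record.

Added example, not the OSV project's linter. The checks are drawn from
requirements stated in the OSV schema plus one quality check (affected entry
covering nothing); the records are constructed and the identifiers hypothetical.
"""
import re

RANGE_TYPES = {"SEMVER", "ECOSYSTEM", "GIT"}
EVENT_KEYS = {"introduced", "fixed", "last_affected", "limit"}
RFC3339_UTC = re.compile(r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d+)?Z")


def lint(record: dict) -> list:
    """Return human-readable findings; an empty list means these checks passed."""
    findings = []
    if not isinstance(record.get("id"), str) or "-" not in record["id"]:
        findings.append("id: missing or not of the form <DB>-<identifier>")
    if not RFC3339_UTC.fullmatch(str(record.get("modified", ""))):
        findings.append("modified: missing or not an RFC3339 UTC timestamp")
    for i, aff in enumerate(record.get("affected", [])):
        pkg = aff.get("package") or {}
        if not aff.get("ranges") and not aff.get("versions"):
            findings.append(f"affected[{i}]: neither ranges nor versions, so it covers nothing")
        for j, rng in enumerate(aff.get("ranges", [])):
            where = f"affected[{i}].ranges[{j}]"
            rtype = rng.get("type")
            if rtype not in RANGE_TYPES:
                findings.append(f"{where}: unknown range type {rtype!r}")
            if rtype == "GIT" and not rng.get("repo"):
                findings.append(f"{where}: GIT range without repo")
            if rtype in ("SEMVER", "ECOSYSTEM") and not (pkg.get("ecosystem") and pkg.get("name")):
                findings.append(f"{where}: {rtype} range needs affected[{i}].package with ecosystem and name")
            events = rng.get("events", [])
            if not events:
                findings.append(f"{where}: no events")
            keys = []
            for k, event in enumerate(events):
                event_keys = set(event)
                if len(event_keys) != 1 or not event_keys <= EVENT_KEYS:
                    findings.append(f"{where}.events[{k}]: must have exactly one of {sorted(EVENT_KEYS)}")
                keys.extend(event_keys)
            if events and "introduced" not in keys:
                findings.append(f"{where}: no introduced event")
            if "fixed" in keys and "last_affected" in keys:
                findings.append(f"{where}: fixed and last_affected in the same range")
    return findings


# Constructed records (hypothetical IDs and package); not real advisories.
GOOD_RECORD = {
    "id": "EXAMPLE-2024-0001",
    "modified": "2024-12-10T12:00:00Z",
    "affected": [{
        "package": {"ecosystem": "npm", "name": "example-pkg"},
        "ranges": [{"type": "SEMVER", "events": [{"introduced": "1.2.0"}, {"fixed": "1.4.1"}]}],
    }],
}

BAD_RECORD = {
    "id": "EXAMPLE-2024-0002",
    "modified": "2024-12-10",  # date only, not RFC3339
    "affected": [{
        "package": {"ecosystem": "npm"},  # name missing
        "ranges": [
            {"type": "SEMVER", "events": [{"fixed": "1.4.1"}]},  # no introduced event
            {"type": "GIT",  # no repo; fixed and last_affected mixed
             "events": [{"introduced": "0"}, {"fixed": "abc123"}, {"last_affected": "def456"}]},
            {"type": "VERSION",  # unknown type; two keys in one event
             "events": [{"introduced": "1.0", "fixed": "1.1"}]},
        ],
    }],
}


if __name__ == "__main__":
    for rec in (GOOD_RECORD, BAD_RECORD):
        print(rec["id"], "->", lint(rec) or "ok")
```

These checks are purely structural and run without any ecosystem knowledge; the harder part of the real data quality work, which this example does not attempt, is verifying that the versions and commits named in a record are real and correctly ordered.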
More to come in 2025
The team is looking forward to much more in 2025, including the OSV Schema's and OSV.dev's fourth birthday in February and OSV-Scanner's second birthday in December.
With a growing list of OSV-supported databases, our main priorities for 2025 continue to be centered around improving data quality and providing accurate and actionable vulnerability scanning results that lead to easy remediation.
Stay tuned for more details on a few exciting things that we’ll be working on throughout 2025! These are focused around:
- A comprehensive library for vulnerability management that will expose OSV-Scanner CLI functionality (OSV-SCALIBR)
- Better, layer-focused container scanning support, including base layer identification
- Guided Remediation for Maven
- Improvements to reachability analysis and VEX autogeneration
- And much more!