OSV is an open format for describing software vulnerabilities. It provides security researchers, vendors, and consumers with an easy-to-understand format for exchanging vulnerability information. OSV.dev is a database that hosts and aggregates OSV data. There are several advantages to using OSV and OSV.dev. First, it enables easy sharing and understanding of open source vulnerability information. Second, it facilitates the creation of vulnerability databases and tools. Third, it promotes collaboration among security researchers, vendors, and the open source community.
Within the open source community, Red Hat has consistently prioritized transparency in its vulnerability disclosure policy. “Recognizing that our users employ software from various upstream and downstream vendors, we prioritize flexibility in consuming security advisories related to their software,” said Jason Shepherd, Principal Software Engineer, Red Hat. To facilitate this, Red Hat strongly advocates utilizing Red Hat Security Data to scan Red Hat software for vulnerabilities. Consequently, Red Hat has collaborated with Google’s OSV.dev and the OpenSSF Vulnerability Disclosures working group to ensure that past, present, and future Red Hat security advisories are also published in the OSV format and available via OSV.dev.
By working with OSV.dev and the OpenSSF, Red Hat expanded its current disclosure formats — the Red Hat CVE database, CSAF security advisories, and Per-CVE CSAF VEX — to also include OSV. Additionally, Red Hat plans to work closely with Google’s OSV-Scanner team to include support for Red Hat containers and containers built from them. This approach mirrors how various security scanners participate in the Red Hat Vulnerability Scanners Certification program and utilize Red Hat security data.
In the spirit of transparency and open source principles, the code used to create OSV data records is available in the OSV schema code repository. The generated OSV data can be retrieved directly from OSV.dev or through the OSV REST API. Additionally, it is accessible alongside the existing CSAF-VEX and Per-CVE VEX data on the Red Hat Product Security Data site. Currently, OSV records primarily consist of RPM content, but future releases aim to encompass all content types. For more detailed information about the conversion process, please refer to the README documentation in the source code.
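Because the Red Hat records are RPM content, consuming them means evaluating the record's `affected[].ranges` against installed RPM epoch:version-release strings. The following is an added example written for this page, not code from Red Hat, OSV.dev or the OSV schema repository: it parses a constructed OSV record (the id `RHSA-0000:0000-EXAMPLE`, the ecosystem string `Red Hat:rhel_example:9`, the package names and every version in it are placeholders, not real advisory data), reimplements a simplified `rpmvercmp`-style comparison, and reports which packages in a constructed inventory fall inside an `[introduced, fixed)` interval. That the Red Hat records use `ECOSYSTEM` ranges keyed by RPM name with EVR-formatted events is an assumption made here; a real record would be fetched from OSV.dev (for example via the REST API's `/v1/vulns/<id>` endpoint) rather than embedded.

```python
"""Match installed RPM EVRs against the affected ranges of an OSV record."""
import json
import re

# Constructed sample record in OSV schema shape. Id, ecosystem, names and
# versions are placeholders; none of this is real Red Hat advisory data.
SAMPLE_OSV_RECORD = json.loads("""
{
  "id": "RHSA-0000:0000-EXAMPLE",
  "summary": "constructed example: important libexample update",
  "affected": [
    {"package": {"ecosystem": "Red Hat:rhel_example:9", "name": "libexample"},
     "ranges": [{"type": "ECOSYSTEM",
                 "events": [{"introduced": "0"}, {"fixed": "0:1.4.2-3.el9"}]}]},
    {"package": {"ecosystem": "Red Hat:rhel_example:9", "name": "libexample-devel"},
     "ranges": [{"type": "ECOSYSTEM",
                 "events": [{"introduced": "0"}, {"fixed": "0:1.4.2-3.el9"}]}]}
  ]
}
""")

_TOKEN = re.compile(r"~|\d+|[A-Za-z]+")


def rpmvercmp(a: str, b: str) -> int:
    """Simplified rpmvercmp (assumption: enough for typical RHEL versions): digit
    runs compare numerically, alpha runs lexically, separators are ignored and
    '~' sorts before anything (pre-release). Returns -1, 0 or 1."""
    if a == b:
        return 0
    ta, tb = _TOKEN.findall(a), _TOKEN.findall(b)
    for x, y in zip(ta, tb):
        if x == "~" or y == "~":
            if x != y:
                return 1 if y == "~" else -1
            continue
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # numeric segment is newer than alpha
        elif x != y:
            return 1 if x > y else -1
    if len(ta) != len(tb):
        # Leftover tokens: a trailing '~' makes the longer string older, else newer.
        longer, cut = (ta, len(tb)) if len(ta) > len(tb) else (tb, len(ta))
        sign = 1 if longer is ta else -1
        return -sign if longer[cut] == "~" else sign
    return 0


def parse_evr(evr: str):
    """Split 'epoch:version-release'; epoch defaults to '0', release to ''."""
    epoch, sep, rest = evr.partition(":")
    if not sep:
        epoch, rest = "0", evr
    version, _, release = rest.partition("-")
    return epoch, version, release


def compare_evr(a: str, b: str) -> int:
    """Compare two EVR strings: epoch first, then version, then release."""
    for x, y in zip(parse_evr(a), parse_evr(b)):
        c = rpmvercmp(x, y)
        if c:
            return c
    return 0


def _at_least(evr: str, introduced: str) -> bool:
    """OSV convention: 'introduced': '0' puts every version in scope."""
    return introduced == "0" or compare_evr(evr, introduced) >= 0


def check_entry(installed_evr: str, entry: dict):
    """Return (affected, fixed_evr) for one 'affected' entry, walking the events
    into [introduced, fixed) and [introduced, last_affected] intervals."""
    for rng in entry.get("ranges", []):
        if rng.get("type") != "ECOSYSTEM":
            continue  # GIT/SEMVER ranges need a different comparator
        introduced = None
        for event in rng.get("events", []):
            if "introduced" in event:
                introduced = event["introduced"]
            elif "fixed" in event and introduced is not None:
                if _at_least(installed_evr, introduced) and \
                        compare_evr(installed_evr, event["fixed"]) < 0:
                    return True, event["fixed"]
                introduced = None
            elif "last_affected" in event and introduced is not None:
                if _at_least(installed_evr, introduced) and \
                        compare_evr(installed_evr, event["last_affected"]) <= 0:
                    return True, None
                introduced = None
        if introduced is not None and _at_least(installed_evr, introduced):
            return True, None  # open-ended interval: no fix published yet
    if installed_evr in entry.get("versions", []):
        return True, None  # explicit version list, also allowed by the schema
    return False, None


def affected_installed(record: dict, installed: dict) -> list:
    """installed maps RPM name -> EVR. Returns (name, installed_evr, fixed_evr)
    for every package the record marks as affected at that version."""
    findings = []
    for entry in record.get("affected", []):
        name = entry.get("package", {}).get("name")
        if name in installed:
            affected, fixed = check_entry(installed[name], entry)
            if affected:
                findings.append((name, installed[name], fixed))
    return findings


if __name__ == "__main__":
    # Constructed inventory: one vulnerable, one already at the fixed build,
    # one package the record does not mention at all.
    inventory = {"libexample": "0:1.4.2-1.el9",
                 "libexample-devel": "0:1.4.2-3.el9",
                 "bash": "0:5.1.8-6.el9"}
    for name, have, fix in affected_installed(SAMPLE_OSV_RECORD, inventory):
        print(f"{SAMPLE_OSV_RECORD['id']}: {name} {have} affected, fixed in {fix}")
```

The comparison deliberately mirrors the epoch-then-version-then-release order that RPM itself uses, because a version string compared as plain text (or as semver) would misjudge cases such as `1.10` versus `1.9` or an epoch bump; a production scanner should call the real `rpm` comparison routine rather than this simplified port.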
Enhance your understanding of Red Hat security vulnerabilities and their potential impact on your organization by utilizing OSV formatted data via OSV.dev and related tooling today.
About the authors
Jason Shepherd, Principal Software Engineer, Red Hat: Jason has 20 years’ experience as a software engineer, having spent half of his career at Red Hat. He’s passionate about software security and enjoys collaborating with other enthusiastic engineers.
Charl de Nysschen, Senior Product Manager, Google: With more than two decades of experience gained across three continents, Charl has cultivated a versatile professional background. His resume includes successful startups such as Shape Security and renowned companies like Meta and Google. His breadth of knowledge positions him exceptionally well to address the numerous challenges encountered by modern day organizations.
Andrew Pollock, Senior Software Engineer, Google: Andrew Pollock is a Senior Software Engineer at Google, currently working on https://osv.dev. His focus is on the comprehensiveness and quality of the data available in the OSV format.