Packages - Vulnerabilities - Osv - List

affected

array of objects | null

required

array of objects

object

database_specific

| null

optional

a JSON object holding additional information about the vulnerability as defined by the database from which the record was obtained. The meaning of the values within the object is entirely defined by the database. In general, the canonical database for a particular ecosystem should record its information in ecosystem_specific, allowing other aggregator databases to put their own summaries in database_specific. For example, databases that add additional information such as computed CVSS scores for ecosystems that do not provide them could add that information here. Note that this is a single field with key “database_specific”, which itself contains a JSON object with unspecified fields.

ecosystem_specific

| null

optional

A JSON object holding additional information about the vulnerability as defined by the ecosystem for which the record applies. The meaning of the values within the object is entirely defined by the ecosystem. For example, the Go ecosystem includes here information about the affected functions and which modules the packages were found in, along with severity in the Go project-specific severity scale. Note that this is a single field with key “ecosystem_specific”, which itself contains a JSON object with unspecified fields.

package

| null

required

Must match all schemas

ranges

| null

optional

The affected object’s ranges field is a JSON array of objects describing the affected ranges of versions. In the range object, the type property is required. It specifies the type of version range being recorded and defines the interpretation of the events object’s introduced, fixed, and any type-specific fields. The ranges object’s events field is a JSON array of objects. Each object describes a single version that either introduces a vulnerability, fixes a vulnerability, describes the last known affected version, or sets an upper limit on the range being described.

severity

array of objects | null

required

array of objects

object

type

required

Must match all schemas

The type of severity being described. The type indicates how the associated score should be interpreted. * `Ubuntu` - An "Ubuntu" severity type indicates that the associated score is a lowercased string representing the Ubuntu priority. If a severity has this type, the associated "score" will be one of "negligible", "low", "medium", "high", or "critical". See https://ubuntu.com/security/cves/about#priority for more information. * `CVSS_V2` - A "CVSS_V2" severity type indicates that the associated score is a CVSS vector string using a version of the Common Vulnerability Scoring System notation that is == 2.0 (e.g."AV:L/AC:M/Au:N/C:N/I:P/A:C"). * `CVSS_V3` - A "CVSS_V3" severity type indicates that the associated score is a CVSS vector string using a version of the Common Vulnerability Scoring System notation that is >= 3.0 and < 4.0 (e.g."CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N"). * `CVSS_V4` - A "CVSS_V4" severity type indicates that the associated score is a CVSS vector string using a version of the Common Vulnerability Scoring System notation that is >= 4.0 and < 5.0 (e.g. "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N").

score

string

required

numerical_score

double | null

required

cvss_components

object | null

required

versions

array of strings | null

optional

aliases

array of strings | null

optional

A list of IDs of the same vulnerability in other databases. This allows one database to claim that its own entry describes the same vulnerability as one or more entries in other databases. Note that the vulnerability IDs referenced here may or may not exist in the overall data set. Aliases should be considered symmetric (if A is an alias of B, then B is an alias of A) and transitive (If A aliases B and B aliases C, then A aliases C).

string

credits

| null

optional

A JSON array providing a way to give credit for the discovery, confirmation, patch, or other events in the life cycle of a vulnerability. Each of the objects in the credits array must contain at minimum a name field specifying the name of the individual or entity being credited, using whatever notation they prefer. It can also optionally include a contact JSON array.

database_specific

| null

optional

Additional information about the vulnerability as defined by the database from which the record was obtained. This is a JSON object with unspecified fields, and the meaning of the values within the object is entirely defined by the database.

details

string | null

optional

Additional English textual details about the vulnerability. This field contains CommonMark markdown (a subset of GitHub-Flavored Markdown).

id

string

required

modified

date-time

required

The time the osv.dev vulnerability entry was last modified.

published

date-time | null

optional

The time the entry should be considered to have been published

references

| null

optional

a list of JSON objects describing references. Each object has a string field type specifying the type of reference, and a string field url. The url is the fully-qualified URL (including the scheme, typically “https://”) linking to additional information, advisories, issue tracker entries, and so on about the vulnerability itself. The type specifies what kind of reference the URL is.

optional

A list of closely related vulnerabilities, such as a similar but completely different vulnerability or cases that do not satisfy the strict definition of aliases or upstream. Related vulnerabilities are symmetric but not transitive.

string

schema_version

string | null

optional

length ≤ 128

The version of the OSV schema a particular vulnerability was exported with. The value should be a string matching the OSV Schema version, which follows the SemVer 2.0.0 format, with no leading “v” prefix. If no value is specified, it should be assumed to be 1.0.0, matching version 1.0 of the OSV Schema.

severity

array of objects | null

required

array of objects

object

type

required

Must match all schemas

The type of severity being described. The type indicates how the associated score should be interpreted. * `Ubuntu` - An "Ubuntu" severity type indicates that the associated score is a lowercased string representing the Ubuntu priority. If a severity has this type, the associated "score" will be one of "negligible", "low", "medium", "high", or "critical". See https://ubuntu.com/security/cves/about#priority for more information. * `CVSS_V2` - A "CVSS_V2" severity type indicates that the associated score is a CVSS vector string using a version of the Common Vulnerability Scoring System notation that is == 2.0 (e.g."AV:L/AC:M/Au:N/C:N/I:P/A:C"). * `CVSS_V3` - A "CVSS_V3" severity type indicates that the associated score is a CVSS vector string using a version of the Common Vulnerability Scoring System notation that is >= 3.0 and < 4.0 (e.g."CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N"). * `CVSS_V4` - A "CVSS_V4" severity type indicates that the associated score is a CVSS vector string using a version of the Common Vulnerability Scoring System notation that is >= 4.0 and < 5.0 (e.g. "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N").

score

string

required

numerical_score

double | null

required

cvss_components

object | null

required

summary

string | null

optional

A one-line, English textual summary of the vulnerability. It is recommended that this field be kept short, on the order of no more than 120 characters.

upstream

array of strings | null

optional

A list of IDs of upstream vulnerabilities that are referred to by the vulnerability entry. For example, a downstream package ecosystem (such as a Linux distribution) may issue its own advisories that include (possibly multiple) upstream vulnerabilities. Upstream should be considered transitive but not symmetric.

string

Osv

Packages Vulnerabilities Osv List

Request

Response

Osv

Packages Vulnerabilities Osv List

Request

Response