OSV.dev Vulnerabilities Scraper

Pricing

from $3.00 / 1,000 results

Scrape OSV.dev, Google's open vulnerability database covering NPM, PyPI, Go, Maven, NuGet, Cargo, RubyGems, GitHub Actions, OS distros, and more. Look up vulnerabilities by package, fetch a specific OSV/GHSA/CVE record, or batch-query an entire dependency tree.


Rating: 5.0 (13)

Developer: Crawler Bros (Maintained by Community)

Actor stats: 13 bookmarked, 2 total users, 1 monthly active user, last modified a day ago


Scrape Google's OSV.dev — the open vulnerability database covering NPM, PyPI, Go, Maven, NuGet, Cargo, RubyGems, GitHub Actions, OS distros, and 20+ other ecosystems. Look up vulnerabilities by package, fetch a specific OSV/GHSA/CVE record. HTTP-only via the public api.osv.dev/v1 API. No auth, no proxy.

What this actor does

  • Two modes: queryPackages (search by package list) and byVulnIds (lookup by ID)
  • Universal IDs: OSV (OSV-...), GHSA (GHSA-...), CVE (CVE-...), PYSEC, RUSTSEC, etc.
  • Filters: min CVSS severity (LOW / MEDIUM / HIGH / CRITICAL), published-after date, ecosystem
  • Severity normalization: parses CVSS scores from multiple OSV variants, classifies into LOW/MEDIUM/HIGH/CRITICAL buckets

Output per vulnerability

  • id, aliases[], related[]
  • summary, details
  • publishedAt, modifiedAt, withdrawnAt
  • severityScore (0–10 CVSS), severityBucket (LOW/MEDIUM/HIGH/CRITICAL)
  • affected[] — [{name, ecosystem, purl, ranges, versions}, ...]
  • ecosystems[] — flat list across all affected packages
  • references[] — advisory / fix / web URLs (capped at 25)
  • osvUrl — canonical link
  • recordType: "vulnerability", scrapedAt

Input

Field           Type    Default        Description
mode            string  queryPackages  queryPackages / byVulnIds
packages        array                  ecosystem:name[@version] strings (e.g. PyPI:requests, npm:lodash@4.17.20)
vulnIds         array                  OSV / GHSA / CVE / PYSEC IDs
minSeverity     string  any            any / LOW / MEDIUM / HIGH / CRITICAL
publishedAfter  string                 YYYY-MM-DD
ecosystemAnyOf  array   []             Filter to specific ecosystems
maxItems        int     50             Hard cap (1–5000)
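The packages field above takes ecosystem:name[@version] strings, and the actor forwards them to OSV's public API. The following is an added example, not the actor's own code, of how such strings map onto the request body of OSV's batch endpoint (POST https://api.osv.dev/v1/querybatch); the function names and the sample inputs are my own, and the regular expression is my assumption about the documented format (it also accepts scoped npm names such as npm:@scope/pkg and Maven's group:artifact names).

```python
# Added example (not the actor's code): turn "ecosystem:name[@version]" strings
# into the body that OSV's POST /v1/querybatch endpoint expects.
import json
import re
import urllib.request

# ecosystem up to the first ':', name up to the version '@' (a leading '@' is
# allowed so scoped npm names work), optional '@version' at the end.
SPEC_RE = re.compile(r"^(?P<ecosystem>[^:@]+):(?P<name>@?[^@]+)(?:@(?P<version>.+))?$")


def parse_package_spec(spec):
    """Parse 'PyPI:requests' or 'npm:lodash@4.17.20' into its parts.

    Returns {'ecosystem', 'name', 'version'} (version is None when omitted);
    raises ValueError for anything outside the documented form.
    """
    m = SPEC_RE.match(spec.strip())
    if not m:
        raise ValueError(f"bad package spec: {spec!r}")
    return {"ecosystem": m.group("ecosystem"),
            "name": m.group("name"),
            "version": m.group("version")}


def osv_query(spec):
    """One entry for the 'queries' array of /v1/querybatch.

    OSV filters by version only when 'version' is present; without it the
    endpoint returns every advisory that has ever affected the package.
    """
    parts = parse_package_spec(spec)
    query = {"package": {"name": parts["name"], "ecosystem": parts["ecosystem"]}}
    if parts["version"]:
        query["version"] = parts["version"]
    return query


def build_querybatch(specs):
    """Assemble the full request body for a list of package specs."""
    return {"queries": [osv_query(s) for s in specs]}


def fetch_querybatch(specs, url="https://api.osv.dev/v1/querybatch"):
    """POST the batch to OSV (no auth needed) and return the parsed response.

    Network call. The response holds a 'results' array in query order; each
    result carries a 'vulns' list of {'id', 'modified'} stubs that can then be
    expanded with GET /v1/vulns/{id}.
    """
    body = json.dumps(build_querybatch(specs)).encode()
    req = urllib.request.Request(url, data=body,
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Constructed input mirroring the README's NPM example.
    print(json.dumps(build_querybatch(["npm:lodash@4.17.15", "PyPI:django"]), indent=2))
```

Only build_querybatch is needed to see the request shape; fetch_querybatch performs the actual network call, which the actor's HTTP-only mode does for you.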

Example: audit a Python project's deps

{
  "mode": "queryPackages",
  "packages": [
    "PyPI:requests",
    "PyPI:django",
    "PyPI:flask",
    "PyPI:numpy"
  ],
  "minSeverity": "HIGH"
}

Example: NPM packages with version

{
  "mode": "queryPackages",
  "packages": [
    "npm:lodash@4.17.15",
    "npm:axios@0.21.0",
    "npm:express@4.16.0"
  ]
}

Example: lookup a specific advisory

{
  "mode": "byVulnIds",
  "vulnIds": ["GHSA-652x-xj99-gmcc", "CVE-2024-12345"]
}

Example: recent critical vulns across Python ecosystem

{
  "mode": "queryPackages",
  "packages": [
    "PyPI:requests", "PyPI:urllib3", "PyPI:django", "PyPI:flask",
    "PyPI:fastapi", "PyPI:pillow", "PyPI:cryptography", "PyPI:numpy"
  ],
  "minSeverity": "CRITICAL",
  "publishedAfter": "2024-01-01"
}

Use cases

  • Security audits — bulk-check a dependency tree for known CVEs
  • CI/CD gates — block builds when severityBucket >= HIGH is detected
  • Vendor assessment — audit third-party libraries before adoption
  • Patch planning — surface fix versions per advisory
  • Compliance — maintain an SBOM-grade vulnerability register
  • Research — bulk-export vulnerabilities by ecosystem / time period

Supported ecosystems

OSV covers: npm, PyPI, Go, Maven, NuGet, RubyGems, crates.io (Rust), Packagist (PHP/Composer), Pub (Dart/Flutter), Hex (Elixir), SwiftURL, GitHub Actions, plus OS-level (Debian, Ubuntu, Alpine, RockyLinux, Photon, OSS-Fuzz, Linux, Android).

FAQ

What's OSV? Google's open vulnerability database. It aggregates GitHub Security Advisories, RustSec, PYSEC and other OSV-Schema-conformant feeds from upstream sources. See osv.dev.

Is the API really free? Yes. No auth, no signup. Reasonable rate limit (~25 QPS for most use cases).

What's the difference between OSV and CVE? CVE is the international identifier (MITRE). OSV is the database that lifts CVEs + ecosystem-specific advisories (GHSA, RustSec, PYSEC) into a unified machine-readable schema. Each OSV entry usually has CVE / GHSA aliases.

Why are some severity scores missing? Older advisories (especially auto-imported from MITRE) sometimes lack CVSS scores. The actor falls back to database_specific.cvss.score and then to GHSA's severity string when available.

What's a purl? Package URL — a compact spec for naming a package across ecosystems (e.g. pkg:pypi/requests@2.31.0). Useful when feeding our output to other security tools.

How does the affected filter work? We extract the introduced and fixed versions from each range. For version-aware checking against the specific version you depend on, supply ecosystem:name@version in packages; OSV's API then returns only advisories that affect that version.
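The two FAQ answers above describe the affected[] data this actor passes through: version ranges made of introduced/fixed events, and a purl for each package. The following is an added example, not the actor's own code, of walking an OSV record's affected[] entries to recover the (introduced, fixed) windows and the fix versions a patch plan needs, and of deriving a Package URL when the record does not already carry one. The helper names and the sample record are constructed by me; the ecosystem-to-purl-type table and the pypi/npm/maven name rules follow the purl specification but cover only the ecosystems listed, everything else yields None.

```python
# Added example (not the actor's code): (introduced, fixed) windows and fix
# versions from OSV affected[] ranges, plus purl derivation per package.

# OSV ecosystem -> purl type, for ecosystems the purl spec names directly.
PURL_TYPES = {"npm": "npm", "PyPI": "pypi", "Go": "golang", "Maven": "maven",
              "NuGet": "nuget", "crates.io": "cargo", "RubyGems": "gem",
              "Packagist": "composer", "Hex": "hex", "Pub": "pub"}


def package_purl(pkg):
    """Use the purl OSV already supplies, else derive one from ecosystem + name."""
    if pkg.get("purl"):
        return pkg["purl"]
    ptype = PURL_TYPES.get(pkg.get("ecosystem"))
    if ptype is None:
        return None
    name = pkg["name"]
    if ptype == "pypi":
        name = name.lower().replace("_", "-")   # purl: pypi names are case-insensitive, '_' == '-'
    elif ptype == "npm":
        name = name.replace("@", "%40", 1)      # purl: the scope marker is percent-encoded
    elif ptype == "maven":
        name = name.replace(":", "/", 1)        # OSV stores Maven names as group:artifact
    return f"pkg:{ptype}/{name}"


def version_windows(affected):
    """(introduced, fixed, last_affected) triples from each range of one
    affected[] entry. Events arrive in order; introduced '0' means 'from the
    first release'; a window with neither fixed nor last_affected is still open.
    GIT ranges hold commit hashes rather than versions and are skipped."""
    windows = []
    for rng in affected.get("ranges", []):
        if rng.get("type") == "GIT":
            continue
        introduced = None
        for ev in rng.get("events", []):
            if "introduced" in ev:
                introduced = ev["introduced"]
            elif "fixed" in ev:
                windows.append((introduced, ev["fixed"], None))
                introduced = None
            elif "last_affected" in ev:
                windows.append((introduced, None, ev["last_affected"]))
                introduced = None
        if introduced is not None:
            windows.append((introduced, None, None))
    return windows


def fix_versions(vuln):
    """Per affected package: purl, fix versions in order of appearance, and the
    number of windows that have no fix at all (still-open exposure)."""
    rows = []
    for aff in vuln.get("affected", []):
        pkg = aff.get("package", {})
        windows = version_windows(aff)
        fixed = []
        for _, fix, _ in windows:
            if fix and fix not in fixed:
                fixed.append(fix)
        rows.append({"ecosystem": pkg.get("ecosystem"), "name": pkg.get("name"),
                     "purl": package_purl(pkg), "fixed": fixed,
                     "open_windows": sum(1 for _, f, la in windows if f is None and la is None)})
    return rows


# Constructed record shaped like an OSV entry; not a real advisory.
SAMPLE_VULN = {
    "affected": [
        {"package": {"ecosystem": "PyPI", "name": "Example_Pkg"},
         "ranges": [{"type": "ECOSYSTEM",
                     "events": [{"introduced": "0"}, {"fixed": "1.4.2"},
                                {"introduced": "2.0.0"}, {"fixed": "2.0.5"}]}]},
        {"package": {"ecosystem": "npm", "name": "@scope/example"},
         "ranges": [{"type": "SEMVER", "events": [{"introduced": "3.0.0"}]}]},
    ],
}

if __name__ == "__main__":
    for row in fix_versions(SAMPLE_VULN):
        print(row)
```

Fix versions are kept as strings in the order OSV lists them; comparing them to the version you run requires an ecosystem-aware comparator, which is exactly why the FAQ recommends passing ecosystem:name@version and letting OSV do the range check server-side.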

How fresh is the data? Daily — OSV re-aggregates from upstream feeds nightly. Critical advisories typically appear within 24h of their primary publication.

Should I run this regularly? Yes — schedule a daily run on your dependency list, gate builds on the dataset content. Pairs naturally with our NPM Registry and PyPI scrapers for SBOM-style auditing.