📦 OSV Vulnerabilities Scraper

🚀 Export open source vulnerability data in seconds. Pull advisories from the OSV.dev catalogue covering 30+ ecosystems including PyPI, npm, Go, Maven, RubyGems, crates.io, NuGet, Packagist, and major Linux distributions. No sign-up, no token, no manual pagination.

🕒 Last updated: 2026-05-15 · 📊 16 fields per record · 📦 200,000+ advisories · 🌐 30+ ecosystems · 🔗 Cross-database aliases

The OSV Vulnerabilities Scraper pulls open source vulnerability records from the OSV.dev community catalogue and returns 16 normalised fields per record, including affected package ranges, severity scores, cross-database aliases (GHSA, CVE, PYSEC, RUSTSEC, GO, OSV-xxxx), patched version events, references, and credits. The underlying catalogue is the de facto open source vulnerability database, aggregating data from GitHub, PyPA, RustSec, Go vulnerability database, OSS-Fuzz, and dozens of distro security teams.

The catalogue covers 30+ package ecosystems from language registries (PyPI, npm, Go, Maven, RubyGems, crates.io, NuGet, Packagist, Hex, Pub, Hackage) to operating system distributions (Debian, Ubuntu, Alpine, Rocky, AlmaLinux, SUSE, openSUSE, Wolfi, Chainguard) plus Bioconductor and CRAN for R. This Actor makes that data downloadable as CSV, Excel, JSON, or XML in minutes. Filters apply at the source, so you skip pagination, deduplication, and ecosystem-specific quirks entirely.

🎯 Target Audience	💡 Primary Use Cases
DevSecOps teams, SBOM tool builders, open source maintainers, package registry operators, supply-chain security vendors, container security teams	Dependency scanning, SBOM enrichment, package risk reports, ecosystem trend analysis, cross-database aliasing, container vulnerability triage

---

📋 What the OSV Vulnerabilities Scraper does

Three workflows in a single Actor:

• 📦 Package query. Look up every advisory affecting a package, optionally pinned to a version (e.g. requests on PyPI, lodash on npm, log4j-core on Maven).
• 🔍 Commit query. Search by Git commit SHA to surface vulnerabilities introduced in a specific revision.
• 🆔 Vulnerability ID lookup. Fetch a single record or a batch of records by their identifier (GHSA-xxxx, CVE-xxxx, PYSEC-xxxx, RUSTSEC-xxxx, GO-xxxx, OSV-xxxx).

Each record includes the OSV ID, summary and full details, all known cross-database aliases, affected package list with version ranges and PURLs, severity entries with CVSS vectors, references, and credits.

💡 Why it matters: SBOMs are only useful when paired with a fresh vulnerability feed. Building your own ingestion means handling 30+ ecosystem schemas, alias deduplication, version-range parsing, and the OSV pagination model. This Actor skips all of that and gives you a clean, downloadable dataset.

---

🎬 Full Demo

🚧 Coming soon: a 3-minute walkthrough showing how to go from sign-up to a downloaded vulnerability dataset.

---

⚙️ Input

Input	Type	Default	Behavior
mode	enum	"query"	query searches by package or commit, byId fetches by vulnerability ID.
packageName	string	""	Package to look up (e.g. requests, lodash).
ecosystem	enum	""	One of 30 ecosystems. Empty for cross-ecosystem search.
packageVersion	string	""	Pin to a version. Without a package, returns vulnerabilities affecting that version across packages.
commit	string	""	Git commit SHA to search by.
vulnerabilityId	string	""	Single vulnerability ID for mode=byId.
vulnerabilityIds	string[]	[]	Batch list of IDs (recommended max ~100 per run).
maxItems	integer	10	Records to return. Free plan caps at 10, paid plan at 1,000,000.

Example: every advisory affecting npm lodash.

{
    "mode": "query",
    "packageName": "lodash",
    "ecosystem": "npm",
    "maxItems": 100
}

Example: batch lookup of the Log4Shell aliases.

{
    "mode": "byId",
    "vulnerabilityIds": ["GHSA-jfh8-c2jp-5v3q", "CVE-2021-44228", "GHSA-7rjr-3q55-vv33"]
}

⚠️ Good to Know: OSV records use cross-database aliases, so the same vulnerability can appear under several IDs (e.g. GHSA-jfh8-c2jp-5v3q aliases CVE-2021-44228). When you batch-fetch related IDs, expect duplicate records pointing to the same root advisory.

---

📊 Output

Each record contains 16 fields. Download the dataset as CSV, Excel, JSON, or XML.

🧾 Schema

Field	Type	Example
🆔 id	string	"GHSA-jfh8-c2jp-5v3q"
🔗 url	string	"https://osv.dev/vulnerability/GHSA-jfh8-c2jp-5v3q"
📝 summary	string | null	"Remote code injection in Log4j"
📄 details	string | null	"Apache Log4j2 versions 2.0-beta9 through 2.15.0..."
🔗 aliases	string[]	["CVE-2021-44228"]
🔗 related	string[]	["CVE-2021-45046"]
🕒 modified	ISO 8601 | null	"2025-01-14T08:36:01Z"
📅 published	ISO 8601 | null	"2021-12-10T00:00:35Z"
🚫 withdrawn	ISO 8601 | null	null
🧱 schema_version	string | null	"1.4.0"
📦 affected	object[]	[{ "package": { "ecosystem": "Maven", "name": "org.apache.logging.log4j:log4j-core" }, "ranges": [...] }]
🪪 purls	string[]	["pkg:maven/org.apache.logging.log4j/log4j-core"]
📚 references	object[]	[{ "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44228" }]
🎯 severity	object[]	[{ "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H" }]
🎯 maxSeverityScore	number | null	null
🙌 credits	object[] | null	[{ "name": "Chen Zhaojun" }]
🕒 scrapedAt	ISO 8601	"2026-05-15T00:00:00.000Z"

📦 Sample record

---

✨ Why choose this Actor

	Capability
📦	30+ ecosystems. PyPI, npm, Go, Maven, RubyGems, crates.io, NuGet, Packagist, Hex, Pub, Hackage, GitHub Actions, plus Linux distros and R registries.
🔗	Cross-database aliases. GHSA, CVE, PYSEC, RUSTSEC, GO, OSV-xxxx all surfaced in one record.
🪪	PURL identifiers. Each affected package is tagged with a Package URL ready to join with SBOM tools.
📐	Structured version ranges. ECOSYSTEM, SEMVER, and GIT range types with introduced / fixed events.
🎯	Severity vectors. CVSS v2 / v3 / v4 strings preserved verbatim from the source.
🔁	Always fresh. Every run hits the live OSV catalogue, so the dataset reflects current entries.
🚫	No sign-up. Works with public open source security data. No login or token needed.

📊 OSV is the de facto open source vulnerability database. Owning a clean local copy is a multiplier for SBOM tooling, dependency scanners, and supply-chain risk dashboards.

---

📈 How it compares to alternatives

Approach	Cost	Coverage	Refresh	Ecosystems	Setup
⭐ OSV Vulnerabilities Scraper (this Actor)	$5 free credit, then pay-per-use	200,000+ records	Live per run	30+	⚡ 2 min
Commercial SCA platforms	$20,000+/year	Curated subset	Streaming	5-15	⏳ Days
Single-ecosystem feeds	Free	Subset	Variable	1	🛠️ Hours
Self-built ingestion	Engineering time	Full	Custom	Custom	🐢 Weeks

Pick this Actor when you want broad ecosystem coverage with cross-database aliases and no parser maintenance.

---

🚀 How to use

1. 📝 Sign up. Create a free account with $5 credit (takes 2 minutes).
2. 🌐 Open the Actor. Go to the OSV Vulnerabilities Scraper page on the Apify Store.
3. 🎯 Set input. Pick a mode, enter a package + ecosystem, a commit SHA, or a vulnerability ID, then set maxItems.
4. 🚀 Run it. Click Start and let the Actor collect your data.
5. 📥 Download. Grab your results in the Dataset tab as CSV, Excel, JSON, or XML.

⏱️ Total time from signup to downloaded dataset: 3-5 minutes. No coding required.

---

💼 Business use cases

🛠️ DevSecOps & SBOM Daily SBOM enrichment with vulnerability metadata CI gate that fails builds when dependencies have known fixes PURL-based joins between asset inventory and OSV records Alert when patched versions land for tracked dependencies	📦 Package Registry Operators Surface advisories on package detail pages Notify maintainers when their package gets a new advisory Build ecosystem-wide vulnerability trend dashboards Cross-link aliases across CVE / GHSA / OSV identifiers
🐳 Container & Image Security Scan distro layers (Debian, Ubuntu, Alpine, Wolfi) against OSV Build image-risk reports filtered by base OS Track Wolfi and Chainguard advisories for hardened images Continuous monitoring of running container fleets	🔍 Supply-Chain Risk Analysis Vendor due-diligence reports based on dependency graphs Open-source risk scoring for procurement teams M&A technical due diligence on target codebases Insurance underwriting models for cyber risk

---

🔌 Automating OSV Vulnerabilities Scraper

Control the scraper programmatically for scheduled runs and pipeline integrations:

• 🟢 Node.js. Install the apify-client NPM package.
• 🐍 Python. Use the apify-client PyPI package.
• 📚 See the Apify documentation for full details.

The Apify Schedules feature lets you trigger this Actor on any cron interval. Hourly, daily, or weekly refreshes keep your downstream SBOM tooling and dependency scanners in sync automatically.

---

🌟 Beyond business use cases

Data like this powers more than commercial workflows. The same structured records support research, education, civic projects, and personal initiatives.

🎓 Research and academia Open source ecosystem vulnerability studies Cross-ecosystem co-occurrence and aliasing research Coursework on supply-chain security and SBOM tooling Reproducible studies with cited, versioned dataset pulls	🎨 Personal and creative Hobbyist dependency dashboards for your own projects Newsletter research on the latest open source advisories Portfolio projects that show off security data engineering Personal alerting bots for libraries you maintain
🤝 Non-profit and civic Open-source maintainers monitoring their package risk Civic-tech projects mapping vulnerability exposure Educational outreach for open-source security literacy Community advocacy around responsible disclosure	🧪 Experimentation Train ML models on advisory text and severity Prototype agent pipelines that summarise advisories Test SBOM diff tooling against historical waves Build dashboards on top of live ecosystem feeds

---

🤖 Ask an AI assistant about this scraper

Open a ready-to-send prompt about this ParseForge actor in the AI of your choice:

• 💬 ChatGPT
• 🧠 Claude
• 🔍 Perplexity
• 🅒 Copilot

---

❓ Frequently Asked Questions

🧩 How does it work?

Configure your filters in the input form, click Start, and the Actor pulls matching records from the official OSV catalogue, normalises the schema, and emits one clean record per advisory.

📏 How accurate is the data?

Records are mirror-copies of the OSV catalogue at run time. Affected ranges, severity entries, references, and credits are taken verbatim from the source.

🔁 How often is the dataset refreshed?

OSV updates continuously as upstream feeds (GitHub, PyPA, RustSec, Go vulnerability database, distro security teams) publish new entries. Every run reflects the catalogue as of run time.

🌐 Which ecosystems are supported?

PyPI, npm, Go, Maven, RubyGems, crates.io, NuGet, Packagist, Hex, Pub, Hackage, GitHub Actions, Linux kernel, plus Debian, Ubuntu, Alpine, Rocky Linux, AlmaLinux, SUSE, openSUSE, Android, ConanCenter, Bitnami, Photon OS, Mageia, Wolfi, Chainguard, Bioconductor and CRAN. Leave the field empty for cross-ecosystem search.

🔗 Why are the same vulnerabilities listed under multiple IDs?

OSV uses cross-database aliasing. The same root advisory may surface as a GHSA on GitHub, a CVE in NVD, a PYSEC in PyPA, and an OSV-xxxx in the OSV namespace. The aliases field links them together.

🪪 What is a PURL?

PURL (Package URL) is the standard for naming a package across ecosystems, e.g. pkg:npm/lodash or pkg:maven/org.apache.logging.log4j/log4j-core. PURLs are the canonical join key against most SBOM formats.

🎯 Why is maxSeverityScore sometimes null?

The Actor parses numeric severity scores when the source supplies them as raw numbers. CVSS vector strings (e.g. CVSS:3.1/AV:N/...) are preserved in the severity array but their base score is not re-derived. Use the vector string with a CVSS calculator if you need the exact number.

⏰ Can I schedule regular runs?

Yes. Use Apify Schedules to run this Actor on any cron interval. A common pattern is a daily schedule that pulls every advisory across the npm and PyPI ecosystems and pushes them into a SBOM tool.

⚖️ Is this data legal to use?

OSV is published under permissive open licensing. You should review the upstream source license for your specific application but raw vulnerability metadata is generally public.

💳 Do I need a paid Apify plan to use this Actor?

No. The free Apify plan is enough for testing and small runs (10 records per run). A paid plan lifts the limit and gives you scheduling, higher concurrency, and larger datasets.

🆘 What if I need help?

Our support team is here to help. Contact us through the Apify platform or use the Tally form linked below.

---

🔌 Integrate with any app

OSV Vulnerabilities Scraper connects to any cloud service via Apify integrations:

• Make - Automate multi-step workflows
• Zapier - Connect with 5,000+ apps
• Slack - Get advisory alerts in your security channels
• Airbyte - Pipe OSV data into your warehouse
• GitHub - Trigger runs from commits and releases
• Google Drive - Export datasets straight to Sheets

You can also use webhooks to trigger downstream actions when a run finishes. Push fresh advisory data into your SBOM tooling, or alert your team in Slack when a new advisory hits a tracked package.

---

🔗 Recommended Actors

• 🛡️ NIST NVD CVE Scraper - Official NVD catalogue with CVSS v4/v3/v2 scores
• 🚨 CISA KEV Scraper - Known Exploited Vulnerabilities catalogue with due dates
• 📈 EPSS Exploit Prediction Scraper - 30-day exploitation probability scores
• 🐙 GitHub Security Advisories Scraper - GHSA + CVE advisories with patched versions
• 🔬 CIRCL CVE Scraper - CIRCL Luxembourg CVE catalogue with CWE and CAPEC

💡 Pro Tip: browse the complete ParseForge collection for more security and reference-data scrapers.

---

🆘 Need Help? Open our contact form to request a new scraper, propose a custom data project, or report an issue.

---

⚠️ Disclaimer: this Actor is an independent tool and is not affiliated with, endorsed by, or sponsored by OSV.dev, Google, or any of the upstream feed maintainers. All trademarks mentioned are the property of their respective owners. Only publicly available open source vulnerability data is collected.