Files
wehub-resource-sync 9b395f5cc3
Build Chrome Extension / build (push) Waiting to run
Trigger Website Rebuild (Docs Updated) / dispatch (push) Waiting to run
E2E Headed Chrome / e2e-headed (macos-15) (push) Has been cancelled
E2E Headed Chrome / e2e-headed (ubuntu-latest) (push) Has been cancelled
E2E Headed Chrome / e2e-headed (windows-latest) (push) Has been cancelled
CI / build (macos-latest) (push) Has been cancelled
CI / build (ubuntu-latest) (push) Has been cancelled
CI / build (windows-latest) (push) Has been cancelled
CI / unit-test (push) Has been cancelled
CI / bun-test (push) Has been cancelled
CI / adapter-test (push) Has been cancelled
CI / smoke-test (macos-latest) (push) Has been cancelled
CI / smoke-test (ubuntu-latest) (push) Has been cancelled
Security Audit / audit (push) Has been cancelled
chore: import upstream snapshot with attribution
2026-07-13 12:39:48 +08:00

3.0 KiB
Raw Permalink Blame History

OSV.dev

Mode: 🌐 Public · Domain: osv.dev

Look up open-source vulnerabilities by id (GHSA / CVE / PYSEC / etc.), or query by package + ecosystem (+ optional version) to find every vuln affecting it. Hits the unauthenticated api.osv.dev directly.

Commands

Command Description
opencli osv vulnerability <id> Single OSV.dev vulnerability detail (severity, affected packages, CVE/GHSA aliases)
opencli osv query <package> --ecosystem <eco> Vulnerabilities affecting a package (optionally pinned to a version)

Usage Examples

# Specific advisory by GHSA id
opencli osv vulnerability GHSA-29mw-wpgm-hmr9

# Same advisory by CVE alias
opencli osv vulnerability CVE-2020-28500

# All known npm-lodash vulns (newest first)
opencli osv query lodash --ecosystem npm

# Vulns affecting a pinned version
opencli osv query lodash --ecosystem npm --version 4.17.20

# Cross-ecosystem queries
opencli osv query django --ecosystem PyPI --limit 10
opencli osv query log4j-core --ecosystem Maven

Output Columns

Command Columns
vulnerability id, summary, severity, aliases, published, modified, affectedPackages, cwes, referenceCount, url
query rank, id, summary, severity, aliases, published, modified, affectedPackages, url

The id column from query round-trips into vulnerability.

Options

vulnerability

Option Description
id (positional) OSV vulnerability id (e.g. GHSA-29mw-wpgm-hmr9, CVE-2020-28500, PYSEC-2021-1)

query

Option Description
package (positional) Package name (e.g. lodash, django, log4j-core)
--ecosystem OSV ecosystem (npm, PyPI, Go, Maven, NuGet, RubyGems, crates.io, Packagist, Pub, Hex, Hackage, CRAN, Bitnami, GitHub Actions, SwiftURL)
--version Optional version pin (e.g. 4.17.20); omit to get all known vulns
--limit Max rows to return (1200, default: 30)

Notes

  • Ecosystem strings are case-sensitive — they match the OSV defined ecosystem list verbatim. npm is lowercase, PyPI capitalised, etc. Bad values → ArgumentError.
  • severity prefers database_specific.severity (LOW/MODERATE/HIGH/CRITICAL); falls back to the first severity[].score (CVSS string) when the registry didn't compute a label. null when both are missing.
  • affectedPackages is a flat ecosystem:name list across all entries in affected[] — useful for a quick "what packages does this advisory touch" view.
  • query results are sorted newest-first by published; pre-sort makes "what's the latest issue for X?" a single read.
  • No API key required. Rate-limit hits → CommandExecutionError.
  • Errors. Bad id / ecosystem / limit → ArgumentError (before fetch); unknown id or no vulns matched → EmptyResultError; transport / non-200 → CommandExecutionError.