Trial
OSV.dev is Google's open-source vulnerability database that aggregates data from 24+ ecosystems into the standardized OSV Schema. Unlike CVE/NVD, it provides precise version-to-vulnerability mapping — dramatically improving accuracy for developers triaging dependency issues.
Why It Matters for AI-Assisted Development
When AI agents add dependencies, you need precise vulnerability information — not just "this package has a CVE somewhere":
- OSV-Scanner: CLI that scans lockfiles, Docker containers, SBOMs, and Git repos against the OSV database.
- Guided Remediation: Interactively or automatically prioritize and fix vulnerabilities.
- Precise Mapping: Maps vulnerabilities to exact affected version ranges and commit ranges, unlike NVD's broader categorization.
- Free API: Public API for querying vulnerabilities programmatically.
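As an added example (not code from OSV.dev or OSV-Scanner), the range evaluation behind that precise mapping, applied locally to a constructed OSV-style record so that a candidate upgrade version can be checked against the `introduced`/`fixed` events an OSV record carries. The record id, package name and the version-ordering helper are assumptions; the helper handles plain dotted numeric versions only, not pre-release tags.

```python
def _key(version: str) -> tuple:
    # Simplification: dotted numeric versions only (no pre-release tags).
    return tuple(int(p) for p in version.split("."))

def intervals(events: list) -> list:
    # Pair each 'introduced' with the 'fixed' (exclusive) or 'last_affected' (inclusive) that follows.
    out = []
    for ev in events:
        if "introduced" in ev:
            out.append([ev["introduced"], None, False])
        elif "fixed" in ev and out:
            out[-1][1:] = [ev["fixed"], False]
        elif "last_affected" in ev and out:
            out[-1][1:] = [ev["last_affected"], True]
    return out

def version_affected(version: str, events: list) -> bool:
    v = _key(version)
    for start, end, inclusive in intervals(events):
        if start != "0" and _key(start) > v:   # "0" means "from the first version ever"
            continue                            # not yet introduced
        if end is None or (v <= _key(end) if inclusive else v < _key(end)):
            return True
    return False

def matching_ids(vulns: list, version: str) -> list:
    # IDs of records whose enumerated 'versions' or SEMVER/ECOSYSTEM ranges cover `version`.
    hits = []
    for vuln in vulns:
        for aff in vuln.get("affected", []):
            ranges = [r for r in aff.get("ranges", [])
                      if r.get("type") in ("SEMVER", "ECOSYSTEM")]
            if version in aff.get("versions", []) or any(
                    version_affected(version, r.get("events", [])) for r in ranges):
                hits.append(vuln["id"])
                break
    return hits

def first_clean(candidates: list, vulns: list):
    # Lowest candidate upgrade version that no record matches (the remediation pick).
    return next((c for c in sorted(candidates, key=_key)
                 if not matching_ids(vulns, c)), None)

# Constructed OSV-style record (not a real advisory) with two affected intervals.
SAMPLE_VULNS = [{"id": "OSV-EXAMPLE-0001", "affected": [{
    "package": {"ecosystem": "PyPI", "name": "examplepkg"},
    "ranges": [{"type": "ECOSYSTEM", "events": [
        {"introduced": "0"}, {"fixed": "1.2.3"},
        {"introduced": "2.0.0"}, {"fixed": "2.0.5"}]}]}]}]
```

The same functions work on the `vulns` list of a real `/v1/query` response, since that response uses the OSV Schema fields read here.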
Strengths
- Precise version-affected mapping (better than NVD for developers)
- Multi-ecosystem aggregation (24+ ecosystems)
- Free API and tooling
- Guided remediation
- 99.9% availability SLO; actively maintained by Google
Limitations
- Only covers known/disclosed vulnerabilities
- No behavioral analysis or malicious package detection
- Data quality depends on upstream ecosystem reporting
Pricing
Fully free and open-source; the API is free to use.