Skip to content

Vulnerability scanning from OSV database

The components of a product can be scanned for vulnerabilities using the OSV database. The OSV database is a database of open-source vulnerabilities, maintained by Google and is available at https://osv.dev/.

There are 2 preconditions for a product to be met before using the OSV database for vulnerability scanning:

  • License information has to be imported, only then all components are available for scanning.
  • The flag OSV scanning enabled in the product settings has to be activated.

OSV scanning settings

OSV delivers vulnerabilities for a component, without regard to the version of the component, plus a list of affected versions. Currently these package managers are supported directly to get the affected versions, by using information from the PURL of the component:

  • bitnami: Bitnami
  • conan: ConanCenter
  • cran: CRAN
  • cargo: crates.io
  • golang: Go
  • hackage: Hackage
  • hex: Hex
  • maven: Maven
  • npm: npm
  • nuget: NuGet
  • pub: Pub
  • pypi: PyPI
  • gem: RubyGems
  • swift: SwiftURL

For Alpine and Ubuntu (only the free version, not Pro) packages, the the Linux distribution and version are determined automatically by information from the PURL of the component.

To correctly identify other Linux packages, the Linux distribution and version has to be set in the product or branch settings according to OSV affected package specification. If it is not set for a branch, the product settings are used. Examples are:

Linux distribution Version
Debian 12
Red Hat rhel_aus:8.4::appstream
Ubuntu Pro:24.04:LTS

Manual import

If both preconditions are met, the OSV scan can be started manually from the Import menu. If a branch is selected, the scan will be performed on the components of the branch. If no branch is selected, the scan will be performed on the components of all branches and components without a branch.

OSV scanning import

Automatic import

OSV scanning can be configured to run automatically at a specific time. There is a general setting and a setting per API configuration.

General setting

In the Features section of the Settings the automatic OSV scanning can be enabled or disabled for the whole SecObserve instance.

Settings automatic OSV scanning

The hour (in UTC time) and minute, when the automatic API imports and OSV scanning will run, can be set in the Background tasks section. A restart of the SecObserve instance is required to apply the changes.

Settings automatic OSV scanning

Setting per product

Only products that have Automatic OSV scanning enabled turned on will be imported automatically.

OSV scanning settings