Pricing
from $22.87 / 1,000 results
OSV Open Source Vulnerabilities Scraper
Query the OSV.dev open-source vulnerabilities database. Search by package (PyPI/npm/Go/Maven/RubyGems/crates.io/NuGet/Packagist), commit hash, or fetch a specific vulnerability by ID. Returns affected ranges, CVE aliases, severity, and references.
Pricing
from $22.87 / 1,000 results
Rating
0.0
(0)
Developer
Actor stats
0
Bookmarked
2
Total users
1
Monthly active users
a month ago
Last modified
Categories
Share
๐ฆ OSV Vulnerabilities Scraper
๐ Export open source vulnerability data in seconds. Pull advisories from the OSV.dev catalogue covering 30+ ecosystems including PyPI, npm, Go, Maven, RubyGems, crates.io, NuGet, Packagist, and major Linux distributions. No sign-up, no token, no manual pagination.
๐ Last updated: 2026-05-15 ยท ๐ 16 fields per record ยท ๐ฆ 200,000+ advisories ยท ๐ 30+ ecosystems ยท ๐ Cross-database aliases
The OSV Vulnerabilities Scraper pulls open source vulnerability records from the OSV.dev community catalogue and returns 16 normalised fields per record, including affected package ranges, severity scores, cross-database aliases (GHSA, CVE, PYSEC, RUSTSEC, GO, OSV-xxxx), patched version events, references, and credits. The underlying catalogue is the de facto open source vulnerability database, aggregating data from GitHub, PyPA, RustSec, Go vulnerability database, OSS-Fuzz, and dozens of distro security teams.
The catalogue covers 30+ package ecosystems from language registries (PyPI, npm, Go, Maven, RubyGems, crates.io, NuGet, Packagist, Hex, Pub, Hackage) to operating system distributions (Debian, Ubuntu, Alpine, Rocky, AlmaLinux, SUSE, openSUSE, Wolfi, Chainguard) plus Bioconductor and CRAN for R. This Actor makes that data downloadable as CSV, Excel, JSON, or XML in minutes. Filters apply at the source, so you skip pagination, deduplication, and ecosystem-specific quirks entirely.
| ๐ฏ Target Audience | ๐ก Primary Use Cases |
|---|---|
| DevSecOps teams, SBOM tool builders, open source maintainers, package registry operators, supply-chain security vendors, container security teams | Dependency scanning, SBOM enrichment, package risk reports, ecosystem trend analysis, cross-database aliasing, container vulnerability triage |
๐ What the OSV Vulnerabilities Scraper does
Three workflows in a single Actor:
- ๐ฆ Package query. Look up every advisory affecting a package, optionally pinned to a version (e.g.
requestson PyPI,lodashon npm,log4j-coreon Maven). - ๐ Commit query. Search by Git commit SHA to surface vulnerabilities introduced in a specific revision.
- ๐ Vulnerability ID lookup. Fetch a single record or a batch of records by their identifier (GHSA-xxxx, CVE-xxxx, PYSEC-xxxx, RUSTSEC-xxxx, GO-xxxx, OSV-xxxx).
Each record includes the OSV ID, summary and full details, all known cross-database aliases, affected package list with version ranges and PURLs, severity entries with CVSS vectors, references, and credits.
๐ก Why it matters: SBOMs are only useful when paired with a fresh vulnerability feed. Building your own ingestion means handling 30+ ecosystem schemas, alias deduplication, version-range parsing, and the OSV pagination model. This Actor skips all of that and gives you a clean, downloadable dataset.
๐ฌ Full Demo
๐ง Coming soon: a 3-minute walkthrough showing how to go from sign-up to a downloaded vulnerability dataset.
โ๏ธ Input
| Input | Type | Default | Behavior |
|---|---|---|---|
| mode | enum | "query" | query searches by package or commit, byId fetches by vulnerability ID. |
| packageName | string | "" | Package to look up (e.g. requests, lodash). |
| ecosystem | enum | "" | One of 30 ecosystems. Empty for cross-ecosystem search. |
| packageVersion | string | "" | Pin to a version. Without a package, returns vulnerabilities affecting that version across packages. |
| commit | string | "" | Git commit SHA to search by. |
| vulnerabilityId | string | "" | Single vulnerability ID for mode=byId. |
| vulnerabilityIds | string[] | [] | Batch list of IDs (recommended max ~100 per run). |
| maxItems | integer | 10 | Records to return. Free plan caps at 10, paid plan at 1,000,000. |
Example: every advisory affecting npm lodash.
Example: batch lookup of the Log4Shell aliases.
โ ๏ธ Good to Know: OSV records use cross-database aliases, so the same vulnerability can appear under several IDs (e.g.
GHSA-jfh8-c2jp-5v3qaliasesCVE-2021-44228). When you batch-fetch related IDs, expect duplicate records pointing to the same root advisory.
๐ Output
Each record contains 16 fields. Download the dataset as CSV, Excel, JSON, or XML.
๐งพ Schema
| Field | Type | Example |
|---|---|---|
๐ id | string | "GHSA-jfh8-c2jp-5v3q" |
๐ url | string | "https://osv.dev/vulnerability/GHSA-jfh8-c2jp-5v3q" |
๐ summary | string | null | "Remote code injection in Log4j" |
๐ details | string | null | "Apache Log4j2 versions 2.0-beta9 through 2.15.0..." |
๐ aliases | string[] | ["CVE-2021-44228"] |
๐ related | string[] | ["CVE-2021-45046"] |
๐ modified | ISO 8601 | null | "2025-01-14T08:36:01Z" |
๐
published | ISO 8601 | null | "2021-12-10T00:00:35Z" |
๐ซ withdrawn | ISO 8601 | null | null |
๐งฑ schema_version | string | null | "1.4.0" |
๐ฆ affected | object[] | [{ "package": { "ecosystem": "Maven", "name": "org.apache.logging.log4j:log4j-core" }, "ranges": [...] }] |
๐ชช purls | string[] | ["pkg:maven/org.apache.logging.log4j/log4j-core"] |
๐ references | object[] | [{ "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44228" }] |
๐ฏ severity | object[] | [{ "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H" }] |
๐ฏ maxSeverityScore | number | null | null |
๐ credits | object[] | null | [{ "name": "Chen Zhaojun" }] |
๐ scrapedAt | ISO 8601 | "2026-05-15T00:00:00.000Z" |
๐ฆ Sample record
โจ Why choose this Actor
| Capability | |
|---|---|
| ๐ฆ | 30+ ecosystems. PyPI, npm, Go, Maven, RubyGems, crates.io, NuGet, Packagist, Hex, Pub, Hackage, GitHub Actions, plus Linux distros and R registries. |
| ๐ | Cross-database aliases. GHSA, CVE, PYSEC, RUSTSEC, GO, OSV-xxxx all surfaced in one record. |
| ๐ชช | PURL identifiers. Each affected package is tagged with a Package URL ready to join with SBOM tools. |
| ๐ | Structured version ranges. ECOSYSTEM, SEMVER, and GIT range types with introduced / fixed events. |
| ๐ฏ | Severity vectors. CVSS v2 / v3 / v4 strings preserved verbatim from the source. |
| ๐ | Always fresh. Every run hits the live OSV catalogue, so the dataset reflects current entries. |
| ๐ซ | No sign-up. Works with public open source security data. No login or token needed. |
๐ OSV is the de facto open source vulnerability database. Owning a clean local copy is a multiplier for SBOM tooling, dependency scanners, and supply-chain risk dashboards.
๐ How it compares to alternatives
| Approach | Cost | Coverage | Refresh | Ecosystems | Setup |
|---|---|---|---|---|---|
| โญ OSV Vulnerabilities Scraper (this Actor) | $5 free credit, then pay-per-use | 200,000+ records | Live per run | 30+ | โก 2 min |
| Commercial SCA platforms | $20,000+/year | Curated subset | Streaming | 5-15 | โณ Days |
| Single-ecosystem feeds | Free | Subset | Variable | 1 | ๐ ๏ธ Hours |
| Self-built ingestion | Engineering time | Full | Custom | Custom | ๐ข Weeks |
Pick this Actor when you want broad ecosystem coverage with cross-database aliases and no parser maintenance.
๐ How to use
- ๐ Sign up. Create a free account with $5 credit (takes 2 minutes).
- ๐ Open the Actor. Go to the OSV Vulnerabilities Scraper page on the Apify Store.
- ๐ฏ Set input. Pick a mode, enter a package + ecosystem, a commit SHA, or a vulnerability ID, then set
maxItems. - ๐ Run it. Click Start and let the Actor collect your data.
- ๐ฅ Download. Grab your results in the Dataset tab as CSV, Excel, JSON, or XML.
โฑ๏ธ Total time from signup to downloaded dataset: 3-5 minutes. No coding required.
๐ผ Business use cases
๐ ๏ธ DevSecOps & SBOM
|
๐ฆ Package Registry Operators
|
๐ณ Container & Image Security
|
๐ Supply-Chain Risk Analysis
|
๐ Automating OSV Vulnerabilities Scraper
Control the scraper programmatically for scheduled runs and pipeline integrations:
- ๐ข Node.js. Install the
apify-clientNPM package. - ๐ Python. Use the
apify-clientPyPI package. - ๐ See the Apify documentation for full details.
The Apify Schedules feature lets you trigger this Actor on any cron interval. Hourly, daily, or weekly refreshes keep your downstream SBOM tooling and dependency scanners in sync automatically.
๐ Beyond business use cases
Data like this powers more than commercial workflows. The same structured records support research, education, civic projects, and personal initiatives.
๐ Research and academia
|
๐จ Personal and creative
|
๐ค Non-profit and civic
|
๐งช Experimentation
|
๐ค Ask an AI assistant about this scraper
Open a ready-to-send prompt about this ParseForge actor in the AI of your choice:
- ๐ฌ ChatGPT
- ๐ง Claude
- ๐ Perplexity
- ๐ Copilot
โ Frequently Asked Questions
๐งฉ How does it work?
Configure your filters in the input form, click Start, and the Actor pulls matching records from the official OSV catalogue, normalises the schema, and emits one clean record per advisory.
๐ How accurate is the data?
Records are mirror-copies of the OSV catalogue at run time. Affected ranges, severity entries, references, and credits are taken verbatim from the source.
๐ How often is the dataset refreshed?
OSV updates continuously as upstream feeds (GitHub, PyPA, RustSec, Go vulnerability database, distro security teams) publish new entries. Every run reflects the catalogue as of run time.
๐ Which ecosystems are supported?
PyPI, npm, Go, Maven, RubyGems, crates.io, NuGet, Packagist, Hex, Pub, Hackage, GitHub Actions, Linux kernel, plus Debian, Ubuntu, Alpine, Rocky Linux, AlmaLinux, SUSE, openSUSE, Android, ConanCenter, Bitnami, Photon OS, Mageia, Wolfi, Chainguard, Bioconductor and CRAN. Leave the field empty for cross-ecosystem search.
๐ Why are the same vulnerabilities listed under multiple IDs?
OSV uses cross-database aliasing. The same root advisory may surface as a GHSA on GitHub, a CVE in NVD, a PYSEC in PyPA, and an OSV-xxxx in the OSV namespace. The aliases field links them together.
๐ชช What is a PURL?
PURL (Package URL) is the standard for naming a package across ecosystems, e.g. pkg:npm/lodash or pkg:maven/org.apache.logging.log4j/log4j-core. PURLs are the canonical join key against most SBOM formats.
๐ฏ Why is maxSeverityScore sometimes null?
The Actor parses numeric severity scores when the source supplies them as raw numbers. CVSS vector strings (e.g. CVSS:3.1/AV:N/...) are preserved in the severity array but their base score is not re-derived. Use the vector string with a CVSS calculator if you need the exact number.
โฐ Can I schedule regular runs?
Yes. Use Apify Schedules to run this Actor on any cron interval. A common pattern is a daily schedule that pulls every advisory across the npm and PyPI ecosystems and pushes them into a SBOM tool.
โ๏ธ Is this data legal to use?
OSV is published under permissive open licensing. You should review the upstream source license for your specific application but raw vulnerability metadata is generally public.
๐ณ Do I need a paid Apify plan to use this Actor?
No. The free Apify plan is enough for testing and small runs (10 records per run). A paid plan lifts the limit and gives you scheduling, higher concurrency, and larger datasets.
๐ What if I need help?
Our support team is here to help. Contact us through the Apify platform or use the Tally form linked below.
๐ Integrate with any app
OSV Vulnerabilities Scraper connects to any cloud service via Apify integrations:
- Make - Automate multi-step workflows
- Zapier - Connect with 5,000+ apps
- Slack - Get advisory alerts in your security channels
- Airbyte - Pipe OSV data into your warehouse
- GitHub - Trigger runs from commits and releases
- Google Drive - Export datasets straight to Sheets
You can also use webhooks to trigger downstream actions when a run finishes. Push fresh advisory data into your SBOM tooling, or alert your team in Slack when a new advisory hits a tracked package.
๐ Recommended Actors
- ๐ก๏ธ NIST NVD CVE Scraper - Official NVD catalogue with CVSS v4/v3/v2 scores
- ๐จ CISA KEV Scraper - Known Exploited Vulnerabilities catalogue with due dates
- ๐ EPSS Exploit Prediction Scraper - 30-day exploitation probability scores
- ๐ GitHub Security Advisories Scraper - GHSA + CVE advisories with patched versions
- ๐ฌ CIRCL CVE Scraper - CIRCL Luxembourg CVE catalogue with CWE and CAPEC
๐ก Pro Tip: browse the complete ParseForge collection for more security and reference-data scrapers.
๐ Need Help? Open our contact form to request a new scraper, propose a custom data project, or report an issue.
โ ๏ธ Disclaimer: this Actor is an independent tool and is not affiliated with, endorsed by, or sponsored by OSV.dev, Google, or any of the upstream feed maintainers. All trademarks mentioned are the property of their respective owners. Only publicly available open source vulnerability data is collected.
