OSV vulnerability format

March 10, 2026 ยท View on GitHub

The Open Source Vulnerability (OSV) schema is an open, precise, and human-readable format for describing vulnerabilities, maintained by the OpenSSF. It is designed to be interoperable across ecosystems and tooling.

This format can be activated with the useFormat option set to "OSV".

TypeScript interfaces

export interface OSV {
  schema_version?: string;
  id: string;
  modified: string;
  published: string;
  withdraw?: string;
  aliases: string[];
  upstream: string[];
  related?: string[];
  summary: string;
  details: string;
  severity: OSVSeverity[];
  affected: OSVAffected[];
  references: {
    type: OSVReferenceType;
    url: string;
  }[];
  credits: {
    name: string;
    contact: string[];
    type: OSVCreditType;
  }[];
  database_specific: Record<string, any>;
}

export interface OSVAffected {
  package: {
    ecosystem: "npm";
    name: string;
    purl: string;
  };
  severity: OSVSeverity[];
  ranges: OSVRange[];
  versions: string[];
  ecosystem_specific: Record<string, any>;
  database_specific: Record<string, any>;
}

export interface OSVRange {
  type: string;
  repo?: string; // Only required for GIT type
  events: {
    introduced?: string;
    fixed?: string;
    last_affected?: string;
    limit?: string;
  }[];
  database_specific: Record<string, any>;
}

export interface OSVSeverity {
  type: string;
  score: string;
}

export type OSVReferenceType =
  | "ADVISORY"
  | "ARTICLE"
  | "DETECTION"
  | "DISCUSSION"
  | "REPORT"
  | "FIX"
  | "GIT"
  | "INTRODUCED"
  | "PACKAGE"
  | "EVIDENCE"
  | "WEB";

export type OSVCreditType =
  | "FINDER"
  | "REPORTER"
  | "ANALYST"
  | "COORDINATOR"
  | "REMEDIATION_DEVELOPER"
  | "REMEDIATION_REVIEWER"
  | "REMEDIATION_VERIFIER"
  | "TOOL"
  | "SPONSOR"
  | "OTHER";