New Google service will provide data on vulnerabilities in open source software


Google has launched a new service called Open Source Vulnerabilities (OSV). It gives users access to a database of information about vulnerabilities in open-source software.


As part of this service, users get an API that lets them automate queries for vulnerability data. Vulnerabilities entering the Google database will receive separate identifiers that supplement the CVE with extended information. For example, the OSV database records the fix status of a problem, the range of vulnerable software versions, and much more.

The project’s goal is to simplify the process of informing package maintainers about vulnerabilities by more accurately identifying the versions and commits affected by the problem. The data collected in the OSV database makes it possible to track where a vulnerability appears at the level of commits and tags, and to analyze whether derivative products are vulnerable. Among other things, users will be able to use the service to check whether a vulnerability is present in a given commit or software version.
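The query by commit or version described above, as an added example that is not part of the original article or Google's own code: it builds the two request bodies and reads fix information out of a response. The endpoint URL and the JSON field names are assumptions taken from OSV's public API, not from this page, and the sample response is constructed.

```python
import json
import urllib.request

# Assumption: OSV's public query endpoint (the article does not name it).
OSV_QUERY_URL = "https://api.osv.dev/v1/query"

def build_query(commit=None, version=None, name=None, ecosystem=None):
    """Build the JSON body for a query by commit hash or by package version."""
    if commit and not version:
        return {"commit": commit}
    if version and name and ecosystem and not commit:
        return {"version": version, "package": {"name": name, "ecosystem": ecosystem}}
    raise ValueError("give either a commit, or version + name + ecosystem")

def query_osv(body, timeout=10):
    """POST the query to OSV and return the decoded JSON (needs network access)."""
    req = urllib.request.Request(
        OSV_QUERY_URL, data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)

def summarize(response):
    """Map each returned vulnerability id to the fixed versions/commits it lists."""
    out = {}
    for vuln in response.get("vulns", []):  # no matches: "vulns" is absent
        fixed = [ev["fixed"]
                 for aff in vuln.get("affected", [])
                 for rng in aff.get("ranges", [])
                 for ev in rng.get("events", [])
                 if "fixed" in ev]
        out[vuln["id"]] = fixed  # empty list means no fix is recorded
    return out

# Constructed sample response (not real OSV data), in the assumed response shape.
SAMPLE_RESPONSE = {"vulns": [
    {"id": "OSV-0000-0001", "affected": [{"ranges": [
        {"type": "GIT", "events": [{"introduced": "aaaa111"}, {"fixed": "bbbb222"}]}]}]},
    {"id": "OSV-0000-0002", "affected": [{"ranges": [
        {"type": "SEMVER", "events": [{"introduced": "0"}]}]}]},
]}

if __name__ == "__main__":
    print(build_query(commit="aaaa111"))
    print(summarize(SAMPLE_RESPONSE))
```

To run it against the live service, pass the result of `build_query(...)` to `query_osv(...)` and hand the response to `summarize(...)`.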

Currently, the OSV database contains about 25 thousand vulnerabilities identified through automated testing with the OSS-Fuzz system, which covers over 380 open projects in C and C++. In the future, the developers intend to expand the database by integrating new sources of vulnerability information. Work is already underway to add information about vulnerabilities in Go projects.