OSV.Dev CVE Integration

Cross Referencing Packages with CVE Database

DeployHub uses OSV.dev to cross-reference packages when gathering CVE data. Every 30 minutes DeployHub performs an OSV.dev lookup for every package listed in every SBOM to determine whether any known vulnerabilities exist. The lookup is performed using the public-facing OSV APIs. SBOM generation is required before this scan can run.

The CVE results are displayed at two levels, the Component Version and the Application Version. If you have included SBOM generation as part of your DevOps pipeline, you pass the name of the SBOM file to DeployHub using the Ortelius CLI. DeployHub supports the SPDX and CycloneDX SBOM formats. If you have not added SBOMs to your DevOps pipeline, you can have them generated as part of the Ortelius CLI process; the Ortelius CLI uses Syft to generate the SBOM.

Note: DeployHub must have access to OSV.Dev in order to continuously gather the CVE data.

Viewing Component CVE Data

CVE data is associated with a particular Component Version and can be seen by going to the Component Detail View. DeployHub gathers the CVE information every 30 minutes for all Components, so new CVEs can appear between views. If a new CVE is found by OSV.dev, DeployHub automatically updates your Component's CVEs.

Viewing Application Level CVE Data

DeployHub aggregates lower-level Component data up to all consuming Applications. When you view the CVEs at the Application Version level, you are seeing the combination of all CVEs aggregated from the Component Versions on which your Application depends. Your Application's CVE data can therefore change over time as the CVE data of its Component Versions changes.
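The following is an added example, not DeployHub or Ortelius code, showing the mechanics described on this page end to end: extract package coordinates from a CycloneDX SBOM, build the request body for the OSV.dev batch query endpoint (`POST https://api.osv.dev/v1/querybatch`, whose results are returned in the same order as the queries), map the response back onto the packages of one Component Version, and roll several Component Versions' findings up into one Application-level view. The SBOM, the OSV response, the component names and the vulnerability ID are all constructed sample data; no network call is made.

```python
"""Added illustration (not DeployHub/Ortelius code).

Request and response shapes follow the public OSV.dev querybatch API; the
SBOM, the OSV response and all names below are constructed sample data.
"""
import json
from collections import defaultdict

# Constructed CycloneDX-style SBOM for one Component Version.
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"name": "lodash", "version": "4.17.20", "purl": "pkg:npm/lodash@4.17.20"},
        {"name": "requests", "version": "2.25.1", "purl": "pkg:pypi/requests@2.25.1"},
    ],
}

# Constructed querybatch response: one result per query, in query order.
# OSV returns its own IDs (GHSA-, PYSEC-, ...); CVE aliases are available
# from GET /v1/vulns/{id}. The ID below is a placeholder, not a real advisory.
SAMPLE_OSV_RESPONSE = {"results": [
    {"vulns": [{"id": "GHSA-EXAMPLE-0001", "modified": "2024-01-01T00:00:00Z"}]},
    {},  # no findings for the second package
]}

# purl type -> OSV ecosystem name (subset of the ecosystems OSV documents).
PURL_TYPE_TO_ECOSYSTEM = {
    "npm": "npm",
    "pypi": "PyPI",
    "golang": "Go",
    "cargo": "crates.io",
    "gem": "RubyGems",
    "nuget": "NuGet",
}


def packages_from_cyclonedx(sbom):
    """Return (ecosystem, name, version) for each component with a purl we can map."""
    packages = []
    for component in sbom.get("components", []):
        purl = component.get("purl", "")
        if not purl.startswith("pkg:"):
            continue
        purl_type = purl[len("pkg:"):].split("/", 1)[0]
        ecosystem = PURL_TYPE_TO_ECOSYSTEM.get(purl_type)
        if ecosystem and component.get("name") and component.get("version"):
            packages.append((ecosystem, component["name"], component["version"]))
    return packages


def build_querybatch(packages):
    """Body for POST /v1/querybatch; OSV answers in the same order as the queries."""
    return {"queries": [
        {"package": {"name": name, "ecosystem": eco}, "version": version}
        for eco, name, version in packages
    ]}


def cves_for_component(packages, osv_response):
    """Map a querybatch response onto the package list -> {'name@version': [ids]}."""
    results = osv_response.get("results", [])
    if len(results) != len(packages):
        raise ValueError("result count does not match query count")
    findings = {}
    for (_eco, name, version), result in zip(packages, results):
        findings[f"{name}@{version}"] = sorted(v["id"] for v in result.get("vulns", []))
    return findings


def aggregate_to_application(app_components):
    """Roll Component Version findings up to the Application.

    app_components: {component_version: {'name@version': [ids]}}
    Returns {vuln_id: sorted list of 'component_version:name@version' origins},
    so a finding shared by several Components is listed once with all its origins.
    """
    rollup = defaultdict(set)
    for component_version, packages in app_components.items():
        for package, ids in packages.items():
            for vuln_id in ids:
                rollup[vuln_id].add(f"{component_version}:{package}")
    return {vid: sorted(origins) for vid, origins in sorted(rollup.items())}


if __name__ == "__main__":
    pkgs = packages_from_cyclonedx(SAMPLE_SBOM)
    print(json.dumps(build_querybatch(pkgs), indent=2))
    component_findings = cves_for_component(pkgs, SAMPLE_OSV_RESPONSE)
    # Two constructed Component Versions consumed by one Application.
    app_view = aggregate_to_application({
        "api-service;v1.2": component_findings,
        "worker;v0.9": {"lodash@4.17.20": ["GHSA-EXAMPLE-0001"]},
    })
    print(json.dumps(app_view, indent=2))
```

Re-running `cves_for_component` with a fresh OSV response every 30 minutes and recomputing `aggregate_to_application` is what makes a newly published advisory surface first on the Component Version and then on every Application Version that consumes it, as the page describes.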