OSV.Dev CVE Integration

Cross Referencing Packages with CVE Database

OSV

Ortelius uses OSV.dev to cross-reference packages and gather CVE data. Every 30 minutes Ortelius performs an OSV.dev lookup for every package listed in every SBOM to determine whether any vulnerabilities exist. The lookup is performed using the OSV public-facing APIs. SBOM generation is required to perform this scan.

The CVE results are displayed at two levels, the Component Version and the Application Version. If you have included SBOM scanning as part of your DevOps pipeline, you pass the name of the SBOM to Ortelius using the Ortelius CLI. Ortelius supports the SPDX and CycloneDX SBOM formats. If you have not added SBOMs to your DevOps pipeline, you can include them through the Ortelius CLI process; the Ortelius CLI uses Syft to generate the SBOM.

Note: Ortelius must have access to OSV.Dev in order to continuously gather the CVE data.

Viewing Component CVE Data

CVE data is associated with a particular Component Version and can be seen in the Component Detail View. Ortelius gathers the CVE information every 30 minutes for all Components, so new CVEs can appear over time. If a new CVE is found by OSV.dev, Ortelius automatically updates your Component's CVEs.

Viewing Application Level CVE Data

Ortelius aggregates lower-level Component data up to all consuming Applications. When you view the CVEs at the Application Version level, you are seeing the combination of all CVEs aggregated from the Components on which your Application depends. Your Application's CVE data can change over time based on changes at the Component Version level.
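The lookup and roll-up described above, as an added example that is not Ortelius's own code: it turns a constructed CycloneDX fragment into the query list for OSV.dev's batch endpoint (POST https://api.osv.dev/v1/querybatch, which this page does not name and is assumed here), then rolls a constructed reply up from Component Version to Application Version. The HTTP call itself is left out so the example runs offline; the sample SBOM, reply and vulnerability IDs are all constructed.

```python
# Added example (not Ortelius code): OSV querybatch from a CycloneDX SBOM, rolled up
from urllib.parse import unquote

# purl type (CycloneDX "purl" field) -> OSV ecosystem name
PURL_TYPE_TO_OSV = {"npm": "npm", "pypi": "PyPI", "maven": "Maven",
                    "golang": "Go", "cargo": "crates.io", "gem": "RubyGems"}

# Constructed CycloneDX fragment; the last component has no purl and is skipped.
SAMPLE_SBOM = {"bomFormat": "CycloneDX", "components": [
    {"name": "lodash", "purl": "pkg:npm/lodash@4.17.20"},
    {"name": "log4j-core",
     "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1?type=jar"},
    {"name": "internal-lib", "version": "1.0.0"},
]}
# Constructed reply in the shape of POST https://api.osv.dev/v1/querybatch;
# results[i] answers queries[i]. The IDs are placeholders, not real advisories.
SAMPLE_RESPONSE = {"results": [
    {"vulns": [{"id": "GHSA-example-0001"}]},
    {"vulns": [{"id": "CVE-0000-00001"}, {"id": "GHSA-example-0002"}]},
]}

def osv_queries_from_cyclonedx(sbom: dict) -> list[dict]:
    """One OSV query per component whose purl maps to a known ecosystem."""
    queries = []
    for comp in sbom.get("components", []):
        purl = comp.get("purl", "")
        if not purl.startswith("pkg:"):
            continue
        ptype, _, rest = purl[4:].partition("/")
        rest = rest.split("?")[0].split("#")[0]           # drop qualifiers/subpath
        name, _, version = unquote(rest).rpartition("@")  # keeps '@scope/name'
        if ptype == "maven":
            name = name.replace("/", ":")                 # OSV wants group:artifact
        eco = PURL_TYPE_TO_OSV.get(ptype)
        if eco and name and version:
            queries.append({"package": {"name": name, "ecosystem": eco},
                            "version": version})
    return queries

def component_vulns(queries: list[dict], response: dict) -> dict[str, set]:
    """Component Version view: 'name@version' -> set of vulnerability IDs."""
    keyed = {}
    for q, res in zip(queries, response.get("results", [])):
        key = f"{q['package']['name']}@{q['version']}"
        keyed[key] = {v["id"] for v in res.get("vulns", [])}
    return keyed

def application_vulns(*components: dict[str, set]) -> set:
    """Application Version view: union over every consumed Component Version."""
    return set().union(*(ids for c in components for ids in c.values()))
```

Because the Application view is a plain union, a CVE disappears from it only once every Component Version that carried it has been updated or removed.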


Last modified December 7, 2022: Added OSV.dev integrations (6014ab1)