{"id":13846598,"url":"https://github.com/google/oss-fuzz-vulns","last_synced_at":"2025-04-05T01:06:17.236Z","repository":{"id":40599251,"uuid":"350597741","full_name":"google/oss-fuzz-vulns","owner":"google","description":"OSS-Fuzz vulnerabilities for OSV.","archived":false,"fork":false,"pushed_at":"2025-03-29T14:36:13.000Z","size":9364,"stargazers_count":149,"open_issues_count":2,"forks_count":40,"subscribers_count":16,"default_branch":"main","last_synced_at":"2025-03-29T15:29:58.625Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"https://osv.dev","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"cc-by-4.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/google.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2021-03-23T06:04:38.000Z","updated_at":"2025-03-29T14:36:17.000Z","dependencies_parsed_at":"2024-03-16T15:47:57.560Z","dependency_job_id":"a77723c1-dd16-44c6-941b-6c081d1723ec","html_url":"https://github.com/google/oss-fuzz-vulns","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/google%2Foss-fuzz-vulns","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/google%2Foss-fuzz-vulns/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/google%2Foss-fuzz-vulns/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/google%2Foss-fuzz-vulns/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/google","download_url":"https://codeload.github.com/google/oss-fuzz-vulns/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247271528,"owners_count":20911587,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-04T18:00:42.078Z","updated_at":"2025-04-05T01:06:17.220Z","avatar_url":"https://github.com/google.png","language":"Python","funding_links":[],"categories":["Vulnerabilities Database \u0026 Tools"],"sub_categories":[],"readme":"# OSS-Fuzz vulnerabilities\n\nThis is a repo for recording disclosed [OSS-Fuzz](https://github.com/google/oss-fuzz)\nvulnerabilities, and acts as the source of truth for OSS-Fuzz vulnerabilities in\n[OSV].\n\nEach OSS-Fuzz vulnerability has precise impacted version and commit version\ninformation added by OSV.\n\nUsers may submit PRs to update any information here.\n\n## Format spec\n\nThe format is described [here](https://ossf.github.io/osv-schema/).\n\n## Automation\n\nVulnerabilities undergo **automated bisection** and **repository analysis** as part of \n[OSV] to determine the affected commit ranges and versions. They are then\nautomatically imported in this repository.\n\nAny user changes to vulnerability files in this repository will trigger a\nre-analysis by OSV within a few minutes (\n[example change](https://github.com/google/oss-fuzz-vulns/commit/8546454f8ad92bee001ca3be5b4c236bcc2df3d5),\n[re-analysis](https://github.com/google/oss-fuzz-vulns/commit/5a1e660f6e8ddd3d3db513f976f4987287fc258e)).\n\nOSV will also regularly recompute affected versions and detect cherry picks\nacross different branches for each vulnerability\n([example](https://github.com/google/oss-fuzz-vulns/commit/76395230e992d4de9bae19b39d27dbad16ec389d)).\n\nOSV also provides an [API](https://osv.dev/docs/) to let users easily query this information.\n\n[OSV]: https://github.com/google/osv\n\n## Missing entries\n\nAn OSS-Fuzz vulnerability may be missing here for a few reasons.\n\n### The automated bisection failed\n\nSometimes the bisection is unable to resolve the introduced and fixed\nranges to an acceptably small range. In these cases, we opt to keep the database\nhigher quality and avoid showing such results by default. \n\nFailure cases are recorded at the public GCS bucket `gs://oss-fuzz-osv-vulns`.\nYou may use the script `scripts/import.py` to import any existing details about\nthese failed vulnerabilities.\n\n```bash\n$ python scripts/import.py \u003coss-fuzz issue ID\u003e\n```\n\nAny missing details may be filled in manually and submitted as part of a PR to this repo.\nSee [this example](https://github.com/google/oss-fuzz-vulns/commit/8546454f8ad92bee001ca3be5b4c236bcc2df3d5).\n\n### The bug was not marked as security by OSS-Fuzz\n\nWe only include bugs that are marked as security by OSS-Fuzz. If you are a\nproject maintainer, you may edit the security flag on the corresponding testcase\ndetails page. Marking a bug as security will automatically cause it to be fed into OSV,\nif the bug is reliably reproducible.\n\n## Removing an entry\n\nIf a vulnerability in this repository is not considered a security vulnerability,\nit may be removed by submitting a PR to add a [`withdrawn`](https://ossf.github.io/osv-schema/#withdrawn-field)\nfield to the relevant entry. \n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgoogle%2Foss-fuzz-vulns","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fgoogle%2Foss-fuzz-vulns","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgoogle%2Foss-fuzz-vulns/lists"}
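The README above describes entries in the OSV schema, the `withdrawn` field used to retract one, and the OSV query API. The following is an added example (not code from google/oss-fuzz-vulns, OSV, or ecosyste.ms) showing how a consumer evaluates such an entry: it parses an OSV-shaped document, honours `withdrawn`, checks a version against the pre-computed `versions` list, walks the `GIT` range events into (introduced, fixed) pairs, and builds the request body for `POST https://api.osv.dev/v1/query` without sending it. The sample entry is constructed: the id `OSV-0000-0000`, the package name `example-lib`, the repo URL and the commit hashes are placeholders and describe no real vulnerability.

```python
"""Evaluate an OSV-schema entry of the kind stored in google/oss-fuzz-vulns.

Added example; not code from the oss-fuzz-vulns repo or from OSV itself.
SAMPLE_ENTRY_JSON is constructed: id, package, repo and commit hashes are
placeholders, not a real disclosed vulnerability.
"""
import json

# Constructed sample in OSV schema shape (https://ossf.github.io/osv-schema/).
SAMPLE_ENTRY_JSON = r'''
{
  "id": "OSV-0000-0000",
  "modified": "2024-01-02T00:00:00Z",
  "published": "2024-01-01T00:00:00Z",
  "summary": "Heap-buffer-overflow in example_parse (constructed sample)",
  "affected": [
    {
      "package": {"name": "example-lib", "ecosystem": "OSS-Fuzz"},
      "ranges": [
        {
          "type": "GIT",
          "repo": "https://example.invalid/example-lib.git",
          "events": [
            {"introduced": "0"},
            {"fixed": "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb"}
          ]
        }
      ],
      "versions": ["1.0.0", "1.0.1"],
      "ecosystem_specific": {"severity": "HIGH"}
    }
  ],
  "references": [{"type": "REPORT", "url": "https://example.invalid/report"}]
}
'''


def load_entry(text):
    """Parse an OSV JSON document and check the fields the schema requires."""
    entry = json.loads(text)
    for key in ("id", "modified"):
        if key not in entry:
            raise ValueError(f"OSV entry missing required field {key!r}")
    return entry


def is_withdrawn(entry):
    """A 'withdrawn' timestamp means the entry no longer counts as a vulnerability."""
    return bool(entry.get("withdrawn"))


def affected_blocks(entry, package, ecosystem="OSS-Fuzz"):
    """Return the 'affected' blocks that apply to the given package/ecosystem."""
    return [
        a for a in entry.get("affected", [])
        if a.get("package", {}).get("name") == package
        and a.get("package", {}).get("ecosystem") == ecosystem
    ]


def is_version_affected(entry, package, version):
    """True if the version is in an applicable pre-computed 'versions' list.

    A withdrawn entry never affects anything, whatever its ranges say.
    """
    if is_withdrawn(entry):
        return False
    return any(version in a.get("versions", []) for a in affected_blocks(entry, package))


def git_ranges(entry, package):
    """Return (repo, introduced, fixed) tuples from GIT ranges.

    Events are paired in list order, a simplification: deciding whether an
    arbitrary commit is affected needs the repository's history, which is
    what the OSV commit query does server-side. "0" means "since the first
    commit"; fixed is None when no fix commit is recorded yet.
    """
    out = []
    for a in affected_blocks(entry, package):
        for r in a.get("ranges", []):
            if r.get("type") != "GIT":
                continue
            introduced = None
            for ev in r.get("events", []):
                if "introduced" in ev:
                    introduced = ev["introduced"]
                elif "fixed" in ev and introduced is not None:
                    out.append((r.get("repo"), introduced, ev["fixed"]))
                    introduced = None
            if introduced is not None:  # open-ended range: not fixed yet
                out.append((r.get("repo"), introduced, None))
    return out


def osv_query_body(commit=None, package=None, version=None, ecosystem="OSS-Fuzz"):
    """Build the JSON body for POST https://api.osv.dev/v1/query (not sent here)."""
    if commit:
        return {"commit": commit}
    return {"version": version, "package": {"name": package, "ecosystem": ecosystem}}


if __name__ == "__main__":
    entry = load_entry(SAMPLE_ENTRY_JSON)
    print(entry["id"], "withdrawn" if is_withdrawn(entry) else "active")
    print("1.0.1 affected:", is_version_affected(entry, "example-lib", "1.0.1"))
    print("git ranges:", git_ranges(entry, "example-lib"))
    print(json.dumps(osv_query_body(package="example-lib", version="1.0.1")))
```

To retract an entry the way the README describes, a PR adds a `withdrawn` timestamp; `is_version_affected` shows why consumers must check that field before trusting `versions` or `ranges`.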