Vulnerabilities (CVEs)

Trusty integrates with osv.dev, a distributed vulnerability database for open-source software, to gather and process vulnerability data. The OSV database aggregates vulnerability information from many sources and standardizes it in the OpenSSF OSV format. Trusty retrieves and updates this information hourly, so that every ecosystem Trusty supports has current vulnerability data.

Once the vulnerability data is ingested, Trusty performs the following actions:

  • Package Version Matching: Identifies specific package versions affected by the reported vulnerabilities.
  • Risk Scoring: Calculates risk scores for each vulnerability using the Common Vulnerability Scoring System (CVSS) metrics and the relevant version data from the reports.
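
To make the package-version matching step concrete, here is an added example (not Trusty's own code) that walks the `affected[].ranges[].events` of a constructed OSV-format record and reports which candidate versions fall inside an affected range; the advisory id, package name and versions are made up.

```python
import json

# Constructed OSV-format record (not a real advisory): one npm package, one
# SEMVER range. Real records come from osv.dev and may carry several ranges.
OSV_RECORD = json.loads("""
{
  "id": "EXAMPLE-0001",
  "summary": "constructed example advisory",
  "affected": [{
    "package": {"ecosystem": "npm", "name": "example-lib"},
    "ranges": [{"type": "SEMVER",
                "events": [{"introduced": "1.2.0"}, {"fixed": "1.4.1"}]}]
  }]
}
""")

def parse_version(v):
    # Minimal dotted-numeric parse: "1.4.1" -> (1, 4, 1). Pre-release and build
    # tags are not handled; a real matcher needs ecosystem-specific ordering.
    return tuple(int(part) for part in v.split("."))

def version_in_range(version, events):
    """OSV ranges are half-open [introduced, fixed) or closed
    [introduced, last_affected]; events are listed in order, so each
    introduced is paired with the bound that follows it ("0" means any)."""
    v, low = parse_version(version), None
    for event in events:
        if "introduced" in event:
            if low is not None and v >= low:
                return True              # earlier interval was never closed
            low = parse_version(event["introduced"])
        elif low is not None:
            if "fixed" in event and low <= v < parse_version(event["fixed"]):
                return True
            if "last_affected" in event and \
                    low <= v <= parse_version(event["last_affected"]):
                return True
            low = None                   # interval closed; await next introduced
    return low is not None and v >= low  # trailing open-ended interval

def affected_versions(record, ecosystem, name, candidates):
    """Return the candidate versions of (ecosystem, name) that fall inside
    any SEMVER range of the record, keeping the order given."""
    events = []
    for entry in record["affected"]:
        pkg = entry["package"]
        if pkg["ecosystem"] == ecosystem and pkg["name"] == name:
            events.extend(r["events"] for r in entry["ranges"] if r["type"] == "SEMVER")
    return [c for c in candidates if any(version_in_range(c, ev) for ev in events)]

if __name__ == "__main__":
    print(affected_versions(OSV_RECORD, "npm", "example-lib",
                            ["1.1.9", "1.2.0", "1.3.5", "1.4.1"]))
```

GIT and ECOSYSTEM range types need different comparison logic and are skipped here, as are pre-release versions.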

These computed scores, along with the affected package versions and detailed vulnerability information from OSV, are made accessible via Trusty's API and user interface.

In addition, the OSV database includes data on malicious packages, which Trusty also ingests and processes. More details on this feature are available in the Malicious Packages section.