What is the overlap between OSV and GitHub Advisory Database?

OSV and GHSA together cover nearly 100% of the 312k canonical OSS vulns, with OSV at 99.95% and GHSA-reviewed just 9.1%.

Does Dependabot miss most OSS vulnerabilities ?

No—it uses GHSA fully, including 95% unreviewed—but quality varies wildly between reviewed and mirrored data.

How do I reconcile OSS vulnerability databases myself?

Download bulks from OSV, GHSA, etc., use union-find on vuln_id and aliases with Package URLs for canonicalization.

📦 Open Source

869k Vulnerability Records from 15 OSS Databases Collapse to Just 608k—Here's the Real Overlap

Imagine firing up your OSS project's vuln scanner, only to wonder: is it catching everything? One dev's entity-resolution magic on 15 databases uncovers the chaotic truth.

theAIcatchup Apr 10, 2026 3 min read

Overlapping circles diagram of 15 OSS vulnerability databases merging into canonical clusters

⚡ Key Takeaways

869k records from 15 OSS databases merge into 608k canonical vulns, with OSV/GHSA dominating. 𝕏
GitHub-reviewed advisories cover only 9.1%—the rest is mostly automated NVD mirrors. 𝕏
Build your own pipeline with union-find for multi-source scanning; OSS data's cross-links make it easy. 𝕏

Published by

theAIcatchup

Ship faster. Build smarter.

#GHSA #OSS vulnerabilities #OSS vulnerability databases #OSV #dependency scanning #entity-resolution #vuln databases #vulnerability databases

Worth sharing?

Get the best Developer Tools stories of the week in your inbox — no noise, no spam.

Originally reported by dev.to

⚡ Key Takeaways

The 60-Second TL;DR

theAIcatchup

Share this article

Worth sharing?

Related Stories

The OSS Entity Resolution Trap: Dedupe's Hidden Toll on 500K Records

SmartReview Cracks Product Matching Across 50 Sites—No ML PhD Required

Timsort: The One-Man Algorithm Sorting Billions of Devices Daily

Your Digital Shadow: Mastering OSINT to Uncover Hidden Online Trails

Stay in the loop