What is the overlap between OSV and GHSA in OSS vulnerabilities ?

OSV and GHSA together cover nearly all 870k ingested records, collapsing to 312k uniques; OSV hits 99.95% of the union.

Does Dependabot miss most OSS vulnerabilities?

No — it uses full GHSA (reviewed + unreviewed), covering 95.1% via NVD mirrors, but lacks OSV or niche exclusives.

Why only 9.1% GitHub-reviewed OSS vulns?

GitHub curates 28k deeply; the rest (91%) are automated NVD mirrors filtered to tracked packages — quantity over quality.

🔒 Security & Privacy

869,771 OSS Vulnerability Records Shrink to 608,463 Canonical Ones — The Overlap Reality Check

Crunching 869,771 vulnerability records from 15 open sources yields just 608,463 canonical entries. But the real eye-opener? Only 9.1% get real human review.

theAIcatchup Apr 10, 2026 4 min read

Overlapping circles representing 15 OSS vulnerability databases with 869k records merging into 608k canonicals

⚡ Key Takeaways

869k records from 15 DBs merge to 608k IDs, 57% via aliases. 𝕏
GitHub-reviewed vulns: just 9.1% of OSS universe; rest are NVD mirrors. 𝕏
Calls for Vuln Canonical ID standard to unify scanning. 𝕏

Published by

theAIcatchup

Community-driven. Code-first.

#GHSA #OSS vulnerabilities #OSS vulnerability databases #OSV #OSV.dev #dependency scanning #entity resolution #vulnerability databases

Worth sharing?

Get the best Open Source stories of the week in your inbox — no noise, no spam.

Originally reported by Dev.to

⚡ Key Takeaways

The 60-Second TL;DR

theAIcatchup

Share this article

Worth sharing?

Related Stories

npm audit isn't catching malware. This Rust scanner fills the gap.

Entity Resolution at Scale: Unifying Chaos in Product Reviews for Smarter Shopping

Why 'Free' Entity Resolution Will Bankrupt Your Sanity: Dedupe vs. GoldenMatch on Real Messy Data

React Server Components' Perfect-Score RCE Flaw Exposes Millions of Apps

Stay in the loop