How does FOSSA source its vulnerability data
Data Collection
- FOSSA scrapes CVE data from multiple sources including NVD and GitHub Security Advisories
- All collected vulnerabilities are stored in our database for processing
Internal Review
- Each vulnerability undergoes manual review by our security researcher (Carol)
- The review determines whether each vulnerability is valid, rejected, or needs further investigation
- Review status is tracked: completed, in review, or rejected
Vulnerability Matching
- After review completion, the system creates "vulnerability calculations"
- These map specific package versions to CVEs with affected version ranges
- Data is structured as: dependency locator → CVE → version range
Customer Impact
- Your project dependencies are matched against reviewed vulnerabilities
- Only reviewed and validated vulnerabilities appear in your FOSSA dashboard
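The matching step described above, as an added illustration (not FOSSA's own code): vulnerability calculations are modelled as locator → CVE → version range records carrying a review status, and a project's dependencies are matched only against calculations whose review is completed. Locators, CVE identifiers and version ranges below are constructed placeholders.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class VulnCalc:
    """One vulnerability calculation: dependency locator -> CVE -> version range."""
    locator: str        # e.g. "npm+lodash" (constructed locator form)
    cve: str
    min_ver: str        # inclusive lower bound of the affected range
    max_ver: str        # exclusive upper bound (first fixed version)
    review_status: str  # "completed", "in review", or "rejected"


def parse_version(version: str) -> tuple:
    """Dotted numeric version -> tuple; tuples compare component-wise."""
    return tuple(int(part) for part in version.split("."))


def is_affected(calc: VulnCalc, version: str) -> bool:
    pv = parse_version(version)
    return parse_version(calc.min_ver) <= pv < parse_version(calc.max_ver)


def match_dependencies(deps: dict, calcs: list) -> list:
    """deps maps locator -> installed version. Returns (locator, version, cve)
    hits for calculations whose review is completed; in-review and rejected
    calculations never surface, mirroring the dashboard filter."""
    hits = []
    for calc in calcs:
        if calc.review_status != "completed":
            continue
        version = deps.get(calc.locator)
        if version is not None and is_affected(calc, version):
            hits.append((calc.locator, version, calc.cve))
    return sorted(hits)


# Constructed sample data; CVE ids are placeholders, not real advisories.
SAMPLE_CALCS = [
    VulnCalc("npm+lodash", "CVE-EXAMPLE-0001", "0.0.0", "4.17.21", "completed"),
    VulnCalc("npm+lodash", "CVE-EXAMPLE-0002", "0.0.0", "4.17.21", "in review"),
    VulnCalc("pip+requests", "CVE-EXAMPLE-0003", "2.0.0", "2.31.0", "completed"),
    VulnCalc("npm+express", "CVE-EXAMPLE-0004", "4.0.0", "4.19.0", "rejected"),
]
SAMPLE_DEPS = {"npm+lodash": "4.17.15", "pip+requests": "2.31.0", "npm+express": "4.18.2"}

if __name__ == "__main__":
    print(match_dependencies(SAMPLE_DEPS, SAMPLE_CALCS))
```

Only the lodash entry with a completed review is reported; the in-review duplicate, the rejected express entry, and requests at its first fixed version are all suppressed.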
What You See
The vulnerabilities in your FOSSA dashboard have been:
- Collected from security sources
- Reviewed by our security researcher
- Mapped to your specific dependencies
- Filtered for relevance to your project
This process aims to reduce false positives while ensuring you're aware of legitimate security issues affecting your dependencies.