How does FOSSA source its vulnerability data

Data Collection

  • FOSSA scrapes CVE data from multiple sources including NVD and GitHub Security Advisories
  • All collected vulnerabilities are stored in our database for processing

Internal Review

  • Each vulnerability undergoes manual review by our security researcher (Carol)
  • The review determines whether a vulnerability is valid, should be rejected, or needs further investigation
  • Review status is tracked: completed, in review, or rejected

Vulnerability Matching

  • After review completion, the system creates "vulnerability calculations"
  • These map specific package versions to CVEs with affected version ranges
  • Data is structured as: dependency locator → CVE → version range

Customer Impact

  • Your project dependencies are matched against reviewed vulnerabilities
  • Only reviewed and validated vulnerabilities appear in your FOSSA dashboard

What You See

The vulnerabilities in your FOSSA dashboard have been:

  1. Collected from security sources
  2. Reviewed by our security researcher
  3. Mapped to your specific dependencies
  4. Filtered for relevance to your project

This process aims to reduce false positives while ensuring you're aware of legitimate security issues affecting your dependencies.