How FOSSA Sources Vulnerability Data

FOSSA aggregates vulnerability data from a number of sources and runs it through a combined human and automated review pipeline before surfacing issues in your projects.

2 min readUpdated Jul 9, 2026

Overview

FOSSA builds its vulnerability dataset by aggregating data from a number of sources, running it through a review pipeline, and matching the reviewed results against the dependencies in your projects. This means the vulnerabilities you see in FOSSA have been collected, validated, and mapped specifically to the packages you use.

Data collection

FOSSA collects vulnerability data from a number of sources rather than relying on any single feed. Primary examples include the National Vulnerability Database (NVD) and GitHub Security Advisories, and additional sources such as OSS Index and RustSec contribute coverage for specific ecosystems. Drawing from many sources (16 and counting) improves coverage and reduces the chance that a vulnerability is missed because it is absent from one particular feed.

All collected vulnerabilities are stored in FOSSA's database for processing.

Review

Collected vulnerabilities pass through a review pipeline that combines both human and automated review. This pipeline determines whether each vulnerability is valid, should be rejected, or needs further investigation, and tracks each entry's review status (for example: completed, in review, or rejected). Combining automated processing with human judgment helps reduce false positives while keeping coverage broad.

Vulnerability matching

After review, FOSSA produces "vulnerability calculations" that map specific package versions to CVEs along with the affected version ranges. Conceptually, the data is structured as:

dependency locator → CVE → affected version range

Your project's dependencies are then matched against these reviewed vulnerabilities.

What you see

The vulnerabilities surfaced in your FOSSA dashboard have been:

  • Collected from a number of security sources
  • Reviewed through FOSSA's combined human and automated pipeline
  • Mapped to your specific dependencies
  • Filtered for relevance to your project

The goal of this process is to reduce false positives while ensuring you remain aware of legitimate security issues affecting your dependencies.

© 2026 FOSSA, Inc.support@fossa.com