API: query vulnerabilities by cve id

[huanceng]

The current api /v1/vulns/{id} returns a vulnerability object for a given OSV ID. If a cve id is given, the api will return Bug not found.

For example, GHSA-h592-38cm-4ggp and its corresponding cve id CVE-2017-15095.

Do you plan to develop such an API?

[oliverchang]

This does sound useful thanks, tracking as a FR.

[rdeepc]

Hi @oliverchang,

I am interested in working on this.

[andrewpollock]

More abstractly, it sounds like you're wishing for the /v1/vulns{id} endpoint to support lookups by alias as well as the primary ID?

[huanceng]

Hi @andrewpollock , /v1/vulns/{id} or a new endpoint are both acceptable.

[andrewpollock]

Some interim thoughts to improve this user experience:

$ GET -s https://api.osv.dev/v1/vulns/CVE-2025-0001
404 Not Found
{"code":5,"message":"Bug not found."}

• include a link to https://osv.dev/faq in the message text
• add a new FAQ entry about bugs not found/404s from the /v1/vulns/{id} API endpoint
• add to https://google.github.io/osv.dev/post-v1-query/ about querying by first class vulnerabilities versus aliases

[github-actions]

This issue has not had any activity for 60 days and will be automatically closed in two weeks

[andrewpollock]

Related: #760

[github-actions]

This issue has not had any activity for 60 days and will be automatically closed in two weeks

See https://github.com/google/osv.dev/blob/master/CONTRIBUTING.md for how to contribute a PR if you're interested in helping out.