When you run a Software Composition Analysis (SCA) scan, the accuracy of the results depends heavily on the vulnerability database behind it and on how well that database's identifiers match your component inventory. The two major public databases, the National Vulnerability Database (NVD) and Open Source Vulnerabilities (OSV), serve overlapping but distinct purposes. Understanding their differences helps you build a more complete and accurate vulnerability monitoring programme.
NVD: The Authoritative CVE Registry
The National Vulnerability Database, maintained by NIST (National Institute of Standards and Technology), is the primary public repository of CVE metadata. CVE identifiers are assigned by CVE Numbering Authorities (CNAs) under the MITRE-run CVE Program; once a CVE is published, NVD analysts enrich it with:
- CVSS base scores (CVSS 3.x, plus CVSS 4.0 for records enriched since 2024; NVD stopped producing CVSS 2.0 scores for new CVEs in 2022)
- CWE classification — the weakness type (e.g., CWE-79 for XSS)
- CPE identifiers — standardised product identifiers linking the CVE to affected products
- References — links to vendor advisories, patches, and proof-of-concept exploits
- Exploitability data — a flag when the CVE appears in the CISA KEV catalogue. NVD does not publish temporal or threat metrics such as exploit maturity; those come from KEV or commercial feeds, not from the NVD record itself
NVD is authoritative, comprehensive (250,000+ CVE records), and universally referenced. It is the database that regulators, auditors, and insurance underwriters use when they ask "are you monitoring for known vulnerabilities?"
NVD's Limitations
Since early 2024, NVD has faced a significant backlog crisis. NIST reduced enrichment capacity, resulting in tens of thousands of CVEs published with minimal metadata — no CVSS score, no CPE, no affected version information. As of early 2026, many 2024 CVEs on NVD still lack complete enrichment.
Additional structural limitations:
- CPE matching is imprecise for open source. CPE names a vendor and product string, not a package in an ecosystem, so a library whose registry name differs from its CPE vendor/product string, or the same name published to two ecosystems, is easily mismatched. Matching open-source packages by CPE produces both false positives and false negatives.
- Version range data is often missing or wrong. NVD's affected-version information is not always accurate, particularly for complex version ranges with several affected branches and backported fixes.
- Latency. NVD enrichment can lag weeks behind CVE publication for lower-profile vulnerabilities, and during the backlog it has lagged far longer.
OSV: Built for Open Source at Scale
OSV (Open Source Vulnerabilities), launched by Google in 2021, was specifically designed to address NVD's weaknesses for open-source software. Key design principles:
- PURL-native matching. OSV records include precise package URL identifiers, enabling accurate matching against SBOM component inventories without CPE guessing.
- Exact version ranges. OSV entries specify affected and fixed versions as an ordered list of events, for example introduced: 1.2.0, fixed: 1.2.8, meaning every version from 1.2.0 up to but not including 1.2.8 is affected; a range can also end with last_affected (inclusive) or stay open when no fix exists yet.
- Ecosystem coverage. OSV aggregates data from PyPI, npm, RubyGems, Maven, Go, Rust (RustSec), Linux kernel, Android, Debian, Alpine, and more, via direct partnerships with maintainers.
- Machine-readable schema. The OSV schema is open and standardised, enabling tools to consume OSV data programmatically.
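The matching described in the list above, as an added example (not OSV's own code or any CRATrust component): a small matcher that parses SBOM package URLs, maps the purl type to an OSV ecosystem name, and evaluates OSV-schema `ranges`/`events` for a component's version. The advisory records, package names and identifiers (GHSA-xxxx-... and CVE-0000-...) are constructed placeholders, the purl-type table is a subset, and the version comparator is a simplified semver ordering that real ecosystems (PEP 440, npm pre-release rules) would need to replace.

```python
"""Match SBOM purls against OSV-schema affected ranges (added example)."""
import re

# purl type -> OSV ecosystem name. Subset, assumed for this example.
PURL_TYPE_TO_ECOSYSTEM = {
    "pypi": "PyPI", "npm": "npm", "golang": "Go", "cargo": "crates.io",
    "maven": "Maven", "gem": "RubyGems",
}

# Constructed OSV-schema-shaped records; IDs are placeholders, not real advisories.
SAMPLE_ADVISORIES = [
    {"id": "GHSA-xxxx-xxxx-xxx1", "aliases": ["CVE-0000-0001"], "affected": [
        {"package": {"ecosystem": "PyPI", "name": "examplepkg", "purl": "pkg:pypi/examplepkg"},
         "ranges": [{"type": "ECOSYSTEM",
                     "events": [{"introduced": "1.2.0"}, {"fixed": "1.2.8"}]}]}]},
    {"id": "GHSA-xxxx-xxxx-xxx2", "aliases": [], "affected": [
        {"package": {"ecosystem": "npm", "name": "example-lib"},
         "ranges": [{"type": "SEMVER",  # two affected intervals in one range
                     "events": [{"introduced": "0"}, {"fixed": "2.0.5"},
                                {"introduced": "3.0.0"}, {"fixed": "3.1.2"}]}]}]},
    {"id": "GHSA-xxxx-xxxx-xxx3", "aliases": ["CVE-0000-0002"], "affected": [
        {"package": {"ecosystem": "crates.io", "name": "example-crate"},
         "ranges": [{"type": "SEMVER",  # open range: no fixed version yet
                     "events": [{"introduced": "0.4.0"}]}]}]},
]

# Constructed SBOM component list (CycloneDX/SPDX would carry these as purls).
SAMPLE_SBOM = [
    "pkg:pypi/examplepkg@1.2.5", "pkg:pypi/examplepkg@1.2.8", "pkg:pypi/examplepkg@1.1.9",
    "pkg:npm/example-lib@2.3.0", "pkg:npm/example-lib@3.0.9",
    "pkg:cargo/example-crate@0.5.1",
]


def parse_purl(purl):
    """Split 'pkg:type/name@version' into (type, name, version); qualifiers are dropped.
    Namespaced names (npm scopes, Maven groupId) are returned verbatim and would need
    ecosystem-specific normalisation before comparing with OSV package names."""
    m = re.match(r"^pkg:([^/]+)/(.+?)(?:@([^?#]+))?(?:[?#].*)?$", purl)
    if not m:
        raise ValueError(f"not a purl: {purl}")
    ptype, name, version = m.groups()
    return ptype.lower(), name.lower(), version


def version_key(v):
    """Simplified semver-style ordering (assumption): dotted integers padded to three
    components, with an optional '-prerelease' suffix that sorts before the release."""
    base, _, pre = v.partition("-")
    nums = tuple(int(p) for p in base.split("."))
    nums += (0,) * (3 - len(nums))
    return (nums, -1 if pre else 0, pre)


def version_in_ranges(version, ranges):
    """Evaluate OSV events: each 'introduced' opens an affected interval, closed by the
    next 'fixed' (exclusive) or 'last_affected' (inclusive); '0' means from the start.
    A trailing 'introduced' with no closing event is an open, still-unfixed interval."""
    vk = version_key(version)
    for rng in ranges:
        if rng["type"] == "GIT":
            continue  # commit ranges need repository history to evaluate
        introduced = None
        for ev in rng["events"]:
            if "introduced" in ev:
                introduced = ev["introduced"]
                continue
            if introduced is None:
                continue
            above_lo = introduced == "0" or vk >= version_key(introduced)
            if "fixed" in ev:
                hit = above_lo and vk < version_key(ev["fixed"])
            else:
                hit = above_lo and vk <= version_key(ev["last_affected"])
            if hit:
                return True
            introduced = None
        if introduced is not None and (introduced == "0" or vk >= version_key(introduced)):
            return True
    return False


def match_sbom(components, advisories):
    """Return (purl, advisory id, aliases) for every component an advisory covers."""
    findings = []
    for purl in components:
        ptype, name, version = parse_purl(purl)
        eco = PURL_TYPE_TO_ECOSYSTEM.get(ptype)
        if eco is None or version is None:
            continue
        for adv in advisories:
            for aff in adv["affected"]:
                pkg = aff["package"]
                if pkg["ecosystem"] != eco or pkg["name"].lower() != name:
                    continue
                if version in aff.get("versions", []) or \
                        version_in_ranges(version, aff.get("ranges", [])):
                    findings.append((purl, adv["id"], adv.get("aliases", [])))
    return findings


if __name__ == "__main__":
    for purl, adv_id, aliases in match_sbom(SAMPLE_SBOM, SAMPLE_ADVISORIES):
        print(f"{purl}: {adv_id} aliases={aliases}")
```

Note the two edge cases the sample data exercises: a component at exactly the `fixed` version is not reported, and a range with `introduced` but no `fixed` reports every later version, which is what you want for an unpatched advisory.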
GHSA: GitHub Security Advisories
The GitHub Security Advisory Database (GHSA) is another important source, particularly for packages in GitHub-hosted ecosystems. It is a primary data source for OSV and provides advisories for npm, pip, Maven, Composer, RubyGems, Go, Rust, NuGet, and Erlang packages, among others.
GHSA assigns its own advisory IDs (GHSA-xxxx-xxxx-xxxx) but maps to CVE aliases where available. GitHub's Dependabot uses GHSA as its primary vulnerability source.
The CISA KEV Catalogue
Neither NVD nor OSV tells you which vulnerabilities are being actively exploited right now. For that, the CISA Known Exploited Vulnerabilities (KEV) catalogue is essential. Updated as new exploitation evidence is confirmed, KEV lists CVEs with confirmed evidence of active exploitation in the wild; each entry carries a dateAdded and a dueDate, the remediation deadline for US federal agencies under BOD 22-01. Any vulnerability on the KEV list demands immediate attention regardless of CVSS score.
CISA publishes KEV as a machine-readable JSON feed (https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json) whose records are keyed by cveID, enabling integration into SCA pipelines.
Commercial Intelligence Feeds
For organisations requiring the most complete and timely vulnerability intelligence, commercial feeds add value beyond public databases:
- Early disclosure intelligence: Commercial feeds often receive information under embargo before public CVE publication
- Exploit intelligence: Data on exploit kit availability, dark web chatter, proof-of-concept publication timing
- Patch intelligence: Automated tracking of vendor patch releases across commercial products
- Threat actor attribution: Which threat groups are exploiting which CVEs
The Right Approach: Use Both NVD and OSV
For a complete SCA programme, you need both:
- OSV for open-source component matching — accurate PURL-based matching with precise version ranges reduces false positives dramatically
- NVD for CVSS scores and compliance reporting — regulators and auditors expect CVSS scores. OSV does not compute them: an OSV record carries the CVE alias (and, for GHSA-sourced entries, the advisory's own severity), so NVD's score is looked up by that alias, and it may be absent while the record sits in the enrichment backlog
- CISA KEV for active threat prioritisation — separate from base scoring; KEV status is the most actionable single data point
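The cross-referencing described in the three points above, as an added example (not CRATrust's aggregation layer): findings from an OSV-based matcher are joined to NVD base scores by CVE alias and to the KEV feed by cveID, then ordered KEV-first, with NVD-unscored records flagged for manual triage rather than silently dropped. The NVD and KEV excerpts are constructed but follow the field layout of the NVD CVE API 2.0 (`vulnerabilities[].cve.metrics.cvssMetricV31[].cvssData.baseScore`) and the KEV feed (`vulnerabilities[].cveID`, `dueDate`); `fallback_severity` stands in for a qualitative rating carried on the OSV record itself (for example a GHSA entry's `database_specific.severity`), and the numeric floors used to order those ratings are an assumption of this example.

```python
"""Join OSV findings to NVD CVSS and CISA KEV, KEV first (added example)."""

# Constructed excerpt shaped like an NVD CVE API 2.0 response. IDs are placeholders.
# CVE-0000-0002 mimics a backlog record: published, but with no CVSS metrics yet.
NVD_SAMPLE = {"vulnerabilities": [
    {"cve": {"id": "CVE-0000-0001", "metrics": {"cvssMetricV31": [
        {"source": "nvd@nist.gov", "type": "Primary",
         "cvssData": {"version": "3.1", "baseScore": 7.5, "baseSeverity": "HIGH"}}]}}},
    {"cve": {"id": "CVE-0000-0002", "metrics": {}}},
    {"cve": {"id": "CVE-0000-0003", "metrics": {"cvssMetricV31": [
        {"source": "nvd@nist.gov", "type": "Primary",
         "cvssData": {"version": "3.1", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}]}}},
]}

# Constructed excerpt shaped like the KEV JSON feed.
KEV_SAMPLE = {"vulnerabilities": [
    {"cveID": "CVE-0000-0003", "vendorProject": "Example", "product": "another-pkg",
     "dateAdded": "2026-01-05", "dueDate": "2026-01-26",
     "knownRansomwareCampaignUse": "Unknown"},
]}

# Constructed findings, as an OSV-based matcher would emit them.
FINDINGS = [
    {"purl": "pkg:pypi/examplepkg@1.2.5", "osv_id": "GHSA-xxxx-xxxx-xxx1",
     "aliases": ["CVE-0000-0001"], "fallback_severity": "HIGH"},
    {"purl": "pkg:npm/example-lib@3.0.9", "osv_id": "GHSA-xxxx-xxxx-xxx2",
     "aliases": [], "fallback_severity": "HIGH"},          # no CVE alias at all
    {"purl": "pkg:cargo/example-crate@0.5.1", "osv_id": "GHSA-xxxx-xxxx-xxx3",
     "aliases": ["CVE-0000-0002"], "fallback_severity": None},  # NVD backlog, no rating
    {"purl": "pkg:pypi/another-pkg@2.0.0", "osv_id": "GHSA-xxxx-xxxx-xxx4",
     "aliases": ["CVE-0000-0003"], "fallback_severity": "MEDIUM"},  # on KEV
]

# Numeric floor of each CVSS v3 severity bucket; an assumption used only for ordering.
SEVERITY_FLOOR = {"CRITICAL": 9.0, "HIGH": 7.0, "MEDIUM": 4.0, "LOW": 0.1}


def nvd_base_scores(nvd_response):
    """Map CVE id -> (baseScore, baseSeverity) from NVD's Primary metric, preferring
    v4.0 over v3.1 over v3.0; CVEs with no metrics map to None."""
    scores = {}
    for item in nvd_response["vulnerabilities"]:
        cve, best = item["cve"], None
        for key in ("cvssMetricV40", "cvssMetricV31", "cvssMetricV30"):
            for m in cve.get("metrics", {}).get(key, []):
                if m.get("type") == "Primary":
                    best = (m["cvssData"]["baseScore"], m["cvssData"]["baseSeverity"])
                    break
            if best:
                break
        scores[cve["id"]] = best
    return scores


def kev_index(kev_feed):
    """Map cveID -> KEV record."""
    return {v["cveID"]: v for v in kev_feed["vulnerabilities"]}


def prioritise(findings, nvd_scores, kev):
    """KEV entries first, then descending score. Score comes from NVD when present,
    else from the OSV record's own rating; 'needs_triage' marks anything NVD has not
    scored so the gap is visible instead of reading as 'low'."""
    rows = []
    for f in findings:
        cves = [a for a in f["aliases"] if a.startswith("CVE-")]
        in_kev = [c for c in cves if c in kev]
        nvd = [nvd_scores[c] for c in cves if nvd_scores.get(c)]
        if nvd:
            score, source = max(s[0] for s in nvd), "nvd"
        elif f.get("fallback_severity"):
            score, source = SEVERITY_FLOOR[f["fallback_severity"]], "osv-record"
        else:
            score, source = None, None
        rows.append({
            "purl": f["purl"], "osv_id": f["osv_id"], "cves": cves,
            "in_kev": bool(in_kev),
            "kev_due": kev[in_kev[0]]["dueDate"] if in_kev else None,
            "score": score, "score_source": source,
            "needs_triage": not nvd,
        })
    rows.sort(key=lambda r: (0 if r["in_kev"] else 1,
                             -(r["score"] if r["score"] is not None else -1)))
    return rows


if __name__ == "__main__":
    for r in prioritise(FINDINGS, nvd_base_scores(NVD_SAMPLE), kev_index(KEV_SAMPLE)):
        flag = " KEV due " + r["kev_due"] if r["in_kev"] else ""
        triage = " (needs triage: no NVD score)" if r["needs_triage"] else ""
        print(f"{r['purl']}: score={r['score']} from {r['score_source']}{flag}{triage}")
```

The KEV entry lands at the top even though its NVD score is only 5.3, which is the point of keeping KEV separate from base scoring; the backlog record with no score and no fallback rating sorts last but is explicitly flagged, so it reaches a human rather than vanishing below a severity threshold.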
CRATrust aggregates NVD, OSV, GHSA, and CISA KEV data into a unified vulnerability intelligence layer, so your team never has to manually cross-reference multiple databases.