by chronial 1272 days ago
How would you use this with a C/C++ codebase, where you build your dependencies yourself and don't get them from a package manager? All vulnerability databases seem to refer to package repos. Is there anything that works with only library name + version?
2 comments

OSV lead here.

This isn't available yet, but we're working on exactly this in two ways:

1. Extending our API to detect vendored C/C++ code by building a file hash index
2. Building a high quality C/C++ vulnerability database.

You can follow the two linked issues here: https://github.com/google/osv-scanner/issues/82 for updates!
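As an illustration of the file-hash-index approach mentioned above, here is an added example that is not OSV's code or API; the release corpus, the advisory identifier and the scoring rule are constructed assumptions for the demonstration.

```python
import hashlib
from collections import defaultdict

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed stand-in for an upstream release corpus (hypothetical, not OSV's
# data): (library, version) -> {relative path: file content}.
SAMPLE_RELEASES = {
    ("libfoo", "1.2.0"): {"foo.c": b"int foo(void) { return 1; }\n",
                          "foo.h": b"int foo(void);\n"},
    ("libfoo", "1.3.0"): {"foo.c": b"int foo(void) { return 2; }\n",
                          "foo.h": b"int foo(void);\n"},
}
# Constructed advisories keyed by (library, version); placeholder id, not real.
SAMPLE_ADVISORIES = {("libfoo", "1.2.0"): ["EXAMPLE-ADVISORY-0001"]}

def build_index(releases):
    """Map each file hash to every (library, version) shipping that exact file."""
    index = defaultdict(list)
    for lib_ver, files in releases.items():
        for content in files.values():
            index[sha256_hex(content)].append(lib_ver)
    return index

def identify(vendored, index):
    """Score candidate releases for a vendored tree given as {path: content}.

    A file shared by N releases (an unchanged header, say) contributes only 1/N
    to each, so files that differ between versions are what pin the version.
    Returns (best (lib, version) or None, scores dict, unmatched paths).
    """
    scores, unmatched = defaultdict(float), []
    for path, content in vendored.items():
        candidates = index.get(sha256_hex(content), [])
        if not candidates:
            unmatched.append(path)  # locally patched, or absent from the corpus
            continue
        for lib_ver in candidates:
            scores[lib_ver] += 1.0 / len(candidates)
    best = max(scores, key=scores.get) if scores else None
    return best, dict(scores), unmatched

def scan(vendored, releases=SAMPLE_RELEASES, advisories=SAMPLE_ADVISORIES):
    """Identify the vendored release and list the advisories recorded for it."""
    best, scores, unmatched = identify(vendored, build_index(releases))
    return {"match": best, "scores": scores, "unmatched": unmatched,
            "advisories": advisories.get(best, []) if best else []}
```

A vendored tree that carries a locally patched file still resolves to the release its other files came from; the patched file is reported as unmatched so it can be reviewed by hand.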

We have an open-source project that does this: https://github.com/osssanitizer/maloss. I'm working on creating a CLI/web interface for this. Happy to chat (email in profile).