how to use just this ./vulnfeeds/cmd/combine-to-osv/

Skip to first unread message

Alex Alexandrov

Sep 27, 2022, 6:40:03 AM9/27/22
to osv-discuss
I need just to get a vulnerabilities database in OSV format, but it requires access to google services
Setup initial directories
Begin syncing with cloud parts
Caught non-retryable exception while listing gs://cve-osv-conversion/parts/: AccessDeniedException: 403 <mail> does not have storage.objects.list access to the Google Cloud Storage bucket.
CommandException: Caught non-retryable exception - aborting rsync

My own project has storage and the project owner of cause have access, but is it asking for access to a different project?
I'm not really familiar with google services, how can I just run this script?)

Andrew Pollock

Sep 27, 2022, 6:56:18 PM9/27/22
to Alex Alexandrov, osv-discuss
Hi Alex,

That script in its current form has a GCS bucket hard-coded in it that you won't have read or write access to.

I'll make it more supportive of supplying a BYO GCS bucket so your use case is more readily available. In the short term, you can replace the references to gs://cve-osv-conversion on lines 21 and 31 with your own GCS bucket and this should unblock you.

Let me know how that goes for you.



You received this message because you are subscribed to the Google Groups "osv-discuss" group.
To unsubscribe from this group and stop receiving emails from it, send an email to
To view this discussion on the web visit


Andrew Pollock

Security Engineer, Google Open Source Security Team | +61419788191 |

Google LLC

This email is confidential. If you are not the right addressee, please inform the sender and please erase this email including any attachments.

Andrew Pollock

Sep 27, 2022, 7:38:19 PM9/27/22
to Alex Alexandrov, osv-discuss


Sep 27, 2022, 9:02:51 PM9/27/22
to osv-discuss
Hello Alex,

Can you provide us some more information about your goal? The script is quite specific/narrow in it's use case. It's main goal is to upload and download from google cloud buckets to feed into

- If you are looking for all the already converted OSV formatted vulnerabilities, then they are available here: gs://osv-vulnerabilities.
- If you are looking to convert all NVD CVE entries into the OSV format, we currently don't have that functionality at the moment, but it is something we are in the process of adding similar functionality to OSV (see for an early draft)
- And if you already have affected package and vulnerability information extracted, and all you want is to combine it with CVE information into the OSV format, then combine-to-osv is what you are looking for. If that is the case, you can try running `go run ./cmd/combine-to-osv` directly with the necessary parameters. combine-to-osv is currently mostly for internal use to populate, so it lacks proper documentation. I have created an issue to track this here:

Do let us know if none of the above is what you are trying to do, and if we can help. 

Reply all
Reply to author
0 new messages