google · jess-lowe · Jan 20, 2026 · Jan 20, 2026 · Jan 20, 2026 · Jan 20, 2026
diff --git a/vulnfeeds/cmd/combine-to-osv/main.go b/vulnfeeds/cmd/combine-to-osv/main.go
@@ -11,12 +11,12 @@ import (
 	"log/slog"
 	"os"
 	"path/filepath"
-	"strings"
-
 	"slices"
+	"strings"
 
 	"cloud.google.com/go/storage"
 	"github.com/google/osv/vulnfeeds/cves"
+	"github.com/google/osv/vulnfeeds/models"
 	"github.com/google/osv/vulnfeeds/upload"
 	"github.com/google/osv/vulnfeeds/utility/logger"
 	"github.com/ossf/osv-schema/bindings/go/osvschema"
@@ -138,8 +138,8 @@ func listBucketObjects(bucketName string, prefix string) ([]string, error) {
 // The function returns a map of CVE IDs to their corresponding Vulnerability objects.
 // Files that are not ".json" files, directories, or files ending in ".metrics.json" are skipped.
 // The function will log warnings for files that fail to open or decode, and will terminate if it fails to walk the directory.
-func loadOSV(osvPath string) map[cves.CVEID]*osvschema.Vulnerability {
-	allVulns := make(map[cves.CVEID]*osvschema.Vulnerability)
+func loadOSV(osvPath string) map[models.CVEID]*osvschema.Vulnerability {
+	allVulns := make(map[models.CVEID]*osvschema.Vulnerability)
 	logger.Info("Loading OSV records", slog.String("path", osvPath))
 	err := filepath.WalkDir(osvPath, func(path string, d fs.DirEntry, err error) error {
 		if err != nil {
@@ -161,7 +161,7 @@ func loadOSV(osvPath string) map[cves.CVEID]*osvschema.Vulnerability {
 			logger.Error("Failed to decode, skipping", slog.String("file", path), slog.Any("err", decodeErr))
 			return nil
 		}
-		allVulns[cves.CVEID(vuln.GetId())] = &vuln
+		allVulns[models.CVEID(vuln.GetId())] = &vuln
 
 		return nil
 	})
@@ -174,8 +174,8 @@ func loadOSV(osvPath string) map[cves.CVEID]*osvschema.Vulnerability {
 }
 
 // combineIntoOSV creates OSV entry by combining loaded CVEs from NVD and PackageInfo information from security advisories.
-func combineIntoOSV(cve5osv map[cves.CVEID]*osvschema.Vulnerability, nvdosv map[cves.CVEID]*osvschema.Vulnerability, mandatoryCVEIDs []string) map[cves.CVEID]*osvschema.Vulnerability {
-	osvRecords := make(map[cves.CVEID]*osvschema.Vulnerability)
+func combineIntoOSV(cve5osv map[models.CVEID]*osvschema.Vulnerability, nvdosv map[models.CVEID]*osvschema.Vulnerability, mandatoryCVEIDs []string) map[models.CVEID]*osvschema.Vulnerability {
+	osvRecords := make(map[models.CVEID]*osvschema.Vulnerability)
 
 	// Iterate through CVEs from security advisories (cve5) as the base
 	for cveID, cve5 := range cve5osv {

diff --git a/vulnfeeds/cmd/combine-to-osv/main_test.go b/vulnfeeds/cmd/combine-to-osv/main_test.go
@@ -8,7 +8,7 @@ import (
 
 	"github.com/google/go-cmp/cmp"
 	"github.com/google/go-cmp/cmp/cmpopts"
-	"github.com/google/osv/vulnfeeds/cves"
+	"github.com/google/osv/vulnfeeds/models"
 	"github.com/ossf/osv-schema/bindings/go/osvschema"
 	"google.golang.org/protobuf/testing/protocmp"
 	"google.golang.org/protobuf/types/known/timestamppb"
@@ -35,7 +35,7 @@ func TestCombineIntoOSV(t *testing.T) {
 
 	cve5osv := loadOSV(cve5Path)
 	nvdosv := loadOSV(nvdPath)
-	nvdosvCopy := make(map[cves.CVEID]*osvschema.Vulnerability)
+	nvdosvCopy := make(map[models.CVEID]*osvschema.Vulnerability)
 	for k, v := range nvdosv {
 		nvdosvCopy[k] = v
 	}

diff --git a/vulnfeeds/cmd/converters/alpine/main.go b/vulnfeeds/cmd/converters/alpine/main.go
@@ -15,7 +15,6 @@ import (
 	"strings"
 	"time"
 
-	"github.com/google/osv/vulnfeeds/cves"
 	"github.com/google/osv/vulnfeeds/models"
 	"github.com/google/osv/vulnfeeds/upload"
 	"github.com/google/osv/vulnfeeds/utility/logger"
@@ -138,7 +137,7 @@ func getAlpineSecDBData() map[string][]VersionAndPkg {
 }
 
 // generateAlpineOSV generates the generic PackageInfo package from the information given by alpine advisory
-func generateAlpineOSV(allAlpineSecDb map[string][]VersionAndPkg, allCVEs map[cves.CVEID]cves.Vulnerability) (osvVulnerabilities []*vulns.Vulnerability) {
+func generateAlpineOSV(allAlpineSecDb map[string][]VersionAndPkg, allCVEs map[models.CVEID]models.Vulnerability) (osvVulnerabilities []*vulns.Vulnerability) {
 	cveIDs := make([]string, 0, len(allAlpineSecDb))
 	for cveID := range allAlpineSecDb {
 		cveIDs = append(cveIDs, cveID)
@@ -157,7 +156,7 @@ func generateAlpineOSV(allAlpineSecDb map[string][]VersionAndPkg, allCVEs map[cv
 
 			return verPkgs[i].Ver < verPkgs[j].Ver
 		})
-		cve, ok := allCVEs[cves.CVEID(cveID)]
+		cve, ok := allCVEs[models.CVEID(cveID)]
 		var published time.Time
 		var details string
 		if ok {

diff --git a/vulnfeeds/cmd/converters/cve/cve5/bulk-converter/main.go b/vulnfeeds/cmd/converters/cve/cve5/bulk-converter/main.go
@@ -14,8 +14,9 @@ import (
 	"sync"
 	"time"
 
+	"github.com/google/osv/vulnfeeds/conversion"
 	"github.com/google/osv/vulnfeeds/cvelist2osv"
-	"github.com/google/osv/vulnfeeds/cves"
+	"github.com/google/osv/vulnfeeds/models"
 	"github.com/google/osv/vulnfeeds/utility/logger"
 )
 
@@ -34,7 +35,7 @@ func main() {
 	flag.Parse()
 	logger.InitGlobalLogger()
 
-	logger.Info("Commencing Linux CVE to OSV conversion run")
+	logger.Info("Commencing CVE to OSV conversion run")
 	if err := os.MkdirAll(*localOutputDir, 0755); err != nil {
 		logger.Fatal("Failed to create local output directory", slog.Any("err", err))
 	}
@@ -103,7 +104,7 @@ func worker(wg *sync.WaitGroup, jobs <-chan string, outDir string, cnas []string
 			continue
 		}
 
-		var cve cves.CVE5
+		var cve models.CVE5
 		if err := json.Unmarshal(data, &cve); err != nil {
 			logger.Info("Failed to unmarshal JSON", slog.String("path", path), slog.Any("err", err))
 			continue
@@ -115,8 +116,8 @@ func worker(wg *sync.WaitGroup, jobs <-chan string, outDir string, cnas []string
 		cveID := cve.Metadata.CVEID
 		logger.Info("Processing "+string(cveID), slog.String("cve", string(cveID)))
 
-		osvFile, errCVE := cvelist2osv.CreateOSVFile(cveID, outDir)
-		metricsFile, errMetrics := cvelist2osv.CreateMetricsFile(cveID, outDir)
+		osvFile, errCVE := conversion.CreateOSVFile(cveID, outDir)
+		metricsFile, errMetrics := conversion.CreateMetricsFile(cveID, outDir)
 		if errCVE != nil || errMetrics != nil {
 			logger.Fatal("File failed to be created for CVE", slog.String("cve", string(cveID)))
 		}

diff --git a/vulnfeeds/cmd/converters/cve/cve5/single-converter/main.go b/vulnfeeds/cmd/converters/cve/cve5/single-converter/main.go
@@ -7,8 +7,9 @@ import (
 	"log/slog"
 	"os"
 
+	"github.com/google/osv/vulnfeeds/conversion"
 	"github.com/google/osv/vulnfeeds/cvelist2osv"
-	"github.com/google/osv/vulnfeeds/cves"
+	"github.com/google/osv/vulnfeeds/models"
 	"github.com/google/osv/vulnfeeds/utility/logger"
 )
 
@@ -28,7 +29,7 @@ func main() {
 		logger.Fatal("Failed to open file", slog.Any("err", err))
 	}
 
-	var cve cves.CVE5
+	var cve models.CVE5
 	if err = json.Unmarshal(data, &cve); err != nil {
 		logger.Fatal("Failed to parse CVEList CVE JSON", slog.Any("err", err))
 	}
@@ -44,8 +45,8 @@ func main() {
 	}
 	// create the files
 
-	osvFile, errCVE := cvelist2osv.CreateOSVFile(cveID, outDir)
-	metricsFile, errMetrics := cvelist2osv.CreateMetricsFile(cveID, outDir)
+	osvFile, errCVE := conversion.CreateOSVFile(cveID, outDir)
+	metricsFile, errMetrics := conversion.CreateMetricsFile(cveID, outDir)
 	if errCVE != nil || errMetrics != nil {
 		logger.Fatal("File failed to be created for CVE", slog.String("cve", string(cveID)))
 	}