diff --git a/cve_bin_tool/data_sources/osv_source.py b/cve_bin_tool/data_sources/osv_source.py
index 175a1edf3f..c8bbfea37e 100644
--- a/cve_bin_tool/data_sources/osv_source.py
+++ b/cve_bin_tool/data_sources/osv_source.py
@@ -292,15 +292,18 @@ def format_data(self, all_cve_entries):
 
             severity_data.append(cve)
 
-            for package in cve_item["affected"]:
-                product = package["package"]["name"]
+            for package_data in cve_item.get("affected", []):
+                package = package_data.get("package", {})
+                if not package:
+                    continue
+
+                product = package.get("name")
                 vendor = (
                     "unknown"  # OSV Schema does not provide vendor names for packages
                 )
-                if (
-                    "github.com/" in product
-                ):  # if package name is of format github.com/xxxx/yyyy xxxx can be vendor name and yyyy is package name
-                    vendor = product.split("/")[-2]  # trying to guess vendor name
+
+                if product.startswith("github.com/"):
+                    vendor = product.split("/")[-2]
                     product = product.split("/")[-1]
 
                 affected = {
@@ -315,12 +318,12 @@ def format_data(self, all_cve_entries):
                 }
 
                 events = None
-                for ranges in package.get("ranges", []):
+                for ranges in package_data.get("ranges", []):
                     if ranges["type"] == "SEMVER":
                         events = ranges["events"]
 
-                if events is None and "versions" in package:
-                    versions = package["versions"]
+                if events is None and "versions" in package_data:
+                    versions = package_data["versions"]
                     if versions == []:
                         continue
 
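Review bot: `product = package.get("name")` on the new side can return None, and the very next statement `product.startswith("github.com/")` then raises AttributeError, so the `.get` that replaced `package["package"]["name"]` only moves the failure for a malformed OSV record one line down. The commit already skips an entry whose `package` object is missing; the same treatment fits the name: keep `product = package.get("name")` and add `if not product: continue` before the vendor assignment. Separately, for a name with a single path component such as `github.com/foo`, `product.split("/")[-2]` yields `github.com` as the vendor — this is pre-existing, but now that the explanatory comment on the heuristic was dropped, a one-line note such as `# heuristic: github.com/<owner>/<repo> -> vendor=<owner>, product=<repo>` would help the next reader. The body of format_data starts before and continues past this hunk.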
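Review bot: `ranges["type"]` and `ranges["events"]` still index the range object directly even though the enclosing loop was just made tolerant of missing keys via `package_data.get("ranges", [])`, so a range entry from the feed that lacks a `type` key still raises KeyError and aborts the whole import. For consistency with the defensive style this commit introduces, `if ranges.get("type") == "SEMVER":` avoids the KeyError without changing behaviour for well-formed entries; `ranges["events"]` can stay strict if a SEMVER range without events should be treated as a data error, but that choice deserves a short comment. The enclosing function continues past the hunk.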