{"passport":{"unfragile":{"@version":"1.0","version":"2026-05","artifact":{"id":"awesome-osv","slug":"osv","name":"OSV","type":"mcp","url":"https://github.com/StacklokLabs/osv-mcp","page_url":"https://unfragile.ai/osv","categories":["mcp-servers"],"tags":[],"pricing":{"model":"open_source","free":true,"starting_price":null},"status":"active","verified":false},"capabilities":[{"id":"awesome-osv__cap_0","uri":"capability://search.retrieval.vulnerability.lookup.by.package.version","name":"vulnerability-lookup-by-package-version","description":"Query the OSV database to retrieve vulnerability information for a specific package and version combination. The MCP server translates package identifiers (name, version, ecosystem) into OSV API calls, returning structured vulnerability records with severity, affected versions, and remediation guidance. Supports multiple package ecosystems (npm, PyPI, Maven, etc.) through OSV's unified schema.","intents":["Check if a specific dependency version in my project has known vulnerabilities","Verify security status of a package before adding it to my codebase","Get detailed CVE information and patch recommendations for a vulnerable dependency"],"best_for":["developers building dependency scanning tools","security engineers auditing supply chain risks","CI/CD pipeline maintainers integrating vulnerability checks"],"limitations":["OSV database coverage varies by ecosystem — some package managers have more complete vulnerability data than others","Query latency depends on OSV API response time (typically 200-500ms per request)","No built-in caching — repeated queries for the same package hit the API each time"],"requires":["Network connectivity to osv.dev API","MCP client capable of calling tool functions","Valid package name and version in a supported ecosystem"],"input_types":["text (package name)","text (version string)","text (ecosystem identifier: npm, pypi, maven, etc.)"],"output_types":["structured JSON (vulnerability records with ID, severity, affected versions)","text (summary of vulnerabilities found)"],"categories":["search-retrieval","security-vulnerability-scanning"],"confidence":0.5,"matches":0,"success_rate":0},{"id":"awesome-osv__cap_1","uri":"capability://search.retrieval.vulnerability.lookup.by.commit.hash","name":"vulnerability-lookup-by-commit-hash","description":"Query vulnerabilities by Git commit SHA, enabling vulnerability detection at the source code level rather than package level. The MCP server translates commit hashes into OSV API queries, returning vulnerabilities that affect that specific commit in the repository's history. Useful for detecting vulnerabilities in dependencies pinned to specific commits or for analyzing historical code snapshots.","intents":["Determine if a Git commit I'm using as a dependency contains known vulnerabilities","Audit the security status of a specific code snapshot pinned in my lock file","Identify when a vulnerability was introduced in a repository's commit history"],"best_for":["developers using Git-based dependency pinning (e.g., npm with git URLs)","security researchers analyzing vulnerability timelines","teams auditing historical code versions for retroactive vulnerability discovery"],"limitations":["Commit-based queries only work for repositories indexed in OSV — not all open-source projects are covered","Requires exact commit SHA — abbreviated hashes or branch names are not supported","No transitive dependency analysis — only checks the specific commit, not its dependencies"],"requires":["Network connectivity to osv.dev API","Valid Git commit SHA (40-character hex string)","Repository must be indexed in the OSV database"],"input_types":["text (Git commit SHA)","text (optional: repository URL for context)"],"output_types":["structured JSON (vulnerability records with commit-level impact data)","text (vulnerability summary for the commit)"],"categories":["search-retrieval","security-vulnerability-scanning"],"confidence":0.5,"matches":0,"success_rate":0},{"id":"awesome-osv__cap_2","uri":"capability://data.processing.analysis.batch.vulnerability.query.multiple.packages","name":"batch-vulnerability-query-multiple-packages","description":"Submit multiple package-version pairs in a single request and receive vulnerability data for all of them in one response. The MCP server batches requests to the OSV API, reducing round-trip latency and enabling efficient scanning of entire dependency manifests (package.json, requirements.txt, pom.xml, etc.). Implements request coalescing to minimize API calls while handling partial failures gracefully.","intents":["Scan all dependencies in my project's lock file in a single operation","Generate a vulnerability report for an entire dependency tree without sequential API calls","Integrate vulnerability scanning into CI/CD pipelines with minimal latency overhead"],"best_for":["CI/CD pipeline builders integrating security checks into build processes","dependency management tool developers building vulnerability scanners","teams managing large monorepos with hundreds of dependencies"],"limitations":["Batch size limits may apply depending on OSV API rate limiting — typically 100-1000 packages per batch","Partial failures in batch queries may require retry logic for individual packages","Response aggregation adds ~50-100ms overhead per batch beyond raw API latency"],"requires":["Network connectivity to osv.dev API","MCP client supporting batch tool invocations","Array of package objects with name, version, and ecosystem fields"],"input_types":["structured JSON (array of {name, version, ecosystem} objects)"],"output_types":["structured JSON (array of vulnerability records, one per package)","text (aggregated vulnerability summary with counts by severity)"],"categories":["data-processing-analysis","automation-workflow"],"confidence":0.5,"matches":0,"success_rate":0},{"id":"awesome-osv__cap_3","uri":"capability://search.retrieval.vulnerability.detail.retrieval.by.id","name":"vulnerability-detail-retrieval-by-id","description":"Fetch comprehensive vulnerability details by OSV ID (e.g., GHSA-xxxx-xxxx-xxxx, CVE-YYYY-NNNNN). The MCP server queries the OSV database for the full vulnerability record, including affected versions, severity scores (CVSS), remediation steps, references, and related advisories. Returns structured data suitable for generating security reports or populating vulnerability dashboards.","intents":["Get full details about a specific vulnerability I found in my dependency scan","Generate a detailed security report with CVE/GHSA information and remediation guidance","Look up vulnerability metadata to understand impact and available patches"],"best_for":["security teams generating vulnerability reports for stakeholders","developers investigating specific CVEs or GitHub Security Advisories","vulnerability dashboard builders displaying detailed advisory information"],"limitations":["Requires exact OSV ID — fuzzy matching or partial IDs are not supported","Some vulnerabilities may have incomplete remediation guidance if patches are not yet available","Related vulnerability links may be sparse for newly disclosed vulnerabilities"],"requires":["Network connectivity to osv.dev API","Valid OSV ID (GHSA, CVE, or other supported format)"],"input_types":["text (OSV vulnerability ID)"],"output_types":["structured JSON (complete vulnerability record with metadata, affected versions, severity, references)","text (formatted vulnerability summary)"],"categories":["search-retrieval","memory-knowledge"],"confidence":0.5,"matches":0,"success_rate":0},{"id":"awesome-osv__cap_4","uri":"capability://tool.use.integration.mcp.tool.schema.based.function.calling","name":"mcp-tool-schema-based-function-calling","description":"Implements OSV vulnerability queries as MCP tools with JSON schema definitions, enabling LLM agents and MCP clients to discover and invoke vulnerability lookups through a standardized tool-calling interface. The MCP server exposes tools for package queries, commit queries, batch queries, and detail lookups, each with defined input schemas and response formats that LLMs can understand and invoke autonomously.","intents":["Enable an AI agent to autonomously scan dependencies and report vulnerabilities without human intervention","Allow LLM-based code review tools to check for vulnerabilities in suggested dependencies","Build agentic workflows that automatically remediate vulnerable dependencies by querying OSV and proposing fixes"],"best_for":["AI agent developers building autonomous security scanning systems","LLM application builders integrating vulnerability checks into code generation workflows","teams building AI-assisted dependency management tools"],"limitations":["LLM tool calling accuracy depends on model capability — weaker models may misinterpret schema or provide invalid inputs","No built-in validation of LLM-generated queries — malformed requests may fail silently","Tool discovery and invocation latency adds ~100-200ms per tool call beyond API latency"],"requires":["MCP-compatible client (Claude, custom LLM agent, etc.)","LLM with function-calling capability","Network connectivity to osv.dev API"],"input_types":["JSON schema (tool definitions with input parameters)"],"output_types":["structured JSON (tool responses with vulnerability data)","text (LLM-generated interpretation of results)"],"categories":["tool-use-integration","planning-reasoning"],"confidence":0.5,"matches":0,"success_rate":0},{"id":"awesome-osv__cap_5","uri":"capability://data.processing.analysis.ecosystem.agnostic.vulnerability.aggregation","name":"ecosystem-agnostic-vulnerability-aggregation","description":"Abstracts away ecosystem-specific vulnerability data formats and APIs by translating queries across npm, PyPI, Maven, Rust crates, Go modules, and other supported ecosystems into a unified OSV schema. The MCP server handles ecosystem detection, version normalization, and response mapping, returning consistent vulnerability records regardless of the underlying package manager or ecosystem.","intents":["Query vulnerabilities for dependencies across multiple programming languages in a single tool interface","Build polyglot vulnerability scanning tools that work across npm, PyPI, Maven, and other ecosystems","Normalize vulnerability data from heterogeneous ecosystems into a consistent format for reporting"],"best_for":["polyglot development teams managing dependencies across multiple languages","vulnerability scanning tool builders supporting multiple ecosystems","enterprise security teams standardizing vulnerability reporting across diverse tech stacks"],"limitations":["Ecosystem coverage varies — some ecosystems have more complete vulnerability data than others","Version normalization may fail for non-standard version strings (e.g., pre-release versions with custom formats)","Some ecosystem-specific vulnerability metadata may be lost in translation to the unified schema"],"requires":["Network connectivity to osv.dev API","Valid package name and version in a supported ecosystem (npm, pypi, maven, gem, cargo, go, etc.)"],"input_types":["text (package name)","text (version string)","text (ecosystem identifier)"],"output_types":["structured JSON (unified vulnerability records with ecosystem-normalized data)"],"categories":["data-processing-analysis","search-retrieval"],"confidence":0.5,"matches":0,"success_rate":0}],"trust":{"score":28,"verified":false,"data_access_risk":"high","permissions":["Network connectivity to osv.dev API","MCP client capable of calling tool functions","Valid package name and version in a supported ecosystem","Valid Git commit SHA (40-character hex string)","Repository must be indexed in the OSV database","MCP client supporting batch tool invocations","Array of package objects with name, version, and ecosystem fields","Valid OSV ID (GHSA, CVE, or other supported format)","MCP-compatible client (Claude, custom LLM agent, etc.)","LLM with function-calling capability"],"failure_modes":["OSV database coverage varies by ecosystem — some package managers have more complete vulnerability data than others","Query latency depends on OSV API response time (typically 200-500ms per request)","No built-in caching — repeated queries for the same package hit the API each time","Commit-based queries only work for repositories indexed in OSV — not all open-source projects are covered","Requires exact commit SHA — abbreviated hashes or branch names are not supported","No transitive dependency analysis — only checks the specific commit, not its dependencies","Batch size limits may apply depending on OSV API rate limiting — typically 100-1000 packages per batch","Partial failures in batch queries may require retry logic for individual packages","Response aggregation adds ~50-100ms overhead per batch beyond raw API latency","Requires exact OSV ID — fuzzy matching or partial IDs are not supported","builder identity is not verified yet","no observed match outcomes yet"],"rank_breakdown":{"adoption":0.05,"quality":0.37,"ecosystem":0.39999999999999997,"match_graph":0.25,"freshness":0.52,"weights":{"adoption":0.25,"quality":0.25,"ecosystem":0.15,"match_graph":0.23,"freshness":0.12}},"observed_outcomes":{"matches":0,"success_rate":0,"avg_confidence":0,"top_intents":[],"last_matched_at":null},"maintenance":{"status":"active","updated_at":"2026-06-17T09:51:03.579Z","last_scraped_at":"2026-05-03T14:00:15.503Z","last_commit":null},"community":{"stars":null,"forks":null,"weekly_downloads":null,"model_downloads":null,"model_likes":null}},"distribution":{"claim_url":"https://unfragile.ai/submit?claim=osv","compare_url":"https://unfragile.ai/compare?artifact=osv"}},"signature":"c9YFy6cXCeQOJt7M0Bjeo2nZMihQnPsE2LXF4TSSp+mtitgXMB2kSz8DqyzvJqCOtYXFOn9m1uB0n7yKGnnlCA==","signedAt":"2026-06-22T10:30:27.448Z","signedBy":"unfragile.ai","version":1},"_links":{"self":"https://unfragile.ai/api/v1/passport/osv","artifact":"https://unfragile.ai/osv","verify":"https://unfragile.ai/api/v1/verify?slug=osv","publicKey":"https://unfragile.ai/api/v1/trust-passport-public-key","spec":"https://unfragile.ai/trust","schema":"https://unfragile.ai/schema.json","docs":"https://unfragile.ai/docs"}}