vulnerability-lookup-by-package-version, vulnerability-lookup-by-commit-hash, batch-vulnerability-query-multiple-packages, vulnerability-detail-retrieval-by-id, mcp-tool-schema-based-function-calling, ecosystem-agnostic-vulnerability-aggregation

OSV

MCP ServerFree

** - Access the [OSV (Open Source Vulnerabilities) database](https://osv.dev/) for vulnerability information. Query vulnerabilities by package version or commit, batch query multiple packages, and get detailed vulnerability information by ID.

Open Source

/ 100

6 capabilities

Capabilities6 decomposed

vulnerability-lookup-by-package-version

Medium confidence

Query the OSV database to retrieve vulnerability information for a specific package and version combination. The MCP server translates package identifiers (name, version, ecosystem) into OSV API calls, returning structured vulnerability records with severity, affected versions, and remediation guidance. Supports multiple package ecosystems (npm, PyPI, Maven, etc.) through OSV's unified schema.

Solves for

Check if a specific dependency version in my project has known vulnerabilitiesVerify security status of a package before adding it to my codebaseGet detailed CVE information and patch recommendations for a vulnerable dependency

Best for

developers building dependency scanning tools

security engineers auditing supply chain risks

CI/CD pipeline maintainers integrating vulnerability checks

Requires

Network connectivity to osv.dev API

MCP client capable of calling tool functions

Valid package name and version in a supported ecosystem

Limitations

OSV database coverage varies by ecosystem — some package managers have more complete vulnerability data than others

Query latency depends on OSV API response time (typically 200-500ms per request)

No built-in caching — repeated queries for the same package hit the API each time

What makes it unique

Exposes OSV's unified vulnerability schema across heterogeneous package ecosystems through a single MCP interface, abstracting away ecosystem-specific API differences and enabling consistent vulnerability queries regardless of package manager

vs alternatives

Broader ecosystem coverage than Snyk or GitHub Dependabot because it queries the open-source OSV database directly rather than relying on proprietary vulnerability feeds

vulnerability-lookup-by-commit-hash

Medium confidence

Query vulnerabilities by Git commit SHA, enabling vulnerability detection at the source code level rather than package level. The MCP server translates commit hashes into OSV API queries, returning vulnerabilities that affect that specific commit in the repository's history. Useful for detecting vulnerabilities in dependencies pinned to specific commits or for analyzing historical code snapshots.

Solves for

Determine if a Git commit I'm using as a dependency contains known vulnerabilitiesAudit the security status of a specific code snapshot pinned in my lock fileIdentify when a vulnerability was introduced in a repository's commit history

Best for

developers using Git-based dependency pinning (e.g., npm with git URLs)

security researchers analyzing vulnerability timelines

teams auditing historical code versions for retroactive vulnerability discovery

Requires

Network connectivity to osv.dev API

Valid Git commit SHA (40-character hex string)

Repository must be indexed in the OSV database

Limitations

Commit-based queries only work for repositories indexed in OSV — not all open-source projects are covered

Requires exact commit SHA — abbreviated hashes or branch names are not supported

No transitive dependency analysis — only checks the specific commit, not its dependencies

What makes it unique

Enables commit-hash-based vulnerability queries, which is critical for Git-pinned dependencies and source-level security audits — a capability not commonly exposed in package-manager-centric vulnerability tools

vs alternatives

Unique ability to query vulnerabilities at the commit level rather than package version, enabling security analysis of Git-based dependency pinning strategies that bypass traditional package managers

batch-vulnerability-query-multiple-packages

Medium confidence

Submit multiple package-version pairs in a single request and receive vulnerability data for all of them in one response. The MCP server batches requests to the OSV API, reducing round-trip latency and enabling efficient scanning of entire dependency manifests (package.json, requirements.txt, pom.xml, etc.). Implements request coalescing to minimize API calls while handling partial failures gracefully.

Solves for

Scan all dependencies in my project's lock file in a single operationGenerate a vulnerability report for an entire dependency tree without sequential API callsIntegrate vulnerability scanning into CI/CD pipelines with minimal latency overhead

Best for

CI/CD pipeline builders integrating security checks into build processes

dependency management tool developers building vulnerability scanners

teams managing large monorepos with hundreds of dependencies

Requires

Network connectivity to osv.dev API

MCP client supporting batch tool invocations

Array of package objects with name, version, and ecosystem fields

Limitations

Batch size limits may apply depending on OSV API rate limiting — typically 100-1000 packages per batch

Partial failures in batch queries may require retry logic for individual packages

Response aggregation adds ~50-100ms overhead per batch beyond raw API latency

What makes it unique

Implements batch query aggregation at the MCP layer, allowing clients to submit multiple packages in a single tool call and receive coalesced results, reducing network round-trips and API call overhead compared to sequential queries

vs alternatives

More efficient than making individual API calls for each dependency because batch requests reduce network latency and API overhead, making it practical for scanning large dependency trees in CI/CD pipelines

vulnerability-detail-retrieval-by-id

Medium confidence

Fetch comprehensive vulnerability details by OSV ID (e.g., GHSA-xxxx-xxxx-xxxx, CVE-YYYY-NNNNN). The MCP server queries the OSV database for the full vulnerability record, including affected versions, severity scores (CVSS), remediation steps, references, and related advisories. Returns structured data suitable for generating security reports or populating vulnerability dashboards.

Solves for

Get full details about a specific vulnerability I found in my dependency scanGenerate a detailed security report with CVE/GHSA information and remediation guidanceLook up vulnerability metadata to understand impact and available patches

Best for

security teams generating vulnerability reports for stakeholders

developers investigating specific CVEs or GitHub Security Advisories

vulnerability dashboard builders displaying detailed advisory information

Requires

Network connectivity to osv.dev API

Valid OSV ID (GHSA, CVE, or other supported format)

Limitations

Requires exact OSV ID — fuzzy matching or partial IDs are not supported

Some vulnerabilities may have incomplete remediation guidance if patches are not yet available

Related vulnerability links may be sparse for newly disclosed vulnerabilities

What makes it unique

Provides direct access to OSV's comprehensive vulnerability records by ID, including cross-referenced CVE/GHSA data and ecosystem-specific impact information, enabling rich vulnerability context without requiring multiple data sources

vs alternatives

Single source of truth for vulnerability details across multiple ecosystems and advisory formats (CVE, GHSA, etc.), eliminating the need to cross-reference multiple vulnerability databases

mcp-tool-schema-based-function-calling

Medium confidence

Implements OSV vulnerability queries as MCP tools with JSON schema definitions, enabling LLM agents and MCP clients to discover and invoke vulnerability lookups through a standardized tool-calling interface. The MCP server exposes tools for package queries, commit queries, batch queries, and detail lookups, each with defined input schemas and response formats that LLMs can understand and invoke autonomously.

Solves for

Enable an AI agent to autonomously scan dependencies and report vulnerabilities without human interventionAllow LLM-based code review tools to check for vulnerabilities in suggested dependenciesBuild agentic workflows that automatically remediate vulnerable dependencies by querying OSV and proposing fixes

Best for

AI agent developers building autonomous security scanning systems

LLM application builders integrating vulnerability checks into code generation workflows

teams building AI-assisted dependency management tools

Requires

MCP-compatible client (Claude, custom LLM agent, etc.)

LLM with function-calling capability

Network connectivity to osv.dev API

Limitations

LLM tool calling accuracy depends on model capability — weaker models may misinterpret schema or provide invalid inputs

No built-in validation of LLM-generated queries — malformed requests may fail silently

Tool discovery and invocation latency adds ~100-200ms per tool call beyond API latency

What makes it unique

Exposes OSV vulnerability queries as MCP tools with standardized schemas, enabling LLM agents to autonomously discover and invoke vulnerability checks without hardcoded integrations, following the MCP protocol for tool discovery and invocation

vs alternatives

Enables agentic vulnerability scanning where LLMs can autonomously decide when and how to query OSV based on code context, rather than requiring explicit human-triggered scans or hardcoded CI/CD rules

ecosystem-agnostic-vulnerability-aggregation

Medium confidence

Abstracts away ecosystem-specific vulnerability data formats and APIs by translating queries across npm, PyPI, Maven, Rust crates, Go modules, and other supported ecosystems into a unified OSV schema. The MCP server handles ecosystem detection, version normalization, and response mapping, returning consistent vulnerability records regardless of the underlying package manager or ecosystem.

Solves for

Query vulnerabilities for dependencies across multiple programming languages in a single tool interfaceBuild polyglot vulnerability scanning tools that work across npm, PyPI, Maven, and other ecosystemsNormalize vulnerability data from heterogeneous ecosystems into a consistent format for reporting

Best for

polyglot development teams managing dependencies across multiple languages

vulnerability scanning tool builders supporting multiple ecosystems

enterprise security teams standardizing vulnerability reporting across diverse tech stacks

Requires

Network connectivity to osv.dev API

Valid package name and version in a supported ecosystem (npm, pypi, maven, gem, cargo, go, etc.)

Limitations

Ecosystem coverage varies — some ecosystems have more complete vulnerability data than others

Version normalization may fail for non-standard version strings (e.g., pre-release versions with custom formats)

Some ecosystem-specific vulnerability metadata may be lost in translation to the unified schema

What makes it unique

Provides a single, unified interface for querying vulnerabilities across 10+ package ecosystems by leveraging OSV's cross-ecosystem schema, eliminating the need to learn ecosystem-specific vulnerability APIs

vs alternatives

Supports more ecosystems in a single tool than ecosystem-specific scanners (e.g., npm audit only works for npm), making it ideal for polyglot projects and enterprise environments with diverse tech stacks

Capabilities are decomposed by AI analysis. Each maps to specific user intents and improves with match feedback.

Related Artifactssharing capabilities

Artifacts that share capabilities with OSV, ranked by overlap. Discovered automatically through the match graph.

Platform40

Mend.io

AI-powered application security with auto-remediation.

multi-language dependency vulnerability scanning with transitive dependency analysiscontinuous monitoring with real-time vulnerability alertsautomated remediation pull request generation with version conflict resolution

3 shared capabilities

Product27

VulnCheck

Real-time cyber threat intelligence, proactive vulnerability...

api-driven vulnerability data accessvulnerability timeline and disclosure trackingproof-of-concept and exploit code correlation

3 shared capabilities

Product27

Seal Security

Automates open source vulnerability detection and delivers immediate...

automatic-vulnerability-patchingtransitive-dependency-vulnerability-detectionautomated-open-source-vulnerability-scanning

3 shared capabilities

Repository22

bumpgen

AI agent that keeps npm dependencies up-to-date

dependency vulnerability detection and prioritization

1 shared capability

Extension35

BlackBox AI

Revolutionize coding: AI generation, conversational code help, intuitive...

dependency vulnerability scanning and remediation

1 shared capability

Product20

Chroma Package Search

** - Add to coding agents like Claude or Cursor to give them the ability to understand and better use thousands of dependencies.

package security and maintenance status assessment

1 shared capability

Best For

✓developers building dependency scanning tools
✓security engineers auditing supply chain risks
✓CI/CD pipeline maintainers integrating vulnerability checks
✓developers using Git-based dependency pinning (e.g., npm with git URLs)
✓security researchers analyzing vulnerability timelines
✓teams auditing historical code versions for retroactive vulnerability discovery
✓CI/CD pipeline builders integrating security checks into build processes
✓dependency management tool developers building vulnerability scanners

Known Limitations

⚠OSV database coverage varies by ecosystem — some package managers have more complete vulnerability data than others
⚠Query latency depends on OSV API response time (typically 200-500ms per request)
⚠No built-in caching — repeated queries for the same package hit the API each time
⚠Commit-based queries only work for repositories indexed in OSV — not all open-source projects are covered
⚠Requires exact commit SHA — abbreviated hashes or branch names are not supported
⚠No transitive dependency analysis — only checks the specific commit, not its dependencies

Requirements

Network connectivity to osv.dev APIMCP client capable of calling tool functionsValid package name and version in a supported ecosystemValid Git commit SHA (40-character hex string)Repository must be indexed in the OSV databaseMCP client supporting batch tool invocationsArray of package objects with name, version, and ecosystem fieldsValid OSV ID (GHSA, CVE, or other supported format)

Input / Output

Accepts: text (package name), text (version string), text (ecosystem identifier: npm, pypi, maven, etc.), text (Git commit SHA), text (optional: repository URL for context), structured JSON (array of {name, version, ecosystem} objects), text (OSV vulnerability ID), JSON schema (tool definitions with input parameters), text (ecosystem identifier)

Produces: structured JSON (vulnerability records with ID, severity, affected versions), text (summary of vulnerabilities found), structured JSON (vulnerability records with commit-level impact data), text (vulnerability summary for the commit), structured JSON (array of vulnerability records, one per package), text (aggregated vulnerability summary with counts by severity), structured JSON (complete vulnerability record with metadata, affected versions, severity, references), text (formatted vulnerability summary), structured JSON (tool responses with vulnerability data), text (LLM-generated interpretation of results), structured JSON (unified vulnerability records with ecosystem-normalized data)

UnfragileRank

Adoption15%(30% weight)

Quality22%(25% weight)

Ecosystem30%(25% weight)

Match Graph10%(15% weight)

Freshness75%(5% weight)

UnfragileRank is computed from adoption signals, documentation quality, ecosystem connectivity, match graph feedback, and freshness. No artifact can pay for a higher rank.

Type: MCP Server

6 capabilities

Visit OSV→

About

Alternatives to OSV

IntelliCode50Extension

AI-assisted development

Compare →

GitHub Copilot Chat53Extension

AI chat features powered by Copilot

Compare →

GitHub Copilot52Extension

Your AI pair programmer

Compare →

Claude Code for VS Code52Extension

Claude Code for VS Code: Harness the power of Claude Code without leaving your IDE

Compare →

Are you the builder of OSV?

Claim this artifact to get a verified badge, access match analytics, see which intents users search for, and manage your listing.

Claim this artifact →Verification via email

Get the weekly brief

New tools, rising stars, and what's actually worth your time. No spam.

Data Sources

github awesome

Looking for something else?

Search →

Capabilities6 decomposed

vulnerability-lookup-by-package-version

Medium confidence

Solves for

Best for

developers building dependency scanning tools

security engineers auditing supply chain risks

CI/CD pipeline maintainers integrating vulnerability checks

Requires

Network connectivity to osv.dev API

MCP client capable of calling tool functions

Valid package name and version in a supported ecosystem

Limitations

OSV database coverage varies by ecosystem — some package managers have more complete vulnerability data than others

Query latency depends on OSV API response time (typically 200-500ms per request)

No built-in caching — repeated queries for the same package hit the API each time

What makes it unique

vs alternatives

Broader ecosystem coverage than Snyk or GitHub Dependabot because it queries the open-source OSV database directly rather than relying on proprietary vulnerability feeds

vulnerability-lookup-by-commit-hash

Medium confidence

Solves for

Best for

developers using Git-based dependency pinning (e.g., npm with git URLs)

security researchers analyzing vulnerability timelines

teams auditing historical code versions for retroactive vulnerability discovery

Requires

Network connectivity to osv.dev API

Valid Git commit SHA (40-character hex string)

Repository must be indexed in the OSV database

Limitations

Commit-based queries only work for repositories indexed in OSV — not all open-source projects are covered

Requires exact commit SHA — abbreviated hashes or branch names are not supported

No transitive dependency analysis — only checks the specific commit, not its dependencies

What makes it unique

vs alternatives

Unique ability to query vulnerabilities at the commit level rather than package version, enabling security analysis of Git-based dependency pinning strategies that bypass traditional package managers

batch-vulnerability-query-multiple-packages

Medium confidence

Solves for

Best for

CI/CD pipeline builders integrating security checks into build processes

dependency management tool developers building vulnerability scanners

teams managing large monorepos with hundreds of dependencies

Requires

Network connectivity to osv.dev API

MCP client supporting batch tool invocations

Array of package objects with name, version, and ecosystem fields

Limitations

Batch size limits may apply depending on OSV API rate limiting — typically 100-1000 packages per batch

Partial failures in batch queries may require retry logic for individual packages

Response aggregation adds ~50-100ms overhead per batch beyond raw API latency

What makes it unique

vs alternatives

vulnerability-detail-retrieval-by-id

Medium confidence

Solves for

Best for

security teams generating vulnerability reports for stakeholders

developers investigating specific CVEs or GitHub Security Advisories

vulnerability dashboard builders displaying detailed advisory information

Requires

Network connectivity to osv.dev API

Valid OSV ID (GHSA, CVE, or other supported format)

Limitations

Requires exact OSV ID — fuzzy matching or partial IDs are not supported

Some vulnerabilities may have incomplete remediation guidance if patches are not yet available

Related vulnerability links may be sparse for newly disclosed vulnerabilities

What makes it unique

vs alternatives

Single source of truth for vulnerability details across multiple ecosystems and advisory formats (CVE, GHSA, etc.), eliminating the need to cross-reference multiple vulnerability databases

mcp-tool-schema-based-function-calling

Medium confidence

Solves for

Best for

AI agent developers building autonomous security scanning systems

LLM application builders integrating vulnerability checks into code generation workflows

teams building AI-assisted dependency management tools

Requires

MCP-compatible client (Claude, custom LLM agent, etc.)

LLM with function-calling capability

Network connectivity to osv.dev API

Limitations

LLM tool calling accuracy depends on model capability — weaker models may misinterpret schema or provide invalid inputs

No built-in validation of LLM-generated queries — malformed requests may fail silently

Tool discovery and invocation latency adds ~100-200ms per tool call beyond API latency

What makes it unique

vs alternatives

ecosystem-agnostic-vulnerability-aggregation

Medium confidence

Solves for

Best for

polyglot development teams managing dependencies across multiple languages

vulnerability scanning tool builders supporting multiple ecosystems

enterprise security teams standardizing vulnerability reporting across diverse tech stacks

Requires

Network connectivity to osv.dev API

Valid package name and version in a supported ecosystem (npm, pypi, maven, gem, cargo, go, etc.)

Limitations

Ecosystem coverage varies — some ecosystems have more complete vulnerability data than others

Version normalization may fail for non-standard version strings (e.g., pre-release versions with custom formats)

Some ecosystem-specific vulnerability metadata may be lost in translation to the unified schema

What makes it unique

vs alternatives

Capabilities are decomposed by AI analysis. Each maps to specific user intents and improves with match feedback.

Alternatives to OSV

IntelliCode50Extension

AI-assisted development

Compare →

GitHub Copilot Chat53Extension

AI chat features powered by Copilot

Compare →

GitHub Copilot52Extension

Your AI pair programmer

Compare →

Claude Code for VS Code52Extension

Claude Code for VS Code: Harness the power of Claude Code without leaving your IDE

Compare →

OSV

Capabilities6 decomposed

vulnerability-lookup-by-package-version

vulnerability-lookup-by-commit-hash

batch-vulnerability-query-multiple-packages

vulnerability-detail-retrieval-by-id

mcp-tool-schema-based-function-calling

ecosystem-agnostic-vulnerability-aggregation

Related Artifactssharing capabilities

Mend.io

VulnCheck

Seal Security

bumpgen

BlackBox AI

Chroma Package Search

Best For

Known Limitations

Requirements

Input / Output

UnfragileRank

About

Categories

Alternatives to OSV

Are you the builder of OSV?

Get the weekly brief

Data Sources

OSV

Capabilities6 decomposed

vulnerability-lookup-by-package-version

vulnerability-lookup-by-commit-hash

batch-vulnerability-query-multiple-packages

vulnerability-detail-retrieval-by-id

mcp-tool-schema-based-function-calling

ecosystem-agnostic-vulnerability-aggregation

Related Artifactssharing capabilities

Mend.io

VulnCheck

Seal Security

bumpgen

BlackBox AI

Chroma Package Search

Best For

Known Limitations

Requirements

Input / Output

UnfragileRank

About

Categories

Alternatives to OSV

Are you the builder of OSV?

Get the weekly brief

Data Sources