OSV (Open Source Vulnerabilities) API

OSV is a distributed open source vulnerability database and triage infrastructure project hosted by the Open Source Security Foundation (OpenSSF). The OSV API exposes vulnerability records keyed to specific package versions or commits across multiple ecosystems (npm, PyPI, Maven, Go, NuGet, RubyGems, Cargo, Packagist, Hex, OSS-Fuzz, Linux, Android, GitHub Actions, etc.).

What You Can Do

POST /v1/query (Queryvulnerabilities): Query vulnerabilities for a package or commit
POST /v1/querybatch (Queryvulnerabilitiesbatch): Batched vulnerability query
GET /v1/vulns/{id} (Getvulnerability): Get vulnerability by OSV ID
POST /v1experimental/determineversion (Determineversion): Determine probable versions of a C/C++ project (experimental)
GET /v1experimental/importfindings (Importfindings): Import-time quality check findings (experimental)

MCP Tools

queryvulnerabilities: Query vulnerabilities for a package or commit
queryvulnerabilitiesbatch: Batched vulnerability query
getvulnerability (read-only, idempotent): Get vulnerability by OSV ID
determineversion: Determine probable versions of a C/C++ project (experimental)
importfindings (read-only, idempotent): Import-time quality check findings (experimental)

Capability Spec

openssf-capability.yaml
naftiko: 1.0.0-alpha2
info:
  label: OSV (Open Source Vulnerabilities) API
  description: OSV is a distributed open source vulnerability database and triage infrastructure project hosted by the Open
    Source Security Foundation (OpenSSF). The OSV API exposes vulnerability records keyed to specific package versions or
    commits across multiple ecosystems (npm, PyPI, Maven, Go, NuGet, RubyGems, Cargo, Packagist, Hex, OSS-Fuzz, Linux, Android,
    GitHub Actions, etc.).
  tags:
  - Openssf
  - API
  created: '2026-05-06'
  modified: '2026-05-06'
capability:
  consumes:
  - type: http
    namespace: openssf
    baseUri: https://api.osv.dev
    description: OSV (Open Source Vulnerabilities) API HTTP API.
    resources:
    - name: v1-query
      path: /v1/query
      operations:
      - name: queryvulnerabilities
        method: POST
        description: Query vulnerabilities for a package or commit
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: v1-querybatch
      path: /v1/querybatch
      operations:
      - name: queryvulnerabilitiesbatch
        method: POST
        description: Batched vulnerability query
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: v1-vulns-id
      path: /v1/vulns/{id}
      operations:
      - name: getvulnerability
        method: GET
        description: Get vulnerability by OSV ID
        inputParameters:
        - name: id
          in: path
          type: string
          required: true
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: v1experimental-determineversion
      path: /v1experimental/determineversion
      operations:
      - name: determineversion
        method: POST
        description: Determine probable versions of a C/C++ project (experimental)
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: v1experimental-importfindings
      path: /v1experimental/importfindings
      operations:
      - name: importfindings
        method: GET
        description: Import-time quality check findings (experimental)
        inputParameters:
        - name: source
          in: query
          type: string
          required: true
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
  exposes:
  - type: rest
    port: 8080
    namespace: openssf-rest
    description: REST adapter for OSV (Open Source Vulnerabilities) API.
    resources:
    - path: /v1/query
      name: queryvulnerabilities
      operations:
      - method: POST
        name: queryvulnerabilities
        description: Query vulnerabilities for a package or commit
        call: openssf.queryvulnerabilities
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/querybatch
      name: queryvulnerabilitiesbatch
      operations:
      - method: POST
        name: queryvulnerabilitiesbatch
        description: Batched vulnerability query
        call: openssf.queryvulnerabilitiesbatch
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/vulns/{id}
      name: getvulnerability
      operations:
      - method: GET
        name: getvulnerability
        description: Get vulnerability by OSV ID
        call: openssf.getvulnerability
        with:
          id: rest.id
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1experimental/determineversion
      name: determineversion
      operations:
      - method: POST
        name: determineversion
        description: Determine probable versions of a C/C++ project (experimental)
        call: openssf.determineversion
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1experimental/importfindings
      name: importfindings
      operations:
      - method: GET
        name: importfindings
        description: Import-time quality check findings (experimental)
        call: openssf.importfindings
        outputParameters:
        - type: object
          mapping: $.
  - type: mcp
    port: 9090
    namespace: openssf-mcp
    transport: http
    description: MCP adapter for OSV (Open Source Vulnerabilities) API for AI agent use.
    tools:
    - name: queryvulnerabilities
      description: Query vulnerabilities for a package or commit
      hints:
        readOnly: false
        destructive: false
        idempotent: false
      call: openssf.queryvulnerabilities
      outputParameters:
      - type: object
        mapping: $.
    - name: queryvulnerabilitiesbatch
      description: Batched vulnerability query
      hints:
        readOnly: false
        destructive: false
        idempotent: false
      call: openssf.queryvulnerabilitiesbatch
      outputParameters:
      - type: object
        mapping: $.
    - name: getvulnerability
      description: Get vulnerability by OSV ID
      hints:
        readOnly: true
        destructive: false
        idempotent: true
      call: openssf.getvulnerability
      with:
        id: tools.id
      inputParameters:
      - name: id
        type: string
        description: id
        required: true
      outputParameters:
      - type: object
        mapping: $.
    - name: determineversion
      description: Determine probable versions of a C/C++ project (experimental)
      hints:
        readOnly: false
        destructive: false
        idempotent: false
      call: openssf.determineversion
      outputParameters:
      - type: object
        mapping: $.
    - name: importfindings
      description: Import-time quality check findings (experimental)
      hints:
        readOnly: true
        destructive: false
        idempotent: true
      call: openssf.importfindings
      with:
        source: tools.source
      inputParameters:
      - name: source
        type: string
        description: source
        required: true
      outputParameters:
      - type: object
        mapping: $.