OpenSSF · Capability

OSV (Open Source Vulnerabilities) API

OSV (Open Source Vulnerabilities) API. 5 operations. Lead operation: Query vulnerabilities for a package or commit. Self-contained Naftiko capability covering one OpenSSF business surface.


What You Can Do

POST
Queryvulnerabilities — Query vulnerabilities for a package or commit
/v1/v1/query
POST
Queryvulnerabilitiesbatch — Batched vulnerability query
/v1/v1/querybatch
GET
Getvulnerability — Get vulnerability by OSV ID
/v1/v1/vulns/{id}
POST
Determineversion — Determine probable versions of a C/C++ project (experimental)
/v1/v1experimental/determineversion
GET
Importfindings — Import-time quality check findings (experimental)
/v1/v1experimental/importfindings

MCP Tools

query-vulnerabilities-package-commit

Query vulnerabilities for a package or commit

read-only
batched-vulnerability-query

Batched vulnerability query

read-only
get-vulnerability-osv-id

Get vulnerability by OSV ID

read-only idempotent
determine-probable-versions-c-c

Determine probable versions of a C/C++ project (experimental)

import-time-quality-check-findings

Import-time quality check findings (experimental)

read-only idempotent

Capability Spec

osv.yaml Raw ↑
# Spec format version. The '-alpha2' suffix keeps this plain scalar a string
# (it cannot be typed as a number), and marks the format as pre-release.
naftiko: 1.0.0-alpha2
# Descriptive metadata for the capability; no other block in this file
# refers to these fields.
info:
  label: OSV (Open Source Vulnerabilities) API
  description: 'OSV (Open Source Vulnerabilities) API. 5 operations. Lead operation: Query vulnerabilities for a package or
    commit. Self-contained Naftiko capability covering one Openssf business surface.'
  tags:
  - Openssf
  - OSV (Open Source Vulnerabilities) API
  # Dates are quoted so a YAML loader keeps them as strings instead of
  # converting them to date objects.
  created: '2026-05-19'
  modified: '2026-05-19'
# Declares one key, OPENSSF_API_KEY, under the `env` namespace; presumably the
# runtime resolves it from the process environment — confirm.
# NOTE(review): nothing else in this file references OPENSSF_API_KEY (the `osv`
# consumer declares no authentication or header entry). If the runtime does not
# need it, remove the binding so the process is not handed a credential it
# never uses; if it is needed, keep the value out of version control.
binds:
- namespace: env
  keys:
    OPENSSF_API_KEY: OPENSSF_API_KEY
capability:
  # Upstream side: the HTTP API this capability calls. Operations declared
  # here are referenced by the adapters as `osv.<operation name>`.
  consumes:
  - type: http
    namespace: osv
    # https scheme, so upstream requests are addressed to a TLS endpoint.
    # No authentication entry is declared for this consumer in this file.
    baseUri: https://api.osv.dev
    description: OSV (Open Source Vulnerabilities) API business capability. Self-contained, no shared references.
    resources:
    - name: v1-query
      path: /v1/query
      operations:
      - name: queryvulnerabilities
        method: POST
        description: Query vulnerabilities for a package or commit
        outputRawFormat: json
        # Single output named `result`; `$.` presumably selects the whole
        # JSON response document — confirm against the Naftiko spec.
        outputParameters:
        - name: result
          type: object
          value: $.
        # NOTE(review): the body is typed only as `object`, with no field
        # schema declared here, so as far as this file shows the caller's
        # JSON is forwarded as-is and validation is left to the upstream API.
        inputParameters:
        - name: body
          in: body
          type: object
          description: Request body (JSON).
          required: true
    - name: v1-querybatch
      path: /v1/querybatch
      operations:
      - name: queryvulnerabilitiesbatch
        method: POST
        description: Batched vulnerability query
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        # Same untyped `object` body as the single query; no limit on batch
        # size is declared in this file.
        inputParameters:
        - name: body
          in: body
          type: object
          description: Request body (JSON).
          required: true
    - name: v1-vulns-id
      path: /v1/vulns/{id}
      operations:
      - name: getvulnerability
        method: GET
        description: Get vulnerability by OSV ID
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        # NOTE(review): `id` is an unconstrained string substituted into the
        # path template above. Confirm the runtime percent-encodes it so that
        # a value containing '/' or '..' cannot change the upstream path.
        inputParameters:
        - name: id
          in: path
          type: string
          required: true
    # The two resources below sit under the upstream /v1experimental prefix
    # and are labelled experimental in their descriptions.
    - name: v1experimental-determineversion
      path: /v1experimental/determineversion
      operations:
      - name: determineversion
        method: POST
        description: Determine probable versions of a C/C++ project (experimental)
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: body
          in: body
          type: object
          description: Request body (JSON).
          required: true
    - name: v1experimental-importfindings
      path: /v1experimental/importfindings
      operations:
      - name: importfindings
        method: GET
        description: Import-time quality check findings (experimental)
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        # `source` is sent as a query-string parameter; it is a free-form
        # string here, with no pattern or enum declared.
        inputParameters:
        - name: source
          in: query
          type: string
          required: true
  # Inbound side: adapters through which callers reach the consumed operations.
  exposes:
  # REST adapter on port 8080.
  # NOTE(review): no authentication, TLS, or bind-address setting is declared
  # for this adapter in this file. Confirm the runtime defaults; if it listens
  # on all interfaces, restrict it at the network layer or place it behind an
  # authenticating reverse proxy.
  - type: rest
    namespace: osv-rest
    port: 8080
    description: REST adapter for OSV (Open Source Vulnerabilities) API. One Spectral-compliant resource per consumed operation,
      prefixed with /v1.
    resources:
    # Every path below is the consumed path with a further /v1 in front, which
    # is why the prefix appears doubled (/v1/v1/...).
    - path: /v1/v1/query
      name: v1-query
      description: REST surface for v1-query.
      operations:
      - method: POST
        name: queryvulnerabilities
        description: Query vulnerabilities for a package or commit
        # Routes to the operation of the same name in the `osv` consumer.
        call: osv.queryvulnerabilities
        # Presumably forwards the inbound request body unchanged — confirm.
        with:
          body: rest.body
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/v1/querybatch
      name: v1-querybatch
      description: REST surface for v1-querybatch.
      operations:
      - method: POST
        name: queryvulnerabilitiesbatch
        description: Batched vulnerability query
        call: osv.queryvulnerabilitiesbatch
        with:
          body: rest.body
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/v1/vulns/{id}
      name: v1-vulns-id
      description: REST surface for v1-vulns-id.
      operations:
      - method: GET
        name: getvulnerability
        description: Get vulnerability by OSV ID
        call: osv.getvulnerability
        # NOTE(review): the caller-supplied path segment is passed straight to
        # the upstream `id` path parameter; no format check is declared here.
        with:
          id: rest.id
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/v1experimental/determineversion
      name: v1experimental-determineversion
      description: REST surface for v1experimental-determineversion.
      operations:
      - method: POST
        name: determineversion
        description: Determine probable versions of a C/C++ project (experimental)
        call: osv.determineversion
        with:
          body: rest.body
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/v1experimental/importfindings
      name: v1experimental-importfindings
      description: REST surface for v1experimental-importfindings.
      operations:
      - method: GET
        name: importfindings
        description: Import-time quality check findings (experimental)
        call: osv.importfindings
        with:
          source: rest.source
        outputParameters:
        - type: object
          mapping: $.
  # MCP adapter on port 9090 over the `http` transport; each tool calls one
  # operation of the `osv` consumer.
  # NOTE(review): no authentication or TLS setting is declared for this adapter
  # in this file, so any client that can reach the port can presumably invoke
  # every tool. Confirm the runtime defaults and keep the listener on loopback
  # or a private network, or front it with an authenticating proxy.
  - type: mcp
    namespace: osv-mcp
    port: 9090
    transport: http
    description: MCP adapter for OSV (Open Source Vulnerabilities) API. One tool per consumed operation, routed inline through
      this capability's consumes block.
    tools:
    - name: query-vulnerabilities-package-commit
      description: Query vulnerabilities for a package or commit
      # Hints are descriptive metadata offered to MCP clients; nothing in this
      # file enforces them, so they should not be relied on as an access
      # control.
      hints:
        readOnly: true
        destructive: false
        idempotent: false
      call: osv.queryvulnerabilities
      # Presumably forwards the tool's `body` argument unchanged — confirm.
      with:
        body: tools.body
      outputParameters:
      - type: object
        mapping: $.
    - name: batched-vulnerability-query
      description: Batched vulnerability query
      hints:
        readOnly: true
        destructive: false
        idempotent: false
      call: osv.queryvulnerabilitiesbatch
      with:
        body: tools.body
      outputParameters:
      - type: object
        mapping: $.
    - name: get-vulnerability-osv-id
      description: Get vulnerability by OSV ID
      hints:
        readOnly: true
        destructive: false
        idempotent: true
      call: osv.getvulnerability
      # NOTE(review): `id` comes from the tool caller (possibly a model) and
      # ends up in the upstream URL path; no format check is declared here.
      with:
        id: tools.id
      outputParameters:
      - type: object
        mapping: $.
    - name: determine-probable-versions-c-c
      description: Determine probable versions of a C/C++ project (experimental)
      # NOTE(review): this is the only tool with readOnly: false, although the
      # other two POST tools are marked read-only. The stricter value is the
      # safer default; confirm whether the difference is intended.
      hints:
        readOnly: false
        destructive: false
        idempotent: false
      call: osv.determineversion
      with:
        body: tools.body
      outputParameters:
      - type: object
        mapping: $.
    - name: import-time-quality-check-findings
      description: Import-time quality check findings (experimental)
      hints:
        readOnly: true
        destructive: false
        idempotent: true
      call: osv.importfindings
      with:
        source: tools.source
      outputParameters:
      - type: object
        mapping: $.