AI Agents List Logo
Submit

osv-mcp

An MCP server for OSV

by StacklokLabs
5 stars
2 forks
Available MCP Tools 0 tools

Model Context Protocol tools provided by this server

No tools information available for this server.

Check the GitHub repository or documentation for more details.

README

An MCP (Model Context Protocol) server that provides access to the OSV (Open Source Vulnerabilities) database.

Overview

This project implements an SSE-based MCP server that allows LLM-powered applications to query the OSV database for vulnerability information. The server provides tools for:

  1. Querying vulnerabilities for a specific package version or commit
  2. Batch querying vulnerabilities for multiple packages or commits
  3. Getting detailed information about a specific vulnerability by ID

Installation

Prerequisites

  • Go 1.21 or later
  • Task (optional, for running tasks)
  • ko (optional, for building container images)

Building from source

git clone https://github.com/StacklokLabs/osv-mcp.git
cd osv-mcp

task build

Usage

The easiest way to run the OSV MCP server is using ToolHive, which provides secure, containerized deployment of MCP servers:


thv config auto-discovery true

thv run osv

thv list

thv registry info osv

The server will be available to your MCP-compatible clients and can query the OSV database for vulnerability information.

Running from Source

Server Configuration

The server can be configured using environment variables:

  • MCP_PORT: The port number to run the server on (default: 8080)
    • Must be a valid integer between 0 and 65535
    • If invalid or not set, the server will use port 8080

Example:

MCP_PORT=3000 ./osv-mcp

./build/osv-mcp-server

MCP Tools

The server provides the following MCP tools:

query_vulnerability

Query for vulnerabilities affecting a specific package version or commit.

Input Schema:

{
  "type": "object",
  "properties": {
    "commit": {
      "type": "string",
      "description": "The commit hash to query for. If specified, version should not be set."
    },
    "version": {
      "type": "string",
      "description": "The version string to query for. If specified, commit should not be set."
    },
    "package_name": {
      "type": "string",
      "description": "The name of the package."
    },
    "ecosystem": {
      "type": "string",
      "description": "The ecosystem for this package (e.g., PyPI, npm, Go)."
    },
    "purl": {
      "type": "string",
      "description": "The package URL for this package. If purl is used, package_name and ecosystem should not be set."
    }
  }
}

query_vulnerabilities_batch

Query for vulnerabilities affecting multiple packages or commits at once.

Input Schema:

{
  "type": "object",
  "properties": {
    "queries": {
      "type": "array",
      "description": "Array of query objects",
      "items": {
        "type": "object",
        "properties": {
          "commit": {
            "type": "string",
            "description": "The commit hash to query for. If specified, version should not be set."
          },
          "version": {
            "type": "string",
            "description": "The version string to query for. If specified, commit should not be set."
          },
          "package_name": {
            "type": "string",
            "description": "The name of the package."
          },
          "ecosystem": {
            "type": "string",
            "description": "The ecosystem for this package (e.g., PyPI, npm, Go)."
          },
          "purl": {
            "type": "string",
            "description": "The package URL for this package. If purl is used, package_name and ecosystem should not be set."
          }
        }
      }
    }
  },
  "required": ["queries"]
}

get_vulnerability

Get details for a specific vulnerability by ID.

Input Schema:

{
  "type": "object",
  "properties": {
    "id": {
      "type": "string",
      "description": "The OSV vulnerability ID"
    }
  },
  "required": ["id"]
}

Examples

Querying vulnerabilities for a package

{
  "package_name": "lodash",
  "ecosystem": "npm",
  "version": "4.17.15"
}

Querying vulnerabilities for a commit

{
  "commit": "6879efc2c1596d11a6a6ad296f80063b558d5e0f"
}

Batch querying vulnerabilities

{
  "queries": [
    {
      "package_name": "lodash",
      "ecosystem": "npm",
      "version": "4.17.15"
    },
    {
      "package_name": "jinja2",
      "ecosystem": "PyPI",
      "version": "2.4.1"
    }
  ]
}

Getting vulnerability details

{
  "id": "GHSA-vqj2-4v8m-8vrq"
}

Development

Running tests

task test

Linting

task lint

Formatting code

task fmt

Contributing

We welcome contributions to this MCP server! If you'd like to contribute, please review the CONTRIBUTING guide for details on how to get started.

If you run into a bug or have a feature request, please open an issue in the repository or join us in the #mcp-servers channel on our community Discord server.

License

This project is licensed under the Apache v2 License - see the LICENSE file for details.

Details
Category Security
Scope cloud
Language Go
License Apache License 2.0
OS Support
linux macos windows
Links & Resources
GitHub Repository
View source and contribute