Kodus OSV

Open source vulnerability lookup via osv_query/osv_query_batch tools.

GitHub

OSV MCP Server (Bun)

Remote Model Context Protocol (MCP) HTTP server that wraps the OSV v1 API for on-demand open-source vulnerability lookups (example feed: https://osv.dev/list?q=%40NESTJS%2FCORE&ecosystem=npm). Exported as MCP tools so agents can query OSV directly.

Features

  • Streamable HTTP MCP endpoint at /mcp.
  • Tools: osv_query (single target) and osv_query_batch (multiple).
  • Configurable base URL (OSV_API_URL, defaults to https://api.osv.dev/v1).
  • Clear schemas and validation to guide LLMs (commit XOR version, purl rules, pagination).

Quick start

Requirements: Bun.

bun install
PORT=3000 HOST=0.0.0.0 OSV_API_URL=https://api.osv.dev/v1 bun run index.ts

MCP endpoint: http://<host>:<port>/mcp.

Env vars:

  • PORT / HOST: HTTP bind (default 3000 / 0.0.0.0).
  • OSV_API_URL: override OSV base URL.

MCP client setup

  • Claude Code CLI: claude mcp add --transport http mcp-osv http://localhost:3000/mcp
  • VS Code: code --add-mcp "{\"name\":\"mcp-osv\",\"type\":\"http\",\"url\":\"http://localhost:3000/mcp\"}"
  • MCP Inspector: npx @modelcontextprotocol/inspector -> connect to http://localhost:3000/mcp Replace localhost with your host/port if remote.

Tools and parameters

osv_query

{
  "commit": "sha OR",
  "version": "version string OR",
  "package": {
    "name": "required with ecosystem if not using purl",
    "ecosystem": "required with name if not using purl",
    "purl": "pkg:pypi/jinja2 // purl OR name+ecosystem; if version is present, omit @version here"
  },
  "pageToken": "optional pagination token from previous OSV response"
}

Rules:

  • Use commit XOR version (one or the other, never both).
  • If version is present, package is required.
  • package must be either purl or (name + ecosystem).
  • If version exists and package.purl is used, omit @version in the purl.

osv_query_batch

{
  "queries": [
    {
      "commit": "sha OR",
      "version": "version string OR",
      "package": {
        "name": "pkg name",
        "ecosystem": "ecosystem",
        "purl": "pkg:ecosys/name"
      },
      "pageToken": "optional"
    }
  ]
}

Rules: each item follows the same rules as osv_query.

Example calls

  • PyPI version: {"package":{"purl":"pkg:pypi/jinja2"},"version":"3.1.4"}
  • npm with name+ecosystem: {"package":{"name":"@nestjs/core","ecosystem":"npm"},"version":"10.2.10"}
  • Commit lookup: {"commit":"<sha>","package":{"ecosystem":"Go","name":"github.com/foo/bar"}}

Debugging

  • Server log: OSV MCP server listening on http://<host>:<port>/mcp
  • Curl init: curl -H "content-type: application/json" -H "accept: application/json, text/event-stream" -d '{"jsonrpc":"2.0","id":1,"method":"initialize","params":{"protocolVersion":"2025-03-26","clientInfo":{"name":"curl","version":"0.0.0"},"capabilities":{}}}' http://localhost:3000/mcp
  • List tools: same endpoint with {"jsonrpc":"2.0","id":2,"method":"tools/list","params":{}}

License

MIT License. See LICENSE.

Máy chủ liên quan

NotebookLM Web Importer

Nhập trang web và video YouTube vào NotebookLM chỉ với một cú nhấp. Được tin dùng bởi hơn 200.000 người dùng.

Cài đặt tiện ích Chrome