OSV Vulnerabilities

Query OSV.dev vulnerability data through explicit HTTP actions.

caplets install spiritledsoftware/caplets osv

Inspect before installing

Can change external servicesThis Caplet may perform mutating operations against an external service.

CAPLET.md

Frontmatter

Field	Value
`name`	OSV Vulnerabilities
`description`	Query OSV.dev vulnerability data through explicit HTTP actions.
`tags`	security, vulnerabilities, http, code
`httpApi.baseUrl`	https://api.osv.dev
`httpApi.auth.type`	none
`httpApi.actions.query_package_version.description`	Read-only OSV query for vulnerabilities affecting one package ecosystem/name/version tuple.
`httpApi.actions.query_package_version.method`	POST
`httpApi.actions.query_package_version.path`	/v1/query
`httpApi.actions.query_package_version.inputSchema.type`	object
`httpApi.actions.query_package_version.inputSchema.properties.name.type`	string
`httpApi.actions.query_package_version.inputSchema.properties.name.description`	Package name, such as lodash, requests, or openssl.
`httpApi.actions.query_package_version.inputSchema.properties.ecosystem.type`	string
`httpApi.actions.query_package_version.inputSchema.properties.ecosystem.description`	OSV ecosystem, such as npm, PyPI, Maven, Go, crates.io, Packagist, RubyGems, NuGet, Debian, or Alpine.
`httpApi.actions.query_package_version.inputSchema.properties.version.type`	string
`httpApi.actions.query_package_version.inputSchema.properties.version.description`	Package version to query.
`httpApi.actions.query_package_version.inputSchema.properties.page_token.type`	string
`httpApi.actions.query_package_version.inputSchema.properties.page_token.description`	Optional pagination token returned by OSV.
`httpApi.actions.query_package_version.inputSchema.required`	name, ecosystem, version
`httpApi.actions.query_package_version.jsonBody.package.name`	$input.name
`httpApi.actions.query_package_version.jsonBody.package.ecosystem`	$input.ecosystem
`httpApi.actions.query_package_version.jsonBody.version`	$input.version
`httpApi.actions.query_package_version.jsonBody.page_token`	$input.page_token
`httpApi.actions.query_purl.description`	Read-only OSV query for vulnerabilities affecting one package URL (purl).
`httpApi.actions.query_purl.method`	POST
`httpApi.actions.query_purl.path`	/v1/query
`httpApi.actions.query_purl.inputSchema.type`	object
`httpApi.actions.query_purl.inputSchema.properties.purl.type`	string
`httpApi.actions.query_purl.inputSchema.properties.purl.description`	Package URL, such as pkg:npm/lodash@4.17.20 or pkg:pypi/requests@2.19.0.
`httpApi.actions.query_purl.inputSchema.properties.page_token.type`	string
`httpApi.actions.query_purl.inputSchema.properties.page_token.description`	Optional pagination token returned by OSV.
`httpApi.actions.query_purl.inputSchema.required`	purl
`httpApi.actions.query_purl.jsonBody.package.purl`	$input.purl
`httpApi.actions.query_purl.jsonBody.page_token`	$input.page_token
`httpApi.actions.query_commit.description`	Read-only OSV query for vulnerabilities associated with one source commit hash.
`httpApi.actions.query_commit.method`	POST
`httpApi.actions.query_commit.path`	/v1/query
`httpApi.actions.query_commit.inputSchema.type`	object
`httpApi.actions.query_commit.inputSchema.properties.commit.type`	string
`httpApi.actions.query_commit.inputSchema.properties.commit.description`	Source commit hash to query.
`httpApi.actions.query_commit.inputSchema.properties.page_token.type`	string
`httpApi.actions.query_commit.inputSchema.properties.page_token.description`	Optional pagination token returned by OSV.
`httpApi.actions.query_commit.inputSchema.required`	commit
`httpApi.actions.query_commit.jsonBody.commit`	$input.commit
`httpApi.actions.query_commit.jsonBody.page_token`	$input.page_token
`httpApi.actions.query_batch.description`	Read-only OSV batch query for multiple package, purl, commit, or version requests.
`httpApi.actions.query_batch.method`	POST
`httpApi.actions.query_batch.path`	/v1/querybatch
`httpApi.actions.query_batch.inputSchema.type`	object
`httpApi.actions.query_batch.inputSchema.properties.queries.type`	array
`httpApi.actions.query_batch.inputSchema.properties.queries.description`	OSV query objects accepted by /v1/querybatch.
`httpApi.actions.query_batch.inputSchema.properties.queries.items.type`	object
`httpApi.actions.query_batch.inputSchema.properties.queries.items.additionalProperties`	true
`httpApi.actions.query_batch.inputSchema.required`	queries
`httpApi.actions.query_batch.jsonBody.queries`	$input.queries
`httpApi.actions.get_vulnerability.description`	Read-only OSV lookup for one vulnerability record by OSV, CVE, or GHSA identifier.
`httpApi.actions.get_vulnerability.method`	GET
`httpApi.actions.get_vulnerability.path`	/v1/vulns/{id}
`httpApi.actions.get_vulnerability.inputSchema.type`	object
`httpApi.actions.get_vulnerability.inputSchema.properties.id.type`	string
`httpApi.actions.get_vulnerability.inputSchema.properties.id.description`	Vulnerability identifier, such as OSV-2020-744, CVE-2021-44228, or GHSA-jfh8-c2jp-5v3q.
`httpApi.actions.get_vulnerability.inputSchema.required`	id

OSV Vulnerabilities

Use this Caplet to query OSV.dev for known vulnerabilities affecting package versions, package URLs, source commits, or known vulnerability IDs.

Usage Notes

All actions are read-only HTTP requests against the public OSV API.
Use query_package_version when you know the package ecosystem, name, and exact version.
Use query_purl when tooling already produced a package URL such as pkg:npm/lodash@4.17.20.
Use query_commit for source-level checks against a commit hash.
Use query_batch to check multiple packages or commits in one request.
Use get_vulnerability when you already have an OSV, CVE, or GHSA identifier.

Ecosystems

Common OSV ecosystems include npm, PyPI, Maven, Go, crates.io, Packagist, RubyGems, NuGet, Debian, Alpine, and OSS-Fuzz.

Examples

Query npm package version: name: lodash, ecosystem: npm, version: 4.17.20.
Query Python package version: name: requests, ecosystem: PyPI, version: 2.19.0.
Query a purl: purl: pkg:npm/lodash@4.17.20.
Fetch a vulnerability: id: CVE-2021-44228.