A
securityA
licenseA
qualitySuggests the latest stable package versions when writing code.
Last updated -
9
311
108
Go
MIT License
This OSV MCP server allows querying the OSV database for software vulnerabilities with the following capabilities:
- Query for all CVE IDs associated with a specific package, optionally filtered by version and ecosystem (default: PyPI for Python packages)
- Retrieve all affected versions of a package for a given CVE
- Find all versions that fix a given CVE
- Get a list of supported ecosystems and their corresponding programming languages or operating systems
Enables querying for package vulnerabilities in the PyPI ecosystem, fetching CVEs associated with packages and identifying affected and fixed versions
MCP Server For OSV
A lightweight MCP (Model Context Protocol) server for OSV Database API.
Example:
Tools Provided
Overview
| name | description |
|---|---|
| query_package_cve | List all the CVE IDs for a specific package. Specific version can be passed as well for more narrow scope CVE IDs. |
| query_for_cve_affected | Query the OSV database for a CVE and return all affected versions of the package. |
| query_for_cve_fix_versions | Query the OSV database for a CVE and return all versions that fix the vulnerability. |
| get_ecosystems | Query the MCP for current supported ecosystems. |
Detailed Description
- query_package_cve
- Query the OSV database for a package and return the CVE IDs.
- Input parameters:
package(string, required): The package name to queryversion(string, optional): The version of the package to query. If not specified, queries all versionsecosystem(string, optional): The ecosystem of the package. Defaults to "PyPI" for Python packages
- Returns a list of CVE IDs with their details
- query_for_cve_affected
- Query the OSV database for a CVE and return all affected versions.
- Input parameters:
cve(string, required): The CVE ID to query (e.g., "CVE-2018-1000805")
- Returns a list of affected version strings
- query_for_cve_fix_versions
- Query the OSV database for a CVE and return all versions that fix the vulnerability.
- Input parameters:
cve(string, required): The CVE ID to query (e.g., "CVE-2018-1000805")
- Returns a list of fixed version strings
- get_ecosystems
- Query for all current supported ecosystems by the MCP servers.
- Return a dict with the key being the ecosystem name and the value the programming language / OS.
Prerequisites
- Python 3.11 or higher: This project requires Python 3.11 or newer.
- Install uv: A fast Python package installer and resolver.Or use Homebrew:
Tested on
- Cursor
- Claude
Installation
- Via Smithery:
- Locally:
- Clone the repo:
https://github.com/EdenYavin/OSV-MCP.git - Configure your MCP Host (Cusrsor / Claude Desktop etc.):
- Clone the repo:
Leave a review on VibeApp if you enjoyed it :)!
hybrid server
The server is able to function both locally and remotely, depending on the configuration or use case.
The server can be utilized for secure development by listing all packages' CVEs, their affected versions and their fix versions.
Related Resources
Related MCP Servers
- -securityAlicense-qualityA comprehensive system that helps organizations track, manage, and respond to security vulnerabilities effectively through features like vulnerability tracking, user management, support tickets, API key management, and SSL certificate management.Last updated -PythonMIT License
- -securityAlicense-qualityA server that retrieves CVE details from the NVD API and fetches EPSS scores to provide comprehensive vulnerability information, including descriptions, CWEs, CVSS scores, and exploitation likelihood percentiles.Last updated -11PythonMIT License
- AsecurityAlicenseAqualityA Model Context Protocol server providing security vulnerability intelligence tools including CVE lookup, EPSS scoring, CVSS calculation, exploit detection, and Python package vulnerability checking.Last updated -84PythonMIT License