query_package_cve
Check for CVEs in a package version using the OSV database. Identify vulnerabilities before installing or updating packages in ecosystems like PyPI. Ensures secure package management.
Instructions
Query the OSV database for a package and return the CVE IDs of known vulnerabilities.
You can use this tool to get the CVE IDs for a package.
ALWAYS use it before installing packages to check whether the package is vulnerable, for example for the packages listed in requirements.txt, pyproject.toml, uv.lock, etc.
You can also use it to check whether a package is vulnerable before updating it.
Args:
package: The package name to query
version: The version of the package to query, can be None if you want to query all versions
ecosystem: The ecosystem of the package to query, can be None if you want to query all ecosystems.
* For supported ecosystems, see the get_ecosystems tool.
Returns:
A list of CVE IDs
Input Schema
| Name | Required | Description | Default |
|---|---|---|---|
| ecosystem | No | The ecosystem of the package to query; `None` queries all ecosystems (see the get_ecosystems tool for supported values) | PyPI |
| package | Yes | The package name to query | |
| version | No | The version of the package to query; `None` queries all versions | |
Implementation Reference
- src/server.py:117-136 (handler): MCP tool handler for 'query_package_cve'. Registers the tool and provides the execution logic by delegating to OSVServer.query_package_cve.

```python
@mcp.tool()
def query_package_cve(package: str, version: str | None = None, ecosystem: str = "PyPI"):
    """
    Query the OSV database for a package and return the CVE ID.
    You can use this tool to get the CVE ID for a package.
    ALWAYS use it before installing packages to check if the package is vulnerable.
    For example in requirements.txt, pyproject.toml, uv.lock, etc.
    You can also use it to check if the package is vulnerable before updating the package.

    Args:
        package: The package name to query
        version: The version of the package to query, can be None if you want to query all versions
        ecosystem: The ecosystem of the package to query, can be None if you want to query all ecosystems.
            * For supported ecosystems, see the get_ecosystems tool.

    Returns:
        A list of CVE IDs
    """
    osv = OSVServer()
    # Note the argument order of the core method: (package, ecosystem, version).
    return osv.query_package_cve(package, ecosystem, version)
```

- src/server.py:72-82 (handler): Core handler logic in the OSVServer class for querying package CVEs, parsing the OSV response, and extracting CVE details using a regex.

```python
import re


def query_package_cve(self, package: str, ecosystem: str = "PyPI", version: str | None = None):
    """
    Query the OSV database for a package and return the CVE IDs found in the advisories.
    """
    data = self._query_package(package, ecosystem, version)
    cves = []
    # OSV returns an empty object when there are no known vulnerabilities,
    # so 'vulns' may be absent; not every advisory carries a 'severity' block.
    for vuln in data.get('vulns', []):
        # Search the serialized advisory for the first CVE identifier it mentions.
        cve_id = re.search(r'CVE-(\d+)-(\d+)', str(vuln))
        if cve_id:
            cves.append({cve_id.group(0): {"details": vuln.get('details', ''),
                                           "severity": vuln.get('severity', [])}})
    return cves
```

- src/server.py:11-20 (helper): Helper function that constructs and sends the POST request to the OSV API for a package vulnerability query.

```python
import requests


def _query_package(self, package: str, ecosystem: str, version: str | None = None):
    """
    Query the OSV database for a package.
    """
    # self.package_url is the OSV query endpoint configured elsewhere in the class (not shown here).
    data = {"package": {"name": package, "ecosystem": ecosystem}}
    if version:
        # Omitting 'version' asks OSV for advisories affecting any version of the package.
        data['version'] = version
    response = requests.post(self.package_url, json=data, timeout=30)
    # Fail loudly on HTTP errors instead of trying to parse an error page as JSON.
    response.raise_for_status()
    return response.json()
```

- src/server.py:117-117 (registration): Registration of the query_package_cve tool using the FastMCP decorator (the `@mcp.tool()` line in the handler listing above).
- src/server.py:118-134 (schema): Type hints and docstring defining the input schema (parameters) and output format for the tool (the function signature and docstring in the handler listing above).
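As an added example (not the project's own code), the following builds the same query body the helper above sends and extracts CVE IDs from a constructed OSV-style response using each advisory's `aliases` field, handling an empty response and advisories that have no `severity` entry; the advisory IDs, CVE ID and text in the sample are made-up placeholders.

```python
import re

# Constructed sample of an OSV query response (assumption: the shape follows the
# public OSV schema; every ID and description below is a made-up placeholder).
SAMPLE_OSV_RESPONSE = {
    "vulns": [
        {
            "id": "GHSA-xxxx-yyyy-zzzz",  # placeholder advisory ID
            "aliases": ["CVE-2099-0001"],  # placeholder CVE ID
            "details": "Placeholder: unsafe deserialization in the loader module.",
            "severity": [{"type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}],
        },
        {
            "id": "PYSEC-2099-0002",  # placeholder advisory with no CVE alias and no severity block
            "details": "Placeholder: advisory without a CVE alias.",
        },
    ]
}

CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")


def build_query(package, ecosystem="PyPI", version=None):
    """Build the JSON body for an OSV package query (same shape the page's
    _query_package sends); 'version' is only included when given."""
    body = {"package": {"name": package, "ecosystem": ecosystem}}
    if version:
        body["version"] = version
    return body


def extract_cves(data):
    """Return {cve_id: {"details", "severity"}} for every advisory carrying a CVE ID.
    Reads the structured 'id'/'aliases' fields instead of regex-scanning str(vuln),
    treats an empty response ({}) as 'no known vulns', and tolerates a missing
    'severity' key by recording an empty list."""
    results = {}
    for vuln in data.get("vulns", []):
        candidates = [vuln.get("id", "")] + list(vuln.get("aliases", []))
        for candidate in candidates:
            if CVE_RE.match(candidate):
                results[candidate] = {
                    "details": vuln.get("details", ""),
                    "severity": vuln.get("severity", []),
                }
    return results
```

An advisory that carries no CVE alias (like the second sample entry) is simply skipped, so a non-empty OSV response can still yield no CVE IDs; callers should not read an empty result as "no advisories".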