query_package_cve
Check packages for security vulnerabilities by querying the OSV database to identify CVE IDs before installation or updates.
Instructions
Query the OSV database for a package and return the CVE ID.
You can use this tool to get the CVE ID for a package.
ALWAYS use it before installing packages to check whether they are vulnerable, for example the packages listed in requirements.txt, pyproject.toml, uv.lock, etc.
You can also use it to check whether a package is vulnerable before updating it.
Args:
package: The package name to query
version: The version of the package to query, can be None if you want to query all versions
ecosystem: The ecosystem of the package to query, can be None if you want to query all ecosystems.
* For supported ecosystems, see the get_ecosystems tool.
Returns:
A list of CVE IDs
Input Schema
| Name | Required | Description | Default |
|---|---|---|---|
| package | Yes | The package name to query | |
| version | No | The version to query; omit to query all versions | |
| ecosystem | No | The package ecosystem; see the get_ecosystems tool for supported values | PyPI |
Implementation Reference
- src/server.py:72-82 (handler): core handler method on the OSVServer class. It sends the query to OSV.dev, walks the returned vulnerabilities, extracts CVE IDs with a regex, and returns a list of CVEs with their details and severity.

```python
import re

def query_package_cve(self, package: str, ecosystem: str = "PyPI", version: str = None):
    """
    Query the OSV database for a package and return the CVE ID.
    """
    data = self._query_package(package, ecosystem, version)
    cves = []
    # OSV replies with {} when nothing matches, so 'vulns' may be absent
    for vuln in data.get('vulns', []):
        # the CVE id may sit in the record's id, aliases or free text, so the
        # whole record is stringified and scanned
        cve_id = re.search(r'CVE-(\d+)-(\d+)', str(vuln))
        if cve_id:
            cves.append({cve_id.group(0): {"details": vuln.get('details'),
                                           "severity": vuln.get('severity')}})
    return cves
```

- src/server.py:117-136 (registration): MCP tool registration and wrapper handler using @mcp.tool(). The input schema is defined by the type annotations and the docstring. It instantiates OSVServer and delegates to its core query_package_cve method.

```python
@mcp.tool()
def query_package_cve(package: str, version: str = None, ecosystem: str = "PyPI"):
    """
    Query the OSV database for a package and return the CVE ID.
    You can use this tool to get the CVE ID for a package.
    ALWAYS use it before installing packages to check if the package is vulnerable.
    For example in requirements.txt, pyproject.toml, uv.lock, etc.
    You can also use it to check if the package is vulnerable before updating the package.

    Args:
        package: The package name to query
        version: The version of the package to query, can be None if you want to query all versions
        ecosystem: The ecosystem of the package to query, can be None if you want to query all ecosystems.
            * For supported ecosystems, see the get_ecosystems tool.

    Returns:
        A list of CVE IDs
    """
    osv = OSVServer()
    return osv.query_package_cve(package, ecosystem, version)
```

- src/server.py:11-20 (helper): private helper method that builds the JSON payload and POSTs it to the OSV API (https://api.osv.dev/v1/query) to fetch the vulnerability data for the package.

```python
import requests

def _query_package(self, package: str, ecosystem: str, version: str = None):
    """
    Query the OSV database for a package.
    """
    data = {"package": {"name": package, "ecosystem": ecosystem}}
    # omitting 'version' asks OSV for advisories affecting any version
    if version:
        data['version'] = version
    # self.package_url is the OSV query endpoint, https://api.osv.dev/v1/query
    response = requests.post(self.package_url, json=data)
    response.raise_for_status()  # surface HTTP errors instead of parsing an error body
    return response.json()
```
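The following is an added example, not code from this project: it builds the same query payload the helper above sends and parses a constructed sample of an OSV /v1/query reply, reading CVE IDs from the record's `id` and `aliases` fields (where OSV publishes them) before falling back to the regex scan the tool uses, and handling the empty `{}` reply OSV returns when no advisory matches. The `build_query`, `extract_cves` and `SAMPLE_RESPONSE` names, and all IDs in the sample, are assumptions made for the example.

```python
import re
from typing import Optional

OSV_QUERY_URL = "https://api.osv.dev/v1/query"  # endpoint the tool POSTs to
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")

def build_query(package: str, ecosystem: str = "PyPI", version: Optional[str] = None) -> dict:
    """Same payload shape as the tool's _query_package; omit 'version' to match every version."""
    payload: dict = {"package": {"name": package, "ecosystem": ecosystem}}
    if version:
        payload["version"] = version
    return payload

def extract_cves(response: dict) -> dict:
    """Map CVE id -> {osv_id, severity, summary} from an OSV /v1/query reply.
    OSV answers {} when nothing matches, so a missing 'vulns' key means no findings."""
    found: dict = {}
    for vuln in response.get("vulns", []):
        # OSV records (PYSEC-, GHSA-, ...) carry CVE ids in 'aliases'; 'id' itself is a
        # CVE only when the record came from NVD, so check both before any regex scan.
        candidates = [vuln.get("id", "")] + list(vuln.get("aliases", []))
        cve_ids = {c for c in candidates if CVE_RE.fullmatch(c)}
        if not cve_ids:
            # last resort: scan the free-text details, as the tool's regex does
            cve_ids = set(CVE_RE.findall(vuln.get("details", "")))
        severity = vuln.get("severity") or []  # may be absent or empty
        score = severity[0].get("score") if severity else None
        for cve in cve_ids:
            found.setdefault(cve, {"osv_id": vuln.get("id"), "severity": score,
                                   "summary": vuln.get("summary", "")})
    return found

# Constructed sample reply with placeholder ids; not a real OSV response
SAMPLE_RESPONSE = {
    "vulns": [
        {"id": "PYSEC-0000-0001", "aliases": ["CVE-0000-00001", "GHSA-xxxx-xxxx-xxxx"],
         "summary": "Example advisory", "details": "Placeholder text without a CVE id.",
         "severity": [{"type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]},
        {"id": "GHSA-yyyy-yyyy-yyyy", "details": "Advisory with no CVE assigned yet."},
    ]
}

if __name__ == "__main__":
    print(build_query("requests", version="2.31.0"))
    print(extract_cves(SAMPLE_RESPONSE))  # one CVE, keyed by its id
    print(extract_cves({}))               # {} for the empty reply
```

A record with no CVE alias and none in its details (the second sample entry) is dropped rather than crashing on a missing key, which is the behaviour a pre-install gate needs.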