jfrog_get_package_version_vulnerabilities
Identify vulnerabilities in specific versions of open source packages across multiple ecosystems. Input package type, name, and version to retrieve detailed security insights.
Instructions
Useful for when you need the list of known vulnerabilities affecting a specific version of an open source package.
Input Schema
| Name | Required | Description | Default |
|---|---|---|---|
| name | Yes | The name of the package, as it appears in the package repository. | |
| pageCount | No | Number of pages to return. Accepted by the input schema, but the handler on this page never reads it: a single call requests only the first page. | 1 |
| pageSize | No | Number of vulnerabilities to return per page (sent to the GraphQL query as `first`). | 10 |
| type | Yes | The type of package. | |
| version | No | The version of the package, as it appears in the package repository. Default value is 'latest'. | latest |
Implementation Reference
- tools/catalog.ts:194-259 (handler): The core handler function. It sends a GraphQL query to the JFrog Catalog API for the requested package version, validates the response, and returns the list of vulnerabilities ordered by severity, highest first.

  ```ts
  export async function getPackageVersionVulnerabilities(
    options: JFrogCatalogPackageVersionVulnerabilitiesSchema
  ) {
    // Relay-style connection query; `first` bounds the page, `orderBy` sorts it.
    const query = `query GetCatalogPackageVersionVulnerabilities(
      $type: String!, $name: String!, $version: String!, $first: Int!, $orderBy: VulnerabilityOrder!
    ) {
      packageVersion(type: $type, name: $name, version: $version) {
        vulnerabilities(first: $first, orderBy: $orderBy) {
          edges { node { name description severity } }
        }
      }
    }`;

    // Only pageSize is forwarded (as `first`). pageCount is part of the input
    // schema but is not used here, so one call returns at most one page.
    const variables = {
      type: options.type,
      name: options.name,
      version: options.version,
      first: options.pageSize,
      orderBy: { field: "SEVERITY_VALUE", direction: "DESC" }
    };

    function processResponse(response: unknown) {
      const validatedResponse = z.object({
        data: z.object({
          packageVersion: z.object({
            vulnerabilities: z.object({
              edges: z.array(z.object({ node: JFrogCatalogVulnerabilityResponseSchema }))
            })
          }).nullable()
        })
      }).parse(response);

      // A null packageVersion means the catalog does not know this package or
      // version. It is reported as an empty list, so an empty result does not
      // by itself prove the version is free of known vulnerabilities.
      if (!validatedResponse.data.packageVersion) {
        return [];
      }
      return validatedResponse.data.packageVersion.vulnerabilities.edges.map(edge => edge.node);
    }

    const processedData = await jfrogRequest(
      "xray/catalog/graphql",
      { method: "POST", body: JSON.stringify({ query, variables }) },
      processResponse
    );
    // Re-validated against the vulnerability schema before being returned to the caller.
    return JFrogCatalogVulnerabilityResponseSchema.array().parse(processedData);
  }
  ```
- schemas/catalog.ts:78-81 (schema): Zod schema defining the input parameters for the tool: package type, name and version (inherited from `JFrogCatalogPackageVersionSchema`), plus `pageSize` and `pageCount`.

  ```ts
  export const JFrogCatalogPackageVersionVulnerabilitiesSchema = JFrogCatalogPackageVersionSchema.extend({
    pageSize: z.number().default(10).describe("Number of vulnerabilities to return per page."),
    pageCount: z.number().default(1).describe("Number of pages to return.")
  });
  ```
- tools/catalog.ts:375-384 (registration): The tool registration object that defines the tool's name, description and input schema, with a thin handler wrapper that validates the arguments and delegates to the main handler function.

  ```ts
  const getCatalogPackageVersionVulnerabilitiesTool = {
    name: "jfrog_get_package_version_vulnerabilities",
    description: "Useful for when you need the list of known vulnerabilities affecting a specific version of an open source package.",
    inputSchema: zodToJsonSchema(JFrogCatalogPackageVersionVulnerabilitiesSchema),
    //outputSchema: zodToJsonSchema(JFrogCatalogVulnerabilityResponseSchema),
    handler: async (args: any) => {
      const parsedArgs = JFrogCatalogPackageVersionVulnerabilitiesSchema.parse(args);
      return await getPackageVersionVulnerabilities(parsedArgs);
    }
  };
  ```
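The handler above forwards only `pageSize` (as `first`), so a caller that wants every known vulnerability for a version, not just the top-severity page, has to page through the connection itself. The following is an added example, not code from the JFrog MCP server: a client that paginates the catalog connection, hand-validates each page (including the null `packageVersion` case, which the server code maps to an empty list), and applies a fail-closed severity gate of the kind a CI job would use. It assumes, which the page does not confirm, that the connection accepts a Relay-style `after` cursor and exposes `pageInfo { hasNextPage endCursor }`; the severity labels in `SEVERITY_RANK`, the package name `example-lib`, the `EXAMPLE-00x` identifiers and the `fakeCatalog` endpoint are all constructed for the example so it runs offline.

```typescript
// Added example (not code from the JFrog MCP server). Paginates the Catalog
// vulnerability connection and applies a severity gate. The tool on this page
// forwards only pageSize (as `first`), so callers that need every finding must
// page themselves. ASSUMPTION (not confirmed by the page): the connection takes
// a Relay-style `after` cursor and returns `pageInfo { hasNextPage endCursor }`.

interface Vulnerability { name: string; description: string; severity: string; }
interface VulnPage { nodes: Vulnerability[]; hasNextPage: boolean; endCursor: string | null; }
type GraphqlPost = (body: { query: string; variables: Record<string, unknown> }) => Promise<unknown>;

const PAGE_QUERY = `query PageVulnerabilities($type: String!, $name: String!, $version: String!,
    $first: Int!, $after: String, $orderBy: VulnerabilityOrder!) {
  packageVersion(type: $type, name: $name, version: $version) {
    vulnerabilities(first: $first, after: $after, orderBy: $orderBy) {
      edges { node { name description severity } }
      pageInfo { hasNextPage endCursor }
    }
  }
}`;

function isRecord(v: unknown): v is Record<string, unknown> {
  return typeof v === "object" && v !== null;
}

// Validate one page by hand (the server code does the same job with zod).
// A null packageVersion means the catalog does not know the package/version;
// like the server code, this reports it as "no findings", so an empty result
// is ambiguous and should be logged as such by the caller.
function parsePage(response: unknown): VulnPage {
  if (!isRecord(response) || !isRecord(response.data)) throw new Error("malformed response: no data object");
  const pv = response.data.packageVersion;
  if (pv === null || pv === undefined) return { nodes: [], hasNextPage: false, endCursor: null };
  const conn = isRecord(pv) ? pv.vulnerabilities : undefined;
  const edges = isRecord(conn) ? conn.edges : undefined;
  if (!Array.isArray(edges)) throw new Error("malformed response: missing vulnerabilities.edges");
  const nodes = edges.map((edge: unknown, i: number): Vulnerability => {
    const node = isRecord(edge) ? edge.node : undefined;
    if (!isRecord(node) || typeof node.name !== "string" || typeof node.description !== "string" || typeof node.severity !== "string") {
      throw new Error(`malformed vulnerability node at index ${i}`);
    }
    return { name: node.name, description: node.description, severity: node.severity };
  });
  const pageInfo: Record<string, unknown> = isRecord(conn) && isRecord(conn.pageInfo) ? conn.pageInfo : {};
  return {
    nodes,
    hasNextPage: pageInfo.hasNextPage === true,
    endCursor: typeof pageInfo.endCursor === "string" ? pageInfo.endCursor : null,
  };
}

// Walk every page. Bounded by maxPages so a server that always reports
// hasNextPage (or recycles cursors) cannot keep the client looping.
async function fetchAllVulnerabilities(
  post: GraphqlPost, type: string, name: string, version = "latest", pageSize = 10, maxPages = 50,
): Promise<Vulnerability[]> {
  const all: Vulnerability[] = [];
  let after: string | null = null;
  for (let page = 0; page < maxPages; page++) {
    const response = await post({
      query: PAGE_QUERY,
      variables: { type, name, version, first: pageSize, after, orderBy: { field: "SEVERITY_VALUE", direction: "DESC" } },
    });
    const parsed = parsePage(response);
    all.push(...parsed.nodes);
    if (!parsed.hasNextPage || parsed.endCursor === null) return all;
    after = parsed.endCursor;
  }
  throw new Error(`gave up after ${maxPages} pages`);
}

// ASSUMPTION: severity label spellings; adjust to whatever the catalog returns.
const SEVERITY_RANK: Record<string, number> = { Critical: 4, High: 3, Medium: 2, Low: 1 };

// Findings at or above the threshold. A label the table does not know fails
// closed (treated as above any threshold) rather than slipping through.
function failsGate(vulns: Vulnerability[], minSeverity = "High"): Vulnerability[] {
  const threshold = SEVERITY_RANK[minSeverity];
  if (threshold === undefined) throw new Error(`unknown severity threshold ${minSeverity}`);
  return vulns.filter(v => (SEVERITY_RANK[v.severity] ?? Number.POSITIVE_INFINITY) >= threshold);
}

// Constructed sample data and a fake catalog endpoint so the example runs offline.
const CONSTRUCTED_VULNS: Vulnerability[] = [
  { name: "EXAMPLE-001", description: "constructed: deserialization of untrusted input", severity: "Critical" },
  { name: "EXAMPLE-002", description: "constructed: path traversal during archive extraction", severity: "High" },
  { name: "EXAMPLE-003", description: "constructed: stack trace disclosed in error page", severity: "Low" },
];

function fakeCatalog(): GraphqlPost {
  return async ({ variables }) => {
    if (variables.name !== "example-lib") return { data: { packageVersion: null } };
    const first = Number(variables.first);
    const start = typeof variables.after === "string" ? Number(variables.after) : 0;
    const slice = CONSTRUCTED_VULNS.slice(start, start + first);
    const end = start + slice.length;
    const more = end < CONSTRUCTED_VULNS.length;
    return { data: { packageVersion: { vulnerabilities: {
      edges: slice.map(node => ({ node })),
      pageInfo: { hasNextPage: more, endCursor: more ? String(end) : null },
    } } } };
  };
}
```

To use it against a real deployment, replace `fakeCatalog()` with a function that POSTs the body to the `xray/catalog/graphql` endpoint with the same credentials the MCP server uses, and confirm the cursor arguments against the catalog's actual GraphQL schema before relying on them. `fetchAllVulnerabilities(fakeCatalog(), "npm", "example-lib", "1.0.0", 2)` walks the three constructed findings across two pages, and `failsGate(..., "High")` keeps the Critical and High ones.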