jfrog_get_vulnerability_info
Fetch detailed vulnerability information by CVE ID, including affected packages and versions, using the JFrog MCP Server API for comprehensive security analysis.
Instructions
Useful for when you need to get a specific vulnerability information, including its affected packages and versions.
Input Schema
| Name | Required | Description | Default |
|---|---|---|---|
| cve_id | Yes | The CVE ID or vulnerability identifier to look up. | |
| pageCount | No | Number of pages to return. | |
| pageSize | No | Number of vulnerabilities to return per page. | |
Implementation Reference
- tools/catalog.ts:261-346 (handler) The getVulnerabilityInfo function implements the core tool logic: it constructs the GraphQL query for vulnerability info, sends the request via the jfrogRequest helper, then validates the response and processes it into structured output that includes the affected packages. Only cve_id and pageSize are passed as GraphQL variables; pageCount is accepted by the input schema but is not used by this query.

  ```typescript
  export async function getVulnerabilityInfo(options: JFrogCatalogVulnerabilityQuerySchema) {
    const query = `query GetCatalogVulnerabilityInfo(
      $cveId: String!,
      $pageSize: Int!
    ) {
      vulnerability(name: $cveId, ecosystem: "generic") {
        name
        description
        severity
        vulnerablePackages(first: $pageSize) {
          edges {
            node {
              packageVersion {
                version
                package {
                  type
                  name
                }
              }
            }
          }
        }
      }
    }`;

    const variables = {
      cveId: options.cve_id,
      pageSize: options.pageSize
    };

    // Validate the raw GraphQL response, then flatten it into the tool's output shape.
    function processResponse(response: unknown) {
      const validatedResponse = z.object({
        data: z.object({
          vulnerability: z.object({
            name: z.string(),
            description: z.string(),
            severity: z.enum(["Critical", "High", "Medium", "Low", "Unknown"]),
            vulnerablePackages: z.object({
              edges: z.array(z.object({
                node: z.object({
                  packageVersion: z.object({
                    version: z.string(),
                    package: z.object({
                      type: z.string(),
                      name: z.string()
                    })
                  })
                })
              }))
            })
          }).nullable()
        })
      }).parse(response);

      // A null vulnerability means the catalog has no entry for this ID.
      if (!validatedResponse.data.vulnerability) {
        return null;
      }

      const vulnerability = validatedResponse.data.vulnerability;
      return {
        name: vulnerability.name,
        description: vulnerability.description,
        severity: vulnerability.severity,
        vulnerablePackages: vulnerability.vulnerablePackages.edges.map(edge => ({
          type: edge.node.packageVersion.package.type,
          name: edge.node.packageVersion.package.name,
          version: edge.node.packageVersion.version
        }))
      };
    }

    const processedData = await jfrogRequest(
      "xray/catalog/graphql",
      {
        method: "POST",
        body: JSON.stringify({ query, variables })
      },
      processResponse
    );

    if (!processedData) {
      throw new Error(`Vulnerability information not found for CVE ID: ${options.cve_id}`);
    }

    return processedData;
  }
  ```
- schemas/catalog.ts:90-94 (schema) Zod input schema for the tool: defines cve_id (required string), pageSize and pageCount (numbers with defaults).

  ```typescript
  export const JFrogCatalogVulnerabilityQuerySchema = z.object({
    cve_id: z.string().describe("The CVE ID or vulnerability identifier to look up."),
    pageSize: JFrogCatalogPackageVersionVulnerabilitiesSchema.shape.pageSize,
    pageCount: JFrogCatalogPackageVersionVulnerabilitiesSchema.shape.pageCount
  });
  ```
- tools/catalog.ts:386-395 (registration) Local tool registration: defines the tool object with name, description, inputSchema reference, and a thin handler wrapper that validates args and delegates to getVulnerabilityInfo.

  ```typescript
  const getCatalogVulnerabilityInfoTool = {
    name: "jfrog_get_vulnerability_info",
    description: "Useful for when you need to get a specific vulnerability information, including its affected packages and versions.",
    inputSchema: zodToJsonSchema(JFrogCatalogVulnerabilityQuerySchema),
    //outputSchema: zodToJsonSchema(JFrogCatalogVulnerabilityResponseSchema),
    handler: async (args: any) => {
      const parsedArgs = JFrogCatalogVulnerabilityQuerySchema.parse(args);
      return await getVulnerabilityInfo(parsedArgs);
    }
  };
  ```
- tools/catalog.ts:397-402 (registration) The CatalogTools array groups catalog-related tools, including jfrog_get_vulnerability_info, for export and inclusion in the main tools list.

  ```typescript
  export const CatalogTools = [
    getCatalogPackageEntityTool,
    getCatalogPackageVersionsTool,
    getCatalogPackageVersionVulnerabilitiesTool,
    getCatalogVulnerabilityInfoTool
  ];
  ```
- tools/index.ts:13-23 (registration) Main tools registry: spreads all category tool arrays, including CatalogTools, exposing jfrog_get_vulnerability_info globally via the executeTool function.

  ```typescript
  export const tools = [
    ...RepositoryTools,
    ...BuildsTools,
    ...RuntimeTools,
    ...AccessTools,
    ...AQLTools,
    ...CatalogTools,
    ...CurationTools,
    ...PermissionsTools,
    ...ArtifactSecurityTools,
  ];
  ```
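
One way to consume the handler's structured output when triaging a CVE, shown as an added example that is not part of the JFrog MCP Server code: it intersects the returned `vulnerablePackages` with a local dependency inventory and flags when the result page came back full, since the query only requests `first: $pageSize` entries. `matchInventory`, `PackageRef`, the case-insensitive type comparison, and all sample data are assumptions made for illustration.

```typescript
// Output shape of getVulnerabilityInfo, as shown in the handler above.
type Severity = "Critical" | "High" | "Medium" | "Low" | "Unknown";
interface PackageRef { type: string; name: string; version: string }
interface VulnerabilityInfo {
  name: string;
  description: string;
  severity: Severity;
  vulnerablePackages: PackageRef[];
}
interface MatchResult {
  cve: string;
  severity: Severity;
  affected: PackageRef[];
  // True when the page came back full: more affected versions may exist
  // beyond `first: $pageSize`, so an empty `affected` is not conclusive.
  possiblyTruncated: boolean;
}

// Assumption: package type is compared case-insensitively; name and version exactly.
const key = (p: PackageRef): string => `${p.type.toLowerCase()}|${p.name}|${p.version}`;

// Hypothetical helper: intersect the tool's result with a local dependency inventory.
function matchInventory(info: VulnerabilityInfo, inventory: PackageRef[], pageSize: number): MatchResult {
  const vulnerable = new Set(info.vulnerablePackages.map(key));
  return {
    cve: info.name,
    severity: info.severity,
    affected: inventory.filter((dep) => vulnerable.has(key(dep))),
    possiblyTruncated: info.vulnerablePackages.length >= pageSize,
  };
}

// Constructed sample data; the CVE ID and package names are placeholders.
const sampleInfo: VulnerabilityInfo = {
  name: "CVE-0000-00000",
  description: "Constructed example entry",
  severity: "High",
  vulnerablePackages: [
    { type: "npm", name: "example-lib", version: "1.0.0" },
    { type: "npm", name: "example-lib", version: "1.0.1" },
  ],
};
const sampleInventory: PackageRef[] = [
  { type: "NPM", name: "example-lib", version: "1.0.1" },
  { type: "npm", name: "example-lib", version: "1.0.2" },
  { type: "pypi", name: "example-lib", version: "1.0.0" },
];
const result = matchInventory(sampleInfo, sampleInventory, 2);
console.log(JSON.stringify(result, null, 2));
```

When `possiblyTruncated` is true, repeat the lookup with a larger `pageSize` before treating a dependency as unaffected.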