Skip to content

[FEAT] deps-audit command — dependency vulnerability scan via OSV API #158

Description

@Wolfvin

Background

CodeLens has zero dependency vulnerability scanning. A project can be free of code-level bugs but ship with a dependency that has a known CVE — and CodeLens won't catch it. This is a clear gap for any CI security gate.

Strix uses trivy fs for this. A cleaner approach for CodeLens is to query the OSV.dev API directly — pure Python, zero binary dependency, no extra install required.

Goal

New command: codelens deps-audit <path>

codelens deps-audit .
codelens deps-audit . --format json
codelens deps-audit . --severity high,critical
codelens deps-audit . --ecosystem PyPI

How it works

Input parsing (support all three, auto-detect):

  • requirements.txt → PyPI ecosystem
  • package.json (+ package-lock.json / yarn.lock) → npm ecosystem
  • Cargo.toml (+ Cargo.lock) → crates.io ecosystem

OSV API query (batch endpoint, no auth required):

POST https://api.osv.dev/v1/querybatch
{
  "queries": [
    {"package": {"name": "requests", "ecosystem": "PyPI"}, "version": "2.27.0"},
    ...
  ]
}

Output:

  • Per-vulnerability: package name, installed version, CVE ID(s), CVSS score, fixed version, OSV URL
  • Stored in SQLite graph as dependency_vuln nodes linked to the lock file
  • Counts by severity in stats block

Definition of Done

  • deps-audit command registered in scripts/codelens.py dispatch table
  • Auto-detects requirements.txt, package.json, Cargo.toml (and their lock files for pinned versions)
  • Queries OSV batch API (api.osv.dev/v1/querybatch), handles pagination and rate limits
  • Findings stored in SQLite as dependency_vuln node type
  • --severity filter: low, medium, high, critical
  • --ecosystem filter to limit to one package manager
  • Standard --format support: json, compact, markdown
  • Zero external binary dependency — pure Python + urllib or httpx
  • sync_command_count.py --apply run after adding command (count: 71)
  • SKILL.md / SKILL-QUICK.md / README.md updated with new command

Source of Truth

  • OSV API docs: https://google.github.io/osv.dev/api/
  • OSV batch endpoint spec: POST /v1/querybatch — accepts up to 1000 queries per request
  • Existing command pattern to follow: scripts/commands/secrets.py (similar structure: scan → findings → stats → recommendations)
  • SQLite graph schema: scripts/graph_schema.py — add dependency_vuln node type

Example output

{
  "status": "ok",
  "stats": {"total": 3, "critical": 1, "high": 1, "medium": 1},
  "findings": [
    {
      "package": "requests",
      "version": "2.27.0",
      "vuln_id": "GHSA-j8r2-6x86-q33q",
      "severity": "high",
      "fixed_in": "2.31.0",
      "summary": "Unintended leak of Proxy-Authorization header",
      "osv_url": "https://osv.dev/vulnerability/GHSA-j8r2-6x86-q33q"
    }
  ]
}

Metadata

Metadata

Assignees

No one assigned

    Labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions