Skip to content

feat(tools/osv): query OSV.dev for vulnerability cross-references during security triage #311

Description

@potiuk

Add tools/osv/ as a read-only bridge to OSV.dev (Google's open-source vulnerability database). Complements the existing tools/cve-org/ and tools/vulnogram/ by providing OSV's per-ecosystem (PyPI, npm, Maven, Go, RubyGems, crates.io, Packagist, …) vulnerability records.

Suggested capabilities:

  • query --package <name> --ecosystem <pypi|npm|maven|...> — list known vulns for a package
  • query --commit <sha> --repo <url> — does a commit fix or introduce a known vuln?
  • vuln <OSV-ID> — full record (references, affected ranges, fix commits, aliases including CVE/GHSA)
  • aliases <id> — cross-walk CVE ↔ GHSA ↔ OSV (the alias graph is the most valuable single piece of OSV)

Why: During security-issue-triage, before allocating a CVE, it's high-value to check whether OSV already has a record — to detect duplicates, to find the matching GHSA, and to find which downstream consumers are already warned. OSV is the best machine-readable vulnerability cross-reference available, and integrates cleanly with the existing CVE workflow.

Concrete consumers:

  • security-issue-triage — early dedupe against the known-vuln set
  • security-issue-deduplicate — alias resolution before merging trackers
  • security-cve-allocate — sanity check that no existing OSV/GHSA already covers the report

Reference:

Metadata

Metadata

Assignees

No one assigned

    Labels

    capability:platformFramework / agent substrate skills (install, verify, doctor, override, status, setup bootstrap)enhancementNew feature or requestfamily:toolstools/*good first issueGood for newcomers

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions