OSV Vulnerabilities

Query OSV.dev vulnerability data through explicit HTTP actions.

Install

caplets install spiritledsoftware/caplets osv

Inspect before installing

Can change external servicesThis Caplet may perform mutating operations against an external service.

CAPLET.md

Frontmatter

Field	Value
`name`	OSV Vulnerabilities
`description`	Query OSV.dev vulnerability data through explicit HTTP actions.
`tags`	security, vulnerabilities, http, code
`catalog.icon`	https://osv.dev/favicon.ico
`httpApi.baseUrl`	https://api.osv.dev
`httpApi.auth.type`	none
`httpApi.actions.query_package_version.description`	Read-only OSV query for vulnerabilities affecting one package ecosystem/name/version tuple.
`httpApi.actions.query_package_version.method`	POST
`httpApi.actions.query_package_version.path`	/v1/query
`httpApi.actions.query_package_version.inputSchema.type`	object
`httpApi.actions.query_package_version.inputSchema.properties.name.type`	string
`httpApi.actions.query_package_version.inputSchema.properties.name.description`	Package name, such as lodash, requests, or openssl.
`httpApi.actions.query_package_version.inputSchema.properties.ecosystem.type`	string
`httpApi.actions.query_package_version.inputSchema.properties.ecosystem.description`	OSV ecosystem, such as npm, PyPI, Maven, Go, crates.io, Packagist, RubyGems, NuGet, Debian, or Alpine.
`httpApi.actions.query_package_version.inputSchema.properties.version.type`	string
`httpApi.actions.query_package_version.inputSchema.properties.version.description`	Package version to query.
`httpApi.actions.query_package_version.inputSchema.properties.page_token.type`	string
`httpApi.actions.query_package_version.inputSchema.properties.page_token.description`	Optional pagination token returned by OSV.
`httpApi.actions.query_package_version.inputSchema.required`	name, ecosystem, version
`httpApi.actions.query_package_version.jsonBody.package.name`	$input.name
`httpApi.actions.query_package_version.jsonBody.package.ecosystem`	$input.ecosystem
`httpApi.actions.query_package_version.jsonBody.version`	$input.version
`httpApi.actions.query_package_version.jsonBody.page_token`	$input.page_token
`httpApi.actions.query_purl.description`	Read-only OSV query for vulnerabilities affecting one package URL (purl).
`httpApi.actions.query_purl.method`	POST
`httpApi.actions.query_purl.path`	/v1/query
`httpApi.actions.query_purl.inputSchema.type`	object
`httpApi.actions.query_purl.inputSchema.properties.purl.type`	string
`httpApi.actions.query_purl.inputSchema.properties.purl.description`	Package URL, such as pkg:npm/lodash@4.17.20 or pkg:pypi/requests@2.19.0.
`httpApi.actions.query_purl.inputSchema.properties.page_token.type`	string
`httpApi.actions.query_purl.inputSchema.properties.page_token.description`	Optional pagination token returned by OSV.
`httpApi.actions.query_purl.inputSchema.required`	purl
`httpApi.actions.query_purl.jsonBody.package.purl`	$input.purl
`httpApi.actions.query_purl.jsonBody.page_token`	$input.page_token
`httpApi.actions.query_commit.description`	Read-only OSV query for vulnerabilities associated with one source commit hash.
`httpApi.actions.query_commit.method`	POST
`httpApi.actions.query_commit.path`	/v1/query
`httpApi.actions.query_commit.inputSchema.type`	object
`httpApi.actions.query_commit.inputSchema.properties.commit.type`	string
`httpApi.actions.query_commit.inputSchema.properties.commit.description`	Source commit hash to query.
`httpApi.actions.query_commit.inputSchema.properties.page_token.type`	string
`httpApi.actions.query_commit.inputSchema.properties.page_token.description`	Optional pagination token returned by OSV.
`httpApi.actions.query_commit.inputSchema.required`	commit
`httpApi.actions.query_commit.jsonBody.commit`	$input.commit
`httpApi.actions.query_commit.jsonBody.page_token`	$input.page_token
`httpApi.actions.query_batch.description`	Read-only OSV batch query for multiple package, purl, commit, or version requests.
`httpApi.actions.query_batch.method`	POST
`httpApi.actions.query_batch.path`	/v1/querybatch
`httpApi.actions.query_batch.inputSchema.type`	object
`httpApi.actions.query_batch.inputSchema.properties.queries.type`	array
`httpApi.actions.query_batch.inputSchema.properties.queries.description`	OSV query objects accepted by /v1/querybatch.
`httpApi.actions.query_batch.inputSchema.properties.queries.items.type`	object
`httpApi.actions.query_batch.inputSchema.properties.queries.items.additionalProperties`	true
`httpApi.actions.query_batch.inputSchema.required`	queries
`httpApi.actions.query_batch.jsonBody.queries`	$input.queries
`httpApi.actions.get_vulnerability.description`	Read-only OSV lookup for one vulnerability record by OSV, CVE, or GHSA identifier.
`httpApi.actions.get_vulnerability.method`	GET
`httpApi.actions.get_vulnerability.path`	/v1/vulns/{id}
`httpApi.actions.get_vulnerability.inputSchema.type`	object
`httpApi.actions.get_vulnerability.inputSchema.properties.id.type`	string
`httpApi.actions.get_vulnerability.inputSchema.properties.id.description`	Vulnerability identifier, such as OSV-2020-744, CVE-2021-44228, or GHSA-jfh8-c2jp-5v3q.
`httpApi.actions.get_vulnerability.inputSchema.required`	id

OSV Vulnerabilities

Use this Caplet when the agent needs known vulnerability data for package versions, package URLs, source commits, or vulnerability identifiers.

First Workflow

Prefer exact ecosystem, package name, and version when checking a dependency.
Use purls when dependency tooling already produced normalized package URLs.
Batch related dependency checks instead of issuing many single-package calls.
Fetch the vulnerability record when an OSV, CVE, or GHSA ID needs explanation or remediation context.

Operate Carefully

OSV results are read-only and public, but absence of a result is not proof that a dependency is safe.
Match ecosystem names exactly, such as npm, PyPI, Maven, Go, crates.io, Packagist, RubyGems, NuGet, Debian, Alpine, or OSS-Fuzz.
Use package registry Caplets for release metadata and local project tooling for the actual installed version.