An MCP server for OSV
- • Basic MCP protocol features implemented (12/40)
- • Limited GitHub community activity (6/20)
- • Optimal dependency management (20/20)
- • Full deployment maturity (10/10)
- • Documentation (8/8)
- • Archestra MCP Trust score badge is missing
{
"mcpServers": {
"osv": {
"command": "thv",
"args": [
"run",
"osv"
],
"env": {}
},
"osv-mcp-server": {
"command": "./build/osv-mcp-server",
"args": [],
"env": {}
},
"osv-mcp-server-configured": {
"command": "./build/osv-mcp-server",
"args": [],
"env": {
"MCP_PORT": "3000"
}
}
}
}OSV MCP Server
An MCP (Model Context Protocol) server that provides access to the
OSV (Open Source Vulnerabilities) database.
Overview
This project implements an SSE-based MCP server that allows LLM-powered
applications to query the OSV database for vulnerability information. The server
provides tools for:
- Querying vulnerabilities for a specific package version or commit
- Batch querying vulnerabilities for multiple packages or commits
- Getting detailed information about a specific vulnerability by ID
Installation
Prerequisites
Building from source
# Clone the repository
git clone https://github.com/StacklokLabs/osv-mcp.git
cd osv-mcp
# Build the server
task build
Usage
Running with ToolHive (Recommended)
The easiest way to run the OSV MCP server is using
ToolHive, which provides secure,
containerized deployment of MCP servers:
# Install ToolHive (if not already installed)
# See: https://docs.stacklok.com/toolhive/guides-cli/install
# Register a supported client so ToolHive can auto-configure your environment
thv client setup
# Run the OSV MCP server (packaged as 'osv' in ToolHive)
thv run osv
# List running servers
thv list
# Get detailed information about the server
thv registry info osv
The server will be available to your MCP-compatible clients and can query the
OSV database for vulnerability information.
Running from Source
Server Configuration
The server can be configured using environment variables:
-
MCP_PORT: The port number to run the server on (default: 8080)- Must be a valid integer between 0 and 65535
- If invalid or not set, the server will use port 8080
-
MCP_TRANSPORT: The transport mode for the server (default:sse)- Supported values:
sse,streamable-http - If invalid or not set, the server will use SSE transport mode
- Supported values:
Example:
# Run on port 3000
MCP_PORT=3000 ./build/osv-mcp-server
# Run on default port 8080
./build/osv-mcp-server
MCP Tools
The server provides the following MCP tools:
query_vulnerability
Query for vulnerabilities affecting a specific package version or commit.
Input Schema:
{
"type": "object",
"properties": {
"commit": {
"type": "string",
"description": "The commit hash to query for. If specified, version should not be set."
},
"version": {
"type": "string",
"description": "The version string to query for. If specified, commit should not be set."
},
"package_name": {
"type": "string",
"description": "The name of the package."
},
"ecosystem": {
"type": "string",
"description": "The ecosystem for this package (e.g., PyPI, npm, Go)."
},
"purl": {
"type": "string",
"description": "The package URL for this package. If purl is used, package_name and ecosystem should not be set."
}
}
}
query_vulnerabilities_batch
Query for vulnerabilities affecting multiple packages or commits at once.
Input Schema:
{
"type": "object",
"properties": {
"queries": {
"type": "array",
"description": "Array of query objects",
"items": {
"type": "object",
"properties": {
"commit": {
"type": "string",
"description": "The commit hash to query for. If specified, version should not be set."
},
"version": {
"type": "string",
"description": "The version string to query for. If specified, commit should not be set."
},
"package_name": {
"type": "string",
"description": "The name of the package."
},
"ecosystem": {
"type": "string",
"description": "The ecosystem for this package (e.g., PyPI, npm, Go)."
},
"purl": {
"type": "string",
"description": "The package URL for this package. If purl is used, package_name and ecosystem should not be set."
}
}
}
}
},
"required": ["queries"]
}
get_vulnerability
Get details for a specific vulnerability by ID.
Input Schema:
{
"type": "object",
"properties": {
"id": {
"type": "string",
"description": "The OSV vulnerability ID"
}
},
"required": ["id"]
}
Examples
Querying vulnerabilities for a package
{
"package_name": "lodash",
"ecosystem": "npm",
"version": "4.17.15"
}
Querying vulnerabilities for a commit
{
"commit": "6879efc2c1596d11a6a6ad296f80063b558d5e0f"
}
Batch querying vulnerabilities
{
"queries": [
{
"package_name": "lodash",
"ecosystem": "npm",
"version": "4.17.15"
},
{
"package_name": "jinja2",
"ecosystem": "PyPI",
"version": "2.4.1"
}
]
}
Getting vulnerability details
{
"id": "GHSA-vqj2-4v8m-8vrq"
}
Development
Running tests
task test
Linting
task lint
Formatting code
task fmt
Contributing
We welcome contributions to this MCP server! If you'd like to contribute, please
review the CONTRIBUTING guide for details on how to get
started.
If you run into a bug or have a feature request, please
open an issue in the
repository or join us in the #mcp-servers channel on our
community Discord server.
License
This project is licensed under the Apache v2 License - see the LICENSE file for
details.
[](https://archestra.ai/mcp-catalog/stackloklabs__osv-mcp)OSV MCP Server
An MCP (Model Context Protocol) server that provides access to the
OSV (Open Source Vulnerabilities) database.
Overview
This project implements an SSE-based MCP server that allows LLM-powered
applications to query the OSV database for vulnerability information. The server
provides tools for:
- Querying vulnerabilities for a specific package version or commit
- Batch querying vulnerabilities for multiple packages or commits
- Getting detailed information about a specific vulnerability by ID
Installation
Prerequisites
Building from source
# Clone the repository
git clone https://github.com/StacklokLabs/osv-mcp.git
cd osv-mcp
# Build the server
task build
Usage
Running with ToolHive (Recommended)
The easiest way to run the OSV MCP server is using
ToolHive, which provides secure,
containerized deployment of MCP servers:
# Install ToolHive (if not already installed)
# See: https://docs.stacklok.com/toolhive/guides-cli/install
# Register a supported client so ToolHive can auto-configure your environment
thv client setup
# Run the OSV MCP server (packaged as 'osv' in ToolHive)
thv run osv
# List running servers
thv list
# Get detailed information about the server
thv registry info osv
The server will be available to your MCP-compatible clients and can query the
OSV database for vulnerability information.
Running from Source
Server Configuration
The server can be configured using environment variables:
-
MCP_PORT: The port number to run the server on (default: 8080)- Must be a valid integer between 0 and 65535
- If invalid or not set, the server will use port 8080
-
MCP_TRANSPORT: The transport mode for the server (default:sse)- Supported values:
sse,streamable-http - If invalid or not set, the server will use SSE transport mode
- Supported values:
Example:
# Run on port 3000
MCP_PORT=3000 ./build/osv-mcp-server
# Run on default port 8080
./build/osv-mcp-server
MCP Tools
The server provides the following MCP tools:
query_vulnerability
Query for vulnerabilities affecting a specific package version or commit.
Input Schema:
{
"type": "object",
"properties": {
"commit": {
"type": "string",
"description": "The commit hash to query for. If specified, version should not be set."
},
"version": {
"type": "string",
"description": "The version string to query for. If specified, commit should not be set."
},
"package_name": {
"type": "string",
"description": "The name of the package."
},
"ecosystem": {
"type": "string",
"description": "The ecosystem for this package (e.g., PyPI, npm, Go)."
},
"purl": {
"type": "string",
"description": "The package URL for this package. If purl is used, package_name and ecosystem should not be set."
}
}
}
query_vulnerabilities_batch
Query for vulnerabilities affecting multiple packages or commits at once.
Input Schema:
{
"type": "object",
"properties": {
"queries": {
"type": "array",
"description": "Array of query objects",
"items": {
"type": "object",
"properties": {
"commit": {
"type": "string",
"description": "The commit hash to query for. If specified, version should not be set."
},
"version": {
"type": "string",
"description": "The version string to query for. If specified, commit should not be set."
},
"package_name": {
"type": "string",
"description": "The name of the package."
},
"ecosystem": {
"type": "string",
"description": "The ecosystem for this package (e.g., PyPI, npm, Go)."
},
"purl": {
"type": "string",
"description": "The package URL for this package. If purl is used, package_name and ecosystem should not be set."
}
}
}
}
},
"required": ["queries"]
}
get_vulnerability
Get details for a specific vulnerability by ID.
Input Schema:
{
"type": "object",
"properties": {
"id": {
"type": "string",
"description": "The OSV vulnerability ID"
}
},
"required": ["id"]
}
Examples
Querying vulnerabilities for a package
{
"package_name": "lodash",
"ecosystem": "npm",
"version": "4.17.15"
}
Querying vulnerabilities for a commit
{
"commit": "6879efc2c1596d11a6a6ad296f80063b558d5e0f"
}
Batch querying vulnerabilities
{
"queries": [
{
"package_name": "lodash",
"ecosystem": "npm",
"version": "4.17.15"
},
{
"package_name": "jinja2",
"ecosystem": "PyPI",
"version": "2.4.1"
}
]
}
Getting vulnerability details
{
"id": "GHSA-vqj2-4v8m-8vrq"
}
Development
Running tests
task test
Linting
task lint
Formatting code
task fmt
Contributing
We welcome contributions to this MCP server! If you'd like to contribute, please
review the CONTRIBUTING guide for details on how to get
started.
If you run into a bug or have a feature request, please
open an issue in the
repository or join us in the #mcp-servers channel on our
community Discord server.
License
This project is licensed under the Apache v2 License - see the LICENSE file for
details.