osv -- OSV.dev vulnerability database client#
Query the OSV (Open Source Vulnerabilities) database for known vulnerabilities by Package URL, ecosystem, or commit hash. OSV aggregates data from NVD, GitHub Advisories, RustSec, PyPI, and dozens of other sources into a unified schema (OSV Schema v1.6).
Installation#
Install with opam:
$ opam install osv
If opam cannot find the package, it has not yet been published in the public
opam-repository. Add the author's overlay repository, then install from it.
Note that every added opam repository is trusted for any package it provides,
so review the overlay (or pin it to a specific commit) before relying on it:
$ opam repo add samoht https://tangled.org/gazagnaire.org/opam-overlay.git
$ opam update
$ opam install osv
Quick Start#
(* Quick start: look up known vulnerabilities for a single Package URL and
   print one line per advisory (id, severity, summary) on stdout.  A failed
   query is reported on stderr with the error message returned by the client.
   NOTE(review): the lookup goes out over [env#net] to a remote service; how
   the transport is verified is not visible here -- confirm before using the
   result as a policy gate. *)
let run () =
  Eio_main.run @@ fun env ->
  Eio.Switch.run @@ fun sw ->
  let print_vuln v =
    Fmt.pr "%s [%s]: %s@." v.Osv.id (Osv.severity_to_string v.severity) v.summary
  in
  let result =
    Osv.query_purl ~sw ~net:env#net ~clock:env#clock "pkg:npm/lodash@4.17.20"
  in
  match result with
  | Ok vulns -> List.iter print_vuln vulns
  | Error msg -> Fmt.epr "Query failed: %s@." msg
Query Methods#
query_purl -- query by Package URL (e.g. pkg:npm/lodash@4.17.20)
query_package -- query by ecosystem, name, and version
query_commit -- query by git commit hash
query_batch -- query multiple Package URLs in one API call
Filtering#
(* [summarise vulns] reduces a vulnerability list to a triple:
   (number of entries at severity High or above,
    number of entries for which a fix is known,
    all CVE identifiers across the list, in input order).
   Severity is whatever OSV reported; entries lacking one are presumably
   dropped by [Osv.filter_severity] rather than counted -- confirm. *)
let summarise (vulns : Osv.vulnerability list) =
  let n_high_or_above = List.length (Osv.filter_severity ~min:High vulns) in
  let n_fixable = List.length (List.filter Osv.has_fix vulns) in
  let all_cves = List.concat_map Osv.cve_ids vulns in
  (n_high_or_above, n_fixable, all_cves)
License#
ISC