# OSV.dev Vulnerabilities Scraper (`crawlerbros/osv-vulnerabilities-scraper`) Actor Scrape OSV.dev, Google's open vulnerability database covering NPM, PyPI, Go, Maven, NuGet, Cargo, RubyGems, GitHub Actions, OS distros, and more. Look up vulnerabilities by package, fetch a specific OSV/GHSA/CVE record, or batch-query an entire dependency tree. - **URL**: https://apify.com/crawlerbros/osv-vulnerabilities-scraper.md - **Developed by:** [Crawler Bros](https://apify.com/crawlerbros) (community) - **Categories:** Developer tools, Automation, Other - **Stats:** 2 total users, 1 monthly users, 100.0% runs succeeded, 13 bookmarks - **User rating**: 5.00 out of 5 stars ## Pricing from $3.00 / 1,000 results This Actor is paid per event and usage. You are charged both the fixed price for specific events and for Apify platform usage. Since this Actor supports Apify Store discounts, the price gets lower the higher subscription plan you have. Learn more: https://docs.apify.com/platform/actors/running/actors-in-store#pay-per-event ## What's an Apify Actor? Actors are a software tools running on the Apify platform, for all kinds of web data extraction and automation use cases. In Batch mode, an Actor accepts a well-defined JSON input, performs an action which can take anything from a few seconds to a few hours, and optionally produces a well-defined JSON output, datasets with results, or files in key-value store. In Standby mode, an Actor provides a web server which can be used as a website, API, or an MCP server. Actors are written with capital "A". ## How to integrate an Actor? If asked about integration, you help developers integrate Actors into their projects. You adapt to their stack and deliver integrations that are safe, well-documented, and production-ready. The best way to integrate Actors is as follows. In JavaScript/TypeScript projects, use official [JavaScript/TypeScript client](https://docs.apify.com/api/client/js.md): ```bash npm install apify-client ``` In Python projects, use official [Python client library](https://docs.apify.com/api/client/python.md): ```bash pip install apify-client ``` In shell scripts, use [Apify CLI](https://docs.apify.com/cli/docs.md): ````bash # MacOS / Linux curl -fsSL https://apify.com/install-cli.sh | bash # Windows irm https://apify.com/install-cli.ps1 | iex ```bash In AI frameworks, you might use the [Apify MCP server](https://docs.apify.com/platform/integrations/mcp.md). If your project is in a different language, use the [REST API](https://docs.apify.com/api/v2.md). For usage examples, see the [API](#api) section below. For more details, see Apify documentation as [Markdown index](https://docs.apify.com/llms.txt) and [Markdown full-text](https://docs.apify.com/llms-full.txt). # README ## OSV.dev Vulnerabilities Scraper Scrape Google's OSV.dev — the open vulnerability database covering NPM, PyPI, Go, Maven, NuGet, Cargo, RubyGems, GitHub Actions, OS distros, and 20+ other ecosystems. Look up vulnerabilities by package, fetch a specific OSV/GHSA/CVE record. HTTP-only via the public `api.osv.dev/v1` API. No auth, no proxy. ### What this actor does - **Two modes:** `queryPackages` (search by package list) and `byVulnIds` (lookup by ID) - **Universal IDs:** OSV (`OSV-...`), GHSA (`GHSA-...`), CVE (`CVE-...`), PYSEC, RUSTSEC, etc. - **Filters:** min CVSS severity (LOW / MEDIUM / HIGH / CRITICAL), published-after date, ecosystem - **Severity normalization:** parses CVSS scores from multiple OSV variants, classifies into LOW/MEDIUM/HIGH/CRITICAL buckets ### Output per vulnerability - `id`, `aliases[]`, `related[]` - `summary`, `details` - `publishedAt`, `modifiedAt`, `withdrawnAt` - `severityScore` (0–10 CVSS), `severityBucket` (`LOW`/`MEDIUM`/`HIGH`/`CRITICAL`) - `affected[]` — `[{name, ecosystem, purl, ranges, versions}, ...]` - `ecosystems[]` — flat list across all affected packages - `references[]` — advisory / fix / web URLs (capped at 25) - `osvUrl` — canonical link - `recordType: "vulnerability"`, `scrapedAt` ### Input | Field | Type | Default | Description | |---|---|---|---| | `mode` | string | `queryPackages` | `queryPackages` / `byVulnIds` | | `packages` | array | – | `ecosystem:name[@version]` strings (e.g. `PyPI:requests`, `npm:lodash@4.17.20`) | | `vulnIds` | array | – | OSV / GHSA / CVE / PYSEC IDs | | `minSeverity` | string | `any` | `any` / `LOW` / `MEDIUM` / `HIGH` / `CRITICAL` | | `publishedAfter` | string | – | YYYY-MM-DD | | `ecosystemAnyOf` | array | `[]` | Filter to specific ecosystems | | `maxItems` | int | `50` | Hard cap (1–5000) | #### Example: audit a Python project's deps ```json { "mode": "queryPackages", "packages": [ "PyPI:requests", "PyPI:django", "PyPI:flask", "PyPI:numpy" ], "minSeverity": "HIGH" } ```` #### Example: NPM packages with version ```json { "mode": "queryPackages", "packages": [ "npm:lodash@4.17.15", "npm:axios@0.21.0", "npm:express@4.16.0" ] } ``` #### Example: lookup a specific advisory ```json { "mode": "byVulnIds", "vulnIds": ["GHSA-652x-xj99-gmcc", "CVE-2024-12345"] } ``` #### Example: recent critical vulns across Python ecosystem ```json { "mode": "queryPackages", "packages": [ "PyPI:requests", "PyPI:urllib3", "PyPI:django", "PyPI:flask", "PyPI:fastapi", "PyPI:pillow", "PyPI:cryptography", "PyPI:numpy" ], "minSeverity": "CRITICAL", "publishedAfter": "2024-01-01" } ``` ### Use cases - **Security audits** — bulk-check a dependency tree for known CVEs - **CI/CD gates** — block builds when `severityBucket >= HIGH` is detected - **Vendor assessment** — audit third-party libraries before adoption - **Patch planning** — surface fix versions per advisory - **Compliance** — maintain an SBOM-grade vulnerability register - **Research** — bulk-export vulnerabilities by ecosystem / time period ### Supported ecosystems OSV covers: `npm`, `PyPI`, `Go`, `Maven`, `NuGet`, `RubyGems`, `crates.io` (Rust), `Packagist` (PHP/Composer), `Pub` (Dart/Flutter), `Hex` (Elixir), `SwiftURL`, `GitHub Actions`, plus OS-level (`Debian`, `Ubuntu`, `Alpine`, `RockyLinux`, `Photon`, `OSS-Fuzz`, `Linux`, `Android`). ### FAQ **What's OSV?** Google's open Vulnerability database. Aggregates GitHub Security Advisories, RustSec, PYSEC, OSV-Schema-conformant feeds from upstream sources. See [osv.dev](https://osv.dev). **Is the API really free?** Yes. No auth, no signup. Reasonable rate limit (~25 QPS for most use cases). **What's the difference between OSV and CVE?** CVE is the international identifier (MITRE). OSV is the database that lifts CVEs + ecosystem-specific advisories (GHSA, RustSec, PYSEC) into a unified machine-readable schema. Each OSV entry usually has CVE / GHSA aliases. **Why are some severity scores missing?** Older advisories (especially auto-imported from MITRE) sometimes lack CVSS scores. The actor falls back to `database_specific.cvss.score` and then to GHSA's `severity` string when available. **What's a `purl`?** Package URL — a compact spec for naming a package across ecosystems (e.g. `pkg:pypi/requests@2.31.0`). Useful when feeding our output to other security tools. **How does the `affected` filter work?** We extract the `introduced` and `fixed` versions from each range. For deeper version-range checking against a specific version of your dep, supply `ecosystem:name@version` in `packages` and OSV's API will only return advisories that affect that version. **How fresh is the data?** Daily — OSV re-aggregates from upstream feeds nightly. Critical advisories typically appear within 24h of their primary publication. **Should I run this regularly?** Yes — schedule a daily run on your dependency list, gate builds on the dataset content. Pairs naturally with our NPM Registry and PyPI scrapers for SBOM-style auditing. # Actor input Schema ## `mode` (type: `string`): What to fetch. ## `packages` (type: `array`): List of `ecosystem:packageName` strings (e.g. `PyPI:requests`, `npm:lodash`, `Go:github.com/gin-gonic/gin`). Optional version: `npm:lodash@4.17.20`. ## `vulnIds` (type: `array`): OSV / GHSA / CVE IDs (e.g. `GHSA-652x-xj99-gmcc`, `CVE-2024-12345`). ## `minSeverity` (type: `string`): Only emit vulnerabilities with at least this CVSS severity. Numeric thresholds: LOW=0.1, MEDIUM=4.0, HIGH=7.0, CRITICAL=9.0. ## `publishedAfter` (type: `string`): Drop vulnerabilities published before this date. ## `ecosystemAnyOf` (type: `array`): Restrict to specific ecosystems (e.g. `npm`, `PyPI`, `Go`, `Maven`, `NuGet`, `crates.io`, `RubyGems`). ## `maxItems` (type: `integer`): Hard cap on emitted records. ## Actor input object example ```json { "mode": "queryPackages", "packages": [ "PyPI:requests", "npm:lodash" ], "vulnIds": [], "minSeverity": "any", "ecosystemAnyOf": [], "maxItems": 50 } ``` # Actor output Schema ## `vulnerabilities` (type: `string`): Dataset containing all scraped vulnerabilities. # API You can run this Actor programmatically using our API. Below are code examples in JavaScript, Python, and CLI, as well as the OpenAPI specification and MCP server setup. ## JavaScript example ```javascript import { ApifyClient } from 'apify-client'; // Initialize the ApifyClient with your Apify API token // Replace the '' with your token const client = new ApifyClient({ token: '', }); // Prepare Actor input const input = { "mode": "queryPackages", "packages": [ "PyPI:requests", "npm:lodash" ], "vulnIds": [], "minSeverity": "any", "ecosystemAnyOf": [], "maxItems": 50 }; // Run the Actor and wait for it to finish const run = await client.actor("crawlerbros/osv-vulnerabilities-scraper").call(input); // Fetch and print Actor results from the run's dataset (if any) console.log('Results from dataset'); console.log(`💾 Check your data here: https://console.apify.com/storage/datasets/${run.defaultDatasetId}`); const { items } = await client.dataset(run.defaultDatasetId).listItems(); items.forEach((item) => { console.dir(item); }); // 📚 Want to learn more 📖? Go to → https://docs.apify.com/api/client/js/docs ``` ## Python example ```python from apify_client import ApifyClient # Initialize the ApifyClient with your Apify API token # Replace '' with your token. client = ApifyClient("") # Prepare the Actor input run_input = { "mode": "queryPackages", "packages": [ "PyPI:requests", "npm:lodash", ], "vulnIds": [], "minSeverity": "any", "ecosystemAnyOf": [], "maxItems": 50, } # Run the Actor and wait for it to finish run = client.actor("crawlerbros/osv-vulnerabilities-scraper").call(run_input=run_input) # Fetch and print Actor results from the run's dataset (if there are any) print("💾 Check your data here: https://console.apify.com/storage/datasets/" + run["defaultDatasetId"]) for item in client.dataset(run["defaultDatasetId"]).iterate_items(): print(item) # 📚 Want to learn more 📖? Go to → https://docs.apify.com/api/client/python/docs/quick-start ``` ## CLI example ```bash echo '{ "mode": "queryPackages", "packages": [ "PyPI:requests", "npm:lodash" ], "vulnIds": [], "minSeverity": "any", "ecosystemAnyOf": [], "maxItems": 50 }' | apify call crawlerbros/osv-vulnerabilities-scraper --silent --output-dataset ``` ## MCP server setup ```json { "mcpServers": { "apify": { "command": "npx", "args": [ "mcp-remote", "https://mcp.apify.com/?tools=crawlerbros/osv-vulnerabilities-scraper", "--header", "Authorization: Bearer " ] } } } ``` ## OpenAPI specification ```json { "openapi": "3.0.1", "info": { "title": "OSV.dev Vulnerabilities Scraper", "description": "Scrape OSV.dev, Google's open vulnerability database covering NPM, PyPI, Go, Maven, NuGet, Cargo, RubyGems, GitHub Actions, OS distros, and more. Look up vulnerabilities by package, fetch a specific OSV/GHSA/CVE record, or batch-query an entire dependency tree.", "version": "1.0", "x-build-id": "dCYYUu5TkntIwBLFo" }, "servers": [ { "url": "https://api.apify.com/v2" } ], "paths": { "/acts/crawlerbros~osv-vulnerabilities-scraper/run-sync-get-dataset-items": { "post": { "operationId": "run-sync-get-dataset-items-crawlerbros-osv-vulnerabilities-scraper", "x-openai-isConsequential": false, "summary": "Executes an Actor, waits for its completion, and returns Actor's dataset items in response.", "tags": [ "Run Actor" ], "requestBody": { "required": true, "content": { "application/json": { "schema": { "$ref": "#/components/schemas/inputSchema" } } } }, "parameters": [ { "name": "token", "in": "query", "required": true, "schema": { "type": "string" }, "description": "Enter your Apify token here" } ], "responses": { "200": { "description": "OK" } } } }, "/acts/crawlerbros~osv-vulnerabilities-scraper/runs": { "post": { "operationId": "runs-sync-crawlerbros-osv-vulnerabilities-scraper", "x-openai-isConsequential": false, "summary": "Executes an Actor and returns information about the initiated run in response.", "tags": [ "Run Actor" ], "requestBody": { "required": true, "content": { "application/json": { "schema": { "$ref": "#/components/schemas/inputSchema" } } } }, "parameters": [ { "name": "token", "in": "query", "required": true, "schema": { "type": "string" }, "description": "Enter your Apify token here" } ], "responses": { "200": { "description": "OK", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/runsResponseSchema" } } } } } } }, "/acts/crawlerbros~osv-vulnerabilities-scraper/run-sync": { "post": { "operationId": "run-sync-crawlerbros-osv-vulnerabilities-scraper", "x-openai-isConsequential": false, "summary": "Executes an Actor, waits for completion, and returns the OUTPUT from Key-value store in response.", "tags": [ "Run Actor" ], "requestBody": { "required": true, "content": { "application/json": { "schema": { "$ref": "#/components/schemas/inputSchema" } } } }, "parameters": [ { "name": "token", "in": "query", "required": true, "schema": { "type": "string" }, "description": "Enter your Apify token here" } ], "responses": { "200": { "description": "OK" } } } } }, "components": { "schemas": { "inputSchema": { "type": "object", "required": [ "mode" ], "properties": { "mode": { "title": "Mode", "enum": [ "queryPackages", "queryBatch", "byVulnIds" ], "type": "string", "description": "What to fetch.", "default": "queryPackages" }, "packages": { "title": "Packages", "type": "array", "description": "List of `ecosystem:packageName` strings (e.g. `PyPI:requests`, `npm:lodash`, `Go:github.com/gin-gonic/gin`). Optional version: `npm:lodash@4.17.20`.", "default": [], "items": { "type": "string" } }, "vulnIds": { "title": "Vulnerability IDs (mode=byVulnIds)", "type": "array", "description": "OSV / GHSA / CVE IDs (e.g. `GHSA-652x-xj99-gmcc`, `CVE-2024-12345`).", "default": [], "items": { "type": "string" } }, "minSeverity": { "title": "Min CVSS severity", "enum": [ "any", "LOW", "MEDIUM", "HIGH", "CRITICAL" ], "type": "string", "description": "Only emit vulnerabilities with at least this CVSS severity. Numeric thresholds: LOW=0.1, MEDIUM=4.0, HIGH=7.0, CRITICAL=9.0.", "default": "any" }, "publishedAfter": { "title": "Published after (YYYY-MM-DD)", "type": "string", "description": "Drop vulnerabilities published before this date." }, "ecosystemAnyOf": { "title": "Ecosystem filter", "type": "array", "description": "Restrict to specific ecosystems (e.g. `npm`, `PyPI`, `Go`, `Maven`, `NuGet`, `crates.io`, `RubyGems`).", "default": [], "items": { "type": "string" } }, "maxItems": { "title": "Max items", "minimum": 1, "maximum": 5000, "type": "integer", "description": "Hard cap on emitted records.", "default": 50 } } }, "runsResponseSchema": { "type": "object", "properties": { "data": { "type": "object", "properties": { "id": { "type": "string" }, "actId": { "type": "string" }, "userId": { "type": "string" }, "startedAt": { "type": "string", "format": "date-time", "example": "2025-01-08T00:00:00.000Z" }, "finishedAt": { "type": "string", "format": "date-time", "example": "2025-01-08T00:00:00.000Z" }, "status": { "type": "string", "example": "READY" }, "meta": { "type": "object", "properties": { "origin": { "type": "string", "example": "API" }, "userAgent": { "type": "string" } } }, "stats": { "type": "object", "properties": { "inputBodyLen": { "type": "integer", "example": 2000 }, "rebootCount": { "type": "integer", "example": 0 }, "restartCount": { "type": "integer", "example": 0 }, "resurrectCount": { "type": "integer", "example": 0 }, "computeUnits": { "type": "integer", "example": 0 } } }, "options": { "type": "object", "properties": { "build": { "type": "string", "example": "latest" }, "timeoutSecs": { "type": "integer", "example": 300 }, "memoryMbytes": { "type": "integer", "example": 1024 }, "diskMbytes": { "type": "integer", "example": 2048 } } }, "buildId": { "type": "string" }, "defaultKeyValueStoreId": { "type": "string" }, "defaultDatasetId": { "type": "string" }, "defaultRequestQueueId": { "type": "string" }, "buildNumber": { "type": "string", "example": "1.0.0" }, "containerUrl": { "type": "string" }, "usage": { "type": "object", "properties": { "ACTOR_COMPUTE_UNITS": { "type": "integer", "example": 0 }, "DATASET_READS": { "type": "integer", "example": 0 }, "DATASET_WRITES": { "type": "integer", "example": 0 }, "KEY_VALUE_STORE_READS": { "type": "integer", "example": 0 }, "KEY_VALUE_STORE_WRITES": { "type": "integer", "example": 1 }, "KEY_VALUE_STORE_LISTS": { "type": "integer", "example": 0 }, "REQUEST_QUEUE_READS": { "type": "integer", "example": 0 }, "REQUEST_QUEUE_WRITES": { "type": "integer", "example": 0 }, "DATA_TRANSFER_INTERNAL_GBYTES": { "type": "integer", "example": 0 }, "DATA_TRANSFER_EXTERNAL_GBYTES": { "type": "integer", "example": 0 }, "PROXY_RESIDENTIAL_TRANSFER_GBYTES": { "type": "integer", "example": 0 }, "PROXY_SERPS": { "type": "integer", "example": 0 } } }, "usageTotalUsd": { "type": "number", "example": 0.00005 }, "usageUsd": { "type": "object", "properties": { "ACTOR_COMPUTE_UNITS": { "type": "integer", "example": 0 }, "DATASET_READS": { "type": "integer", "example": 0 }, "DATASET_WRITES": { "type": "integer", "example": 0 }, "KEY_VALUE_STORE_READS": { "type": "integer", "example": 0 }, "KEY_VALUE_STORE_WRITES": { "type": "number", "example": 0.00005 }, "KEY_VALUE_STORE_LISTS": { "type": "integer", "example": 0 }, "REQUEST_QUEUE_READS": { "type": "integer", "example": 0 }, "REQUEST_QUEUE_WRITES": { "type": "integer", "example": 0 }, "DATA_TRANSFER_INTERNAL_GBYTES": { "type": "integer", "example": 0 }, "DATA_TRANSFER_EXTERNAL_GBYTES": { "type": "integer", "example": 0 }, "PROXY_RESIDENTIAL_TRANSFER_GBYTES": { "type": "integer", "example": 0 }, "PROXY_SERPS": { "type": "integer", "example": 0 } } } } } } } } } } ```