# SBOM Vulnerability Scanner — Lockfile CVE Scan (OSV/KEV) (`malonestar/sbom-vulnerability-rollup`) Actor

SBOM vulnerability scanner: paste an npm, pip or go lockfile and get a prioritized CVE report with upgrade targets. Batch-queries OSV.dev, flags CISA KEV known-exploited vulns, adds NVD CVSS, and computes the minimum fix version per package plus a severity rollup. Keyless.

- **URL**: https://apify.com/malonestar/sbom-vulnerability-rollup.md
- **Developed by:** [Kyle Maloney](https://apify.com/malonestar) (community)
- **Categories:** Developer tools, AI, Agents
- **Stats:** 2 total users, 0 monthly users, 75.0% runs succeeded, 0 bookmarks
- **User rating**: No ratings yet

## Pricing

from $20.00 / 1,000 results

This Actor is paid per event. You are not charged for the Apify platform usage, but only a fixed price for specific events.

Learn more: https://docs.apify.com/platform/actors/running/actors-in-store#pay-per-event

## What's an Apify Actor?

Actors are a software tools running on the Apify platform, for all kinds of web data extraction and automation use cases.
In Batch mode, an Actor accepts a well-defined JSON input, performs an action which can take anything from a few seconds to a few hours,
and optionally produces a well-defined JSON output, datasets with results, or files in key-value store.
In Standby mode, an Actor provides a web server which can be used as a website, API, or an MCP server.
Actors are written with capital "A".

## How to integrate an Actor?

If asked about integration, you help developers integrate Actors into their projects.
You adapt to their stack and deliver integrations that are safe, well-documented, and production-ready.
The best way to integrate Actors is as follows.

In JavaScript/TypeScript projects, use official [JavaScript/TypeScript client](https://docs.apify.com/api/client/js.md):

```bash
npm install apify-client
```

In Python projects, use official [Python client library](https://docs.apify.com/api/client/python.md):

```bash
pip install apify-client
```

In shell scripts, use [Apify CLI](https://docs.apify.com/cli/docs.md):

````bash
# MacOS / Linux
curl -fsSL https://apify.com/install-cli.sh | bash
# Windows
irm https://apify.com/install-cli.ps1 | iex
```bash

In AI frameworks, you might use the [Apify MCP server](https://docs.apify.com/platform/integrations/mcp.md).

If your project is in a different language, use the [REST API](https://docs.apify.com/api/v2.md).

For usage examples, see the [API](#api) section below.

For more details, see Apify documentation as [Markdown index](https://docs.apify.com/llms.txt) and [Markdown full-text](https://docs.apify.com/llms-full.txt).


# README

## SBOM Vulnerability Scanner — Lockfile CVE Scan & Upgrade Targets (OSV/NVD/KEV)

Paste a dependency **lockfile** and get a prioritized **CVE / vulnerability
report with upgrade targets**. This **SBOM vulnerability scanner** batch-queries
**OSV.dev**, flags **CISA KEV** known-exploited vulns, adds **NVD CVSS** scores,
and computes the **minimum fix version** per package plus a severity rollup.
Existing OSV actors echo raw records — this one does the transform that's the value.

### Who it's for
- **DevSecOps & AppSec** engineers scanning dependencies in CI.
- **Security & compliance** teams producing SBOM vulnerability reports.
- **Platform / SRE** teams prioritizing which upgrades actually matter.
- **AI coding agents** needing a "scan this lockfile for CVEs" tool.

### What it does
1. **Parses a manifest** into `{package, version, ecosystem}` — `package-lock.json`
   / `package.json` (npm), `requirements.txt` (PyPI), or `go.mod` (Go), or a
   direct `dependencies` array.
2. **Batch-queries OSV.dev** for known vulnerabilities and full details.
3. **Enriches** each finding with the **CISA KEV** known-exploited flag and,
   optionally, **NVD CVSS**.
4. **Computes upgrade targets** — the minimum fix version per package — plus a
   severity rollup (critical/high/medium/low, KEV-exploited, fixable counts).

### Example input
```json
{
  "manifestContent": "<paste your package-lock.json here>",
  "manifestFormat": "auto",
  "includeNvd": false,
  "maxPackages": 2000
}
````

### Output

One `summary` row (severity rollup) then one `vulnerability` row per vulnerable
package: `package`, `ecosystem`, `installed_version`, `dependency_type`,
`vulnerability_id`, `aliases` (CVEs), `severity`, `cvss_score`, `kev_exploited`,
`fixed_version` (upgrade target), `fix_available`, `references`, `osv_url`.

### Use as an MCP tool

Exposed to AI coding agents via `mcp.apify.com` as a "scan lockfile for
vulnerabilities" tool — paste a lockfile, get a prioritized fix list back.

### FAQ

**Which ecosystems?** npm, PyPI (pip), and Go. **What data sources?** OSV.dev +
CISA KEV + optional NVD CVSS — all keyless. **What's the upgrade target?** The
minimum fixed version that's an upgrade from what you have. **Does a clean
manifest cost much?** No — it emits only the summary row.

### Data sources (all keyless, no anti-bot)

**OSV.dev** (`/v1/querybatch` + `/v1/vulns/{id}`), **CISA KEV** catalog, and
**NVD** CVSS (optional, fail-soft).

### Pricing (Pay Per Result)

Billed per dataset record returned (one summary row + one row per vulnerable
package). A clean manifest emits only the summary row.

# Actor input Schema

## `manifestContent` (type: `string`):

Paste the full text of a dependency manifest to scan: an npm package-lock.json (or package.json), a Python requirements.txt, or a Go go.mod. The actor parses it into {package, version, ecosystem} tuples and queries OSV.dev. Leave blank if you supply the 'Dependencies' array instead.

## `manifestFormat` (type: `string`):

Format of the pasted manifest. 'auto' detects it from the content (JSON -> npm, name==version lines -> pip, module/require -> go). Set explicitly to override detection.

## `dependencies` (type: `array`):

Optional explicit list of dependencies to scan, bypassing manifest parsing. Each item is {"name","version","ecosystem"}. Ecosystems: npm, PyPI, Go, Maven, RubyGems, crates.io, NuGet, Packagist. IMPORTANT: Maven names must be the full "groupId:artifactId" coordinate (e.g. "org.apache.logging.log4j:log4j-core", not "log4j-core"); Go uses the full module path. Takes precedence over 'Manifest content' when non-empty.

## `includeNvd` (type: `boolean`):

When enabled, best-effort enrich each CVE with an NVD CVSS base score and severity. NVD is keyless but rate-limited, so this is fail-soft: failures are skipped and OSV/GitHub severity is used instead. Leave off for faster, lighter runs.

## `maxPackages` (type: `integer`):

Maximum number of dependency tuples to query against OSV. Larger manifests are truncated to this cap to bound run time and cost.

## Actor input object example

```json
{
  "manifestFormat": "auto",
  "dependencies": [
    {
      "name": "lodash",
      "version": "4.17.15",
      "ecosystem": "npm"
    },
    {
      "name": "org.apache.logging.log4j:log4j-core",
      "version": "2.14.1",
      "ecosystem": "Maven"
    }
  ],
  "includeNvd": false,
  "maxPackages": 2000
}
```

# Actor output Schema

## `results` (type: `string`):

Per-package vulnerability findings with upgrade targets, KEV flags, and a severity rollup.

# API

You can run this Actor programmatically using our API. Below are code examples in JavaScript, Python, and CLI, as well as the OpenAPI specification and MCP server setup.

## JavaScript example

```javascript
import { ApifyClient } from 'apify-client';

// Initialize the ApifyClient with your Apify API token
// Replace the '<YOUR_API_TOKEN>' with your token
const client = new ApifyClient({
    token: '<YOUR_API_TOKEN>',
});

// Prepare Actor input
const input = {
    "dependencies": [
        {
            "name": "lodash",
            "version": "4.17.15",
            "ecosystem": "npm"
        },
        {
            "name": "org.apache.logging.log4j:log4j-core",
            "version": "2.14.1",
            "ecosystem": "Maven"
        }
    ]
};

// Run the Actor and wait for it to finish
const run = await client.actor("malonestar/sbom-vulnerability-rollup").call(input);

// Fetch and print Actor results from the run's dataset (if any)
console.log('Results from dataset');
console.log(`💾 Check your data here: https://console.apify.com/storage/datasets/${run.defaultDatasetId}`);
const { items } = await client.dataset(run.defaultDatasetId).listItems();
items.forEach((item) => {
    console.dir(item);
});

// 📚 Want to learn more 📖? Go to → https://docs.apify.com/api/client/js/docs

```

## Python example

```python
from apify_client import ApifyClient

# Initialize the ApifyClient with your Apify API token
# Replace '<YOUR_API_TOKEN>' with your token.
client = ApifyClient("<YOUR_API_TOKEN>")

# Prepare the Actor input
run_input = { "dependencies": [
        {
            "name": "lodash",
            "version": "4.17.15",
            "ecosystem": "npm",
        },
        {
            "name": "org.apache.logging.log4j:log4j-core",
            "version": "2.14.1",
            "ecosystem": "Maven",
        },
    ] }

# Run the Actor and wait for it to finish
run = client.actor("malonestar/sbom-vulnerability-rollup").call(run_input=run_input)

# Fetch and print Actor results from the run's dataset (if there are any)
print("💾 Check your data here: https://console.apify.com/storage/datasets/" + run["defaultDatasetId"])
for item in client.dataset(run["defaultDatasetId"]).iterate_items():
    print(item)

# 📚 Want to learn more 📖? Go to → https://docs.apify.com/api/client/python/docs/quick-start

```

## CLI example

```bash
echo '{
  "dependencies": [
    {
      "name": "lodash",
      "version": "4.17.15",
      "ecosystem": "npm"
    },
    {
      "name": "org.apache.logging.log4j:log4j-core",
      "version": "2.14.1",
      "ecosystem": "Maven"
    }
  ]
}' |
apify call malonestar/sbom-vulnerability-rollup --silent --output-dataset

```

## MCP server setup

```json
{
    "mcpServers": {
        "apify": {
            "command": "npx",
            "args": [
                "mcp-remote",
                "https://mcp.apify.com/?tools=malonestar/sbom-vulnerability-rollup",
                "--header",
                "Authorization: Bearer <YOUR_API_TOKEN>"
            ]
        }
    }
}

```

## OpenAPI specification

```json
{
    "openapi": "3.0.1",
    "info": {
        "title": "SBOM Vulnerability Scanner — Lockfile CVE Scan (OSV/KEV)",
        "description": "SBOM vulnerability scanner: paste an npm, pip or go lockfile and get a prioritized CVE report with upgrade targets. Batch-queries OSV.dev, flags CISA KEV known-exploited vulns, adds NVD CVSS, and computes the minimum fix version per package plus a severity rollup. Keyless.",
        "version": "1.0",
        "x-build-id": "kIaqnbOBfvruuvagX"
    },
    "servers": [
        {
            "url": "https://api.apify.com/v2"
        }
    ],
    "paths": {
        "/acts/malonestar~sbom-vulnerability-rollup/run-sync-get-dataset-items": {
            "post": {
                "operationId": "run-sync-get-dataset-items-malonestar-sbom-vulnerability-rollup",
                "x-openai-isConsequential": false,
                "summary": "Executes an Actor, waits for its completion, and returns Actor's dataset items in response.",
                "tags": [
                    "Run Actor"
                ],
                "requestBody": {
                    "required": true,
                    "content": {
                        "application/json": {
                            "schema": {
                                "$ref": "#/components/schemas/inputSchema"
                            }
                        }
                    }
                },
                "parameters": [
                    {
                        "name": "token",
                        "in": "query",
                        "required": true,
                        "schema": {
                            "type": "string"
                        },
                        "description": "Enter your Apify token here"
                    }
                ],
                "responses": {
                    "200": {
                        "description": "OK"
                    }
                }
            }
        },
        "/acts/malonestar~sbom-vulnerability-rollup/runs": {
            "post": {
                "operationId": "runs-sync-malonestar-sbom-vulnerability-rollup",
                "x-openai-isConsequential": false,
                "summary": "Executes an Actor and returns information about the initiated run in response.",
                "tags": [
                    "Run Actor"
                ],
                "requestBody": {
                    "required": true,
                    "content": {
                        "application/json": {
                            "schema": {
                                "$ref": "#/components/schemas/inputSchema"
                            }
                        }
                    }
                },
                "parameters": [
                    {
                        "name": "token",
                        "in": "query",
                        "required": true,
                        "schema": {
                            "type": "string"
                        },
                        "description": "Enter your Apify token here"
                    }
                ],
                "responses": {
                    "200": {
                        "description": "OK",
                        "content": {
                            "application/json": {
                                "schema": {
                                    "$ref": "#/components/schemas/runsResponseSchema"
                                }
                            }
                        }
                    }
                }
            }
        },
        "/acts/malonestar~sbom-vulnerability-rollup/run-sync": {
            "post": {
                "operationId": "run-sync-malonestar-sbom-vulnerability-rollup",
                "x-openai-isConsequential": false,
                "summary": "Executes an Actor, waits for completion, and returns the OUTPUT from Key-value store in response.",
                "tags": [
                    "Run Actor"
                ],
                "requestBody": {
                    "required": true,
                    "content": {
                        "application/json": {
                            "schema": {
                                "$ref": "#/components/schemas/inputSchema"
                            }
                        }
                    }
                },
                "parameters": [
                    {
                        "name": "token",
                        "in": "query",
                        "required": true,
                        "schema": {
                            "type": "string"
                        },
                        "description": "Enter your Apify token here"
                    }
                ],
                "responses": {
                    "200": {
                        "description": "OK"
                    }
                }
            }
        }
    },
    "components": {
        "schemas": {
            "inputSchema": {
                "type": "object",
                "properties": {
                    "manifestContent": {
                        "title": "Manifest content",
                        "type": "string",
                        "description": "Paste the full text of a dependency manifest to scan: an npm package-lock.json (or package.json), a Python requirements.txt, or a Go go.mod. The actor parses it into {package, version, ecosystem} tuples and queries OSV.dev. Leave blank if you supply the 'Dependencies' array instead."
                    },
                    "manifestFormat": {
                        "title": "Manifest format",
                        "enum": [
                            "auto",
                            "npm",
                            "pip",
                            "go"
                        ],
                        "type": "string",
                        "description": "Format of the pasted manifest. 'auto' detects it from the content (JSON -> npm, name==version lines -> pip, module/require -> go). Set explicitly to override detection.",
                        "default": "auto"
                    },
                    "dependencies": {
                        "title": "Dependencies (direct input)",
                        "type": "array",
                        "description": "Optional explicit list of dependencies to scan, bypassing manifest parsing. Each item is {\"name\",\"version\",\"ecosystem\"}. Ecosystems: npm, PyPI, Go, Maven, RubyGems, crates.io, NuGet, Packagist. IMPORTANT: Maven names must be the full \"groupId:artifactId\" coordinate (e.g. \"org.apache.logging.log4j:log4j-core\", not \"log4j-core\"); Go uses the full module path. Takes precedence over 'Manifest content' when non-empty."
                    },
                    "includeNvd": {
                        "title": "Include NVD CVSS enrichment",
                        "type": "boolean",
                        "description": "When enabled, best-effort enrich each CVE with an NVD CVSS base score and severity. NVD is keyless but rate-limited, so this is fail-soft: failures are skipped and OSV/GitHub severity is used instead. Leave off for faster, lighter runs.",
                        "default": false
                    },
                    "maxPackages": {
                        "title": "Max packages",
                        "minimum": 1,
                        "maximum": 20000,
                        "type": "integer",
                        "description": "Maximum number of dependency tuples to query against OSV. Larger manifests are truncated to this cap to bound run time and cost.",
                        "default": 2000
                    }
                }
            },
            "runsResponseSchema": {
                "type": "object",
                "properties": {
                    "data": {
                        "type": "object",
                        "properties": {
                            "id": {
                                "type": "string"
                            },
                            "actId": {
                                "type": "string"
                            },
                            "userId": {
                                "type": "string"
                            },
                            "startedAt": {
                                "type": "string",
                                "format": "date-time",
                                "example": "2025-01-08T00:00:00.000Z"
                            },
                            "finishedAt": {
                                "type": "string",
                                "format": "date-time",
                                "example": "2025-01-08T00:00:00.000Z"
                            },
                            "status": {
                                "type": "string",
                                "example": "READY"
                            },
                            "meta": {
                                "type": "object",
                                "properties": {
                                    "origin": {
                                        "type": "string",
                                        "example": "API"
                                    },
                                    "userAgent": {
                                        "type": "string"
                                    }
                                }
                            },
                            "stats": {
                                "type": "object",
                                "properties": {
                                    "inputBodyLen": {
                                        "type": "integer",
                                        "example": 2000
                                    },
                                    "rebootCount": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "restartCount": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "resurrectCount": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "computeUnits": {
                                        "type": "integer",
                                        "example": 0
                                    }
                                }
                            },
                            "options": {
                                "type": "object",
                                "properties": {
                                    "build": {
                                        "type": "string",
                                        "example": "latest"
                                    },
                                    "timeoutSecs": {
                                        "type": "integer",
                                        "example": 300
                                    },
                                    "memoryMbytes": {
                                        "type": "integer",
                                        "example": 1024
                                    },
                                    "diskMbytes": {
                                        "type": "integer",
                                        "example": 2048
                                    }
                                }
                            },
                            "buildId": {
                                "type": "string"
                            },
                            "defaultKeyValueStoreId": {
                                "type": "string"
                            },
                            "defaultDatasetId": {
                                "type": "string"
                            },
                            "defaultRequestQueueId": {
                                "type": "string"
                            },
                            "buildNumber": {
                                "type": "string",
                                "example": "1.0.0"
                            },
                            "containerUrl": {
                                "type": "string"
                            },
                            "usage": {
                                "type": "object",
                                "properties": {
                                    "ACTOR_COMPUTE_UNITS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "DATASET_READS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "DATASET_WRITES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "KEY_VALUE_STORE_READS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "KEY_VALUE_STORE_WRITES": {
                                        "type": "integer",
                                        "example": 1
                                    },
                                    "KEY_VALUE_STORE_LISTS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "REQUEST_QUEUE_READS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "REQUEST_QUEUE_WRITES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "DATA_TRANSFER_INTERNAL_GBYTES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "DATA_TRANSFER_EXTERNAL_GBYTES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "PROXY_RESIDENTIAL_TRANSFER_GBYTES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "PROXY_SERPS": {
                                        "type": "integer",
                                        "example": 0
                                    }
                                }
                            },
                            "usageTotalUsd": {
                                "type": "number",
                                "example": 0.00005
                            },
                            "usageUsd": {
                                "type": "object",
                                "properties": {
                                    "ACTOR_COMPUTE_UNITS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "DATASET_READS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "DATASET_WRITES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "KEY_VALUE_STORE_READS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "KEY_VALUE_STORE_WRITES": {
                                        "type": "number",
                                        "example": 0.00005
                                    },
                                    "KEY_VALUE_STORE_LISTS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "REQUEST_QUEUE_READS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "REQUEST_QUEUE_WRITES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "DATA_TRANSFER_INTERNAL_GBYTES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "DATA_TRANSFER_EXTERNAL_GBYTES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "PROXY_RESIDENTIAL_TRANSFER_GBYTES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "PROXY_SERPS": {
                                        "type": "integer",
                                        "example": 0
                                    }
                                }
                            }
                        }
                    }
                }
            }
        }
    }
}
```
