# Scan npm dependencies for known CVEs (OSV + CISA KEV)

**Use case:** 

Paste a dependency list and get every known vulnerability with severity, CISA KEV flag, and fixed version — an instant SBOM risk report.

## Input

```json
{
  "manifestFormat": "auto",
  "dependencies": [
    {
      "name": "lodash",
      "version": "4.17.15",
      "ecosystem": "npm"
    },
    {
      "name": "org.apache.logging.log4j:log4j-core",
      "version": "2.14.1",
      "ecosystem": "Maven"
    }
  ],
  "includeNvd": false,
  "maxPackages": 2000
}
```

## Output

```json
{
  "package": {
    "label": "Package",
    "format": "string"
  },
  "ecosystem": {
    "label": "Ecosystem",
    "format": "string"
  },
  "installed_version": {
    "label": "Installed version",
    "format": "string"
  },
  "severity": {
    "label": "Severity",
    "format": "string"
  },
  "cvss_score": {
    "label": "CVSS score",
    "format": "number"
  },
  "kev_exploited": {
    "label": "KEV exploited",
    "format": "boolean"
  },
  "fixed_version": {
    "label": "Fixed version (upgrade target)",
    "format": "string"
  },
  "fix_available": {
    "label": "Fix available",
    "format": "boolean"
  },
  "vulnerability_id": {
    "label": "Vulnerability ID",
    "format": "string"
  },
  "osv_url": {
    "label": "OSV URL",
    "format": "string"
  }
}
```

## About this Actor

This example demonstrates how to use [SBOM Vulnerability Scanner — Lockfile CVE Scan (OSV/KEV)](https://apify.com/malonestar/sbom-vulnerability-rollup) with a specific input configuration. Visit the [Actor detail page](https://apify.com/malonestar/sbom-vulnerability-rollup) to learn more, explore other use cases, and run it yourself.