# OSV Open Source Vulnerabilities Scraper (`parseforge/osv-vulnerabilities-scraper`) Actor Query the OSV.dev open-source vulnerabilities database. Search by package (PyPI/npm/Go/Maven/RubyGems/crates.io/NuGet/Packagist), commit hash, or fetch a specific vulnerability by ID. Returns affected ranges, CVE aliases, severity, and references. - **URL**: https://apify.com/parseforge/osv-vulnerabilities-scraper.md - **Developed by:** [ParseForge](https://apify.com/parseforge) (community) - **Categories:** Developer tools, Business, Automation - **Stats:** 2 total users, 1 monthly users, 100.0% runs succeeded, NaN bookmarks - **User rating**: No ratings yet ## Pricing from $22.87 / 1,000 results This Actor is paid per event. You are not charged for the Apify platform usage, but only a fixed price for specific events. Since this Actor supports Apify Store discounts, the price gets lower the higher subscription plan you have. Learn more: https://docs.apify.com/platform/actors/running/actors-in-store#pay-per-event ## What's an Apify Actor? Actors are a software tools running on the Apify platform, for all kinds of web data extraction and automation use cases. In Batch mode, an Actor accepts a well-defined JSON input, performs an action which can take anything from a few seconds to a few hours, and optionally produces a well-defined JSON output, datasets with results, or files in key-value store. In Standby mode, an Actor provides a web server which can be used as a website, API, or an MCP server. Actors are written with capital "A". ## How to integrate an Actor? If asked about integration, you help developers integrate Actors into their projects. You adapt to their stack and deliver integrations that are safe, well-documented, and production-ready. The best way to integrate Actors is as follows. In JavaScript/TypeScript projects, use official [JavaScript/TypeScript client](https://docs.apify.com/api/client/js.md): ```bash npm install apify-client ``` In Python projects, use official [Python client library](https://docs.apify.com/api/client/python.md): ```bash pip install apify-client ``` In shell scripts, use [Apify CLI](https://docs.apify.com/cli/docs.md): ````bash # MacOS / Linux curl -fsSL https://apify.com/install-cli.sh | bash # Windows irm https://apify.com/install-cli.ps1 | iex ```bash In AI frameworks, you might use the [Apify MCP server](https://docs.apify.com/platform/integrations/mcp.md). If your project is in a different language, use the [REST API](https://docs.apify.com/api/v2.md). For usage examples, see the [API](#api) section below. For more details, see Apify documentation as [Markdown index](https://docs.apify.com/llms.txt) and [Markdown full-text](https://docs.apify.com/llms-full.txt). # README ![ParseForge Banner](https://github.com/ParseForge/apify-assets/blob/main/banners/banner-default.jpg?raw=true) ## ๐Ÿ“ฆ OSV Vulnerabilities Scraper > ๐Ÿš€ **Export open source vulnerability data in seconds.** Pull advisories from the **OSV.dev** catalogue covering **30+ ecosystems** including PyPI, npm, Go, Maven, RubyGems, crates.io, NuGet, Packagist, and major Linux distributions. No sign-up, no token, no manual pagination. > ๐Ÿ•’ **Last updated:** 2026-05-15 ยท **๐Ÿ“Š 16 fields** per record ยท **๐Ÿ“ฆ 200,000+ advisories** ยท **๐ŸŒ 30+ ecosystems** ยท **๐Ÿ”— Cross-database aliases** The **OSV Vulnerabilities Scraper** pulls open source vulnerability records from the OSV.dev community catalogue and returns **16 normalised fields per record**, including affected package ranges, severity scores, cross-database aliases (GHSA, CVE, PYSEC, RUSTSEC, GO, OSV-xxxx), patched version events, references, and credits. The underlying catalogue is the de facto open source vulnerability database, aggregating data from GitHub, PyPA, RustSec, Go vulnerability database, OSS-Fuzz, and dozens of distro security teams. The catalogue covers **30+ package ecosystems** from language registries (PyPI, npm, Go, Maven, RubyGems, crates.io, NuGet, Packagist, Hex, Pub, Hackage) to operating system distributions (Debian, Ubuntu, Alpine, Rocky, AlmaLinux, SUSE, openSUSE, Wolfi, Chainguard) plus Bioconductor and CRAN for R. This Actor makes that data downloadable as CSV, Excel, JSON, or XML in minutes. Filters apply at the source, so you skip pagination, deduplication, and ecosystem-specific quirks entirely. | ๐ŸŽฏ Target Audience | ๐Ÿ’ก Primary Use Cases | |---|---| | DevSecOps teams, SBOM tool builders, open source maintainers, package registry operators, supply-chain security vendors, container security teams | Dependency scanning, SBOM enrichment, package risk reports, ecosystem trend analysis, cross-database aliasing, container vulnerability triage | --- ### ๐Ÿ“‹ What the OSV Vulnerabilities Scraper does Three workflows in a single Actor: - ๐Ÿ“ฆ **Package query.** Look up every advisory affecting a package, optionally pinned to a version (e.g. `requests` on PyPI, `lodash` on npm, `log4j-core` on Maven). - ๐Ÿ” **Commit query.** Search by Git commit SHA to surface vulnerabilities introduced in a specific revision. - ๐Ÿ†” **Vulnerability ID lookup.** Fetch a single record or a batch of records by their identifier (GHSA-xxxx, CVE-xxxx, PYSEC-xxxx, RUSTSEC-xxxx, GO-xxxx, OSV-xxxx). Each record includes the OSV ID, summary and full details, all known cross-database aliases, affected package list with version ranges and PURLs, severity entries with CVSS vectors, references, and credits. > ๐Ÿ’ก **Why it matters:** SBOMs are only useful when paired with a fresh vulnerability feed. Building your own ingestion means handling 30+ ecosystem schemas, alias deduplication, version-range parsing, and the OSV pagination model. This Actor skips all of that and gives you a clean, downloadable dataset. --- ### ๐ŸŽฌ Full Demo _๐Ÿšง Coming soon: a 3-minute walkthrough showing how to go from sign-up to a downloaded vulnerability dataset._ --- ### โš™๏ธ Input
InputTypeDefaultBehavior
modeenum"query"query searches by package or commit, byId fetches by vulnerability ID.
packageNamestring""Package to look up (e.g. requests, lodash).
ecosystemenum""One of 30 ecosystems. Empty for cross-ecosystem search.
packageVersionstring""Pin to a version. Without a package, returns vulnerabilities affecting that version across packages.
commitstring""Git commit SHA to search by.
vulnerabilityIdstring""Single vulnerability ID for mode=byId.
vulnerabilityIdsstring[][]Batch list of IDs (recommended max ~100 per run).
maxItemsinteger10Records to return. Free plan caps at 10, paid plan at 1,000,000.
**Example: every advisory affecting npm `lodash`.** ```json { "mode": "query", "packageName": "lodash", "ecosystem": "npm", "maxItems": 100 } ```` **Example: batch lookup of the Log4Shell aliases.** ```json { "mode": "byId", "vulnerabilityIds": ["GHSA-jfh8-c2jp-5v3q", "CVE-2021-44228", "GHSA-7rjr-3q55-vv33"] } ``` > โš ๏ธ **Good to Know:** OSV records use cross-database aliases, so the same vulnerability can appear under several IDs (e.g. `GHSA-jfh8-c2jp-5v3q` aliases `CVE-2021-44228`). When you batch-fetch related IDs, expect duplicate records pointing to the same root advisory. *** ### ๐Ÿ“Š Output Each record contains **16 fields**. Download the dataset as CSV, Excel, JSON, or XML. #### ๐Ÿงพ Schema | Field | Type | Example | |---|---|---| | ๐Ÿ†” `id` | string | `"GHSA-jfh8-c2jp-5v3q"` | | ๐Ÿ”— `url` | string | `"https://osv.dev/vulnerability/GHSA-jfh8-c2jp-5v3q"` | | ๐Ÿ“ `summary` | string | null | `"Remote code injection in Log4j"` | | ๐Ÿ“„ `details` | string | null | `"Apache Log4j2 versions 2.0-beta9 through 2.15.0..."` | | ๐Ÿ”— `aliases` | string\[] | `["CVE-2021-44228"]` | | ๐Ÿ”— `related` | string\[] | `["CVE-2021-45046"]` | | ๐Ÿ•’ `modified` | ISO 8601 | null | `"2025-01-14T08:36:01Z"` | | ๐Ÿ“… `published` | ISO 8601 | null | `"2021-12-10T00:00:35Z"` | | ๐Ÿšซ `withdrawn` | ISO 8601 | null | `null` | | ๐Ÿงฑ `schema_version` | string | null | `"1.4.0"` | | ๐Ÿ“ฆ `affected` | object\[] | `[{ "package": { "ecosystem": "Maven", "name": "org.apache.logging.log4j:log4j-core" }, "ranges": [...] }]` | | ๐Ÿชช `purls` | string\[] | `["pkg:maven/org.apache.logging.log4j/log4j-core"]` | | ๐Ÿ“š `references` | object\[] | `[{ "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44228" }]` | | ๐ŸŽฏ `severity` | object\[] | `[{ "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H" }]` | | ๐ŸŽฏ `maxSeverityScore` | number | null | `null` | | ๐Ÿ™Œ `credits` | object\[] | null | `[{ "name": "Chen Zhaojun" }]` | | ๐Ÿ•’ `scrapedAt` | ISO 8601 | `"2026-05-15T00:00:00.000Z"` | #### ๐Ÿ“ฆ Sample record
๐Ÿ”ฅ Log4Shell on Maven (GHSA-jfh8-c2jp-5v3q) ```json { "id": "GHSA-jfh8-c2jp-5v3q", "url": "https://osv.dev/vulnerability/GHSA-jfh8-c2jp-5v3q", "summary": "Remote code injection in Log4j", "details": "Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints.", "aliases": ["CVE-2021-44228"], "related": [], "modified": "2025-01-14T08:36:01Z", "published": "2021-12-10T00:00:35Z", "schema_version": "1.4.0", "affected": [{ "package": { "ecosystem": "Maven", "name": "org.apache.logging.log4j:log4j-core", "purl": "pkg:maven/org.apache.logging.log4j/log4j-core" }, "ranges": [{ "type": "ECOSYSTEM", "events": [ { "introduced": "2.0-beta9" }, { "fixed": "2.3.2" } ] }] }], "purls": ["pkg:maven/org.apache.logging.log4j/log4j-core"], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44228" }, { "type": "WEB", "url": "https://logging.apache.org/log4j/2.x/security.html" } ], "severity": [{ "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H" }], "maxSeverityScore": null, "scrapedAt": "2026-05-15T00:00:00.000Z" } ```
*** ### โœจ Why choose this Actor | | Capability | |---|---| | ๐Ÿ“ฆ | **30+ ecosystems.** PyPI, npm, Go, Maven, RubyGems, crates.io, NuGet, Packagist, Hex, Pub, Hackage, GitHub Actions, plus Linux distros and R registries. | | ๐Ÿ”— | **Cross-database aliases.** GHSA, CVE, PYSEC, RUSTSEC, GO, OSV-xxxx all surfaced in one record. | | ๐Ÿชช | **PURL identifiers.** Each affected package is tagged with a Package URL ready to join with SBOM tools. | | ๐Ÿ“ | **Structured version ranges.** ECOSYSTEM, SEMVER, and GIT range types with introduced / fixed events. | | ๐ŸŽฏ | **Severity vectors.** CVSS v2 / v3 / v4 strings preserved verbatim from the source. | | ๐Ÿ” | **Always fresh.** Every run hits the live OSV catalogue, so the dataset reflects current entries. | | ๐Ÿšซ | **No sign-up.** Works with public open source security data. No login or token needed. | > ๐Ÿ“Š OSV is the de facto open source vulnerability database. Owning a clean local copy is a multiplier for SBOM tooling, dependency scanners, and supply-chain risk dashboards. *** ### ๐Ÿ“ˆ How it compares to alternatives | Approach | Cost | Coverage | Refresh | Ecosystems | Setup | |---|---|---|---|---|---| | **โญ OSV Vulnerabilities Scraper** *(this Actor)* | $5 free credit, then pay-per-use | **200,000+ records** | **Live per run** | 30+ | โšก 2 min | | Commercial SCA platforms | $20,000+/year | Curated subset | Streaming | 5-15 | โณ Days | | Single-ecosystem feeds | Free | Subset | Variable | 1 | ๐Ÿ› ๏ธ Hours | | Self-built ingestion | Engineering time | Full | Custom | Custom | ๐Ÿข Weeks | Pick this Actor when you want broad ecosystem coverage with cross-database aliases and no parser maintenance. *** ### ๐Ÿš€ How to use 1. ๐Ÿ“ **Sign up.** [Create a free account with $5 credit](https://console.apify.com/sign-up?fpr=vmoqkp) (takes 2 minutes). 2. ๐ŸŒ **Open the Actor.** Go to the OSV Vulnerabilities Scraper page on the Apify Store. 3. ๐ŸŽฏ **Set input.** Pick a mode, enter a package + ecosystem, a commit SHA, or a vulnerability ID, then set `maxItems`. 4. ๐Ÿš€ **Run it.** Click **Start** and let the Actor collect your data. 5. ๐Ÿ“ฅ **Download.** Grab your results in the **Dataset** tab as CSV, Excel, JSON, or XML. > โฑ๏ธ Total time from signup to downloaded dataset: **3-5 minutes.** No coding required. *** ### ๐Ÿ’ผ Business use cases
#### ๐Ÿ› ๏ธ DevSecOps & SBOM - Daily SBOM enrichment with vulnerability metadata - CI gate that fails builds when dependencies have known fixes - PURL-based joins between asset inventory and OSV records - Alert when patched versions land for tracked dependencies #### ๐Ÿ“ฆ Package Registry Operators - Surface advisories on package detail pages - Notify maintainers when their package gets a new advisory - Build ecosystem-wide vulnerability trend dashboards - Cross-link aliases across CVE / GHSA / OSV identifiers
#### ๐Ÿณ Container & Image Security - Scan distro layers (Debian, Ubuntu, Alpine, Wolfi) against OSV - Build image-risk reports filtered by base OS - Track Wolfi and Chainguard advisories for hardened images - Continuous monitoring of running container fleets #### ๐Ÿ” Supply-Chain Risk Analysis - Vendor due-diligence reports based on dependency graphs - Open-source risk scoring for procurement teams - M\&A technical due diligence on target codebases - Insurance underwriting models for cyber risk
*** ### ๐Ÿ”Œ Automating OSV Vulnerabilities Scraper Control the scraper programmatically for scheduled runs and pipeline integrations: - ๐ŸŸข **Node.js.** Install the `apify-client` NPM package. - ๐Ÿ **Python.** Use the `apify-client` PyPI package. - ๐Ÿ“š See the [Apify documentation](https://docs.apify.com/) for full details. The [Apify Schedules feature](https://docs.apify.com/platform/schedules) lets you trigger this Actor on any cron interval. Hourly, daily, or weekly refreshes keep your downstream SBOM tooling and dependency scanners in sync automatically. *** ### ๐ŸŒŸ Beyond business use cases Data like this powers more than commercial workflows. The same structured records support research, education, civic projects, and personal initiatives.
#### ๐ŸŽ“ Research and academia - Open source ecosystem vulnerability studies - Cross-ecosystem co-occurrence and aliasing research - Coursework on supply-chain security and SBOM tooling - Reproducible studies with cited, versioned dataset pulls #### ๐ŸŽจ Personal and creative - Hobbyist dependency dashboards for your own projects - Newsletter research on the latest open source advisories - Portfolio projects that show off security data engineering - Personal alerting bots for libraries you maintain
#### ๐Ÿค Non-profit and civic - Open-source maintainers monitoring their package risk - Civic-tech projects mapping vulnerability exposure - Educational outreach for open-source security literacy - Community advocacy around responsible disclosure #### ๐Ÿงช Experimentation - Train ML models on advisory text and severity - Prototype agent pipelines that summarise advisories - Test SBOM diff tooling against historical waves - Build dashboards on top of live ecosystem feeds
*** ### ๐Ÿค– Ask an AI assistant about this scraper Open a ready-to-send prompt about this ParseForge actor in the AI of your choice: - ๐Ÿ’ฌ [**ChatGPT**](https://chat.openai.com/?q=How%20do%20I%20use%20the%20OSV%20Vulnerabilities%20Scraper%20by%20ParseForge%20on%20Apify%3F%20Show%20me%20input%20examples%2C%20output%20fields%2C%20common%20use%20cases%2C%20and%20how%20to%20integrate%20it%20into%20a%20workflow.) - ๐Ÿง  [**Claude**](https://claude.ai/new?q=How%20do%20I%20use%20the%20OSV%20Vulnerabilities%20Scraper%20by%20ParseForge%20on%20Apify%3F%20Show%20me%20input%20examples%2C%20output%20fields%2C%20common%20use%20cases%2C%20and%20how%20to%20integrate%20it%20into%20a%20workflow.) - ๐Ÿ” [**Perplexity**](https://perplexity.ai/search?q=How%20do%20I%20use%20the%20OSV%20Vulnerabilities%20Scraper%20by%20ParseForge%20on%20Apify%3F%20Show%20me%20input%20examples%2C%20output%20fields%2C%20common%20use%20cases%2C%20and%20how%20to%20integrate%20it%20into%20a%20workflow.) - ๐Ÿ…’ [**Copilot**](https://copilot.microsoft.com/?q=How%20do%20I%20use%20the%20OSV%20Vulnerabilities%20Scraper%20by%20ParseForge%20on%20Apify%3F%20Show%20me%20input%20examples%2C%20output%20fields%2C%20common%20use%20cases%2C%20and%20how%20to%20integrate%20it%20into%20a%20workflow.) *** ### โ“ Frequently Asked Questions #### ๐Ÿงฉ How does it work? Configure your filters in the input form, click Start, and the Actor pulls matching records from the official OSV catalogue, normalises the schema, and emits one clean record per advisory. #### ๐Ÿ“ How accurate is the data? Records are mirror-copies of the OSV catalogue at run time. Affected ranges, severity entries, references, and credits are taken verbatim from the source. #### ๐Ÿ” How often is the dataset refreshed? OSV updates continuously as upstream feeds (GitHub, PyPA, RustSec, Go vulnerability database, distro security teams) publish new entries. Every run reflects the catalogue as of run time. #### ๐ŸŒ Which ecosystems are supported? PyPI, npm, Go, Maven, RubyGems, crates.io, NuGet, Packagist, Hex, Pub, Hackage, GitHub Actions, Linux kernel, plus Debian, Ubuntu, Alpine, Rocky Linux, AlmaLinux, SUSE, openSUSE, Android, ConanCenter, Bitnami, Photon OS, Mageia, Wolfi, Chainguard, Bioconductor and CRAN. Leave the field empty for cross-ecosystem search. #### ๐Ÿ”— Why are the same vulnerabilities listed under multiple IDs? OSV uses cross-database aliasing. The same root advisory may surface as a GHSA on GitHub, a CVE in NVD, a PYSEC in PyPA, and an OSV-xxxx in the OSV namespace. The `aliases` field links them together. #### ๐Ÿชช What is a PURL? PURL (Package URL) is the standard for naming a package across ecosystems, e.g. `pkg:npm/lodash` or `pkg:maven/org.apache.logging.log4j/log4j-core`. PURLs are the canonical join key against most SBOM formats. #### ๐ŸŽฏ Why is `maxSeverityScore` sometimes null? The Actor parses numeric severity scores when the source supplies them as raw numbers. CVSS vector strings (e.g. `CVSS:3.1/AV:N/...`) are preserved in the `severity` array but their base score is not re-derived. Use the vector string with a CVSS calculator if you need the exact number. #### โฐ Can I schedule regular runs? Yes. Use Apify Schedules to run this Actor on any cron interval. A common pattern is a daily schedule that pulls every advisory across the npm and PyPI ecosystems and pushes them into a SBOM tool. #### โš–๏ธ Is this data legal to use? OSV is published under permissive open licensing. You should review the upstream source license for your specific application but raw vulnerability metadata is generally public. #### ๐Ÿ’ณ Do I need a paid Apify plan to use this Actor? No. The free Apify plan is enough for testing and small runs (10 records per run). A paid plan lifts the limit and gives you scheduling, higher concurrency, and larger datasets. #### ๐Ÿ†˜ What if I need help? Our support team is here to help. Contact us through the Apify platform or use the Tally form linked below. *** ### ๐Ÿ”Œ Integrate with any app OSV Vulnerabilities Scraper connects to any cloud service via [Apify integrations](https://apify.com/integrations): - [**Make**](https://docs.apify.com/platform/integrations/make) - Automate multi-step workflows - [**Zapier**](https://docs.apify.com/platform/integrations/zapier) - Connect with 5,000+ apps - [**Slack**](https://docs.apify.com/platform/integrations/slack) - Get advisory alerts in your security channels - [**Airbyte**](https://docs.apify.com/platform/integrations/airbyte) - Pipe OSV data into your warehouse - [**GitHub**](https://docs.apify.com/platform/integrations/github) - Trigger runs from commits and releases - [**Google Drive**](https://docs.apify.com/platform/integrations/drive) - Export datasets straight to Sheets You can also use webhooks to trigger downstream actions when a run finishes. Push fresh advisory data into your SBOM tooling, or alert your team in Slack when a new advisory hits a tracked package. *** ### ๐Ÿ”— Recommended Actors - [**๐Ÿ›ก๏ธ NIST NVD CVE Scraper**](https://apify.com/parseforge/nist-nvd-cve-scraper) - Official NVD catalogue with CVSS v4/v3/v2 scores - [**๐Ÿšจ CISA KEV Scraper**](https://apify.com/parseforge/cisa-kev-scraper) - Known Exploited Vulnerabilities catalogue with due dates - [**๐Ÿ“ˆ EPSS Exploit Prediction Scraper**](https://apify.com/parseforge/epss-exploit-prediction-scraper) - 30-day exploitation probability scores - [**๐Ÿ™ GitHub Security Advisories Scraper**](https://apify.com/parseforge/github-security-advisories-scraper) - GHSA + CVE advisories with patched versions - [**๐Ÿ”ฌ CIRCL CVE Scraper**](https://apify.com/parseforge/circl-cve-scraper) - CIRCL Luxembourg CVE catalogue with CWE and CAPEC > ๐Ÿ’ก **Pro Tip:** browse the complete [ParseForge collection](https://apify.com/parseforge) for more security and reference-data scrapers. *** **๐Ÿ†˜ Need Help?** [**Open our contact form**](https://tally.so/r/BzdKgA) to request a new scraper, propose a custom data project, or report an issue. *** > **โš ๏ธ Disclaimer:** this Actor is an independent tool and is not affiliated with, endorsed by, or sponsored by OSV.dev, Google, or any of the upstream feed maintainers. All trademarks mentioned are the property of their respective owners. Only publicly available open source vulnerability data is collected. # Actor input Schema ## `mode` (type: `string`): How to query the OSV catalogue. 'query' searches by package, version, or commit. 'byId' fetches a single vulnerability by its ID (e.g. GHSA-xxxx, CVE-xxxx, PYSEC-xxxx). ## `packageName` (type: `string`): Package name to search (e.g. 'requests', 'lodash', 'log4j-core'). Used with mode=query. ## `ecosystem` (type: `string`): Package ecosystem. Leave empty to search across all ecosystems. ## `packageVersion` (type: `string`): Pin to a specific package version. If supplied WITHOUT packageName, the OSV catalogue returns vulnerabilities affecting that version across all packages (cross-package version search). ## `commit` (type: `string`): Search by Git commit SHA. Mutually exclusive with package query. ## `vulnerabilityId` (type: `string`): Single vulnerability ID to fetch (e.g. GHSA-652x-xj99-gmcc, CVE-2021-44228, PYSEC-2022-39). Used with mode=byId. ## `vulnerabilityIds` (type: `array`): Array of vulnerability IDs to fetch in a single mode=byId run (e.g. \["GHSA-652x-xj99-gmcc", "CVE-2021-44228"]). Takes precedence over vulnerabilityId. Recommended max ~100 per call. ## `maxItems` (type: `integer`): Free users: Limited to 10 items (preview). Paid users: Optional, max 1,000,000 ## Actor input object example ```json { "mode": "query", "packageName": "requests", "ecosystem": "PyPI", "packageVersion": "", "commit": "", "vulnerabilityId": "", "vulnerabilityIds": [], "maxItems": 10 } ``` # Actor output Schema ## `overview` (type: `string`): Overview of scraped data ## `fullData` (type: `string`): Complete dataset # API You can run this Actor programmatically using our API. Below are code examples in JavaScript, Python, and CLI, as well as the OpenAPI specification and MCP server setup. ## JavaScript example ```javascript import { ApifyClient } from 'apify-client'; // Initialize the ApifyClient with your Apify API token // Replace the '' with your token const client = new ApifyClient({ token: '', }); // Prepare Actor input const input = { "mode": "query", "packageName": "requests", "ecosystem": "PyPI", "packageVersion": "", "commit": "", "vulnerabilityId": "", "maxItems": 10 }; // Run the Actor and wait for it to finish const run = await client.actor("parseforge/osv-vulnerabilities-scraper").call(input); // Fetch and print Actor results from the run's dataset (if any) console.log('Results from dataset'); console.log(`๐Ÿ’พ Check your data here: https://console.apify.com/storage/datasets/${run.defaultDatasetId}`); const { items } = await client.dataset(run.defaultDatasetId).listItems(); items.forEach((item) => { console.dir(item); }); // ๐Ÿ“š Want to learn more ๐Ÿ“–? Go to โ†’ https://docs.apify.com/api/client/js/docs ``` ## Python example ```python from apify_client import ApifyClient # Initialize the ApifyClient with your Apify API token # Replace '' with your token. client = ApifyClient("") # Prepare the Actor input run_input = { "mode": "query", "packageName": "requests", "ecosystem": "PyPI", "packageVersion": "", "commit": "", "vulnerabilityId": "", "maxItems": 10, } # Run the Actor and wait for it to finish run = client.actor("parseforge/osv-vulnerabilities-scraper").call(run_input=run_input) # Fetch and print Actor results from the run's dataset (if there are any) print("๐Ÿ’พ Check your data here: https://console.apify.com/storage/datasets/" + run["defaultDatasetId"]) for item in client.dataset(run["defaultDatasetId"]).iterate_items(): print(item) # ๐Ÿ“š Want to learn more ๐Ÿ“–? Go to โ†’ https://docs.apify.com/api/client/python/docs/quick-start ``` ## CLI example ```bash echo '{ "mode": "query", "packageName": "requests", "ecosystem": "PyPI", "packageVersion": "", "commit": "", "vulnerabilityId": "", "maxItems": 10 }' | apify call parseforge/osv-vulnerabilities-scraper --silent --output-dataset ``` ## MCP server setup ```json { "mcpServers": { "apify": { "command": "npx", "args": [ "mcp-remote", "https://mcp.apify.com/?tools=parseforge/osv-vulnerabilities-scraper", "--header", "Authorization: Bearer " ] } } } ``` ## OpenAPI specification ```json { "openapi": "3.0.1", "info": { "title": "OSV Open Source Vulnerabilities Scraper", "description": "Query the OSV.dev open-source vulnerabilities database. Search by package (PyPI/npm/Go/Maven/RubyGems/crates.io/NuGet/Packagist), commit hash, or fetch a specific vulnerability by ID. Returns affected ranges, CVE aliases, severity, and references.", "version": "0.0", "x-build-id": "mBy9AaHVayseZ8E5e" }, "servers": [ { "url": "https://api.apify.com/v2" } ], "paths": { "/acts/parseforge~osv-vulnerabilities-scraper/run-sync-get-dataset-items": { "post": { "operationId": "run-sync-get-dataset-items-parseforge-osv-vulnerabilities-scraper", "x-openai-isConsequential": false, "summary": "Executes an Actor, waits for its completion, and returns Actor's dataset items in response.", "tags": [ "Run Actor" ], "requestBody": { "required": true, "content": { "application/json": { "schema": { "$ref": "#/components/schemas/inputSchema" } } } }, "parameters": [ { "name": "token", "in": "query", "required": true, "schema": { "type": "string" }, "description": "Enter your Apify token here" } ], "responses": { "200": { "description": "OK" } } } }, "/acts/parseforge~osv-vulnerabilities-scraper/runs": { "post": { "operationId": "runs-sync-parseforge-osv-vulnerabilities-scraper", "x-openai-isConsequential": false, "summary": "Executes an Actor and returns information about the initiated run in response.", "tags": [ "Run Actor" ], "requestBody": { "required": true, "content": { "application/json": { "schema": { "$ref": "#/components/schemas/inputSchema" } } } }, "parameters": [ { "name": "token", "in": "query", "required": true, "schema": { "type": "string" }, "description": "Enter your Apify token here" } ], "responses": { "200": { "description": "OK", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/runsResponseSchema" } } } } } } }, "/acts/parseforge~osv-vulnerabilities-scraper/run-sync": { "post": { "operationId": "run-sync-parseforge-osv-vulnerabilities-scraper", "x-openai-isConsequential": false, "summary": "Executes an Actor, waits for completion, and returns the OUTPUT from Key-value store in response.", "tags": [ "Run Actor" ], "requestBody": { "required": true, "content": { "application/json": { "schema": { "$ref": "#/components/schemas/inputSchema" } } } }, "parameters": [ { "name": "token", "in": "query", "required": true, "schema": { "type": "string" }, "description": "Enter your Apify token here" } ], "responses": { "200": { "description": "OK" } } } } }, "components": { "schemas": { "inputSchema": { "type": "object", "properties": { "mode": { "title": "Mode", "enum": [ "query", "byId" ], "type": "string", "description": "How to query the OSV catalogue. 'query' searches by package, version, or commit. 'byId' fetches a single vulnerability by its ID (e.g. GHSA-xxxx, CVE-xxxx, PYSEC-xxxx).", "default": "query" }, "packageName": { "title": "Package Name", "type": "string", "description": "Package name to search (e.g. 'requests', 'lodash', 'log4j-core'). Used with mode=query.", "default": "" }, "ecosystem": { "title": "Ecosystem", "enum": [ "", "PyPI", "npm", "Go", "Maven", "RubyGems", "crates.io", "NuGet", "Packagist", "OSS-Fuzz", "Hex", "Pub", "Hackage", "GitHub Actions", "Linux", "Debian", "Ubuntu", "Alpine", "Rocky Linux", "AlmaLinux", "SUSE", "openSUSE", "Android", "ConanCenter", "Bitnami", "Photon OS", "Mageia", "Wolfi", "Chainguard", "Bioconductor", "CRAN" ], "type": "string", "description": "Package ecosystem. Leave empty to search across all ecosystems.", "default": "" }, "packageVersion": { "title": "Package Version", "type": "string", "description": "Pin to a specific package version. If supplied WITHOUT packageName, the OSV catalogue returns vulnerabilities affecting that version across all packages (cross-package version search).", "default": "" }, "commit": { "title": "Commit Hash", "type": "string", "description": "Search by Git commit SHA. Mutually exclusive with package query.", "default": "" }, "vulnerabilityId": { "title": "Vulnerability ID", "type": "string", "description": "Single vulnerability ID to fetch (e.g. GHSA-652x-xj99-gmcc, CVE-2021-44228, PYSEC-2022-39). Used with mode=byId.", "default": "" }, "vulnerabilityIds": { "title": "Vulnerability IDs (batch lookup)", "type": "array", "description": "Array of vulnerability IDs to fetch in a single mode=byId run (e.g. [\"GHSA-652x-xj99-gmcc\", \"CVE-2021-44228\"]). Takes precedence over vulnerabilityId. Recommended max ~100 per call.", "default": [], "items": { "type": "string" } }, "maxItems": { "title": "Max Items", "minimum": 1, "maximum": 1000000, "type": "integer", "description": "Free users: Limited to 10 items (preview). Paid users: Optional, max 1,000,000" } } }, "runsResponseSchema": { "type": "object", "properties": { "data": { "type": "object", "properties": { "id": { "type": "string" }, "actId": { "type": "string" }, "userId": { "type": "string" }, "startedAt": { "type": "string", "format": "date-time", "example": "2025-01-08T00:00:00.000Z" }, "finishedAt": { "type": "string", "format": "date-time", "example": "2025-01-08T00:00:00.000Z" }, "status": { "type": "string", "example": "READY" }, "meta": { "type": "object", "properties": { "origin": { "type": "string", "example": "API" }, "userAgent": { "type": "string" } } }, "stats": { "type": "object", "properties": { "inputBodyLen": { "type": "integer", "example": 2000 }, "rebootCount": { "type": "integer", "example": 0 }, "restartCount": { "type": "integer", "example": 0 }, "resurrectCount": { "type": "integer", "example": 0 }, "computeUnits": { "type": "integer", "example": 0 } } }, "options": { "type": "object", "properties": { "build": { "type": "string", "example": "latest" }, "timeoutSecs": { "type": "integer", "example": 300 }, "memoryMbytes": { "type": "integer", "example": 1024 }, "diskMbytes": { "type": "integer", "example": 2048 } } }, "buildId": { "type": "string" }, "defaultKeyValueStoreId": { "type": "string" }, "defaultDatasetId": { "type": "string" }, "defaultRequestQueueId": { "type": "string" }, "buildNumber": { "type": "string", "example": "1.0.0" }, "containerUrl": { "type": "string" }, "usage": { "type": "object", "properties": { "ACTOR_COMPUTE_UNITS": { "type": "integer", "example": 0 }, "DATASET_READS": { "type": "integer", "example": 0 }, "DATASET_WRITES": { "type": "integer", "example": 0 }, "KEY_VALUE_STORE_READS": { "type": "integer", "example": 0 }, "KEY_VALUE_STORE_WRITES": { "type": "integer", "example": 1 }, "KEY_VALUE_STORE_LISTS": { "type": "integer", "example": 0 }, "REQUEST_QUEUE_READS": { "type": "integer", "example": 0 }, "REQUEST_QUEUE_WRITES": { "type": "integer", "example": 0 }, "DATA_TRANSFER_INTERNAL_GBYTES": { "type": "integer", "example": 0 }, "DATA_TRANSFER_EXTERNAL_GBYTES": { "type": "integer", "example": 0 }, "PROXY_RESIDENTIAL_TRANSFER_GBYTES": { "type": "integer", "example": 0 }, "PROXY_SERPS": { "type": "integer", "example": 0 } } }, "usageTotalUsd": { "type": "number", "example": 0.00005 }, "usageUsd": { "type": "object", "properties": { "ACTOR_COMPUTE_UNITS": { "type": "integer", "example": 0 }, "DATASET_READS": { "type": "integer", "example": 0 }, "DATASET_WRITES": { "type": "integer", "example": 0 }, "KEY_VALUE_STORE_READS": { "type": "integer", "example": 0 }, "KEY_VALUE_STORE_WRITES": { "type": "number", "example": 0.00005 }, "KEY_VALUE_STORE_LISTS": { "type": "integer", "example": 0 }, "REQUEST_QUEUE_READS": { "type": "integer", "example": 0 }, "REQUEST_QUEUE_WRITES": { "type": "integer", "example": 0 }, "DATA_TRANSFER_INTERNAL_GBYTES": { "type": "integer", "example": 0 }, "DATA_TRANSFER_EXTERNAL_GBYTES": { "type": "integer", "example": 0 }, "PROXY_RESIDENTIAL_TRANSFER_GBYTES": { "type": "integer", "example": 0 }, "PROXY_SERPS": { "type": "integer", "example": 0 } } } } } } } } } } ```