PRSM

dependency_vulnerability_scan

Active

Tool of @gapup/mcp-knowledge

declared in 0.2.0

SCA (Software Composition Analysis) — scans a project dependency manifest and returns the known vulnerabilities for each dependency. Supported manifests: package.json (npm), requirements.txt (Python), go.mod (Go), Cargo.toml (Rust), composer.json (PHP), Gemfile.lock (Ruby), and CycloneDX SBOM JSON. Primary source: OSV.dev (keyless, free; covers npm, PyPI, Go, crates.io, Packagist and RubyGems, with GHSA advisories federated in). CVSS enrichment: NVD (NIST), used when OSV lacks a score. Exploitation flag: CISA KEV (Known Exploited Vulnerabilities catalog). Returns, per vulnerability, the CVE/GHSA IDs, severity, CVSS score, fixed version, and an actionable upgrade recommendation. Relevant for EU NIS2 supply-chain risk obligations, DORA, and SOC 2 vendor assessments. Cache TTL 6h. OSV queries run in parallel (concurrency=10). SLA: p95 latency <= 30s.

Parameters schema

{
  "type": "object",
  "required": [
    "mode",
    "manifest_content"
  ],
  "properties": {
    "mode": {
      "enum": [
        "package_json",
        "requirements_txt",
        "go_mod",
        "cargo_toml",
        "composer_json",
        "gem_lock",
        "sbom_cyclonedx"
      ],
      "type": "string",
      "description": "Manifest type: \"package_json\"=npm, \"requirements_txt\"=pip, \"go_mod\"=Go modules, \"cargo_toml\"=Rust, \"composer_json\"=PHP, \"gem_lock\"=Ruby, \"sbom_cyclonedx\"=CycloneDX SBOM JSON."
    },
    "async": {
      "type": "boolean",
      "description": "If true, returns a job_id immediately (<200ms) instead of waiting for the result. Poll the result with job_result(job_id). Use for slow tools to avoid client timeouts."
    },
    "severity_min": {
      "enum": [
        "low",
        "medium",
        "high",
        "critical"
      ],
      "type": "string",
      "description": "Minimum severity to include in results (default: \"medium\")."
    },
    "manifest_content": {
      "type": "string",
      "description": "Raw text content of the manifest file to scan (e.g. full contents of package.json, requirements.txt, etc.)."
    },
    "include_transitive": {
      "type": "boolean",
      "description": "Include transitive/indirect dependencies in results (default: true)."
    }
  }
}

What this tool wraps · 0 endpoints


No endpoints wrapped at confidence ≥ 0.70.

Parent server

@gapup/mcp-knowledge

https://github.com/getgapup/gapup-mcp

2/7 registries