dependency_vulnerability_scan
ActiveTool of @gapup/mcp-knowledge
SCA (Software Composition Analysis): scans a project dependency manifest and returns known vulnerabilities for each dependency.

Supported manifests: package.json (npm), requirements.txt (Python), go.mod (Go), Cargo.toml (Rust), composer.json (PHP), Gemfile.lock (Ruby), CycloneDX SBOM JSON.

Primary source: OSV.dev (keyless, free; covers npm/PyPI/Go/crates.io/Packagist/RubyGems plus federated GHSA advisories).
CVSS enrichment: NVD (NIST), used when OSV lacks a score.
Exploitation flag: CISA KEV (Known Exploited Vulnerabilities catalog).

Returns, per vulnerability: CVE/GHSA IDs, severity, CVSS score, fixed version, and actionable upgrade recommendations. Relevant for EU NIS2 supply chain risk obligations, DORA, and SOC 2 vendor assessments.

Cache TTL 6h. Parallel OSV queries (concurrency=10). SLA <=30s p95.
Parameters schema
{
  "type": "object",
  "required": [
    "mode",
    "manifest_content"
  ],
  "properties": {
    "mode": {
      "enum": [
        "package_json",
        "requirements_txt",
        "go_mod",
        "cargo_toml",
        "composer_json",
        "gem_lock",
        "sbom_cyclonedx"
      ],
      "type": "string",
      "description": "Manifest type: \"package_json\"=npm, \"requirements_txt\"=pip, \"go_mod\"=Go modules, \"cargo_toml\"=Rust, \"composer_json\"=PHP, \"gem_lock\"=Ruby, \"sbom_cyclonedx\"=CycloneDX SBOM JSON."
    },
    "async": {
      "type": "boolean",
      "description": "If true, returns a job_id immediately (<200ms) instead of waiting for the result. Poll the result with job_result(job_id). Use for slow tools to avoid client timeouts."
    },
    "severity_min": {
      "enum": [
        "low",
        "medium",
        "high",
        "critical"
      ],
      "type": "string",
      "description": "Minimum severity to include in results (default: \"medium\")."
    },
    "manifest_content": {
      "type": "string",
      "description": "Raw text content of the manifest file to scan (e.g. full contents of package.json, requirements.txt, etc.)."
    },
    "include_transitive": {
      "type": "boolean",
      "description": "Include transitive/indirect dependencies in results (default: true)."
    }
  }
}

No endpoints wrapped at confidence ≥ 0.50.
Parent server
@gapup/mcp-knowledge
https://github.com/getgapup/gapup-mcp
2/7 registries