
Security News
MCP Community Begins Work on Official MCP Metaregistry
The MCP community is launching an official registry to standardize AI tool discovery and let agents dynamically find and install MCP servers.
A library for querying the OSS Index free catalogue of open source components to help developers identify vulnerabilities, understand risk, and keep their software safe.
This OSSIndex module for Python provides a common interface to querying the OSS Index.
This module is not designed for standalone use. If you're looking for a tool that can detect your application's dependencies and assess them for vulnerabilities against the OSS Index, perhaps you should check out Jake.
You can of course use this library in your own applications.
Install from pypi.org as you would any other Python module:
pip install ossindex-lib
First create an instance of OssIndex
, optionally enabling local caching
o = OssIndex()
Then supply a List
of PackageURL objects that you want to ask
OSS Index about. If you don't want to care about generating this list yourself, perhaps look to a tool like Jake
(which uses this library) and will do all the hard work for you!
As a quick test, you could run:
o = OssIndex()
results: List[OssIndexComponent] = o.get_component_report(packages=[
PackageURL.from_string(purl='pkg:pypi/pip@19.2.0')
])
for r in results:
print("{}: {} known vulnerabilities".format(r.get_coordinates(), len(r.get_vulnerabilities())))
v: Vulnerability
for v in r.get_vulnerabilities():
print(' - {}'.format(str(v)))
... which would output something like ...
pkg:pypi/pip@19.2.0: 1 known vulnerabilities
- <Vulnerability id=e4c955a3-2004-472e-920b-783fea46c3cd, name=OSSINDEX-783f-ea46-c3cd, cvss_score=3.6>
This library send log events to a standard Python logger
named ossindex
. You can configure the logger to output as
required through the standard Python logging configuration.
We endeavour to support all functionality for all current actively supported Python versions. However, some features may not be possible/present in older Python versions due to their lack of support.
See our CHANGELOG.
Remember:
It is worth noting that this is NOT SUPPORTED by Sonatype, and is a contribution of ours to the open source community (read: you!)
ossindex-lib
Phew, that was easier than I thought. Last but not least of all - have fun!
FAQs
A library for querying the OSS Index free catalogue of open source components to help developers identify vulnerabilities, understand risk, and keep their software safe.
We found that ossindex-lib demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 2 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
The MCP community is launching an official registry to standardize AI tool discovery and let agents dynamically find and install MCP servers.
Research
Security News
Socket uncovers an npm Trojan stealing crypto wallets and BullX credentials via obfuscated code and Telegram exfiltration.
Research
Security News
Malicious npm packages posing as developer tools target macOS Cursor IDE users, stealing credentials and modifying files to gain persistent backdoor access.