New Case Study:See how Anthropic automated 95% of dependency reviews with Socket.Learn More
Socket
Sign inDemoInstall
Socket
Sign inDemoInstall

ossindex-lib

Package Overview
Dependencies
Maintainers
2
Alerts
File Explorer

Advanced tools

License
Socket logo

Install Socket

Detect and block malicious and high-risk dependencies

Install

ossindex-lib

A library for querying the OSS Index free catalogue of open source components to help developers identify vulnerabilities, understand risk, and keep their software safe.

1.1.1
PyPI
Maintainers
2

Python Library for quering OSS Index

GitHub Workflow Status Python Version Support PyPI Version Documentation GitHub license GitHub issues GitHub forks GitHub stars

This OSSIndex module for Python provides a common interface to querying the OSS Index.

This module is not designed for standalone use. If you're looking for a tool that can detect your application's dependencies and assess them for vulnerabilities against the OSS Index, perhaps you should check out Jake.

You can of course use this library in your own applications.

Installation

Install from pypi.org as you would any other Python module:

pip install ossindex-lib

Usage

First create an instance of OssIndex, optionally enabling local caching

o = OssIndex()

Then supply a List of PackageURL objects that you want to ask OSS Index about. If you don't want to care about generating this list yourself, perhaps look to a tool like Jake (which uses this library) and will do all the hard work for you!

As a quick test, you could run:

o = OssIndex()
results: List[OssIndexComponent] = o.get_component_report(packages=[
    PackageURL.from_string(purl='pkg:pypi/pip@19.2.0')
])
for r in results:
    print("{}: {} known vulnerabilities".format(r.get_coordinates(), len(r.get_vulnerabilities())))
    v: Vulnerability
    for v in r.get_vulnerabilities():
        print('    - {}'.format(str(v)))

... which would output something like ...

pkg:pypi/pip@19.2.0: 1 known vulnerabilities
    - <Vulnerability id=e4c955a3-2004-472e-920b-783fea46c3cd, name=OSSINDEX-783f-ea46-c3cd, cvss_score=3.6>

Logging

This library send log events to a standard Python logger named ossindex. You can configure the logger to output as required through the standard Python logging configuration.

Todos

  • Support authentication against OSS Index

Python Support

We endeavour to support all functionality for all current actively supported Python versions. However, some features may not be possible/present in older Python versions due to their lack of support.

Changelog

See our CHANGELOG.

The Fine Print

Remember:

It is worth noting that this is NOT SUPPORTED by Sonatype, and is a contribution of ours to the open source community (read: you!)

  • Use this contribution at the risk tolerance that you have
  • Do NOT file Sonatype support tickets related to ossindex-lib
  • DO file issues here on GitHub, so that the community can pitch in

Phew, that was easier than I thought. Last but not least of all - have fun!

Keywords

SCA
OWASP

FAQs

Did you know?

Socket

Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.

Install

Related posts

NVD Quietly Sweeps 100K+ CVEs Into a “Deferred” Black Hole

Security News

NVD Quietly Sweeps 100K+ CVEs Into a “Deferred” Black Hole

NVD now marks all pre-2018 CVEs as "Deferred," signaling it will no longer enrich older vulnerabilities, further eroding trust in its data.

By Sarah Gooding  -  Apr 04, 2025