naftiko: 1.0.0-alpha2
info:
  label: OSV (Open Source Vulnerabilities) API
  description: 'OSV (Open Source Vulnerabilities) API. 5 operations. Lead operation: Query vulnerabilities for a package or commit. Self-contained Naftiko capability covering one Openssf business surface.'
  tags:
  - Openssf
  - OSV (Open Source Vulnerabilities) API
  created: '2026-05-19'
  modified: '2026-05-19'
binds:
- namespace: env
  keys:
    OPENSSF_API_KEY: OPENSSF_API_KEY
capability:
  consumes:
  - type: http
    namespace: osv
    baseUri: https://api.osv.dev
    description: OSV (Open Source Vulnerabilities) API business capability. Self-contained, no shared references.
    resources:
    - name: v1-query
      path: /v1/query
      operations:
      - name: queryvulnerabilities
        method: POST
        description: Query vulnerabilities for a package or commit
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: body
          in: body
          type: object
          description: Request body (JSON).
          required: true
    - name: v1-querybatch
      path: /v1/querybatch
      operations:
      - name: queryvulnerabilitiesbatch
        method: POST
        description: Batched vulnerability query
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: body
          in: body
          type: object
          description: Request body (JSON).
          required: true
    - name: v1-vulns-id
      path: /v1/vulns/{id}
      operations:
      - name: getvulnerability
        method: GET
        description: Get vulnerability by OSV ID
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: id
          in: path
          type: string
          required: true
    - name: v1experimental-determineversion
      path: /v1experimental/determineversion
      operations:
      - name: determineversion
        method: POST
        description: Determine probable versions of a C/C++ project (experimental)
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: body
          in: body
          type: object
          description: Request body (JSON).
          required: true
    - name: v1experimental-importfindings
      path: /v1experimental/importfindings
      operations:
      - name: importfindings
        method: GET
        description: Import-time quality check findings (experimental)
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: source
          in: query
          type: string
          required: true
  exposes:
  - type: rest
    namespace: osv-rest
    port: 8080
    description: REST adapter for OSV (Open Source Vulnerabilities) API. One Spectral-compliant resource per consumed operation, prefixed with /v1.
    resources:
    - path: /v1/v1/query
      name: v1-query
      description: REST surface for v1-query.
      operations:
      - method: POST
        name: queryvulnerabilities
        description: Query vulnerabilities for a package or commit
        call: osv.queryvulnerabilities
        with:
          body: rest.body
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/v1/querybatch
      name: v1-querybatch
      description: REST surface for v1-querybatch.
      operations:
      - method: POST
        name: queryvulnerabilitiesbatch
        description: Batched vulnerability query
        call: osv.queryvulnerabilitiesbatch
        with:
          body: rest.body
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/v1/vulns/{id}
      name: v1-vulns-id
      description: REST surface for v1-vulns-id.
      operations:
      - method: GET
        name: getvulnerability
        description: Get vulnerability by OSV ID
        call: osv.getvulnerability
        with:
          id: rest.id
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/v1experimental/determineversion
      name: v1experimental-determineversion
      description: REST surface for v1experimental-determineversion.
      operations:
      - method: POST
        name: determineversion
        description: Determine probable versions of a C/C++ project (experimental)
        call: osv.determineversion
        with:
          body: rest.body
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/v1experimental/importfindings
      name: v1experimental-importfindings
      description: REST surface for v1experimental-importfindings.
      operations:
      - method: GET
        name: importfindings
        description: Import-time quality check findings (experimental)
        call: osv.importfindings
        with:
          source: rest.source
        outputParameters:
        - type: object
          mapping: $.
  - type: mcp
    namespace: osv-mcp
    port: 9090
    transport: http
    description: MCP adapter for OSV (Open Source Vulnerabilities) API. One tool per consumed operation, routed inline through this capability's consumes block.
    tools:
    - name: query-vulnerabilities-package-commit
      description: Query vulnerabilities for a package or commit
      hints:
        readOnly: true
        destructive: false
        idempotent: false
      call: osv.queryvulnerabilities
      with:
        body: tools.body
      outputParameters:
      - type: object
        mapping: $.
    - name: batched-vulnerability-query
      description: Batched vulnerability query
      hints:
        readOnly: true
        destructive: false
        idempotent: false
      call: osv.queryvulnerabilitiesbatch
      with:
        body: tools.body
      outputParameters:
      - type: object
        mapping: $.
    - name: get-vulnerability-osv-id
      description: Get vulnerability by OSV ID
      hints:
        readOnly: true
        destructive: false
        idempotent: true
      call: osv.getvulnerability
      with:
        id: tools.id
      outputParameters:
      - type: object
        mapping: $.
    - name: determine-probable-versions-c-c
      description: Determine probable versions of a C/C++ project (experimental)
      hints:
        readOnly: false
        destructive: false
        idempotent: false
      call: osv.determineversion
      with:
        body: tools.body
      outputParameters:
      - type: object
        mapping: $.
    - name: import-time-quality-check-findings
      description: Import-time quality check findings (experimental)
      hints:
        readOnly: true
        destructive: false
        idempotent: true
      call: osv.importfindings
      with:
        source: tools.source
      outputParameters:
      - type: object
        mapping: $.