Description
The OSV analyzer reports CVEs for packages (mlx, fastmcp) even when the installed version has zero CVEs.
Steps
- Run: skillspector scan <project> --no-llm
- See CRITICAL: SC4 for mlx/fastmcp
Expected
Check the exact version from the lockfile and only report a package if that pinned version has CVEs.
Evidence
- memo has mlx==0.31.2 (verified 0 CVEs via OSV API query with version specifier)
- memo has fastmcp==3.3.1
- Still shows CRITICAL for both
Fix
In osv_client.py, query OSV with the version specifier:
{"package": {"name": "mlx", "ecosystem": "PyPI"}, "version": "0.31.2"}
instead of querying without a version, which returns every historical vuln ever recorded for the package.
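As an added illustration of the proposed fix (this is example code, not skillspector's own osv_client.py), the following reads exact pins from a requirements-style lockfile, builds the version-aware OSV query body shown above, and only produces a finding when OSV returns vulnerabilities for that exact version. The POST endpoint https://api.osv.dev/v1/query and the {"vulns": [...]} response shape are the real OSV API; the lockfile contents, the oldlib package and the canned responses are constructed for the example, and the function names are assumptions.

```python
"""Added example (not the project's own code): version-aware OSV lookups driven by lockfile pins."""
import json
import re
import urllib.request

OSV_QUERY_URL = "https://api.osv.dev/v1/query"  # real OSV API endpoint

# Matches exact pins such as "mlx==0.31.2"; looser specifiers are skipped on purpose,
# because OSV needs one concrete version to answer "is this build affected?".
PIN_RE = re.compile(r"^\s*([A-Za-z0-9_.\-]+)\s*==\s*([^\s;#]+)")


def parse_lockfile_pins(text):
    """Return {package_name: version} for every exact 'name==version' line."""
    pins = {}
    for line in text.splitlines():
        m = PIN_RE.match(line)
        if m:
            pins[m.group(1).lower()] = m.group(2)
    return pins


def build_osv_query(name, version, ecosystem="PyPI"):
    """Build the query body with the version included.

    Querying without 'version' makes OSV return every vulnerability ever recorded
    for the package, which is exactly the false CRITICAL described in this issue.
    """
    if not version:
        raise ValueError(f"{name}: refusing to query OSV without an exact version")
    return {"package": {"name": name, "ecosystem": ecosystem}, "version": version}


def vulns_for_version(response):
    """OSV answers with {} (no 'vulns' key at all) when the version is clean."""
    return response.get("vulns", [])


def assess(pins, responses):
    """Turn {name: decoded OSV JSON} into findings, one per pinned version that is affected."""
    findings = {}
    for name, version in pins.items():
        vulns = vulns_for_version(responses.get(name, {}))
        if vulns:
            findings[name] = {"version": version, "ids": [v.get("id") for v in vulns]}
    return findings


def query_osv(name, version, ecosystem="PyPI", timeout=10):
    """Live lookup against OSV (needs network; not used by the offline sample below)."""
    body = json.dumps(build_osv_query(name, version, ecosystem)).encode()
    req = urllib.request.Request(
        OSV_QUERY_URL, data=body, headers={"Content-Type": "application/json"}
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


# Constructed sample lockfile: the two pins from the issue plus a made-up package.
SAMPLE_LOCK = """mlx==0.31.2
fastmcp==3.3.1
oldlib==1.0.0
"""

# Constructed stand-ins for decoded OSV responses (not real API output):
# clean versions come back as {}, affected versions carry a 'vulns' list.
SAMPLE_RESPONSES = {
    "mlx": {},
    "fastmcp": {},
    "oldlib": {"vulns": [{"id": "EXAMPLE-0001", "summary": "constructed sample entry"}]},
}

if __name__ == "__main__":
    pins = parse_lockfile_pins(SAMPLE_LOCK)
    print(json.dumps(assess(pins, SAMPLE_RESPONSES), indent=2))
```

With the sample data, mlx and fastmcp produce no finding while oldlib does; swapping SAMPLE_RESPONSES for live query_osv results gives the same per-version behaviour against the real API.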