
OSV analyzer reports historical CVEs even when fixed version installed #233

@jagoff

Description

The OSV analyzer reports CVEs for packages (mlx, fastmcp) even when the installed version has zero CVEs.

Steps

  1. skillspector scan <project> --no-llm
  2. See CRITICAL: SC4 for mlx/fastmcp

Expected

Check exact version from lockfile - only report if that version has CVEs.

Evidence

  • memo has mlx==0.31.2 (verified 0 CVEs via OSV API query with version specifier)
  • memo has fastmcp==3.3.1
  • Still shows CRITICAL for both

Fix

In osv_client.py, query OSV with version specifier:
{"package": {"name": "mlx", "ecosystem": "PyPI"}, "version": "0.31.2"}

Instead of querying without a version, which returns ALL historical vulns.
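As an added example (not code from skillspector or from the reporter), here is what the versioned OSV query plus a client-side range check could look like in Python; the function names and the SAMPLE_VULN record are constructed for illustration, and the version comparison is simplified to numeric dotted releases.

```python
import json
import re
import urllib.request

OSV_QUERY_URL = "https://api.osv.dev/v1/query"

def parse_pinned_requirement(line):
    """Parse an exact pin such as 'mlx==0.31.2' into (name, version); None if not a '==' pin."""
    m = re.match(r"^\s*([A-Za-z0-9_.\-]+)\s*==\s*([0-9][0-9A-Za-z.]*)", line)
    return (m.group(1).lower(), m.group(2)) if m else None

def build_osv_query(name, version, ecosystem="PyPI"):
    """Query body WITH the version field, so OSV returns only vulns affecting that exact version."""
    return {"package": {"name": name, "ecosystem": ecosystem}, "version": version}

def query_osv(name, version):
    """POST the versioned query to OSV (network call, not exercised offline)."""
    body = json.dumps(build_osv_query(name, version)).encode()
    req = urllib.request.Request(OSV_QUERY_URL, body, {"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp).get("vulns", [])

def _vkey(version):
    # Simplified comparison key: numeric dotted releases only (no pre/post-release tags).
    return tuple(int(p) for p in re.findall(r"\d+", version))

def version_is_affected(version, vuln):
    """Client-side check of one OSV record's 'affected' ranges, to double-check a versioned
    result or to filter the output of an unversioned query. Events alternate introduced/fixed;
    a trailing 'introduced' with no 'fixed' means every later version is still affected."""
    v = _vkey(version)
    for affected in vuln.get("affected", []):
        for rng in affected.get("ranges", []):
            if rng.get("type") == "GIT":
                continue  # commit ranges are not comparable to a PyPI version string
            lo = None
            for ev in rng.get("events", []):
                if "introduced" in ev:
                    lo = _vkey(ev["introduced"])
                elif lo is not None and "fixed" in ev:
                    if lo <= v < _vkey(ev["fixed"]):
                        return True
                    lo = None
            if lo is not None and v >= lo:
                return True
    return False

# Constructed sample record (not a real advisory): affects mlx versions before 0.30.0.
SAMPLE_VULN = {"id": "EXAMPLE-0001", "affected": [{"package": {"name": "mlx", "ecosystem": "PyPI"},
    "ranges": [{"type": "ECOSYSTEM", "events": [{"introduced": "0"}, {"fixed": "0.30.0"}]}]}]}
```

With the pinned version in the query body, OSV itself drops the historical records; `version_is_affected` gives the same answer locally so a scanner can verify a result before raising a CRITICAL finding.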
