
Add NVD vulnerability checking with per-package caching#7

Merged
christian-andersson merged 5 commits into main from feature/nvd-vulnerability-checking
Apr 13, 2026

Conversation

@christian-andersson
Member

Summary

  • Add NVD (National Vulnerability Database) API v2.0 as a second vulnerability source alongside OSV
  • Query both databases in parallel; deduplicate results by CVE ID with NVD providing authoritative CVSS v3.1 scores and CWE classifications
  • Switch to per-package caching (instead of per-version) so checking multiple versions of the same package reuses a single API call per source
  • Add source, cvss, and cweIds fields to vulnerability output
  • Support NVD_API_KEY environment variable for higher rate limits (50 vs 5 requests/30s)
  • Add 31 unit tests covering OSV version range matching, NVD CPE package/version matching, and edge cases

Test plan

  • deno task check — type checks pass
  • deno task lint — no lint errors
  • deno task test — all 147 tests pass (116 existing + 31 new)
  • Manual: run check_vulnerabilities for a known vulnerable package (e.g. lodash 4.17.20) and verify results include source and cvss fields
  • Manual: run check_vulnerabilities twice for the same package with different versions and verify the second call is faster (cached)

🤖 Generated with Claude Code

Query NVD API v2.0 in parallel with OSV for broader vulnerability
coverage. Results are deduplicated by CVE ID, with NVD providing
authoritative CVSS v3.1 scores and CWE classifications.

Both sources now cache raw responses per-package (not per-version),
so checking multiple versions of the same package reuses API calls.
OSV version filtering uses client-side range matching against the
affected events data.
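As an added example (not the project's code or the diff of this PR), the client-side OSV range matching and CVE-ID de-duplication described above, in TypeScript. The `affected[].ranges[].events` shape is OSV's schema; the version comparison is a simplified dotted-numeric compare, and the sample range and IDs are constructed placeholders.

```typescript
// Added example (not the project's code): client-side OSV range matching and
// CVE de-duplication with NVD as the authoritative CVSS/CWE source.
// Assumes OSV's `affected[].ranges[].events` shape and dotted numeric versions.
type OsvEvent = { introduced?: string; fixed?: string; last_affected?: string };
type OsvRange = { type: string; events: OsvEvent[] };
type Finding = { id: string; source: string; cvss?: number; cweIds?: string[] };

// Compare dotted numeric versions ("4.17.20" vs "4.17.21"); a pre-release
// suffix is ignored and missing components count as 0. Returns -1, 0 or 1.
export function compareVersions(a: string, b: string): number {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] ?? 0) - (pb[i] ?? 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

const eventVersion = (e: OsvEvent) => e.introduced ?? e.fixed ?? e.last_affected ?? "0";
// A version is affected if an "introduced" event at or below it is not closed
// by a later "fixed" (exclusive) or "last_affected" (inclusive) event.
export function isAffected(version: string, ranges: OsvRange[]): boolean {
  for (const range of ranges) {
    // Sort events so the walk below sees them in increasing version order.
    const events = [...range.events].sort((x, y) => compareVersions(eventVersion(x), eventVersion(y)));
    let affected = false;
    for (const ev of events) {
      if (ev.introduced !== undefined && compareVersions(version, ev.introduced) >= 0) affected = true;
      if (ev.fixed !== undefined && compareVersions(version, ev.fixed) >= 0) affected = false;
      if (ev.last_affected !== undefined && compareVersions(version, ev.last_affected) > 0) affected = false;
    }
    if (affected) return true;
  }
  return false;
}

// Merge findings from both sources by CVE ID. NVD entries are applied last so
// their CVSS score and CWE IDs win; OSV-only fields are kept when NVD has none.
export function dedupeByCve(osv: Finding[], nvd: Finding[]): Finding[] {
  const byId = new Map<string, Finding>();
  for (const f of [...osv, ...nvd]) {
    const prev = byId.get(f.id);
    byId.set(f.id, prev ? { ...prev, cvss: f.cvss ?? prev.cvss, cweIds: f.cweIds ?? prev.cweIds } : { ...f });
  }
  return [...byId.values()];
}

// Constructed sample: every version from 0 up to (but excluding) the 4.17.21 fix is affected.
export const sampleRanges: OsvRange[] = [{ type: "SEMVER", events: [{ introduced: "0" }, { fixed: "4.17.21" }] }];
```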
@christian-andersson christian-andersson merged commit 95d6255 into main Apr 13, 2026
1 check passed
@christian-andersson christian-andersson deleted the feature/nvd-vulnerability-checking branch April 13, 2026 04:47