CVE Detection
How vulnerability matching works:
Deptic queries two databases for every component:
1. OSV.dev (Open Source Vulnerabilities)
Endpoint: POST https://api.osv.dev/v1/query
Deptic sends batched queries — up to 20 concurrent requests with a semaphore. Each query includes the exact package name, ecosystem, and version.
POST https://api.osv.dev/v1/query

```json
{
  "package": {
    "name": "lodash",
    "ecosystem": "npm"
  },
  "version": "4.17.11"
}
```

2. NVD (National Vulnerability Database)
Used as a secondary source for CVEs not yet indexed in OSV.
Severity levels:
| Level | CVSS Score | Color | Action Required |
|---|---|---|---|
| CRITICAL | 9.0–10.0 | Red | Immediate — block CI/CD |
| HIGH | 7.0–8.9 | Orange | Urgent — fix within 72h |
| MEDIUM | 4.0–6.9 | Amber | Planned — fix in next sprint |
| LOW | 0.1–3.9 | Gray | Informational — monitor |
Fix version resolution:
When a CVE is detected, Deptic does not simply use the fixed_version from OSV, which is only the minimum patched version and may itself carry other CVEs. Instead:
1. Query OSV for ALL vulnerabilities for this package across all versions: POST /v1/query with no version field
2. Build a complete set of all affected versions from the response
3. Fetch all available versions from the package registry (npm/PyPI/Maven Central)
4. Sort versions descending. The first version NOT in the affected set is the clean version
5. Double-verify: call OSV with the specific version and confirm zero vulnerabilities
6. Cache the result in Redis (TTL 6 hours): key format clean-version:{ecosystem}:{package}
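A worked version of the six steps above, added here as illustration and not Deptic's own code. It runs offline against a constructed OSV response and registry listing; `verify` stands in for the version-specific OSV query of step 5, a plain dict stands in for Redis, and the numeric version key assumes dotted-integer versions only.

```python
# Constructed OSV /v1/query response (no "version" field), trimmed to the
# fields this algorithm reads; real responses carry many more.
OSV_ALL_VULNS = {"vulns": [
    {"id": "EXAMPLE-0001", "affected": [{"package": {"name": "lodash", "ecosystem": "npm"},
                                         "versions": ["4.17.10", "4.17.11"]}]},
    {"id": "EXAMPLE-0002", "affected": [{"package": {"name": "lodash", "ecosystem": "npm"},
                                         "versions": ["4.17.11", "4.17.12"]}]},
]}
# Constructed registry listing; note "4.17.9" would sort highest as a plain string.
REGISTRY_VERSIONS = ["4.17.9", "4.17.10", "4.17.11", "4.17.12", "4.17.13", "4.17.14"]

def version_key(version):
    """Numeric sort key: "4.17.9" < "4.17.10", which a string sort gets wrong.
    Assumption: dotted-integer versions only; real code needs the ecosystem's rules."""
    return tuple(int(part) for part in version.split("."))

def affected_versions(osv_response, name, ecosystem):
    """Step 2: union of every version OSV lists as affected for this package."""
    affected = set()
    for vuln in osv_response.get("vulns", []):
        for entry in vuln.get("affected", []):
            pkg = entry.get("package", {})
            if pkg.get("name") == name and pkg.get("ecosystem") == ecosystem:
                affected.update(entry.get("versions", []))
    return affected

def verify_with_osv(name, ecosystem, version):
    """Step 5 stand-in: number of vulns OSV reports for one exact version.
    Offline stub over the constructed data; Deptic issues a real query here."""
    return sum(1 for v in OSV_ALL_VULNS["vulns"] for a in v["affected"]
               if a["package"]["name"] == name and a["package"]["ecosystem"] == ecosystem
               and version in a.get("versions", []))

def resolve_clean_version(name, ecosystem, osv_response, registry_versions, verify, cache):
    """Steps 1-6: newest registry version outside the affected set that also passes
    the version-specific double-check. `cache` stands in for Redis (no TTL here)."""
    key = f"clean-version:{ecosystem}:{name}"   # key format from the docs
    if key in cache:
        return cache[key]
    affected = affected_versions(osv_response, name, ecosystem)
    for candidate in sorted(registry_versions, key=version_key, reverse=True):
        if candidate in affected:
            continue
        if verify(name, ecosystem, candidate) == 0:   # step 5: confirm zero vulns
            cache[key] = candidate
            return candidate
    return None   # every published version is affected: nothing clean to suggest
```

The double-check matters because the `versions` lists in step 2 can miss a version that OSV still flags on a version-specific query; the loop then falls through to the next candidate instead of recommending it.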
Ecosystem mapping for OSV:
| Deptic ecosystem | OSV ecosystem string |
|---|---|
| npm | npm |
| pip | PyPI |
| maven | Maven |
| go | Go |
| rust | crates.io |
| ruby | RubyGems |
| php | Packagist |

