osv

scan-purl

Look up vulnerability information for one or more package URLs (pURL) using the Open Source Vulnerability (OSV) service.

The function accepts the following inputs:

  1. A single package URL string

  2. A list of package URL strings

  3. An object or a list of objects created by the uri::purl function.

You can combine this function with other patterns to check if a given package has any known vulnerabilities:

pattern not-vulnerable = osv::scan-purl(openvex::from-osv(openvex::not-affected))

This converts the OSV result for the package URL input into an OpenVEX document, to which the not-affected pattern is then applied, so the policy verifies that the package is not affected by any known vulnerability.
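The following is an added example, not code from the policy engine or the OSV project. It illustrates what a pURL lookup of this kind does underneath: build the query OSV's documented `/v1/query` endpoint expects for a pURL, reduce the response to the fields a policy decision needs, map it onto a minimal OpenVEX-style document, and run a not-affected check over it. The response bodies are constructed samples with placeholder advisory IDs, the package URL `pkg:npm/example-lib@1.2.3` is invented, and the OSV-to-OpenVEX mapping is a deliberate simplification (every returned advisory becomes an `affected` statement); none of this is claimed to be how `openvex::from-osv` or `openvex::not-affected` are implemented.

```python
import json
import urllib.request
from typing import Dict, List

# Documented OSV REST endpoint for package queries.
OSV_QUERY_URL = "https://api.osv.dev/v1/query"

# Constructed sample responses shaped like OSV's /v1/query output.
# The IDs below are placeholders, not real advisories.
SAMPLE_AFFECTED = json.dumps({
    "vulns": [
        {
            "id": "OSV-PLACEHOLDER-0001",
            "aliases": ["CVE-PLACEHOLDER-0001"],
            "summary": "constructed example advisory",
            "affected": [{"package": {"ecosystem": "npm", "name": "example-lib"}}],
        }
    ]
})
# A query with no matching advisories comes back as an empty object.
SAMPLE_CLEAN = json.dumps({})


def osv_query_body(purl: str) -> Dict:
    """Request body for a pURL lookup; OSV derives ecosystem, name and version from the pURL."""
    return {"package": {"purl": purl}}


def parse_osv_response(raw: str) -> List[Dict]:
    """Reduce an OSV response to the fields a policy decision needs."""
    doc = json.loads(raw)
    return [
        {"id": v["id"], "aliases": v.get("aliases", []), "summary": v.get("summary", "")}
        for v in doc.get("vulns", [])
    ]


def to_openvex(purl: str, vulns: List[Dict]) -> Dict:
    """Build a minimal OpenVEX-style document (status values follow the OpenVEX spec).

    Simplified mapping (assumption): OSV only returns advisories whose affected
    ranges cover the queried version, so each becomes an 'affected' statement;
    no match means no statements.
    """
    return {
        "@context": "https://openvex.dev/ns/v0.2.0",
        "@id": "urn:example:vex:" + purl,  # constructed document id
        "author": "example-policy",        # placeholder author
        "statements": [
            {
                "vulnerability": {"name": v["id"], "aliases": v["aliases"]},
                "products": [{"@id": purl}],
                "status": "affected",
            }
            for v in vulns
        ],
    }


def not_affected(vex: Dict) -> bool:
    """Pass only if every statement is 'not_affected' (vacuously true with no statements)."""
    return all(s["status"] == "not_affected" for s in vex["statements"])


def query_osv(purl: str, timeout: float = 10.0) -> List[Dict]:
    """Live lookup against OSV (needs network; the samples above exercise the rest offline)."""
    req = urllib.request.Request(
        OSV_QUERY_URL,
        data=json.dumps(osv_query_body(purl)).encode("utf-8"),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return parse_osv_response(resp.read().decode("utf-8"))


def evaluate_offline(purl: str, raw_response: str) -> bool:
    """Whole pipeline on a canned response: parse -> OpenVEX -> not-affected."""
    return not_affected(to_openvex(purl, parse_osv_response(raw_response)))


if __name__ == "__main__":
    purl = "pkg:npm/example-lib@1.2.3"  # constructed package URL
    print(json.dumps(osv_query_body(purl)))
    print("affected sample passes not-affected:", evaluate_offline(purl, SAMPLE_AFFECTED))
    print("clean sample passes not-affected:", evaluate_offline(purl, SAMPLE_CLEAN))
```

Note that the decision is only as current as the OSV data behind it and only as precise as the version carried in the pURL; a pURL without a version asks OSV about the package as a whole, which is rarely what a policy intends.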