feat: OSV-Scanner MCP server#2256
Conversation
Codecov Report❌ Patch coverage is Additional details and impacted files@@ Coverage Diff @@
## main #2256 +/- ##
==========================================
- Coverage 68.64% 67.94% -0.70%
==========================================
Files 169 171 +2
Lines 12646 12785 +139
==========================================
+ Hits 8681 8687 +6
- Misses 3294 3425 +131
- Partials 671 673 +2 ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
|
/gemini |
| github.com/google/osv-scalibr v0.3.4 | ||
| github.com/ianlancetaylor/demangle v0.0.0-20250628045327-2d64ad6b7ec5 | ||
| github.com/jedib0t/go-pretty/v6 v6.6.8 | ||
| github.com/mark3labs/mcp-go v0.41.1 |
There was a problem hiding this comment.
Scorecard is looking into a MCP server as well, is there a reason you went with this library? We had been looking at the official SDK ( partly maintained by the Go team)?
https://github.com/modelcontextprotocol/go-sdk
I haven't personally looked at alternatives, so I'm just trying to avoid redoing any analysis that may have already been done.
There was a problem hiding this comment.
I haven't looked too much into the different mcp libraries, I mostly picked go-mcp as it was the most popular by stars, and was not aware that there is an official one.
But what I found during implementation is that it really doesn't matter too much the mcp library being used, the actual part interfacing with the mcp library is quite minimal, so it should be very easy to switch between different libraries. I might switch to use go-sdk as it looks like an evolution of the go-mcp library that's more officially supported.
a969978 to
fdfbc31
Compare
66144b4 to
a54f15a
Compare
# Conflicts: # go.sum
Co-authored-by: Xueqin Cui <72771658+cuixq@users.noreply.github.com>
|
/gemini review |
There was a problem hiding this comment.
Code Review
This pull request introduces an experimental MCP (Model-Context Protocol) server to osv-scanner, allowing AI models to interact with the scanner's capabilities. The implementation adds a new mcp command, which can run as a server over stdio or an SSE HTTP server.
My review has identified a critical race condition in the handling of the vulnerability cache, which could lead to panics under concurrent use. I've also found a high-severity security issue where the HTTP server is started without timeouts, making it vulnerable to resource exhaustion attacks. Additionally, there are a couple of medium-severity suggestions for improving context propagation and code clarity.
Once these critical and high-severity issues are addressed, this will be a great addition to the project.
Basic MVP of an osv-scanner MCP server fulfilling workflow 1. Directly vulnerability scanning of a project with prioritisation.