
The open remediation layer for AI tools, so they fix vulnerabilities safely instead of running blind upgrades
Why • Problem • Solution • AI Integration • CLI • Architecture • Contributing
Your scanner found 47 vulnerabilities. Now what?
You start researching. The first CVE says "upgrade to 4.17.21." But 4.19.0 is available. Is that better? Safer? Does it introduce new issues? The GitHub release notes mention "breaking changes in 4.18" but not which ones. The NVD page links to a PR that was reverted. Someone on Reddit says the patch caused memory leaks. The maintainer closed the issue without commenting.
That was one CVE. You have 46 more.
The questions pile up:
Enterprise teams pay for tools that answer these questions. Everyone else has browser tabs and Friday nights.
Scanners find vulnerabilities. They don't fix them.
Now AI is doing vulnerability remediation too. Faster than any human, but with the same blind spots.
When you point an AI agent at a CVE, it does the obvious thing: upgrade to latest and move on. That's dangerous.
AI moves faster than humans but makes the same mistakes. Without guardrails, every remediation is a guess executed at machine speed.
OVRSE is the guardrail.
OVRSE is the layer between "you have a CVE" and "someone runs a command." It provides bounded remediation decisions so AI agents and humans can fix vulnerabilities within clear constraints.
OVRSE does not replace scanners. It consumes findings from your existing scanner and ecosystem tools, then combines them with OVRSE advisories to decide what matters now and how to fix it safely.
Scanner findings tell you what exists. Advisories tell you what's urgent. OVRSE turns both into safe execution.
flowchart LR
subgraph INPUT [" "]
S["🔍 Scanner findings"]
A["📋 OVRSE advisories"]
end
subgraph OVRSE ["OVRSE Decision Layer"]
D{"Analyze & Prioritize"}
C["Generate fix commands"]
end
subgraph OUTPUT [" "]
E["⚡ Execute"]
R["📊 Report outcome"]
end
S --> D
A --> D
D --> C
C --> E
E --> R
R -.->|"feedback loop"| D
style OVRSE fill:#4a90a4,stroke:#2d5a6b,stroke-width:2px,color:#fff
style D fill:#3d7a8c,stroke:#2d5a6b,color:#fff
style C fill:#3d7a8c,stroke:#2d5a6b,color:#fff
style S fill:#6b8e23,stroke:#4a6b1a,color:#fff
style A fill:#6b8e23,stroke:#4a6b1a,color:#fff
style E fill:#cd853f,stroke:#8b5a2b,color:#fff
style R fill:#cd853f,stroke:#8b5a2b,color:#fff
| Boundary | What It Does |
|---|---|
| Version selection | Recommends the least risky version that actually fixes the CVE, not just "latest" |
| Stability signals | Aggregates community reports, maintainer activity, and regression data before recommending |
| Risk thresholds | Weighs CISA KEV (actively exploited), EPSS (exploit probability), and CVSS to prioritize what matters |
| Breaking change warnings | Flags known breakage between current and target versions before any upgrade runs |
| Ecosystem-aware commands | Generates the exact fix command for your package manager (npm, pip, go) |
| Verification steps | Provides preflight checks and post-fix validation so upgrades don't ship blind |
OVRSE is built for AI workflows. The primary interface is the MCP (Model Context Protocol) server, which gives assistants bounded access to remediation intelligence.
Instead of this:
AI: "There's a vulnerability in lodash. Upgrading to latest."
npm install lodash@latest← unverified, potentially breaking
You get this:
AI + OVRSE: "lodash 4.17.15 has 2 CVEs. Safest fix is 4.17.21. It is a minimal patch with no known breaking changes. 4.19.0 exists but has reported regressions."
npm install lodash@4.17.21← bounded, informed, safe
Connect directly to the hosted server. No installation required.
{
"mcpServers": {
"ovrse": {
"url": "https://mcp.emphere.dev/mcp/"
}
}
}
Then ask your AI assistant:
Run the MCP server on your machine instead of using the hosted endpoint.
1. Install ovrse:
go install github.com/emphereio/ovrse/cmd/ovrse@latest
2. Add to Claude Code config (~/.claude.json):
{
"mcpServers": {
"ovrse": {
"command": "ovrse",
"args": ["mcp"]
}
}
}
| Tool | What It Does |
|---|---|
scan_project |
Scan a directory for vulnerabilities across all ecosystems |
check_if_affected |
Check if a specific package version is vulnerable |
analyze_cve |
Full analysis: fix commands, breaking changes, stability |
get_cve_verdict |
Quick risk assessment for prioritization |
batch_triage |
Triage multiple CVEs, sorted by risk |
get_fix |
Get the exact bounded upgrade command for a package |
list_ecosystems |
List available ecosystem plugins (npm, pip, go, etc.) |
report_remediation_outcome |
Report fix success/failure for community feedback loop |
For manual workflows, CI/CD pipelines, and teams not yet using AI assistants, you get the same intelligence and boundaries.
# With Go (recommended)
go install github.com/emphereio/ovrse/cmd/ovrse@latest
# Or build from source
git clone https://github.com/emphereio/ovrse.git
cd ovrse && make build
./bin/ovrse --version
# Auto-detects npm, pip, go from lock files
ovrse scan ./my-project
# JSON output for CI/CD pipelines
ovrse scan --json ./my-project
[npm] Scanned 2 packages
[?] lodash@4.17.15 - GHSA-29mw-wpgm-hmr9
[?] lodash@4.17.15 - GHSA-35jh-r3h4-6jhm
[?] axios@0.21.0 - GHSA-4w2v-q235-vp99
Total: 2 packages, 3 vulnerabilities
ovrse plan --cve CVE-2025-1234 \
--os-family debian --distribution debian \
--release 12 --arch amd64 \
--package nginx --version 1.22.0 \
--explain
See CLI Reference for full documentation.
flowchart TB
subgraph Sources["Data Sources"]
OSV[("OSV Database")]
NVD[("NVD / CVE")]
KEV[("CISA KEV")]
EPSS[("EPSS Scores")]
end
subgraph OVRSE["OVRSE"]
direction TB
ADV["Advisories
<small>Pre-computed priority lists</small>"]
CLI["CLI
<small>ovrse scan / plan</small>"]
MCP["MCP Server
<small>AI assistant integration</small>"]
subgraph Core["Core Engine"]
PLUGINS["Ecosystem Plugins
<small>npm, pip, go</small>"]
INTEL["Intel Client
<small>analyze, triage, check</small>"]
end
subgraph KB["Knowledge Layer"]
TPL["OVRS Templates"]
MAP["CVE Mappings"]
REL["Package Releases"]
end
end
subgraph Output["Bounded Remediation"]
PLAN["Remediation Plan
<small>Steps, preflight, validation</small>"]
FIX["Safe Fix Commands
<small>Version-constrained upgrades</small>"]
RISK["Risk Signals
<small>Breaking changes, stability</small>"]
end
Sources --> Core
Core --> KB
ADV --> MCP
CLI --> Core
MCP --> Core
KB --> PLAN
KB --> FIX
Core --> RISK
| Entry Point | Best For |
|---|---|
| MCP Server | AI agents that need bounded remediation decisions |
| CLI | Humans, CI/CD pipelines, scripting |
| Advisories | Pre-computed CVE lists for monitoring dashboards |
OVRSE is powered by the Open Vulnerability Remediation Specification (OVRS), a structured format for describing how to fix vulnerabilities, not just that they exist.
OVRS is what makes remediation knowledge portable. It's the reason an AI agent and a human running the CLI get the same bounded, high-quality guidance.
See spec/README.md for the full specification.
| Ecosystem | Package Managers | Lock Files |
|---|---|---|
| npm | npm, yarn, pnpm | package-lock.json |
| Python | pip, poetry, pipenv | requirements.txt |
| Go | go modules | go.sum |
Coming soon: Maven, Cargo, RubyGems, NuGet
The plugin architecture makes adding ecosystems straightforward. See pkg/ecosystem/ for examples.
Pre-computed, risk-prioritized CVE lists updated every 4 hours.
curl -s https://raw.githubusercontent.com/emphereio/ovrse/main/advisories/npm.json | jq '.cves[:3]'
Gating criteria: a CVE is included if it meets any of: - Listed in CISA KEV (actively exploited) - EPSS percentile ≥ 50% - CVSS score ≥ 9.0
Available ecosystems: npm • pypi • go • maven • cargo • gem • global
See advisories/README.md for schemas and usage.
scan, mcp, validate, plan, plan-host commandsSee ROADMAP.md for details.
| Document | Description |
|---|---|
| CLI Reference | Complete command documentation |
| Project Overview | Architecture, data flow, concepts |
| OVRS Specification | Template and KB format |
| Advisories | Pre-computed CVE lists |
| Roadmap | Development plans |
We welcome contributions!
$ claude mcp add ovrse \
-- python -m otcore.mcp_server <graph>