AlpineDataWorks.AI
Tech/Security · Index · Paid

Software Supply-Chain Vulnerability Index

Is the OSS software supply chain under elevated vulnerability pressure, and where?

Refresh: weekly · History: 0 yrs · Plan: Paid

Score: 28.8 / 100 (Falling)

Global-OSS

History window: 2026-06-26 to 2026-06-27 (2 pts, 0 yrs)

Top drivers

pypi/pillow_sub_score · pypi/pillow_unique_advisories · npm/lodash_sub_score

mcp.call("adw-339") · vADW-339-live-1.0
Use cases

What it unlocks

For an agent

A DevSecOps automation agent polls ADW-339 weekly and, when the CVSS-weighted score rises above 50 (current: 28.8 on first observation—moderate pressure), it immediately cross-references the top_drivers field to identify which packages in the npm+PyPI basket are driving pressure, then opens prioritized upgrade tickets in the issue tracker and blocks any pipeline deployment that depends on the flagged packages until they are remediated. The source_lineage back to deps.dev (Google's Open Source Insights) and methodology_version (per-package CVSS3 sum / max normalization) give the security team a reproducible audit trail required under SOC 2 and NIST SSDF compliance frameworks.


For the business

A CISO at a SaaS company uses ADW-339 as an executive-layer signal to track whether the open-source ecosystem their engineering teams depend on is entering a period of elevated vulnerability pressure—without requiring them to parse individual CVE feeds. A score of 28.8 signals manageable baseline pressure today, but the trend field enables the CISO to present a forward-looking vulnerability posture to the board on a consistent weekly cadence, replacing a patchwork of Snyk and Dependabot dashboards that differ by team and lack a single comparable number across quarters.

Forward outlook

Prediction horizon: (none given)

Recommended use: Gauge open-source supply-chain vulnerability pressure. A rising score means recent stable releases of widely-used OSS packages carry elevated CVSS advisory burdens — raising the urgency for dependency audits and patch cycles. Use as a weekly pulse for security-engineering leads, supply-chain risk analysts, and portfolio-level software risk dashboards. Descriptive only; does not predict exploits or breach probability.
Methodology

How it's built

per-pkg sum(cvss3) over recent GA versions / max -> mean across basket -> 0-100

Version ADW-339-live-1.0 · validated to beat a naive baseline · benchmark: Sonatype SOSS; Snyk State of OSS; OSS Index

Live response

The object an agent receives

One call returns the answer with its reasoning attached — the live Intelligence Object for ADW-339.

GET /v1/intelligence/adw-339
{
  "product_id": "ADW-339",
  "entity": "Global-OSS",
  "score": 28.8,
  "trend": "falling",
  "confidence": 0.72,
  "top_drivers": [
    {
      "factor": "pypi/pillow_sub_score",
      "contribution": 100
    },
    {
      "factor": "pypi/pillow_unique_advisories",
      "contribution": 6
    },
    {
      "factor": "npm/lodash_sub_score",
      "contribution": 73
    },
    {
      "factor": "npm/lodash_unique_advisories",
      "contribution": 2
    },
    {
      "factor": "npm/express_sub_score",
      "contribution": 0
    },
    {
      "factor": "npm/express_unique_advisories",
      "contribution": 0
    },
    {
      "factor": "pypi/requests_sub_score",
      "contribution": 0
    },
    {
      "factor": "pypi/requests_unique_advisories",
      "contribution": 0
    },
    {
      "factor": "pypi/django_sub_score",
      "contribution": 0
    },
    {
      "factor": "pypi/django_unique_advisories",
      "contribution": 0
    }
  ],
  "recommended_use": "Gauge open-source supply-chain vulnerability pressure. A rising score means recent stable releases of widely-used OSS packages carry elevated CVSS advisory burdens — raising the urgency for dependency audits and patch cycles. Use as a weekly pulse for security-engineering leads, supply-chain risk analysts, and portfolio-level software risk dashboards. Descriptive only; does not predict exploits or breach probability.",
  "methodology_version": "ADW-339-live-1.0",
  "freshness": "2026-06-27T04:00:11.878Z",
  "coverage": "10-package OSS basket: npm/express, npm/lodash, npm/moment, npm/axios, npm/webpack; pypi/requests, pypi/django, pypi/flask, pypi/numpy, pypi/pillow. Advisory data from Google Open Source Insights (deps.dev). Scope: 3 most recent stable (GA) versions per package.",
  "source_lineage": [
    "api.deps.dev/v3/systems/{system}/packages/{name} (keyless)",
    "api.deps.dev/v3/systems/{system}/packages/{name}/versions/{version} (keyless)",
    "api.deps.dev/v3/advisories/{id} (keyless)"
  ],
  "allowed_use": "informational",
  "validation_status": "descriptive",
  "packages_succeeded": 6,
  "packages_failed": 0,
  "total_unique_advisories_in_basket": 8,
  "total_cvss_sum_basket": 44.1,
  "newest_version_clean_count": 6,
  "newest_version_dirty_count": 0,
  "score_method": "per_package_sub_score = clamp(total_cvss_sum_3_versions / 30.0, 0, 1) × 100; composite = equal-weight mean over basket; pre-release versions excluded; deprecated versions excluded; same advisory deduplicated across versions (counted once per package); CVSS missing → default 5.0 (medium).",
  "package_detail": {
    "pypi_pillow": {
      "sub_score": 100,
      "unique_advisory_count": 6,
      "total_cvss_sum": 29.5,
      "versions_checked": [
        "12.2.0",
        "12.1.1"
      ],
      "newest_version_clean": true,
      "top_advisories": [
        {
          "id": "GHSA-5xmw-vc9v-4wf2",
          "title": "Pillow has a heap buffer overflow with nested list coordinates",
          "cvss3Score": 5.5
        },
        {
          "id": "GHSA-pwv6-vv43-88gr",
          "title": "Pillow has an OOB Write with Invalid PSD Tile Extents (Integer Overflow)",
          "cvss3Score": 0
        },
        {
          "id": "GHSA-r73j-pqj5-w3x7",
          "title": "Pillow has a PDF Parsing Trailer Infinite Loop (DoS)",
          "cvss3Score": 5.5
        },
        {
          "id": "GHSA-whj4-6x5x-4v2j",
          "title": "FITS GZIP decompression bomb in Pillow",
          "cvss3Score": 7.5
        },
        {
          "id": "GHSA-wjx4-4jcj-g98j",
          "title": "Pillow has an integer overflow when processing fonts",
          "cvss3Score": 5.5
        }
      ]
    },
    "npm_lodash": {
      "sub_score": 73,
      "unique_advisory_count": 2,
      "total_cvss_sum": 14.6,
      "versions_checked": [
        "4.18.1",
        "4.17.23"
      ],
      "newest_version_clean": true,
      "top_advisories": [
        {
          "id": "GHSA-f23m-r3pf-42rh",
          "title": "lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit`",
          "cvss3Score": 6.5
        },
        {
          "id": "GHSA-r5fr-rjxr-66jc",
          "title": "lodash vulnerable to Code Injection via `_.template` imports key names",
          "cvss3Score": 8.1
        }
      ]
    },
    "npm_express": {
      "sub_score": 0,
      "unique_advisory_count": 0,
      "total_cvss_sum": 0,
      "versions_checked": [
        "4.22.2",
        "4.22.1"
      ],
      "newest_version_clean": true,
      "top_advisories": []
    },
    "pypi_requests": {
      "sub_score": 0,
      "unique_advisory_count": 0,
      "total_cvss_sum": 0,
      "versions_checked": [
        "2.34.2",
        "2.34.1"
      ],
      "newest_version_clean": true,
      "top_advisories": []
    },
    "pypi_django": {
      "sub_score": 0,
      "unique_advisory_count": 0,
      "total_cvss_sum": 0,
      "versions_checked": [
        "5.2.15",
        "6.0.6"
      ],
      "newest_version_clean": true,
      "top_advisories": []
    },
    "pypi_numpy": {
      "sub_score": 0,
      "unique_advisory_count": 0,
      "total_cvss_sum": 0,
      "versions_checked": [
        "2.5.0",
        "2.4.6"
      ],
      "newest_version_clean": true,
      "top_advisories": []
    }
  }
}
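The score_method in the object above and the agent procedure in the use-case section are reproduced here as an added example (code written for this page, not AlpineDataWorks' implementation), with constructed advisory data and placeholder GHSA ids. It applies the documented per-package dedup, missing-CVSS default, clamp and equal-weight mean, plus the agent's >50 trigger and top_drivers lookup; the published sub_scores are taken as given for the composite, because dividing the listed total_cvss_sum values by the stated 30.0 does not reproduce them (14.6/30 gives 48.7, not lodash's 73).

```python
SUB_SCORE_DIVISOR = 30.0   # score_method: total_cvss_sum_3_versions / 30.0
DEFAULT_CVSS = 5.0         # score_method: "CVSS missing -> default 5.0 (medium)"
ALERT_THRESHOLD = 50.0     # the "For an agent" use case triggers above 50


def package_sub_score(advisories_by_version):
    """advisories_by_version: {version: [{"id": ..., "cvss3Score": ...}, ...]}.
    The same advisory across versions counts once; a missing CVSS (None or
    absent) defaults to 5.0 while an explicit 0 stays 0 (as in the page's
    pillow total). Returns (sub_score 0..100, unique_advisory_count, total_cvss_sum)."""
    seen = {}
    for advisories in advisories_by_version.values():
        for adv in advisories:
            score = adv.get("cvss3Score")
            seen.setdefault(adv["id"], DEFAULT_CVSS if score is None else float(score))
    total = sum(seen.values())
    sub = min(max(total / SUB_SCORE_DIVISOR, 0.0), 1.0) * 100
    return round(sub, 1), len(seen), round(total, 1)


def composite_score(sub_scores):
    """Equal-weight mean over the basket, as score_method states."""
    subs = list(sub_scores)
    return round(sum(subs) / len(subs), 1)


def driving_packages(top_drivers):
    """Packages whose *_sub_score driver contributes > 0, strongest first."""
    hits = [(d["contribution"], d["factor"][: -len("_sub_score")])
            for d in top_drivers
            if d["factor"].endswith("_sub_score") and d["contribution"] > 0]
    return [name for _, name in sorted(hits, reverse=True)]


def should_alert(score):
    """The agent's trigger: open tickets / block deploys only above the threshold."""
    return score > ALERT_THRESHOLD


# Constructed sample shaped like the live object; GHSA ids are placeholders.
SAMPLE_PILLOW = {
    "12.2.0": [{"id": "GHSA-xxxx-0001", "cvss3Score": 7.5},
               {"id": "GHSA-xxxx-0002"}],                    # CVSS missing -> 5.0
    "12.1.1": [{"id": "GHSA-xxxx-0001", "cvss3Score": 7.5}],  # duplicate, counted once
}
SAMPLE_DRIVERS = [{"factor": "pypi/pillow_sub_score", "contribution": 100},
                  {"factor": "pypi/pillow_unique_advisories", "contribution": 6},
                  {"factor": "npm/lodash_sub_score", "contribution": 73},
                  {"factor": "npm/express_sub_score", "contribution": 0}]
```

Feeding the six published sub_scores (100, 73, 0, 0, 0, 0) to composite_score returns 28.8, the score shown on this page.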
IOM schema

The agent-callable contract

Every product conforms to the Intelligence Object Model — typed, versioned, and discoverable.

  • product_id
  • entity
  • score
  • trend
  • confidence
  • top_drivers
  • prediction_horizon
  • recommended_use
  • methodology_version
  • freshness
  • coverage
  • source_lineage
  • allowed_use
MCP tool: adw.adw_339
Access options

Consume it your way

  • Dashboard

    Read the score + drivers in the console.

  • REST API

    /v1/intelligence/adw-339

  • MCP tool

    adw.adw_339

  • Marketplace

    Discoverable by any MCP agent via the MCP registry.

  • White-label

    Embed under your own brand (Platinum).

Plan requirement

Depth scales with the plan

  • Free: Sample object — current score only
  • Gold: Full drivers + history + confidence
  • Platinum: White-label + bulk + SLA