Global-OSS
Top drivers
Is the OSS software supply chain under elevated vulnerability pressure, and where?
A DevSecOps automation agent polls ADW-339 weekly and, when the CVSS-weighted score rises above 50 (current: 28.8 on first observation—moderate pressure), it immediately cross-references the top_drivers field to identify which packages in the npm+PyPI basket are driving pressure, then opens prioritized upgrade tickets in the issue tracker and blocks any pipeline deployment that depends on the flagged packages until they are remediated. The source_lineage back to deps.dev (Google's Open Source Insights) and methodology_version (per-package CVSS3 sum / max normalization) give the security team a reproducible audit trail required under SOC 2 and NIST SSDF compliance frameworks.
A CISO at a SaaS company uses ADW-339 as an executive-layer signal to track whether the open-source ecosystem their engineering teams depend on is entering a period of elevated vulnerability pressure—without requiring them to parse individual CVE feeds. A score of 28.8 signals manageable baseline pressure today, but the trend field enables the CISO to present a forward-looking vulnerability posture to the board on a consistent weekly cadence, replacing a patchwork of Snyk and Dependabot dashboards that differ by team and lack a single comparable number across quarters.
Method: per-package sum(cvss3) over recent GA versions / max → mean across basket → 0–100
Version ADW-339-live-1.0 · validated to beat a naive baseline · benchmark: Sonatype SOSS; Snyk State of OSS; OSS Index
One call returns the answer with its reasoning attached — the live Intelligence Object for ADW-339.
{
  "product_id": "ADW-339",
  "entity": "Global-OSS",
  "score": 28.8,
  "trend": "falling",
  "confidence": 0.72,
  "top_drivers": [
    { "factor": "pypi/pillow_sub_score", "contribution": 100 },
    { "factor": "pypi/pillow_unique_advisories", "contribution": 6 },
    { "factor": "npm/lodash_sub_score", "contribution": 73 },
    { "factor": "npm/lodash_unique_advisories", "contribution": 2 },
    { "factor": "npm/express_sub_score", "contribution": 0 },
    { "factor": "npm/express_unique_advisories", "contribution": 0 },
    { "factor": "pypi/requests_sub_score", "contribution": 0 },
    { "factor": "pypi/requests_unique_advisories", "contribution": 0 },
    { "factor": "pypi/django_sub_score", "contribution": 0 },
    { "factor": "pypi/django_unique_advisories", "contribution": 0 }
  ],
  "recommended_use": "Gauge open-source supply-chain vulnerability pressure. A rising score means recent stable releases of widely-used OSS packages carry elevated CVSS advisory burdens — raising the urgency for dependency audits and patch cycles. Use as a weekly pulse for security-engineering leads, supply-chain risk analysts, and portfolio-level software risk dashboards. Descriptive only; does not predict exploits or breach probability.",
  "methodology_version": "ADW-339-live-1.0",
  "freshness": "2026-06-27T04:00:11.878Z",
  "coverage": "10-package OSS basket: npm/express, npm/lodash, npm/moment, npm/axios, npm/webpack; pypi/requests, pypi/django, pypi/flask, pypi/numpy, pypi/pillow. Advisory data from Google Open Source Insights (deps.dev). Scope: 3 most recent stable (GA) versions per package.",
  "source_lineage": [
    "api.deps.dev/v3/systems/{system}/packages/{name} (keyless)",
    "api.deps.dev/v3/systems/{system}/packages/{name}/versions/{version} (keyless)",
    "api.deps.dev/v3/advisories/{id} (keyless)"
  ],
  "allowed_use": "informational",
  "validation_status": "descriptive",
  "packages_succeeded": 6,
  "packages_failed": 0,
  "total_unique_advisories_in_basket": 8,
  "total_cvss_sum_basket": 44.1,
  "newest_version_clean_count": 6,
  "newest_version_dirty_count": 0,
  "score_method": "per_package_sub_score = clamp(total_cvss_sum_3_versions / 30.0, 0, 1) × 100; composite = equal-weight mean over basket; pre-release versions excluded; deprecated versions excluded; same advisory deduplicated across versions (counted once per package); CVSS missing → default 5.0 (medium).",
  "package_detail": {
    "pypi_pillow": {
      "sub_score": 100,
      "unique_advisory_count": 6,
      "total_cvss_sum": 29.5,
      "versions_checked": ["12.2.0", "12.1.1"],
      "newest_version_clean": true,
      "top_advisories": [
        { "id": "GHSA-5xmw-vc9v-4wf2", "title": "Pillow has a heap buffer overflow with nested list coordinates", "cvss3Score": 5.5 },
        { "id": "GHSA-pwv6-vv43-88gr", "title": "Pillow has an OOB Write with Invalid PSD Tile Extents (Integer Overflow)", "cvss3Score": 0 },
        { "id": "GHSA-r73j-pqj5-w3x7", "title": "Pillow has a PDF Parsing Trailer Infinite Loop (DoS)", "cvss3Score": 5.5 },
        { "id": "GHSA-whj4-6x5x-4v2j", "title": "FITS GZIP decompression bomb in Pillow", "cvss3Score": 7.5 },
        { "id": "GHSA-wjx4-4jcj-g98j", "title": "Pillow has an integer overflow when processing fonts", "cvss3Score": 5.5 }
      ]
    },
    "npm_lodash": {
      "sub_score": 73,
      "unique_advisory_count": 2,
      "total_cvss_sum": 14.6,
      "versions_checked": ["4.18.1", "4.17.23"],
      "newest_version_clean": true,
      "top_advisories": [
        { "id": "GHSA-f23m-r3pf-42rh", "title": "lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit`", "cvss3Score": 6.5 },
        { "id": "GHSA-r5fr-rjxr-66jc", "title": "lodash vulnerable to Code Injection via `_.template` imports key names", "cvss3Score": 8.1 }
      ]
    },
    "npm_express": {
      "sub_score": 0,
      "unique_advisory_count": 0,
      "total_cvss_sum": 0,
      "versions_checked": ["4.22.2", "4.22.1"],
      "newest_version_clean": true,
      "top_advisories": []
    },
    "pypi_requests": {
      "sub_score": 0,
      "unique_advisory_count": 0,
      "total_cvss_sum": 0,
      "versions_checked": ["2.34.2", "2.34.1"],
      "newest_version_clean": true,
      "top_advisories": []
    },
    "pypi_django": {
      "sub_score": 0,
      "unique_advisory_count": 0,
      "total_cvss_sum": 0,
      "versions_checked": ["5.2.15", "6.0.6"],
      "newest_version_clean": true,
      "top_advisories": []
    },
    "pypi_numpy": {
      "sub_score": 0,
      "unique_advisory_count": 0,
      "total_cvss_sum": 0,
      "versions_checked": ["2.5.0", "2.4.6"],
      "newest_version_clean": true,
      "top_advisories": []
    }
  }
}
Every product conforms to the Intelligence Object Model — typed, versioned, and discoverable.
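The score_method field and the automation-agent use case above describe a procedure that a security team will want to reproduce before trusting the number in an audit trail: per-package CVSS sum, clamp against a fixed divisor, equal-weight mean over the basket, then a threshold rule that names the driving packages. The following Python is an added example, not the product's own code; the package figures and the five Pillow advisory entries are copied from the package_detail above, and the advisory with no cvss3Score key is constructed to exercise the "CVSS missing → default 5.0" rule. The function names (sum_cvss, sub_score, composite, flagged_drivers, infer_divisor), the threshold of 50 taken from the use-case text, and the candidate divisors (30.0 as stated in score_method, 20.0 as an alternative) are this example's own assumptions.

```python
"""Recompute the ADW-339 composite from published package_detail figures and apply
the weekly threshold rule. Added example; not the ADW-339 product's own code."""

MISSING_CVSS_DEFAULT = 5.0  # score_method: "CVSS missing -> default 5.0 (medium)"
AGENT_THRESHOLD = 50.0      # use-case text: act when the composite rises above 50

# Per-package figures copied from the page's package_detail (6 packages succeeded).
PACKAGE_DETAIL = {
    "pypi_pillow":   {"sub_score": 100, "unique_advisory_count": 6, "total_cvss_sum": 29.5},
    "npm_lodash":    {"sub_score": 73,  "unique_advisory_count": 2, "total_cvss_sum": 14.6},
    "npm_express":   {"sub_score": 0,   "unique_advisory_count": 0, "total_cvss_sum": 0},
    "pypi_requests": {"sub_score": 0,   "unique_advisory_count": 0, "total_cvss_sum": 0},
    "pypi_django":   {"sub_score": 0,   "unique_advisory_count": 0, "total_cvss_sum": 0},
    "pypi_numpy":    {"sub_score": 0,   "unique_advisory_count": 0, "total_cvss_sum": 0},
}

# The five Pillow advisories listed on the page, as (id, cvss3Score).
PILLOW_TOP_ADVISORIES = [
    {"id": "GHSA-5xmw-vc9v-4wf2", "cvss3Score": 5.5},
    {"id": "GHSA-pwv6-vv43-88gr", "cvss3Score": 0},
    {"id": "GHSA-r73j-pqj5-w3x7", "cvss3Score": 5.5},
    {"id": "GHSA-whj4-6x5x-4v2j", "cvss3Score": 7.5},
    {"id": "GHSA-wjx4-4jcj-g98j", "cvss3Score": 5.5},
]


def sum_cvss(advisories, default=MISSING_CVSS_DEFAULT):
    """Sum cvss3Score over advisories, counting each advisory id once
    (the page deduplicates the same advisory across versions) and
    substituting `default` when the score is absent. A score of 0 is
    present, not missing, and is summed as 0."""
    seen, total = set(), 0.0
    for adv in advisories:
        if adv["id"] in seen:
            continue
        seen.add(adv["id"])
        score = adv.get("cvss3Score")
        total += default if score is None else float(score)
    return round(total, 1)


def sub_score(total_cvss_sum, divisor):
    """clamp(total_cvss_sum / divisor, 0, 1) x 100, rounded to an integer."""
    ratio = max(0.0, min(1.0, total_cvss_sum / divisor))
    return round(ratio * 100)


def composite(detail, divisor):
    """Equal-weight mean of per-package sub-scores over the succeeded basket."""
    scores = [sub_score(p["total_cvss_sum"], divisor) for p in detail.values()]
    return round(sum(scores) / len(scores), 1)


def flagged_drivers(detail, score, threshold=AGENT_THRESHOLD):
    """The agent rule from the use case: only when the composite exceeds the
    threshold, return the packages with a nonzero sub-score, highest first,
    as the candidates for upgrade tickets. Below the threshold, nothing is flagged."""
    if score <= threshold:
        return []
    drivers = [name for name, p in detail.items() if p["sub_score"] > 0]
    return sorted(drivers, key=lambda name: -detail[name]["sub_score"])


def infer_divisor(detail, candidates=(30.0, 20.0)):
    """Audit check: which candidate divisor reproduces every published
    sub_score from its published total_cvss_sum? Returns None if none does."""
    for divisor in candidates:
        if all(sub_score(p["total_cvss_sum"], divisor) == p["sub_score"] for p in detail.values()):
            return divisor
    return None


if __name__ == "__main__":
    print("divisor that reproduces published sub_scores:", infer_divisor(PACKAGE_DETAIL))
    print("composite with divisor 30.0:", composite(PACKAGE_DETAIL, 30.0))
    print("composite with divisor 20.0:", composite(PACKAGE_DETAIL, 20.0))
    print("flagged at 28.8:", flagged_drivers(PACKAGE_DETAIL, 28.8))
    print("flagged if the score were 60:", flagged_drivers(PACKAGE_DETAIL, 60.0))
```

Running the check against the page's own figures is instructive: the composite 28.8 is exactly the equal-weight mean of the six published sub_scores (100 + 73 over 6 packages), but the divisor of 30.0 written in score_method does not yield those sub_scores (14.6 / 30 gives 49, not lodash's 73), whereas a divisor of 20.0 reproduces both 73 and Pillow's clamped 100. An audit trail is only reproducible when the stated method and the published numbers agree, so a consumer of this object should keep a check like infer_divisor in the pipeline and alert on a methodology_version change or a mismatch rather than trust the score field alone.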
Dashboard: Read the score + drivers in the console.
REST API: /v1/intelligence/adw-339
MCP tool: adw.adw_339
Marketplace: Discoverable by any MCP agent via the MCP registry.
White-label: Embed under your own brand (Platinum).
Organic growth or hype in AI/software?
Method: 10-repo AI/ML basket: stars proxy mindshare (0.6 weight), issue/star ratio proxy engagement (0.4 weight) → 0–100 health score

Enables IT leaders to forecast infrastructure capacity needs and prevent service outages during peak demand periods.
Method: YoY z-scores: electricity generation (60% weight) + data-processing PPI (40% weight); composite z → 0–100 (50 = neutral, >70 = high stress)

How strong is developer momentum in TypeScript, Python, Rust, and Go?
Method: Sum new repos across 4 languages in 30d → normalize to 0–100 vs ceiling of 100,000 total repos