OsWL continuously scans your dependencies for CVEs, license obligations, and transitive risks — giving security and compliance teams complete SBOM visibility from a single self-hosted platform.
Core Capabilities
From dependency ingestion to remediation, OsWL covers the full SCA lifecycle with enterprise-grade accuracy and auditability.
On-demand enrichment from deps.dev and OSV. Every component is cross-referenced against CVSS 3.x scores and patch availability.
deps.dev · OSV · GHSA
Automatic SPDX classification of OSS licenses — copyleft, permissive, proprietary — with obligation rules, conflict detection, and NOTICE / SPDX SBOM export per scan.
GPL · LGPL · Apache · MIT · AGPL · MPL
Track your security posture across scans. Visualize critical, high, medium, and low severity trends over time, with optional AI-generated deviation insights when an LLM provider is configured.
Version-over-version delta
Uncover vulnerabilities hidden deep in your dependency graph. DependencyPath analysis traces both direct and transitive exposure across every supported manifest.
Maven · npm · PyPI · Go · Cargo · NuGet · RubyGems
Connect GitHub, GitLab, or Bitbucket via Personal Access Token. Branch-aware imports, per-version snapshots, and per-project scan history out of the box.
GitHub · GitLab · Bitbucket
Integrate OsWL into any build pipeline with a single CLI command. Only parsed manifest metadata is uploaded — no source code leaves your build host. Bearer-token API keys per project or organization-wide.
Manifest-only upload
Live Platform
Every screen is engineered for actionability — from CVE triage to remediation tracking, no context switching required.
Vulnerability Intelligence
OsWL surfaces exploitable, patchable vulnerabilities first. CVSS scores, exploit maturity, and fix availability are enriched automatically from deps.dev and OSV advisory feeds.
| Component | CVE ID | CVSS | Severity |
|---|---|---|---|
| jackson-databind 2.13.4.2 | CVE-2022-42003 | 9.8 | Critical |
| spring-webmvc 5.3.27 | CVE-2023-20861 | 8.6 | High |
| commons-io 2.11.0 | CVE-2024-22011 | 7.5 | High |
| logback-classic 1.2.11 | CVE-2023-6378 | 6.2 | Medium |
| guava 31.1-jre | CVE-2023-2976 | 5.5 | Medium |
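The dependency-path tracing and CVSS bucketing described in this section, as an added example that is not OsWL's code. It assumes a lock file already resolved into a flat component graph (constructed inline, with `ROOT` standing for the application's own manifest) and an advisory feed that reuses the CVE ids and scores from the table above; a real scanner would fetch those advisories per (ecosystem, name, version) from a source such as `https://api.osv.dev/v1/query`. Severity bands follow the CVSS v3.x qualitative rating scale.

```python
"""Dependency-path analysis with advisory enrichment and CVSS bucketing.

Added example, not OsWL's code. The graph and the advisory feed are
constructed so the script runs offline.
"""
from collections import defaultdict

# Constructed lock-file view: resolved component -> components it requires.
# "ROOT" stands for the application's own manifest (its direct dependencies).
LOCKFILE = {
    "ROOT": ["spring-webmvc@5.3.27", "guava@31.1-jre", "logback-classic@1.2.11"],
    "spring-webmvc@5.3.27": ["spring-core@5.3.27", "jackson-databind@2.13.4.2"],
    "spring-core@5.3.27": ["commons-io@2.11.0", "guava@31.1-jre"],
    "jackson-databind@2.13.4.2": [],
    "commons-io@2.11.0": [],
    "guava@31.1-jre": [],
    "logback-classic@1.2.11": [],
}

# Constructed advisory feed: component -> [(CVE id, CVSS 3.x base score)].
# Ids and scores are the ones shown in the table; the mapping to components
# in this graph is constructed for the example.
ADVISORIES = {
    "jackson-databind@2.13.4.2": [("CVE-2022-42003", 9.8)],
    "spring-webmvc@5.3.27": [("CVE-2023-20861", 8.6)],
    "commons-io@2.11.0": [("CVE-2024-22011", 7.5)],
    "logback-classic@1.2.11": [("CVE-2023-6378", 6.2)],
    "guava@31.1-jre": [("CVE-2023-2976", 5.5)],
}

# CVSS v3.x qualitative rating scale: lower bound of each band.
CVSS_BANDS = [(9.0, "Critical"), (7.0, "High"), (4.0, "Medium"), (0.1, "Low")]


def cvss_severity(score):
    """Map a CVSS 3.x base score to its qualitative rating."""
    for floor, label in CVSS_BANDS:
        if score >= floor:
            return label
    return "None"


def parents_index(lockfile):
    """Invert the edge list so a component can be walked back towards ROOT."""
    parents = defaultdict(list)
    for parent, children in lockfile.items():
        for child in children:
            parents[child].append(parent)
    return parents


def dependency_paths(lockfile, component, root="ROOT"):
    """Every acyclic path root -> ... -> component, shortest first."""
    parents = parents_index(lockfile)
    paths = []

    def walk(node, trail):  # trail starts at `node` and ends at `component`
        if node == root:
            paths.append(trail)
            return
        for parent in parents.get(node, []):
            if parent not in trail:  # cycle guard for malformed graphs
                walk(parent, [parent] + trail)

    walk(component, [component])
    return sorted(paths, key=len)


def scan(lockfile, advisories, root="ROOT"):
    """Join the resolved graph with the advisory feed and rank the findings.

    Exposure is "direct" when the shortest path is ROOT -> component, and
    "transitive" otherwise; every path is counted so a reviewer can see how
    many routes would need to change to remove the component."""
    findings = []
    for component, advs in advisories.items():
        paths = dependency_paths(lockfile, component, root) if component in lockfile else []
        if not paths:
            continue  # advisory for something this build does not ship
        shortest = paths[0]
        for cve, score in advs:
            findings.append({
                "component": component,
                "cve": cve,
                "cvss": score,
                "severity": cvss_severity(score),
                "exposure": "direct" if len(shortest) == 2 else "transitive",
                "path": shortest,
                "path_count": len(paths),
            })
    return sorted(findings, key=lambda f: f["cvss"], reverse=True)


if __name__ == "__main__":
    for f in scan(LOCKFILE, ADVISORIES):
        print(f"{f['severity']:8} {f['cvss']:4} {f['cve']:15} {f['exposure']:10} "
              f"{' -> '.join(f['path'])}  ({f['path_count']} path(s))")
```

Because guava is reachable both directly and through spring-core, the example reports it as direct exposure with two paths; fixing only the transitive route would leave the direct one in place.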
License Intelligence
Automatically classify every SPDX license across your dependency tree. Identify copyleft obligations, license conflicts, and components that need manual legal review before they reach production.
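The classification, obligation and conflict rules described here, as an added example that is not OsWL's code. The SPDX category table, the obligation texts and the single pairwise incompatibility (GPL-2.0-only with Apache-2.0, which the FSF lists as GPLv2-incompatible) are the conventional ones and stand in for a real license policy; the component list is constructed, with logback-classic's dual licensing carried as an SPDX `OR` expression and two invented components marking the copyleft and manual-review cases.

```python
"""SPDX license classification, obligation rules and conflict detection.

Added example, not OsWL's code. The rule tables are illustrative policy
input; the component list is constructed.
"""

# SPDX identifier -> category. Extend per policy; ids not listed need review.
LICENSE_CLASSES = {
    "MIT": "permissive",
    "BSD-3-Clause": "permissive",
    "Apache-2.0": "permissive",
    "MPL-2.0": "weak-copyleft",
    "LGPL-2.1-only": "weak-copyleft",
    "LGPL-3.0-only": "weak-copyleft",
    "GPL-2.0-only": "strong-copyleft",
    "GPL-3.0-only": "strong-copyleft",
    "AGPL-3.0-only": "network-copyleft",
}

# Higher rank = more restrictive; "unknown" ranks last so it is never picked
# over a known alternative in an OR expression.
RANK = {"permissive": 0, "weak-copyleft": 1, "strong-copyleft": 2,
        "network-copyleft": 3, "unknown": 4}

OBLIGATIONS = {
    "permissive": ["retain copyright and license notice"],
    "weak-copyleft": ["retain notice", "publish modifications to the licensed files"],
    "strong-copyleft": ["retain notice", "release combined work source under the same license on distribution"],
    "network-copyleft": ["retain notice", "release source even when the software is only offered over a network"],
}

# Pairwise incompatibilities within one distributed build.
INCOMPATIBLE = {frozenset({"GPL-2.0-only", "Apache-2.0"})}

# Constructed component list: (name, version, SPDX expression).
COMPONENTS = [
    ("guava", "31.1-jre", "Apache-2.0"),
    ("jackson-databind", "2.13.4.2", "Apache-2.0"),
    ("logback-classic", "1.2.11", "EPL-1.0 OR LGPL-2.1-only"),
    ("example-gpl-lib", "1.0.0", "GPL-2.0-only"),                   # constructed
    ("example-custom-lib", "0.3.1", "SEE LICENSE IN LICENSE.txt"),  # constructed
]


def category(spdx_id):
    return LICENSE_CLASSES.get(spdx_id, "unknown")


def effective_license(expression):
    """Pick the SPDX id that governs a flat expression.

    'A OR B' lets the consumer choose, so take the least restrictive
    alternative; 'A AND B' imposes both, so take the most restrictive.
    Nested parentheses are not handled (assumption for this example)."""
    if " OR " in expression:
        pick, parts = min, expression.split(" OR ")
    elif " AND " in expression:
        pick, parts = max, expression.split(" AND ")
    else:
        return expression.strip("() ")
    return pick((effective_license(p) for p in parts), key=lambda i: RANK[category(i)])


def review(components, distribution="proprietary"):
    """Classify every component, attach obligations and raise policy flags."""
    rows, flags = [], []
    for name, version, expr in components:
        lic = effective_license(expr)
        cat = category(lic)
        rows.append({"component": f"{name}@{version}", "license": lic,
                     "category": cat, "obligations": OBLIGATIONS.get(cat, [])})
        if cat == "unknown":
            flags.append(f"{name}: '{expr}' needs manual legal review")
        if distribution == "proprietary" and cat in ("strong-copyleft", "network-copyleft"):
            flags.append(f"{name}: {lic} obligations conflict with proprietary distribution")
    present = {r["license"] for r in rows}
    for pair in INCOMPATIBLE:
        if pair <= present:
            flags.append("incompatible licenses in one build: " + " + ".join(sorted(pair)))
    return rows, flags


def notice_text(rows):
    """Render a NOTICE-style attribution block grouped by governing license."""
    by_license = {}
    for r in rows:
        by_license.setdefault(r["license"], []).append(r["component"])
    lines = ["THIRD-PARTY NOTICES"]
    for lic in sorted(by_license):
        lines.append(f"\n{lic}:")
        lines.extend(f"  - {c}" for c in sorted(by_license[lic]))
    return "\n".join(lines)


if __name__ == "__main__":
    rows, flags = review(COMPONENTS)
    for r in rows:
        print(f"{r['component']:28} {r['license']:16} {r['category']}")
    for f in flags:
        print("FLAG:", f)
    print(notice_text(rows))
```

Run as is, the review flags the constructed GPL component twice (copyleft against a proprietary distribution, and GPLv2 alongside Apache-2.0 in the same build) and sends the custom-licensed component to manual review, while logback-classic resolves to its LGPL-2.1-only alternative.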
Workflow
OsWL integrates directly into your existing development workflow. No agents, no heavyweight setup.
Add a GitHub, GitLab, or Bitbucket Personal Access Token. OsWL discovers repositories and branches and imports manifests — no source code upload required.
OsWL parses your lock files and build manifests, resolves the transitive dependency graph, and cross-references every component against deps.dev, OSV, and your license policy.
Review findings in the Security Center, filter by severity, bulk-update statuses, and track your risk posture scan-over-scan in the Risk Trend dashboard.
Gate pull requests with the OsWL CLI. Bearer-token API keys enable automated scanning in any pipeline — Jenkins, GitHub Actions, GitLab CI, or custom build servers.
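The scan-over-scan tracking and pipeline gating in the last two steps, as an added example that is not the OsWL CLI. Two scan snapshots are constructed inline (reusing the CVE ids from the table above), and the gate policy, which fails a pipeline on any new finding at or above a threshold and on any carried-over finding at or above a hard ceiling, is one reasonable policy assumed for the example rather than OsWL's own.

```python
"""Scan-over-scan delta, severity trend and a CI severity gate.

Added example, not the OsWL CLI. Snapshots are constructed; the gate
policy is an assumption for the example.
"""
import sys

SEVERITY_ORDER = ["Low", "Medium", "High", "Critical"]

# Constructed snapshots: a finding is (component, CVE id, severity).
PREVIOUS_SCAN = {
    ("jackson-databind@2.13.4.2", "CVE-2022-42003", "Critical"),
    ("spring-webmvc@5.3.27", "CVE-2023-20861", "High"),
    ("guava@31.1-jre", "CVE-2023-2976", "Medium"),
}
CURRENT_SCAN = {
    ("spring-webmvc@5.3.27", "CVE-2023-20861", "High"),
    ("guava@31.1-jre", "CVE-2023-2976", "Medium"),
    ("commons-io@2.11.0", "CVE-2024-22011", "High"),
    ("logback-classic@1.2.11", "CVE-2023-6378", "Medium"),
}


def severity_counts(findings):
    """Count findings per band, always reporting every band."""
    counts = {s: 0 for s in SEVERITY_ORDER}
    for _, _, sev in findings:
        counts[sev] += 1
    return counts


def scan_delta(previous, current):
    """Split the current scan into new, fixed and carried-over findings."""
    return {"new": current - previous,
            "fixed": previous - current,
            "carried": current & previous}


def severity_trend(previous, current):
    """Per-band change between two scans; negative numbers are improvements."""
    before, after = severity_counts(previous), severity_counts(current)
    return {s: after[s] - before[s] for s in SEVERITY_ORDER}


def at_least(severity, threshold):
    return SEVERITY_ORDER.index(severity) >= SEVERITY_ORDER.index(threshold)


def gate(current, new, threshold="High", hard_ceiling="Critical"):
    """Decide whether the pipeline may proceed. Returns (passed, reasons).

    New findings are judged against `threshold` so a pull request cannot
    introduce regressions; findings that were already present only block at
    `hard_ceiling`, which keeps pre-existing debt from failing every build
    while still refusing to carry Critical issues forward."""
    reasons = []
    for comp, cve, sev in sorted(new):
        if at_least(sev, threshold):
            reasons.append(f"new {sev} finding {cve} in {comp}")
    for comp, cve, sev in sorted(current - new):
        if at_least(sev, hard_ceiling):
            reasons.append(f"carried {sev} finding {cve} in {comp} exceeds hard ceiling")
    return (not reasons, reasons)


if __name__ == "__main__":
    delta = scan_delta(PREVIOUS_SCAN, CURRENT_SCAN)
    print("trend:", severity_trend(PREVIOUS_SCAN, CURRENT_SCAN))
    print("new:", sorted(delta["new"]))
    print("fixed:", sorted(delta["fixed"]))
    ok, reasons = gate(CURRENT_SCAN, delta["new"])
    for r in reasons:
        print("BLOCK:", r)
    sys.exit(0 if ok else 1)  # non-zero exit fails the pipeline step
```

With the constructed snapshots the trend shows the Critical count dropping by one while High and Medium each rise by one; the gate still fails because the new commons-io finding is rated High, which is exactly the case a version-over-version view is meant to surface.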
Deploy OsWL on-premise and gain full SBOM visibility across every project, team, and dependency in your organization.