Pure parser: osv-scanner JSON → [Finding.t()].
The osv-scanner output schema (as of 2.x):
{
"results": [
{
"source": {"path": "...", "type": "lockfile"},
"packages": [
{
"package": {"name": "...", "version": "...", "ecosystem": "..."},
"groups": [{"ids": [...], "max_severity": "8.2"}],
"vulnerabilities": [
{
"id": "GHSA-XXX",
"summary": "...",
"details": "...",
"aliases": ["CVE-...", "GHSA-..."],
"affected": [{"ranges": [{"events": [{"fixed": "1.11.0"}]}]}],
"references": [{"url": "..."}]
}
]
}
]
}
]
}

Severity comes from the package's groups[].max_severity field, which is a
CVSS 3.x base score serialized as a string (e.g. "8.2"); the group whose
ids list contains a vulnerability's id is the one that applies to it. We
normalize using the standard CVSS v3 severity bands (NVD qualitative
ratings): None 0.0, Low 0.1-3.9, Medium 4.0-6.9, High 7.0-8.9,
Critical 9.0-10.0. A group may carry an empty or unparseable
max_severity when the advisory has no CVSS vector; that is reported as
unknown, never silently mapped to 0.0/None.
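The walk and the severity normalization described above, as an added, self-contained example (not the MobDev.SecurityScan module's own code). It takes an already-decoded map, as the spec below does, so no JSON library is needed; the module names, the Finding struct fields, the helper names and the sample input are assumptions made for illustration, and the sample is constructed in the documented shape rather than real scanner output.

```elixir
# Added example, not project code. Names and struct fields are assumptions.
defmodule OsvExample.Finding do
  @type t :: %__MODULE__{}
  @enforce_keys [:id, :package, :version, :ecosystem, :severity, :layer]
  defstruct [:id, :package, :version, :ecosystem, :score, :severity, :fixed, :layer, aliases: []]
end

defmodule OsvExample do
  alias OsvExample.Finding

  @doc "Walk a decoded osv-scanner map and return findings tagged with `layer`."
  @spec findings(map(), atom()) :: [Finding.t()]
  def findings(json, layer) when is_map(json) and is_atom(layer) do
    for result <- Map.get(json, "results", []),
        pkg <- Map.get(result, "packages", []),
        vuln <- Map.get(pkg, "vulnerabilities", []) do
      id = vuln["id"]
      meta = pkg["package"] || %{}
      score = max_severity_for(pkg["groups"] || [], id)

      %Finding{
        id: id,
        package: meta["name"],
        version: meta["version"],
        ecosystem: meta["ecosystem"],
        aliases: vuln["aliases"] || [],
        score: score,
        severity: severity_band(score),
        fixed: first_fixed(vuln["affected"] || []),
        layer: layer
      }
    end
  end

  @doc "NVD qualitative rating for a CVSS 3.x base score given as a string."
  def severity_band(score) when is_binary(score) do
    case Float.parse(score) do
      # Only a clean numeric string inside [0.0, 10.0] is trusted.
      {s, ""} when s >= 0.0 and s <= 10.0 -> band(s)
      # "", "N/A", trailing garbage: report unknown rather than guessing 0.0.
      _ -> :unknown
    end
  end

  def severity_band(_), do: :unknown

  defp band(s) when s == 0.0, do: :none
  defp band(s) when s < 4.0, do: :low
  defp band(s) when s < 7.0, do: :medium
  defp band(s) when s < 9.0, do: :high
  defp band(_), do: :critical

  # max_severity belongs to the group whose ids list names this vuln;
  # nil (hence :unknown) when no group does.
  defp max_severity_for(groups, id) do
    Enum.find_value(groups, fn g -> if id in (g["ids"] || []), do: g["max_severity"] end)
  end

  # First "fixed" event across all affected ranges, nil if there is none.
  defp first_fixed(affected) do
    affected
    |> Enum.flat_map(&(&1["ranges"] || []))
    |> Enum.flat_map(&(&1["events"] || []))
    |> Enum.find_value(&(&1["fixed"]))
  end

  # Constructed sample in the documented shape; identifiers are placeholders.
  def sample do
    %{
      "results" => [
        %{
          "source" => %{"path" => "mix.lock", "type" => "lockfile"},
          "packages" => [
            %{
              "package" => %{"name" => "example-pkg", "version" => "1.10.0", "ecosystem" => "Hex"},
              "groups" => [
                %{"ids" => ["GHSA-EXAMPLE-1"], "max_severity" => "8.2"},
                %{"ids" => ["OSV-EXAMPLE-2"], "max_severity" => ""}
              ],
              "vulnerabilities" => [
                %{
                  "id" => "GHSA-EXAMPLE-1",
                  "aliases" => ["CVE-0000-00000"],
                  "affected" => [%{"ranges" => [%{"events" => [%{"introduced" => "0"}, %{"fixed" => "1.11.0"}]}]}]
                },
                %{"id" => "OSV-EXAMPLE-2", "affected" => []}
              ]
            }
          ]
        }
      ]
    }
  end
end

# iex> OsvExample.findings(OsvExample.sample(), :app)
# yields two findings: GHSA-EXAMPLE-1 with severity :high and fixed "1.11.0",
# and OSV-EXAMPLE-2 with severity :unknown and fixed nil.
```

The one design point worth copying is the parse: `Float.parse/1` with a required empty remainder, bounded to the CVSS range, so a missing or malformed score surfaces as `:unknown` in reports instead of disappearing into the None band.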
Summary

Functions

findings/2
Walk an osv-scanner JSON map and return findings tagged with layer.

Functions

findings/2
@spec findings(map(), atom()) :: [MobDev.SecurityScan.Finding.t()]
Walk an osv-scanner JSON map and return findings tagged with layer.