flag “Known Exploited Vulnerabilities” (KEV) in output #2397
JvD-Ericsson started this conversation in Ideas
Replies: 1 comment
We've actually got some long-standing issues on adding this sort of enrichment data over on osv.dev google/osv.dev#3245, google/osv.dev#1153. I believe as it is CVE-centric, it may make sense to add it while converting it, and then be able to surface the data while scanning. This should also help solve the issue of extra feed fetches and still allow for the offline behaviour. Happy to accept a PR there. :)
I’d like to propose adding optional tagging for CISA’s Known Exploited Vulnerabilities feed to help users prioritise findings.
Context:
OSV-Scanner matches packages/versions via OSV data. KEV is CVE-centric and doesn’t have package/version ranges, so it can’t be used as a primary matching source.
We can still add value by flagging when a matched OSV vulnerability has a CVE alias present in KEV.
Idea:
Ingest the KEV JSON feed separately (default URL: https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json) and cache it.
Post-process scan results: if any alias (CVE) in a finding is in KEV, mark the result as “known exploited” and optionally surface KEV metadata (required action, due date).
CLI options:
--kev (on by default) to enable enrichment
--kev-feed <url|file> to override for offline use
--kev-only only show KEV results if any
Output:
Add a boolean flag + KEV metadata to JSON output
Console: highlight KEV hits and maybe include a summary count
Limitations: Only works when OSV entries include a CVE alias; we wouldn’t generate OSV records from KEV.
Questions:
Would you be open to this approach?
Are there concerns about adding another external feed fetch (cache size/TTL, offline behaviour)?
Happy to draft an initial PR if this sounds reasonable.
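The ingest-and-post-process flow described in the proposal, as an added Go example that is not OSV-Scanner's code: it parses a constructed fragment of the KEV feed (field names follow the public feed's schema), matches the CVE aliases of simplified findings against it, sets the proposed `known_exploited` flag together with the required action and due date, and honours a `--kev-only` style filter and a summary count. The `finding` struct, the `OSV-EXAMPLE-*` ids and the `CVE-0000-*` ids are placeholders, not real records.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"strings"
)

// kevCatalog mirrors the top-level shape of CISA's known_exploited_vulnerabilities.json;
// only the fields this example needs are declared.
type kevCatalog struct {
	Vulnerabilities []kevEntry `json:"vulnerabilities"`
}

// kevEntry keeps the KEV metadata the proposal wants to surface.
type kevEntry struct {
	CVEID          string `json:"cveID"`
	RequiredAction string `json:"requiredAction"`
	DueDate        string `json:"dueDate"`
}

// finding is a hypothetical, simplified stand-in for one OSV vulnerability
// record in a scan result: an OSV id plus its aliases (which may include CVE ids).
type finding struct {
	ID      string   `json:"id"`
	Aliases []string `json:"aliases"`
}

// enrichedFinding is the proposed JSON output: the original finding plus a
// boolean flag and the matching KEV metadata.
type enrichedFinding struct {
	finding
	KnownExploited bool       `json:"known_exploited"`
	KEV            []kevEntry `json:"kev,omitempty"`
}

// loadKEV parses the feed body (from the cached file or the URL) into a lookup
// keyed by upper-cased CVE id so that alias matching is case-insensitive.
func loadKEV(data []byte) (map[string]kevEntry, error) {
	var cat kevCatalog
	if err := json.Unmarshal(data, &cat); err != nil {
		return nil, fmt.Errorf("parse KEV feed: %w", err)
	}
	idx := make(map[string]kevEntry, len(cat.Vulnerabilities))
	for _, e := range cat.Vulnerabilities {
		idx[strings.ToUpper(strings.TrimSpace(e.CVEID))] = e
	}
	return idx, nil
}

// enrichFindings is the post-processing step: any alias present in KEV marks the
// finding as known exploited. With kevOnly set, unflagged findings are dropped.
// The second return value is the summary count for the console output.
func enrichFindings(findings []finding, kev map[string]kevEntry, kevOnly bool) ([]enrichedFinding, int) {
	out := make([]enrichedFinding, 0, len(findings))
	hits := 0
	for _, f := range findings {
		ef := enrichedFinding{finding: f}
		for _, alias := range f.Aliases {
			if e, ok := kev[strings.ToUpper(strings.TrimSpace(alias))]; ok {
				ef.KnownExploited = true
				ef.KEV = append(ef.KEV, e)
			}
		}
		if ef.KnownExploited {
			hits++
		} else if kevOnly {
			continue
		}
		out = append(out, ef)
	}
	return out, hits
}

// sampleKEV is a constructed feed fragment; CVE-0000-0001 is a placeholder id, not a real CVE.
const sampleKEV = `{
  "vulnerabilities": [
    {"cveID": "CVE-0000-0001", "requiredAction": "Apply updates per vendor instructions.", "dueDate": "2000-01-01"}
  ]
}`

// sampleFindings are constructed scan results: one record aliases the KEV entry, one does not.
func sampleFindings() []finding {
	return []finding{
		{ID: "OSV-EXAMPLE-1", Aliases: []string{"CVE-0000-0001"}},
		{ID: "OSV-EXAMPLE-2", Aliases: []string{"CVE-0000-0002"}},
	}
}

func main() {
	kev, err := loadKEV([]byte(sampleKEV))
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	results, hits := enrichFindings(sampleFindings(), kev, false)
	enc := json.NewEncoder(os.Stdout)
	enc.SetIndent("", "  ")
	_ = enc.Encode(results)
	fmt.Printf("%d of %d findings are in CISA KEV\n", hits, len(results))
}
```

In a real integration the feed bytes would come from the `--kev-feed` file or the cached download rather than the embedded constant, and the match would run over the scanner's own result type; the alias lookup and the two output shapes (full list with a flag, or KEV-only) are the part this example is meant to show.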