# `MobDev.SecurityScan.OsvScanner.Parser`
[🔗](https://github.com/genericjam/mob_dev/blob/master/lib/mob_dev/security_scan/osv_scanner/parser.ex#L1)

Pure parser: `osv-scanner` JSON → `[Finding.t()]`.

The osv-scanner output schema (as of 2.x):

    {
      "results": [
        {
          "source": {"path": "...", "type": "lockfile"},
          "packages": [
            {
              "package": {"name": "...", "version": "...", "ecosystem": "..."},
              "groups": [{"ids": [...], "max_severity": "8.2"}],
              "vulnerabilities": [
                {
                  "id": "GHSA-XXX",
                  "summary": "...",
                  "details": "...",
                  "aliases": ["CVE-...", "GHSA-..."],
                  "affected": [{"ranges": [{"events": [{"fixed": "1.11.0"}]}]}],
                  "references": [{"url": "..."}]
                }
              ]
            }
          ]
        }
      ]
    }

Severity comes from the package's `groups[].max_severity` field,
which is a CVSS 3.x base score as a string. We normalize using
the standard CVSS severity bands (NVD qualitative ratings).

# `findings`

```elixir
@spec findings(map(), atom()) :: [MobDev.SecurityScan.Finding.t()]
```

Walk an osv-scanner JSON map and return findings tagged with `layer`.
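
The walk and the severity banding described above, as an added sketch that is not MobDev's own code. `OsvWalkSketch`, the plain-map finding shape, the `:unknown` fallback, and matching a vulnerability to its group through `groups[].ids` are assumptions of this example.

```elixir
# Added illustration, not MobDev's code. OsvWalkSketch and the plain-map
# finding shape are hypothetical; the real parser returns Finding.t() structs.
defmodule OsvWalkSketch do
  # CVSS v3.x qualitative bands: 0.0 none, 0.1-3.9 low, 4.0-6.9 medium,
  # 7.0-8.9 high, 9.0-10.0 critical.
  def band(score) when is_binary(score) do
    case Float.parse(score) do
      {s, ""} when s >= 9.0 and s <= 10.0 -> :critical
      {s, ""} when s >= 7.0 and s < 9.0 -> :high
      {s, ""} when s >= 4.0 and s < 7.0 -> :medium
      {s, ""} when s > 0.0 and s < 4.0 -> :low
      {s, ""} when s == 0.0 -> :none
      # Assumption: empty, non-numeric or out-of-range scores become :unknown
      # instead of being silently treated as low severity.
      _ -> :unknown
    end
  end

  def band(_), do: :unknown

  def findings(%{"results" => results}, layer) when is_list(results) do
    for result <- results,
        pkg <- result["packages"] || [],
        vuln <- pkg["vulnerabilities"] || [] do
      # Assumption: a vulnerability takes the score of the group listing its id.
      group = Enum.find(pkg["groups"] || [], &(vuln["id"] in (&1["ids"] || [])))

      # Collect every "fixed" event; "introduced" events are skipped by the pattern.
      fixed =
        for a <- vuln["affected"] || [], r <- a["ranges"] || [],
            %{"fixed" => v} <- r["events"] || [], do: v

      %{layer: layer, id: vuln["id"], package: get_in(pkg, ["package", "name"]),
        severity: band(group && group["max_severity"]), fixed_in: Enum.uniq(fixed)}
    end
  end

  # Anything without a "results" list yields no findings rather than a crash.
  def findings(_, _layer), do: []
end

# Constructed sample input (already decoded from JSON), following the schema above.
sample = %{"results" => [%{"source" => %{"path" => "mix.lock", "type" => "lockfile"}, "packages" => [%{
  "package" => %{"name" => "example_pkg", "version" => "1.0.0", "ecosystem" => "Hex"},
  "groups" => [%{"ids" => ["GHSA-XXX"], "max_severity" => "8.2"}],
  "vulnerabilities" => [%{"id" => "GHSA-XXX", "affected" =>
    [%{"ranges" => [%{"events" => [%{"introduced" => "0"}, %{"fixed" => "1.11.0"}]}]}]}]
}]}]}

IO.inspect(OsvWalkSketch.findings(sample, :deps))
```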

