scanoss · agustingroh · Jan 7, 2026 · Jan 5, 2026 · Jan 5, 2026 · Jan 6, 2026
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -9,6 +9,13 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ### Added
 - Upcoming changes...
 
+## [0.8.0] - 2026/01/07
+### Added
+- Included Exploit Prediction Scoring System (EPSS) to vulnerability response
+### Changed
+- Refactored OSV use case
+- Upgraded `scanoss/papi` to v0.28.0
+
 ## [0.7.0] - 2025/11/13
 ### Changed
 - Optimized query performance for retrieving vulnerabilities by PURL version using CTE (Common Table Expression) approach in `pkg/models/vulns_purl.go:111`
@@ -81,4 +88,6 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 [0.5.0]: https://github.com/scanoss/vulnerabilities/compare/v0.4.0...v0.5.0
 [0.6.0]: https://github.com/scanoss/vulnerabilities/compare/v0.5.0...v0.6.0
 [0.6.1]: https://github.com/scanoss/vulnerabilities/compare/v0.6.0...v0.6.1
-[0.6.2]: https://github.com/scanoss/vulnerabilities/compare/v0.6.1...v0.6.2
+[0.6.2]: https://github.com/scanoss/vulnerabilities/compare/v0.6.1...v0.6.2
+[0.7.0]: https://github.com/scanoss/vulnerabilities/compare/v0.6.2...v0.7.0
+[0.8.0]: https://github.com/scanoss/vulnerabilities/compare/v0.7.0...v0.8.0
diff --git a/Makefile b/Makefile
@@ -79,12 +79,6 @@ build_arm: version  ## Build an ARM 64 binary
 	go generate ./pkg/cmd/server.go
 	GOOS=linux GOARCH=arm64 CGO_ENABLED=0 go build -ldflags="-w -s" -o ./target/scanoss-vulnerabilities-api-linux-arm64 ./cmd/server
 
-build_arm: version  ## Build an ARM 64 binary
-	@echo "Building ARM binary $(VERSION)..."
-	go generate ./pkg/cmd/server.go
-	GOOS=darwin GOARCH=arm64 CGO_ENABLED=0 go build -ldflags="-w -s" -o ./target/scanoss-vulnerabilities-api-darwin-arm64 ./cmd/server
-
-
 package: package_amd  ## Build & Package an AMD 64 binary
 
 package_amd: version  ## Build & Package an AMD 64 binary

diff --git a/go.mod b/go.mod
@@ -16,7 +16,7 @@ require (
 	github.com/pandatix/go-cvss v0.6.2
 	github.com/scanoss/go-grpc-helper v0.9.0
 	github.com/scanoss/go-models v0.2.0
-	github.com/scanoss/papi v0.17.0
+	github.com/scanoss/papi v0.28.0
 	github.com/scanoss/zap-logging-helper v0.4.0
 	go.uber.org/zap v1.27.0
 	google.golang.org/grpc v1.75.0

diff --git a/go.sum b/go.sum
@@ -659,8 +659,8 @@ github.com/scanoss/go-purl-helper v0.2.1 h1:jp960a585ycyJSlqZky1NatMJBIQi/JGITDf
 github.com/scanoss/go-purl-helper v0.2.1/go.mod h1:v20/bKD8G+vGrILdiq6r0hyRD2bO8frCJlu9drEcQ38=
 github.com/scanoss/ipfilter/v2 v2.0.2 h1:GaB9i8kVJg9JQZm5XGStYkEpiaCVdsrj7ezI2wV/oh8=
 github.com/scanoss/ipfilter/v2 v2.0.2/go.mod h1:AwrpX4XGbZ7EKISMi1d6E5csBk1nWB8+ugpvXHFcTpA=
-github.com/scanoss/papi v0.17.0 h1:YKS6hN1hXbE0yV9LwAridOreNLTPfrwFozUfbrAYv+Y=
-github.com/scanoss/papi v0.17.0/go.mod h1:Z4E/4IpwYdzHHRJXTgBCGG1GjksgrFjNW5cvhbKUfeU=
+github.com/scanoss/papi v0.28.0 h1:uvevFYoxwzvSH1hvgBoAkScIGTK2U1+rLzHSoJdnARk=
+github.com/scanoss/papi v0.28.0/go.mod h1:Z4E/4IpwYdzHHRJXTgBCGG1GjksgrFjNW5cvhbKUfeU=
 github.com/scanoss/zap-logging-helper v0.4.0 h1:2qTYoaFa9+MlD2/1wmPtiDHfh+42NIEwgKVU3rPpl0Y=
 github.com/scanoss/zap-logging-helper v0.4.0/go.mod h1:9QuEZcq73g/0Izv1tWeOWukoIK0oTBzM4jSNQ5kRR1w=
 github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE=

diff --git a/pkg/adapters/vulnerability_support.go b/pkg/adapters/vulnerability_support.go
@@ -22,6 +22,7 @@ import (
 	"fmt"
 	"strings"
 
+	purlhelper "github.com/scanoss/go-purl-helper/pkg"
 	common "github.com/scanoss/papi/api/commonv2"
 	pb "github.com/scanoss/papi/api/vulnerabilitiesv2"
 	zlog "github.com/scanoss/zap-logging-helper/pkg/logger"
@@ -33,7 +34,7 @@ func sanitizeComponents(components []dtos.ComponentDTO) ([]dtos.ComponentDTO, []
 	var sanitized []dtos.ComponentDTO
 	var invalid []dtos.ComponentDTO
 	for _, component := range components {
-		_, err := utils.PurlFromString(component.Purl)
+		_, err := purlhelper.PurlFromString(component.Purl)
 		if err != nil {
 			invalid = append(invalid, component)
 			continue

diff --git a/pkg/config/server_config.go b/pkg/config/server_config.go
@@ -76,6 +76,7 @@ type ServerConfig struct {
 			APIBaseURL  string `env:"VULN_OSV_API_BASE_URL"`
 			InfoBaseURL string `env:"VULN_OSV_INFO_BASE_URL"`
 			Enabled     bool   `env:"VULN_OSV_SOURCE_ENABLED"`
+			APIWorkers  int    `env:"VULN_OSV_API_WORKERS"`
 		}
 		SCANOSS struct {
 			Enabled bool `env:"VULN_SCANOSS_SOURCE_ENABLED"`
@@ -121,6 +122,7 @@ func setServerConfigDefaults(cfg *ServerConfig) {
 	cfg.Source.OSV.APIBaseURL = "https://api.osv.dev/v1"
 	cfg.Source.OSV.InfoBaseURL = "https://osv.dev/vulnerability"
 	cfg.Source.OSV.Enabled = true
+	cfg.Source.OSV.APIWorkers = 5
 	cfg.Source.SCANOSS.Enabled = true
 }
 

diff --git a/pkg/dtos/vulnerability_output.go b/pkg/dtos/vulnerability_output.go
@@ -51,6 +51,11 @@ type CVSS struct {
 	CvssSeverity string  `json:"cvss_severity"`
 }
 
+type EPSS struct {
+	Percentile  float32 `json:"percentile"`
+	Probability float32 `json:"probability"`
+}
+
 type VulnerabilitiesOutput struct {
 	ID        string     `json:"id"`
 	Cve       string     `json:"cve"`
@@ -61,6 +66,7 @@ type VulnerabilitiesOutput struct {
 	Modified  u.OnlyDate `json:"modified"`
 	Source    string     `json:"source"`
 	Cvss      []CVSS     `json:"cvss"`
+	Epss      EPSS       `json:"epss"`
 }
 
 // ParseVulnerabilityOutput converts the input byte array to a VulnerabilityOutput structure.

diff --git a/pkg/models/all_urls.go b/pkg/models/all_urls.go