DroidGPT derives data from third-party Artificial Intelligence (AI) tools and coordinates it with Endor Labs’ proprietary risk data to help you to quickly and easily research open source software packages.

1. Sign into Endor Labs application and click Droid GPT under Discover.

2. From Droid GPT, choose an Ecosystem.

3. Type your questions in the search bar and click Ask DroidGPT. Here are a few examples:

   • What are the best logging packages for Java?
   • What AI packages have most permissive license?
   • Which GO packages have least known vulnerabilities?
   • What are a few packages similar to log4j?

You’ll receive instant answers. All results include risk scores revealing the quality, popularity, trustworthiness, and security of each package.

See also Troubleshoot errors with DroidGPT for more information.

Open source packages provide flexible, customizable software solutions that can significantly reduce development costs and time, while also fostering innovation through community collaboration.

To look for open source packages, navigate to Discover > OSS Packages.

• Type in the search bar to look for open source packages and click Search Open Source Packages.

  

• Select a search result to view more details.

• Choose the Ecosystem and click Search Open Source Packages to look for packages by their ecosystem.

An AI model is a computational system designed to simulate human intelligence by performing tasks such as recognizing patterns, making decisions, predicting outcomes, or generating content. Many open source AI models are freely available for use, modification, and distribution. Just like dependencies, these AI models can bring operational and security risks in the organization that uses them. Gaining visibility into these risks can minimize the vulnerabilities introduced by them.

Endor Labs picks the top ten thousand open source AI models available on Hugging Face and assigns Endor scores to them, so that you can make informed decisions before using them in your organization. See AI Model scores for more information.

To look for AI models, navigate to Discover > AI models.

• Type in the search bar to look for AI Models and click Search AI Models.

  

• Select a search result to view more details such as its security, activity, popularity, or quality score. You can also view complete details of an AI model.

  

• Click Go to Hugging face to see more to view the AI model on Hugging Face website.

A vulnerability is a security weakness in a software package that attackers can exploit to compromise systems, steal data, or disrupt operations. Open-source software often contains vulnerabilities that can introduce risks to your organization, if not managed properly.

Endor Labs vulnerability database is a comprehensive compilation of known software vulnerabilities. You can search the vulnerability database to identify and discover vulnerabilities within your software dependencies.

The following are the vulnerability IDs that can be used to search within the Endor Labs platform:

Search for a vulnerability

Search for vulnerabilities using supported security identifiers across your software dependencies.

1. Sign in to Endor Labs and select Discover > Vulnerabilities from the left sidebar.

2. Type a search query using a vulnerability ID (for example, CVE, GHSA) and click Search Vulnerabilities.

   You can search using partial matches. For example, searching for CVE-2025- returns a list of all vulnerabilities that start with that prefix.

   

   You can view detailed information including the name of the vulnerability, CVE ID, vulnerability’s severity, description, and metadata to help users quickly identify important details about a vulnerability.

3. Select Affected Packages to view a list of all software packages impacted by the identified vulnerability, including their names, introduced and fixed versions, and the source of the vulnerability data.

4. Select a package to view its details.

   • Overview: Shows affected and fixed versions, severity, available patches, impacted classes, and a link to the fix commit. It helps users understand the issue and take necessary remediation steps.

     

   • Endor Details: Shows affected call paths and file paths to help identify where the vulnerable code is used and how it may be triggered in the project

     

   • Impact: Shows each package version, along with the number of findings, how many projects use it, and how many other packages depend on it

     

5. Select Containers to see all container images in your organization with known vulnerabilities. It lists which packages are affected, where the issues were introduced, whether fixes are available, and the severity of the issues.