---
name: cve-research
description: Research CVEs and security advisories for project dependencies. Uses Exa, NVD API, OSV.dev, and GitHub Advisory Database to find known vulnerabilities.
argument-hint: "<package-name> [version]"
user-invocable: true
---

# CVE Research Skill

## Overview

Research known vulnerabilities for project dependencies by querying multiple sources, cross-referencing the results, and ranking them by severity.

## Data Sources

| Source | API | Coverage |
|--------|-----|----------|
| NVD | nvd.nist.gov/vuln/api | All CVEs |
| OSV.dev | api.osv.dev | npm, PyPI, Go, crates, Maven |
| GitHub Advisory | github.com/advisories | npm, pip, composer, cargo |
| Exa Search | Via MCP | Real-time web search |

## Workflow

1. **Extract** dependencies from project (package.json, etc.)
2. **Query** each source for known CVEs
3. **Cross-reference** findings across sources
4. **Prioritize** by CVSS score and exploitability
5. **Report** with fix versions and workarounds

## Query Strategy

For each dependency:
1. Search OSV.dev first (fastest, most accurate for packages)
2. Cross-check NVD for CVSS scoring
3. Use Exa for recent advisories not yet in databases
4. Check GitHub Advisory for maintainer responses

## Severity Mapping

| CVSS Score | Severity | Action |
|------------|----------|--------|
| 9.0 - 10.0 | CRITICAL | Fix immediately |
| 7.0 - 8.9 | HIGH | Fix before merge |
| 4.0 - 6.9 | MEDIUM | Plan fix |
| 0.1 - 3.9 | LOW | Document |
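
A worked example of workflow steps 2 to 5, added here and not part of this skill's own references: it builds the OSV.dev query body, extracts fix versions from an OSV-shaped response, cross-references NVD base scores keyed by CVE id, and applies the severity table above. The sample records, their GHSA/CVE identifiers and the NVD scores are constructed placeholders, and the HTTP calls are left out so it runs offline.

```python
# Severity bands from this skill's table: (minimum score, label, action).
SEVERITY_BANDS = [(9.0, "CRITICAL", "Fix immediately"), (7.0, "HIGH", "Fix before merge"),
                  (4.0, "MEDIUM", "Plan fix"), (0.1, "LOW", "Document")]

def severity_for(score):
    """Map a CVSS base score to (label, action); None means no NVD score found."""
    if score is None:  # missing data must not silently become LOW
        return "UNSCORED", "Check OSV severity vector / recent advisories"
    for floor, label, action in SEVERITY_BANDS:
        if score >= floor:
            return label, action
    return "NONE", "No action"  # 0.0 falls outside the table

def osv_query_body(name, ecosystem, version=None):
    """Request body for POST https://api.osv.dev/v1/query."""
    body = {"package": {"name": name, "ecosystem": ecosystem}}
    if version:
        body["version"] = version
    return body

def fixed_versions(vuln):
    """Collect every 'fixed' event from an OSV record's affected ranges."""
    return [ev["fixed"] for aff in vuln.get("affected", [])
            for rng in aff.get("ranges", []) for ev in rng.get("events", [])
            if "fixed" in ev]

def triage(osv_response, nvd_scores):
    """Cross-reference OSV vulns with NVD base scores (keyed by CVE id) and rank them."""
    findings = []
    for vuln in osv_response.get("vulns", []):
        ids = [vuln.get("id", "")] + vuln.get("aliases", [])
        scores = [nvd_scores[c] for c in ids if c in nvd_scores]
        score = max(scores) if scores else None
        label, action = severity_for(score)
        findings.append({"id": vuln["id"], "cves": [c for c in ids if c.startswith("CVE-")],
                         "score": score, "severity": label, "action": action,
                         "fixed": fixed_versions(vuln)})
    # Highest score first; unscored entries sort last but stay in the report.
    return sorted(findings, key=lambda f: -1.0 if f["score"] is None else f["score"], reverse=True)

# Constructed sample with placeholder identifiers (not real advisories).
SAMPLE_OSV = {"vulns": [
    {"id": "GHSA-0000-0000-0001", "aliases": ["CVE-0000-00001"], "affected": [{"ranges": [
        {"type": "ECOSYSTEM", "events": [{"introduced": "0"}, {"fixed": "2.0.1"}]}]}]},
    {"id": "GHSA-0000-0000-0002", "aliases": ["CVE-0000-00002"], "affected": [{"ranges": [
        {"type": "ECOSYSTEM", "events": [{"introduced": "1.0.0"}, {"fixed": "1.4.0"}]}]}]},
    {"id": "GHSA-0000-0000-0003", "aliases": [], "affected": []},  # no CVE alias yet
]}
SAMPLE_NVD = {"CVE-0000-00001": 5.3, "CVE-0000-00002": 9.8}
```

Running `triage(SAMPLE_OSV, SAMPLE_NVD)` ranks the CRITICAL finding first and keeps the advisory without a CVE alias visible as UNSCORED rather than dropping it or treating it as LOW.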

## References

- [CVE APIs Reference](references/cve-apis.md)
- [Query Templates](references/templates/cve-query.md)
