--- name: fortify-exploitability-analysis description: >- Triage whether a known CVE/GHSA vulnerability is actually exploitable in this project. Use when the user wants a reachability verdict on a specific advisory — is the project really affected, or is the advisory noise? Analysis only; for fixes, hand off to fortify-remediate. license: MIT metadata: version: "1.0.0" --- # Fortify CVE Exploitability Analysis > **Purpose.** Decide whether a CVE in a dependency is exploitable in *this* > project. The answer is rarely "the lib is in our tree, therefore we are > vulnerable." It depends on which APIs of the vulnerable library are actually > reached, with what input, under what configuration. This skill walks through > that analysis methodically and writes the result to `IMPACT_CVE_.md`. > > **Out of scope.** This skill does *not* fix the vulnerability. After it > produces a verdict, hand off to `fortify-remediate` (or apply an upgrade > manually) if the verdict is `affected`. > > **Requires shell execution.** The skill assumes shell access to run package-manager commands (`mvn`, `npm`, `pip`, `go`, etc.) and to grep the codebase. Without execution capability (read-only context, sandboxed evaluation, web-only session) the analysis degrades to lockfile / SBOM / manifest reading and most reachability questions resolve to `under_investigation` — say so in *Method → Limitations* and pause for an environment that has execution. The analysis runs in six steps. Do not skip the gates. --- ## Step 0: Establish context Collect the inputs you need before doing anything else. 1. **CVE identifier(s).** Normalize to the canonical form `CVE-YYYY-NNNNN` (or `GHSA-xxxx-xxxx-xxxx`). If the user gave a free-text description, ask them to confirm the ID — exploit conditions vary across CVEs in the same library and the report file name depends on it. 2. **Project root.** Confirm the working directory contains the project to analyze. Skim the top-level for manifest files. 3. **Ecosystem.** Detect from manifests at the project root, and load the matching reference file when running Steps 2 and 4 — one file per ecosystem, not the whole catalogue. Files in `references/` prefixed `eco-` are per-ecosystem references; load exactly one: - `pom.xml` → Maven → `references/eco-maven.md` - `build.gradle[.kts]` → Gradle (Java / Kotlin) → `references/eco-gradle.md` - `build.sbt` → Scala (SBT) → `references/eco-scala.md` - `WORKSPACE` / `MODULE.bazel` / `BUILD.bazel` → Bazel (cross-language: Java / Go / C/C++ / Python) → `references/eco-bazel.md` - `package.json` / `bower.json` → JavaScript (npm / yarn / pnpm / Bower) → `references/eco-npm.md` - `requirements.txt` / `pyproject.toml` / `Pipfile` / `uv.lock` → Python (pip / Poetry / Pipenv / uv) → `references/eco-python.md` - `go.mod` / `Gopkg.lock` → Go (Modules / legacy dep) → `references/eco-go.md` - `Cargo.toml` → Rust → `references/eco-rust.md` - `*.csproj` / `packages.config` / `paket.dependencies` → .NET (NuGet / Paket) → `references/eco-dotnet.md` - `composer.json` → PHP → `references/eco-php.md` - `Gemfile` → Ruby → `references/eco-ruby.md` - `Podfile` / `Package.swift` / `Cartfile` → iOS / macOS (CocoaPods / SPM / Carthage) → `references/eco-ios-macos.md` - `Config.in` + `package/` + `configs/*_defconfig` (Buildroot) / `oe-init-build-env` + `meta*/conf/layer.conf` (Yocto / OpenEmbedded; `conf/bblayers.conf` appears post-init) / `feeds.conf*` + `scripts/feeds` (OpenWrt) → meta-build for embedded Linux → `references/eco-buildroot.md`. - `conanfile.txt` / `conanfile.py` / `vcpkg.json` / `CMakeLists.txt` / `configure.ac` / `Makefile` → C/C++ → `references/eco-cpp.md` - `bom.json` / `bom.xml` → CycloneDX SBOM (input format; can substitute for live package-manager invocation) → `references/cyclonedx-sbom.md` **⚠ Ordering note.** Detect the meta-build row *before* the C/C++ row. Buildroot and OpenWrt trees carry a top-level `Makefile` (with `BR2_*` / OpenWrt-specific variables) that would otherwise route to `eco-cpp.md`, missing the meta-build entirely; Yocto has no root `Makefile` but is still better analyzed at the meta-build level than via any C/C++ source it happens to contain. A monorepo can have several. Ask the user which subproject(s) to analyze. **No manifest detected?** If the project has binary artifacts checked in (`lib/*.jar`, `WEB-INF/lib/`, `vendor/`, `third_party/`, prebuilt `*.dll` / `*.so` / `*.a` / `*.framework`), or if the input is a built artifact handed over without source (firmware image, squashfs / cpio rootfs, Docker image, `.deb` / `.rpm` / `.ipa` / `.apk`), the analysis still works — load `references/non-manifest-projects.md` for version-identification, image-extraction, and path-reconstruction techniques. 4. **Package manager available?** Run a non-destructive version probe (`mvn -v`, `npm -v`, `pip --version`, `go version`, `cargo --version`, `bitbake --version`, `make --version`, etc.). The skill needs the package manager (or, for meta-builds, the meta-build's own enumeration command) to enumerate transitive paths in Step 4. If it isn't installed, fall back in this order: (a) the project's lockfile if one exists (still authoritative — the relevant ecosystem reference file names it); (b) a CycloneDX SBOM if one is present in the repo (`references/cyclonedx-sbom.md`); (c) the bundled-binary / image workflow in `references/non-manifest-projects.md`. Record the fallback used in the report's *Method → Limitations*. 5. **Output paths.** Step 6 produces two artifacts: a human-readable Markdown report and a machine-readable CycloneDX VEX JSON. Default location is a `vex/` subdirectory at the project root — friendlier than scattering `IMPACT_*` files in the root once a project accumulates a backlog of triaged CVEs, and a natural directory for downstream fcli / Dependency-Track / GitLab tooling to consume in bulk. Take the CVE/GHSA ID, replace `-` with `_`, prefix with `IMPACT_`; the Markdown gets `.md`, the VEX gets `.vex.json`. Examples: - `CVE-2021-44228` → `vex/IMPACT_CVE_2021_44228.md` + `vex/IMPACT_CVE_2021_44228.vex.json` - `GHSA-jfh8-c2jp-5v3q` → `vex/IMPACT_GHSA_jfh8_c2jp_5v3q.md` + `vex/IMPACT_GHSA_jfh8_c2jp_5v3q.vex.json` Override the directory if the user specifies a different path. If `vex/` doesn't exist yet, create it in Step 6 before writing. ### Step 0 → Step 1 gate - [ ] CVE/GHSA ID is normalized and confirmed - [ ] Project root and ecosystem(s) identified - [ ] Package manager availability checked (and noted if missing) - [ ] Both output file paths computed (`.md` and `.vex.json`) --- ## Step 1: Research the CVE — extract exploit conditions Load `references/cve-research.md` and follow it. The goal of this step is to produce a structured **Exploit Conditions** block that you will reuse in every later step: - **Vulnerable package**: ecosystem + name + affected version range + fix version(s). - **Vulnerable API surface**: which classes/functions/methods, files, or config keys are the actual sink. *The library being on the classpath is not the same as the vulnerable code being reached.* Include *subclasses and wrapper classes that inherit the vulnerable code path*, even when they live in sibling artifacts. For example, jackson-databind's `ObjectMapper` is the vulnerable class — but `XmlMapper`, `YAMLMapper`, `CBORMapper`, etc. (in `jackson-dataformat-*` artifacts) extend it and trigger the same bug. Spring's `MappingJackson2HttpMessageConverter` wraps it. Anything that, at runtime, executes the vulnerable code path is part of the surface. - **Trigger conditions**: what input must reach the sink (attacker-controlled string? deserialized object? specific format? specific network position?). - **Required configuration**: feature flag, JVM flag, parser option, plugin, default vs non-default behavior. - **Impact**: RCE, DoS, info disclosure, etc., and the CVSS vector if known. - **Known mitigations**: workarounds short of upgrading, e.g. setting a property, removing a config file, disabling a feature. - **PoC / exploit references**: links if available. - **Known exploitation in the wild**: CISA KEV listing (with due date) and inthewild.io activity, or "no public reports". Informs urgency and how much scrutiny a `not_affected` verdict deserves; *does not* change the verdict, which is set purely by reachability in this project. See `references/cve-research.md` → *Known exploitation in the wild*. Authoritative sources, in priority order: 1. The fix commit / fix PR in the upstream repo (most definitive — shows exactly what code path was vulnerable). 2. NVD entry (https://nvd.nist.gov/vuln/detail/CVE-…). 3. GitHub Advisory Database (https://github.com/advisories/GHSA-… or the `Security` tab of the upstream repo). 4. Vendor advisory (Spring, Apache, Oracle, etc.). 5. Independent write-ups (only as supplements; verify against primary). Do not paraphrase guesses — if a source is ambiguous, say so in the report. Check the CVE's NVD publication status before relying on it; if it's pre-analysis (Received / Awaiting / Undergoing Analysis), Rejected, or absent from NVD entirely, follow *CVE publication status* in `references/cve-research.md` for how to proceed (and when to stop). ### Step 1 → Step 2 gate - [ ] Vulnerable package, version range, and fix version recorded - [ ] Vulnerable API surface identified (specific symbols, not "the library") - [ ] Trigger conditions and required configuration documented - [ ] At least one authoritative source consulted (commit / NVD / GHSA) --- ## Step 2: Confirm the vulnerable version is present Before doing any code analysis, confirm the project actually pulls in a vulnerable version of the package. 1. Resolve the dependency tree with the package manager (commands are in the ecosystem reference file you identified in Step 0). Use the *resolved* tree, not the manifest — version pinning, BOMs, lockfiles, and overrides change what actually ships. 2. Find every version of the vulnerable package in the tree. 3. Compare each version against the affected range from Step 1. **If no vulnerable version is present**: write the report with verdict `not_affected` (justification: `vulnerable_code_not_present` — the version shipped is outside the affected range), and stop. Do not run Steps 3–5. **If a vulnerable version is present**: proceed. ### Step 2 → Step 3 gate - [ ] Resolved dependency tree obtained (or partial-tree limitation noted) - [ ] All versions of the vulnerable package enumerated - [ ] Version comparison against the affected range completed - [ ] If the verdict is already `not_affected`, the report is written and we stop here --- ## Steps 3–5: Reachability analysis Step 2 confirmed that a vulnerable version resolves in this project. The remaining technical question — does attacker-controllable input actually reach the vulnerable API surface? — is answered in three sub-steps: direct-usage analysis (Step 3), path enumeration (Step 4), and per-path transitive walk (Step 5). **Load `references/reachability-analysis.md` and follow it end-to-end.** It contains the procedure for all three sub-steps, the gates between them, and the conditions under which you can short-circuit to Step 6. Return to SKILL.md when the Step 5 gate is cleared (or when Step 3 has already settled the verdict). --- ## Step 6: Write the report and the VEX artifact The skill produces two artifacts side by side: a human-readable Markdown report (`IMPACT_CVE_.md`) and a machine-readable CycloneDX VEX JSON (`IMPACT_CVE_.vex.json`). Write both — they have different consumers. The Markdown is for engineers, security reviewers, and leadership; the VEX is for SCA tooling (Dependency-Track, GitLab Vulnerability Management) and — most relevant in Fortify environments — for fcli-driven scripts that apply the verdict back to FoD / SSC issues as audit suppressions. ### The Markdown report Open `assets/IMPACT_CVE_TEMPLATE.md`, fill it in with everything you've gathered, and write it to the `.md` path computed in Step 0. The report is for human stakeholders — engineers triaging the CVE, security reviewers approving a verdict, leadership deciding whether to patch. **It is not a transcript of the skill's workflow.** Concretely: - Do not write headings like "Step 3" or "Step 5". The template uses content-named sections (`Findings`, `Exploitable surfaces`, `Other dependency paths`, `Method`, etc.) — use those. - Do not write phrases like "in Step 3 we found…" or "as enumerated in Step 4". Present every finding as a self-contained statement. - Do not include a "Verdict" body that explains the stepwise process ("Step 2 confirmed X, Step 3 confirmed Y, therefore affected"). The verdict paragraph is an executive summary; the supporting evidence belongs in the `Findings` section. Organize findings by **what's exploitable**, not by where in the dependency graph the call lives. A direct call from the project's source and a call from an intermediate library both go into `Exploitable surfaces`, side by side, ordered by clarity / severity. Paths that you investigated and ruled out go into `Other dependency paths` with a one-line reason each. Set the top-level verdict using the VEX-aligned vocabulary. The template renders the verdict as a four-row table where all options are visible and the chosen row is marked — bold its cells and put `✓` in the *This analysis* column. Record the OpenVEX keyword on the *OpenVEX status* line so downstream tooling can grep for it. | Verdict | When to use | Justification field? | |---|---|---| | `not_affected` | Vulnerable version absent **or** present but no path leads to attacker-reachable invocation of the vulnerable API surface. | **Yes** — prose label + VEX keyword in parentheses, e.g. `**Justification:** Vulnerable code is not in the execute path (`vulnerable_code_not_in_execute_path`)`. Keywords come from the OpenVEX/CycloneDX vocabulary listed in the template. | | `affected` | At least one direct or transitive path lets attacker-controllable input reach the vulnerable API surface under the required configuration. | No — *Findings → Exploitable surfaces* is the justification. Delete the *Justification* line. | | `under_investigation` | Analysis is incomplete (no package manager available, intermediate library closed-source, pre-publication CVE with no primary source, or genuine ambiguity). | No — list specific gaps under *Open questions* instead. Delete the *Justification* line. | | `fixed` | The project resolves a version at or above the documented fix version. | No — the resolved version is the justification. Delete the *Justification* line. | The report should let a reviewer reproduce your analysis. Cite specific files, lines, commits, and external sources. ### The VEX JSON Open `assets/IMPACT_VEX_TEMPLATE.md` — it contains the CycloneDX structure plus the vocabulary translation tables (the report's OpenVEX-leaning verdicts and justifications map to slightly different CycloneDX VEX keywords). Fill in the placeholders, then write the result to the `.vex.json` path computed in Step 0. The VEX file mirrors the Markdown verdict but is much shorter — `id`, `affects[].ref` purl, `analysis.state`, optional `analysis.justification`, and a 1–3 sentence `analysis.detail`. Do not replicate the Markdown's full reasoning; the Markdown is the canonical human-readable artifact, the VEX is for tooling. Both files share the same CVE/GHSA ID, the same verdict, and the same analysis date. ### The vex/ directory README The first time the skill writes to `vex/` for a project (i.e. when `vex/README.md` does **not** already exist), also write a README from `assets/VEX_README_TEMPLATE.md`. The README explains to whoever operates the SCA pipeline how to consume the `.vex.json` files (VEX endpoint, not BOM endpoint), the foot-gun (naive ingest can wipe the inventory), the Fortify-specific fcli path, and how to validate. If `vex/README.md` already exists, leave it alone — don't overwrite an operator's edits. ### Completion checklist Markdown report: - [ ] `vex/IMPACT_CVE_.md` (or `vex/IMPACT_GHSA_…`) exists (directory created if it didn't already) - [ ] Verdict table has the chosen row marked (bold + `✓`) and the OpenVEX keyword on the *OpenVEX status* line - [ ] *Justification* line is present **only** when the verdict is `not_affected`, using prose label + VEX keyword in parentheses - [ ] The verdict paragraph (executive summary) reads as a self-contained 2–4 sentence summary - [ ] `The vulnerability` section captures vulnerable code, trigger, required configuration, impact, CVSS, and sources - [ ] Every exploitable surface in `Findings → Exploitable surfaces` has a code excerpt and reasoning - [ ] Transitive paths investigated and ruled out are accounted for in `Findings → Other dependency paths` (or explicitly omitted because there are none) - [ ] `Recommended actions` names an upgrade target, mitigations, defense-in-depth, and verification (or, for `under_investigation`, "Open questions") - [ ] `Method` names tools, sink density, scope, reachability confidence (with the observation that would change it), and limitations - [ ] Sources are cited inline (CVE entry, fix commit, library source files) - [ ] **The report does not mention "Step 1", "Step 2", etc., or otherwise expose the skill's internal workflow** CycloneDX VEX JSON: - [ ] `vex/IMPACT_CVE_.vex.json` exists alongside the Markdown report and parses as valid JSON - [ ] `vex/README.md` exists (written on first run from `assets/VEX_README_TEMPLATE.md`; left alone on subsequent runs) - [ ] `bomFormat`, `specVersion` (`1.5` or later), `serialNumber` (fresh UUID), `version`, and `metadata.timestamp` are populated - [ ] `metadata.component` identifies the project being analyzed - [ ] `analysis.state` is the **translated** CycloneDX keyword (not the OpenVEX verdict verbatim — see the template's vocabulary table) - [ ] `analysis.justification` is present only when state is `not_affected`, and is the translated CycloneDX keyword - [ ] `affects[].ref` is a valid purl pinning the resolved vulnerable package version - [ ] `analysis.detail` is a tight 1–3 sentence summary, not a copy of the Markdown's reasoning --- ## Reference files | File | When to load | |------|--------------| | `references/cve-research.md` | Step 1: extracting exploit conditions from CVE/GHSA/commit data | | `references/eco-.md` (e.g. `eco-maven.md`, `eco-npm.md`, `eco-python.md`, `eco-cpp.md`, `eco-bazel.md`, `eco-buildroot.md`) | Steps 2 and 4: package-manager-specific commands. Load only the file matching the ecosystem detected in Step 0 — not the whole catalogue. The full mapping is in Step 0. | | `references/non-manifest-projects.md` | Steps 2 and 4 fallback when no manifest is present (bundled jars, .NET Framework `lib/` DLLs, prebuilt native libs, frameworks, embedded firmware / rootfs images) | | `references/cyclonedx-sbom.md` | Steps 2 and 4 fallback when working from a CycloneDX SBOM | | `references/reachability-analysis.md` | Steps 3–5: direct-usage analysis, path enumeration, transitive walk — load only after Step 2 confirms a vulnerable version is present | | `references/transitive-analysis.md` | Step 5 deep-dive: walking intermediate libraries, fetching their source, deciding when to stop (loaded from within `reachability-analysis.md`) | | `assets/IMPACT_CVE_TEMPLATE.md` | Step 6: the Markdown report template | | `assets/IMPACT_VEX_TEMPLATE.md` | Step 6: the CycloneDX VEX JSON template, including OpenVEX → CycloneDX vocabulary translation | | `assets/VEX_README_TEMPLATE.md` | Step 6: the `vex/README.md` written on first run for operators who'll consume the `.vex.json` files | ## Operating principles - **Don't hard-wrap markdown prose.** When writing the report (and when editing skill or reference files), each paragraph and each bullet item should be a single logical line. Let the editor or renderer wrap. Hard breaks belong only inside code blocks, tables, frontmatter, and ASCII diagrams. - **Cite, don't paraphrase.** Every non-trivial claim in the report should point to a file:line, a commit, or a URL. If you can't cite it, you're guessing. - **Resolved tree, not manifest.** Direct-dependency lists in `pom.xml` / `package.json` / etc. are not what actually ships. Always go through the package manager's resolution. - **Short of certainty is allowed.** "I checked X and Y; Z is unreachable because the intermediate library never calls the vulnerable method" beats "I think it's probably fine." If you can't reach a definite conclusion, say `under_investigation` and name what's missing. - **Time-box, then name the gaps.** Each transitive path gets exactly one outcome — a definitive citation or an explicit `under_investigation` marker; never both, never neither. Stop walking when the next path would cost more than the previous several combined, and put the unwalked paths under *Method → Limitations*. Coverage is a limitation to be named, not a threshold to be hit. - **Imports ≠ calls.** Searching for an import is a starting point, not the answer. A class can be imported without the vulnerable code path being executed. - **Configuration matters.** A vulnerability that requires a non-default config (e.g., `spring.cloud.function.routing-expression`) is not exploitable on a default deployment. Always check Step 1's "required configuration" against the project's actual config.