fortify-exploitability-analysis
>-
Install
mkdir -p .claude/skills/fortify-exploitability-analysis && curl -L -o skill.zip "https://agentskills.codes/api/skills/download/16054" && unzip -o skill.zip -d .claude/skills/fortify-exploitability-analysis && rm skill.zipInstalls to .claude/skills/fortify-exploitability-analysis
Activation
This is the description your AI agent reads to decide when to run this skill — the better it matches your request, the more reliably it fires.
Triage whether a known CVE/GHSA vulnerability is actually exploitable in this project. Use when the user wants a reachability verdict on a specific advisory — is the project really affected, or is the advisory noise? Analysis only; for fixes, hand off to fortify-remediate.About this skill
Fortify CVE Exploitability Analysis
Purpose. Decide whether a CVE in a dependency is exploitable in this project. The answer is rarely "the lib is in our tree, therefore we are vulnerable." It depends on which APIs of the vulnerable library are actually reached, with what input, under what configuration. This skill walks through that analysis methodically and writes the result to
IMPACT_CVE_<id>.md.Out of scope. This skill does not fix the vulnerability. After it produces a verdict, hand off to
fortify-remediate(or apply an upgrade manually) if the verdict isaffected.Requires shell execution. The skill assumes shell access to run package-manager commands (
mvn,npm,pip,go, etc.) and to grep the codebase. Without execution capability (read-only context, sandboxed evaluation, web-only session) the analysis degrades to lockfile / SBOM / manifest reading and most reachability questions resolve tounder_investigation— say so in Method → Limitations and pause for an environment that has execution.
The analysis runs in six steps. Do not skip the gates.
Step 0: Establish context
Collect the inputs you need before doing anything else.
-
CVE identifier(s). Normalize to the canonical form
CVE-YYYY-NNNNN(orGHSA-xxxx-xxxx-xxxx). If the user gave a free-text description, ask them to confirm the ID — exploit conditions vary across CVEs in the same library and the report file name depends on it. -
Project root. Confirm the working directory contains the project to analyze. Skim the top-level for manifest files.
-
Ecosystem. Detect from manifests at the project root, and load the matching reference file when running Steps 2 and 4 — one file per ecosystem, not the whole catalogue. Files in
references/prefixedeco-are per-ecosystem references; load exactly one:pom.xml→ Maven →references/eco-maven.mdbuild.gradle[.kts]→ Gradle (Java / Kotlin) →references/eco-gradle.mdbuild.sbt→ Scala (SBT) →references/eco-scala.mdWORKSPACE/MODULE.bazel/BUILD.bazel→ Bazel (cross-language: Java / Go / C/C++ / Python) →references/eco-bazel.mdpackage.json/bower.json→ JavaScript (npm / yarn / pnpm / Bower) →references/eco-npm.mdrequirements.txt/pyproject.toml/Pipfile/uv.lock→ Python (pip / Poetry / Pipenv / uv) →references/eco-python.mdgo.mod/Gopkg.lock→ Go (Modules / legacy dep) →references/eco-go.mdCargo.toml→ Rust →references/eco-rust.md*.csproj/packages.config/paket.dependencies→ .NET (NuGet / Paket) →references/eco-dotnet.mdcomposer.json→ PHP →references/eco-php.mdGemfile→ Ruby →references/eco-ruby.mdPodfile/Package.swift/Cartfile→ iOS / macOS (CocoaPods / SPM / Carthage) →references/eco-ios-macos.mdConfig.in+package/+configs/*_defconfig(Buildroot) /oe-init-build-env+meta*/conf/layer.conf(Yocto / OpenEmbedded;conf/bblayers.confappears post-init) /feeds.conf*+scripts/feeds(OpenWrt) → meta-build for embedded Linux →references/eco-buildroot.md.conanfile.txt/conanfile.py/vcpkg.json/CMakeLists.txt/configure.ac/Makefile→ C/C++ →references/eco-cpp.mdbom.json/bom.xml→ CycloneDX SBOM (input format; can substitute for live package-manager invocation) →references/cyclonedx-sbom.md
⚠ Ordering note. Detect the meta-build row before the C/C++ row. Buildroot and OpenWrt trees carry a top-level
Makefile(withBR2_*/ OpenWrt-specific variables) that would otherwise route toeco-cpp.md, missing the meta-build entirely; Yocto has no rootMakefilebut is still better analyzed at the meta-build level than via any C/C++ source it happens to contain.A monorepo can have several. Ask the user which subproject(s) to analyze.
No manifest detected? If the project has binary artifacts checked in (
lib/*.jar,WEB-INF/lib/,vendor/,third_party/, prebuilt*.dll/*.so/*.a/*.framework), or if the input is a built artifact handed over without source (firmware image, squashfs / cpio rootfs, Docker image,.deb/.rpm/.ipa/.apk), the analysis still works — loadreferences/non-manifest-projects.mdfor version-identification, image-extraction, and path-reconstruction techniques. -
Package manager available? Run a non-destructive version probe (
mvn -v,npm -v,pip --version,go version,cargo --version,bitbake --version,make --version, etc.). The skill needs the package manager (or, for meta-builds, the meta-build's own enumeration command) to enumerate transitive paths in Step 4. If it isn't installed, fall back in this order: (a) the project's lockfile if one exists (still authoritative — the relevant ecosystem reference file names it); (b) a CycloneDX SBOM if one is present in the repo (references/cyclonedx-sbom.md); (c) the bundled-binary / image workflow inreferences/non-manifest-projects.md. Record the fallback used in the report's Method → Limitations. -
Output paths. Step 6 produces two artifacts: a human-readable Markdown report and a machine-readable CycloneDX VEX JSON. Default location is a
vex/subdirectory at the project root — friendlier than scatteringIMPACT_*files in the root once a project accumulates a backlog of triaged CVEs, and a natural directory for downstream fcli / Dependency-Track / GitLab tooling to consume in bulk. Take the CVE/GHSA ID, replace-with_, prefix withIMPACT_; the Markdown gets.md, the VEX gets.vex.json. Examples:CVE-2021-44228→vex/IMPACT_CVE_2021_44228.md+vex/IMPACT_CVE_2021_44228.vex.jsonGHSA-jfh8-c2jp-5v3q→vex/IMPACT_GHSA_jfh8_c2jp_5v3q.md+vex/IMPACT_GHSA_jfh8_c2jp_5v3q.vex.json
Override the directory if the user specifies a different path. If
vex/doesn't exist yet, create it in Step 6 before writing.
Step 0 → Step 1 gate
- CVE/GHSA ID is normalized and confirmed
- Project root and ecosystem(s) identified
- Package manager availability checked (and noted if missing)
- Both output file paths computed (
.mdand.vex.json)
Step 1: Research the CVE — extract exploit conditions
Load references/cve-research.md and follow it. The goal of this step is to
produce a structured Exploit Conditions block that you will reuse in every
later step:
- Vulnerable package: ecosystem + name + affected version range + fix version(s).
- Vulnerable API surface: which classes/functions/methods, files, or config keys are the actual sink. The library being on the classpath is not the same as the vulnerable code being reached. Include subclasses and wrapper classes that inherit the vulnerable code path, even when they live in sibling artifacts. For example, jackson-databind's
ObjectMapperis the vulnerable class — butXmlMapper,YAMLMapper,CBORMapper, etc. (injackson-dataformat-*artifacts) extend it and trigger the same bug. Spring'sMappingJackson2HttpMessageConverterwraps it. Anything that, at runtime, executes the vulnerable code path is part of the surface. - Trigger conditions: what input must reach the sink (attacker-controlled string? deserialized object? specific format? specific network position?).
- Required configuration: feature flag, JVM flag, parser option, plugin, default vs non-default behavior.
- Impact: RCE, DoS, info disclosure, etc., and the CVSS vector if known.
- Known mitigations: workarounds short of upgrading, e.g. setting a property, removing a config file, disabling a feature.
- PoC / exploit references: links if available.
- Known exploitation in the wild: CISA KEV listing (with due date) and inthewild.io activity, or "no public reports". Informs urgency and how much scrutiny a
not_affectedverdict deserves; does not change the verdict, which is set purely by reachability in this project. Seereferences/cve-research.md→ Known exploitation in the wild.
Authoritative sources, in priority order:
- The fix commit / fix PR in the upstream repo (most definitive — shows exactly what code path was vulnerable).
- NVD entry (https://nvd.nist.gov/vuln/detail/CVE-…).
- GitHub Advisory Database (https://github.com/advisories/GHSA-… or the
Securitytab of the upstream repo). - Vendor advisory (Spring, Apache, Oracle, etc.).
- Independent write-ups (only as supplements; verify against primary).
Do not paraphrase guesses — if a source is ambiguous, say so in the report. Check the CVE's NVD publication status before relying on it; if it's pre-analysis (Received / Awaiting / Undergoing Analysis), Rejected, or absent from NVD entirely, follow CVE publication status in references/cve-research.md for how to proceed (and when to stop).
Step 1 → Step 2 gate
- Vulnerable package, version range, and fix version recorded
- Vulnerable API surface identified (specific symbols, not "the library")
- Trigger conditions and required configuration documented
- At least one authoritative source consulted (commit / NVD / GHSA)
Step 2: Confirm the vulnerable version is present
Before doing any code analysis, confirm the project actually pulls in a vulnerable version of the package.
- Resolve the dependency tree with the package manager (commands are in the ecosystem reference file you identified in Step 0). Use the resolved tree, not the manifest — version pinning, BOMs, lockfiles, and overrides change what actually ships.
- Find every version of the vulnerable package in the tree.
- Compare each version against the affected range from Step 1.
If no vulnerable version is present: write the report with verdict
not_affected (justification: vulnerable_code_not_present — the version
shipped is outside the affected range), and stop. Do not run Steps 3–5.
**If a
Content truncated.