agentskills.codes
FO

fortify-exploitability-analysis

>-

Install

mkdir -p .claude/skills/fortify-exploitability-analysis && curl -L -o skill.zip "https://agentskills.codes/api/skills/download/16054" && unzip -o skill.zip -d .claude/skills/fortify-exploitability-analysis && rm skill.zip

Installs to .claude/skills/fortify-exploitability-analysis

Activation

This is the description your AI agent reads to decide when to run this skill — the better it matches your request, the more reliably it fires.

Triage whether a known CVE/GHSA vulnerability is actually exploitable in this project. Use when the user wants a reachability verdict on a specific advisory — is the project really affected, or is the advisory noise? Analysis only; for fixes, hand off to fortify-remediate.
273 chars✓ has a “when” triggerlonger than Claude Code's old 250-char listing cap (fine on current versions)

About this skill

Fortify CVE Exploitability Analysis

Purpose. Decide whether a CVE in a dependency is exploitable in this project. The answer is rarely "the lib is in our tree, therefore we are vulnerable." It depends on which APIs of the vulnerable library are actually reached, with what input, under what configuration. This skill walks through that analysis methodically and writes the result to IMPACT_CVE_<id>.md.

Out of scope. This skill does not fix the vulnerability. After it produces a verdict, hand off to fortify-remediate (or apply an upgrade manually) if the verdict is affected.

Requires shell execution. The skill assumes shell access to run package-manager commands (mvn, npm, pip, go, etc.) and to grep the codebase. Without execution capability (read-only context, sandboxed evaluation, web-only session) the analysis degrades to lockfile / SBOM / manifest reading and most reachability questions resolve to under_investigation — say so in Method → Limitations and pause for an environment that has execution.

The analysis runs in six steps. Do not skip the gates.


Step 0: Establish context

Collect the inputs you need before doing anything else.

  1. CVE identifier(s). Normalize to the canonical form CVE-YYYY-NNNNN (or GHSA-xxxx-xxxx-xxxx). If the user gave a free-text description, ask them to confirm the ID — exploit conditions vary across CVEs in the same library and the report file name depends on it.

  2. Project root. Confirm the working directory contains the project to analyze. Skim the top-level for manifest files.

  3. Ecosystem. Detect from manifests at the project root, and load the matching reference file when running Steps 2 and 4 — one file per ecosystem, not the whole catalogue. Files in references/ prefixed eco- are per-ecosystem references; load exactly one:

    • pom.xml → Maven → references/eco-maven.md
    • build.gradle[.kts] → Gradle (Java / Kotlin) → references/eco-gradle.md
    • build.sbt → Scala (SBT) → references/eco-scala.md
    • WORKSPACE / MODULE.bazel / BUILD.bazel → Bazel (cross-language: Java / Go / C/C++ / Python) → references/eco-bazel.md
    • package.json / bower.json → JavaScript (npm / yarn / pnpm / Bower) → references/eco-npm.md
    • requirements.txt / pyproject.toml / Pipfile / uv.lock → Python (pip / Poetry / Pipenv / uv) → references/eco-python.md
    • go.mod / Gopkg.lock → Go (Modules / legacy dep) → references/eco-go.md
    • Cargo.toml → Rust → references/eco-rust.md
    • *.csproj / packages.config / paket.dependencies → .NET (NuGet / Paket) → references/eco-dotnet.md
    • composer.json → PHP → references/eco-php.md
    • Gemfile → Ruby → references/eco-ruby.md
    • Podfile / Package.swift / Cartfile → iOS / macOS (CocoaPods / SPM / Carthage) → references/eco-ios-macos.md
    • Config.in + package/ + configs/*_defconfig (Buildroot) / oe-init-build-env + meta*/conf/layer.conf (Yocto / OpenEmbedded; conf/bblayers.conf appears post-init) / feeds.conf* + scripts/feeds (OpenWrt) → meta-build for embedded Linux → references/eco-buildroot.md.
    • conanfile.txt / conanfile.py / vcpkg.json / CMakeLists.txt / configure.ac / Makefile → C/C++ → references/eco-cpp.md
    • bom.json / bom.xml → CycloneDX SBOM (input format; can substitute for live package-manager invocation) → references/cyclonedx-sbom.md

    ⚠ Ordering note. Detect the meta-build row before the C/C++ row. Buildroot and OpenWrt trees carry a top-level Makefile (with BR2_* / OpenWrt-specific variables) that would otherwise route to eco-cpp.md, missing the meta-build entirely; Yocto has no root Makefile but is still better analyzed at the meta-build level than via any C/C++ source it happens to contain.

    A monorepo can have several. Ask the user which subproject(s) to analyze.

    No manifest detected? If the project has binary artifacts checked in (lib/*.jar, WEB-INF/lib/, vendor/, third_party/, prebuilt *.dll / *.so / *.a / *.framework), or if the input is a built artifact handed over without source (firmware image, squashfs / cpio rootfs, Docker image, .deb / .rpm / .ipa / .apk), the analysis still works — load references/non-manifest-projects.md for version-identification, image-extraction, and path-reconstruction techniques.

  4. Package manager available? Run a non-destructive version probe (mvn -v, npm -v, pip --version, go version, cargo --version, bitbake --version, make --version, etc.). The skill needs the package manager (or, for meta-builds, the meta-build's own enumeration command) to enumerate transitive paths in Step 4. If it isn't installed, fall back in this order: (a) the project's lockfile if one exists (still authoritative — the relevant ecosystem reference file names it); (b) a CycloneDX SBOM if one is present in the repo (references/cyclonedx-sbom.md); (c) the bundled-binary / image workflow in references/non-manifest-projects.md. Record the fallback used in the report's Method → Limitations.

  5. Output paths. Step 6 produces two artifacts: a human-readable Markdown report and a machine-readable CycloneDX VEX JSON. Default location is a vex/ subdirectory at the project root — friendlier than scattering IMPACT_* files in the root once a project accumulates a backlog of triaged CVEs, and a natural directory for downstream fcli / Dependency-Track / GitLab tooling to consume in bulk. Take the CVE/GHSA ID, replace - with _, prefix with IMPACT_; the Markdown gets .md, the VEX gets .vex.json. Examples:

    • CVE-2021-44228vex/IMPACT_CVE_2021_44228.md + vex/IMPACT_CVE_2021_44228.vex.json
    • GHSA-jfh8-c2jp-5v3qvex/IMPACT_GHSA_jfh8_c2jp_5v3q.md + vex/IMPACT_GHSA_jfh8_c2jp_5v3q.vex.json

    Override the directory if the user specifies a different path. If vex/ doesn't exist yet, create it in Step 6 before writing.

Step 0 → Step 1 gate

  • CVE/GHSA ID is normalized and confirmed
  • Project root and ecosystem(s) identified
  • Package manager availability checked (and noted if missing)
  • Both output file paths computed (.md and .vex.json)

Step 1: Research the CVE — extract exploit conditions

Load references/cve-research.md and follow it. The goal of this step is to produce a structured Exploit Conditions block that you will reuse in every later step:

  • Vulnerable package: ecosystem + name + affected version range + fix version(s).
  • Vulnerable API surface: which classes/functions/methods, files, or config keys are the actual sink. The library being on the classpath is not the same as the vulnerable code being reached. Include subclasses and wrapper classes that inherit the vulnerable code path, even when they live in sibling artifacts. For example, jackson-databind's ObjectMapper is the vulnerable class — but XmlMapper, YAMLMapper, CBORMapper, etc. (in jackson-dataformat-* artifacts) extend it and trigger the same bug. Spring's MappingJackson2HttpMessageConverter wraps it. Anything that, at runtime, executes the vulnerable code path is part of the surface.
  • Trigger conditions: what input must reach the sink (attacker-controlled string? deserialized object? specific format? specific network position?).
  • Required configuration: feature flag, JVM flag, parser option, plugin, default vs non-default behavior.
  • Impact: RCE, DoS, info disclosure, etc., and the CVSS vector if known.
  • Known mitigations: workarounds short of upgrading, e.g. setting a property, removing a config file, disabling a feature.
  • PoC / exploit references: links if available.
  • Known exploitation in the wild: CISA KEV listing (with due date) and inthewild.io activity, or "no public reports". Informs urgency and how much scrutiny a not_affected verdict deserves; does not change the verdict, which is set purely by reachability in this project. See references/cve-research.mdKnown exploitation in the wild.

Authoritative sources, in priority order:

  1. The fix commit / fix PR in the upstream repo (most definitive — shows exactly what code path was vulnerable).
  2. NVD entry (https://nvd.nist.gov/vuln/detail/CVE-…).
  3. GitHub Advisory Database (https://github.com/advisories/GHSA-… or the Security tab of the upstream repo).
  4. Vendor advisory (Spring, Apache, Oracle, etc.).
  5. Independent write-ups (only as supplements; verify against primary).

Do not paraphrase guesses — if a source is ambiguous, say so in the report. Check the CVE's NVD publication status before relying on it; if it's pre-analysis (Received / Awaiting / Undergoing Analysis), Rejected, or absent from NVD entirely, follow CVE publication status in references/cve-research.md for how to proceed (and when to stop).

Step 1 → Step 2 gate

  • Vulnerable package, version range, and fix version recorded
  • Vulnerable API surface identified (specific symbols, not "the library")
  • Trigger conditions and required configuration documented
  • At least one authoritative source consulted (commit / NVD / GHSA)

Step 2: Confirm the vulnerable version is present

Before doing any code analysis, confirm the project actually pulls in a vulnerable version of the package.

  1. Resolve the dependency tree with the package manager (commands are in the ecosystem reference file you identified in Step 0). Use the resolved tree, not the manifest — version pinning, BOMs, lockfiles, and overrides change what actually ships.
  2. Find every version of the vulnerable package in the tree.
  3. Compare each version against the affected range from Step 1.

If no vulnerable version is present: write the report with verdict not_affected (justification: vulnerable_code_not_present — the version shipped is outside the affected range), and stop. Do not run Steps 3–5.

**If a


Content truncated.

Search skills

Search the agent skills registry