cve-vulnerability-analysis

CVE Vulnerability Analysis Skill

Overview

This skill analyzes CVE (Common Vulnerabilities and Exposures) findings reported against Java and JavaScript components. For each finding it decides whether the report is a false positive, assesses the compatibility risk of the upgrade that would fix it, and recommends a target version. It follows a fixed workflow so that analyses are consistent and reproducible.

Workflow

When performing CVE vulnerability analysis, follow these steps:
  1. Obtain CVE Details
    • Retrieve the CVE record from the NVD (National Vulnerability Database) API
    • Extract the description, the CVSS score and severity, and the affected version ranges (the CPE match criteria)
  2. False Positive Analysis
    • Judge the finding a false positive if any of the following conditions is met:
      1. A GitHub issue reports the CVE as a false positive, and the component named in the issue (package or artifact name and version) matches the component under analysis
      2. The repository named in the CVE description is not the repository of the component under analysis (the scanner matched on a similar name)
      3. The component's own repository (issues, security advisories, release notes or an official statement) explicitly states that the component is not affected, i.e. that the report is a false positive
    • Judge it a real vulnerability if none of the conditions is met, and record the evidence either way
  3. Upgrade Feasibility Analysis
    • Find the versions in which the vulnerability is fixed
    • Classify the version jump and its compatibility risk
    • Give concrete upgrade recommendations
  4. Generate the Standard Report
    • Fill in the preset report template
    • Include evidence links and specific recommendations
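A worked example of step 1, added here and not taken from the skill's own scripts/fetch_cve_details.py: it parses an NVD CVE API 2.0 response into the fields the report template asks for (the English description, the newest CVSS score with its severity, the affected version ranges from the CPE match criteria, and the tagged reference links). The JSON record is constructed for the example; the CVE id, product and versions are placeholders, not a real vulnerability.

```python
"""Step 1 of the workflow: extract what the analyst needs from an NVD CVE API 2.0 record.

Added example; it is not the skill's own fetch_cve_details.py. The record below is
constructed in the shape returned by
https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=<id>; the CVE id, product and
versions are placeholders, not a real vulnerability.
"""
from __future__ import annotations
import json
from typing import Any, Optional

SAMPLE_NVD_RESPONSE = json.dumps({"vulnerabilities": [{"cve": {
    "id": "CVE-0000-00000",
    "descriptions": [
        {"lang": "en", "value": "example-lib before 2.4.1 mishandles crafted input (constructed text)."},
        {"lang": "es", "value": "(texto de ejemplo)"}],
    "metrics": {"cvssMetricV31": [{"source": "nvd@nist.gov", "type": "Primary", "cvssData": {
        "version": "3.1", "baseScore": 7.5, "baseSeverity": "HIGH",
        "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}}]},
    "references": [
        {"url": "https://github.com/example-org/example-lib/security/advisories", "tags": ["Vendor Advisory"]},
        {"url": "https://github.com/example-org/example-lib/issues/123", "tags": ["Issue Tracking"]}],
    "configurations": [{"nodes": [{"operator": "OR", "negate": False, "cpeMatch": [
        {"vulnerable": True, "criteria": "cpe:2.3:a:example-org:example-lib:*:*:*:*:*:*:*:*",
         "versionStartIncluding": "2.0.0", "versionEndExcluding": "2.4.1"},
        {"vulnerable": True, "criteria": "cpe:2.3:a:example-org:example-lib:1.9.0:*:*:*:*:*:*:*"},
        {"vulnerable": False, "criteria": "cpe:2.3:a:example-org:example-lib:2.4.1:*:*:*:*:*:*:*"}]}]}],
}}]})

# Newest CVSS version first; an NVD record may carry several of these at once.
CVSS_KEYS = ("cvssMetricV40", "cvssMetricV31", "cvssMetricV30", "cvssMetricV2")


def english_description(cve: dict) -> str:
    for d in cve.get("descriptions", []):
        if d.get("lang") == "en":
            return d["value"]
    raise ValueError("record has no English description")


def best_cvss(metrics: dict) -> Optional[dict]:
    """Pick the newest CVSS version present, preferring NVD's own (Primary) entry over a CNA's."""
    for key in CVSS_KEYS:
        entries = metrics.get(key) or []
        if not entries:
            continue
        entry = next((e for e in entries if e.get("type") == "Primary"), entries[0])
        data = entry["cvssData"]
        # CVSS v2 keeps baseSeverity on the metric entry, v3/v4 keep it inside cvssData
        return {"version": data.get("version"), "score": data["baseScore"],
                "severity": data.get("baseSeverity") or entry.get("baseSeverity"),
                "vector": data["vectorString"]}
    return None


def affected_ranges(configurations: list) -> list[dict]:
    """Flatten the CPE match entries flagged vulnerable into per-product version ranges.
    AND nodes (product + platform) are flattened too, so a platform condition is lost;
    check the raw record when a range looks too broad."""
    ranges = []
    for cfg in configurations:
        for node in cfg.get("nodes", []):
            for m in node.get("cpeMatch", []):
                if not m.get("vulnerable"):
                    continue  # e.g. the fixed version, or a platform CPE
                parts = m["criteria"].split(":")  # cpe:2.3:part:vendor:product:version:...
                version = parts[5] if parts[5] not in ("*", "-") else None
                ranges.append({"product": f"{parts[3]}:{parts[4]}", "exact": version,
                               "start_including": m.get("versionStartIncluding"),
                               "start_excluding": m.get("versionStartExcluding"),
                               "end_including": m.get("versionEndIncluding"),
                               "end_excluding": m.get("versionEndExcluding")})
    return ranges


def format_range(r: dict) -> str:
    if r["exact"]:
        return f"{r['product']} == {r['exact']}"
    lo = f"{r['start_including']} <= " if r["start_including"] else (
        f"{r['start_excluding']} < " if r["start_excluding"] else "")
    hi = f" < {r['end_excluding']}" if r["end_excluding"] else (
        f" <= {r['end_including']}" if r["end_including"] else "")
    return f"{r['product']} {lo}v{hi}"


def parse_nvd_record(raw_json: str) -> dict[str, Any]:
    """Reduce one API response to the fields the report template asks for."""
    vulns = json.loads(raw_json).get("vulnerabilities", [])
    if len(vulns) != 1:
        raise ValueError(f"expected one CVE record, got {len(vulns)}")
    cve = vulns[0]["cve"]
    return {"id": cve["id"],
            "description": english_description(cve),
            "cvss": best_cvss(cve.get("metrics", {})),
            "affected_ranges": affected_ranges(cve.get("configurations", [])),
            "references": [{"url": ref["url"], "tags": ref.get("tags", [])}
                           for ref in cve.get("references", [])]}


if __name__ == "__main__":
    rec = parse_nvd_record(SAMPLE_NVD_RESPONSE)
    print(rec["id"], rec["cvss"]["severity"], rec["cvss"]["score"])
    for r in rec["affected_ranges"]:
        print("  affected:", format_range(r))
```

Fetch the real record with GET https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=<CVE-ID> (an apiKey header raises the rate limit) and pass the response body to parse_nvd_record. Records without any cvssMetric entry come back with cvss set to None, which the report should state rather than silently treating as low severity.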

Detailed Guide for False Positive Analysis

GitHub Issues Search

  • Use the GitHub API (GET /search/issues) or a web search to find relevant issues
  • Search terms: the CVE ID, the phrase "false positive", and the affected component's name (scope the search with repo:owner/name when the repository is known)
  • For each hit, record the issue state (open/closed), what the maintainers say in the comments, and how it was resolved; an open issue from a third party is a claim, a maintainer's confirmation is evidence
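An added example of the search and of the rate-limit handling, not the skill's check_github_issues.py, and it sends no requests: it builds the query for GET /search/issues, keeps only hits that actually name the CVE, flags pull requests (which the same endpoint returns), and computes how long to wait from the X-RateLimit-* and Retry-After headers. The search response and the headers are constructed in the shape GitHub's REST API returns. The search endpoint allows 10 requests per minute unauthenticated and 30 with a token, so the wait calculation matters when many CVEs are analyzed in a batch.

```python
"""GitHub issue search for false-positive reports, plus rate-limit handling.

Added example; it is not the skill's check_github_issues.py and makes no network
calls. The search response and the headers below are constructed in the shape
GitHub's REST API returns for GET /search/issues.
"""
from __future__ import annotations
from urllib.parse import urlencode

SEARCH_API = "https://api.github.com/search/issues"


def build_search_query(cve_id: str, component: str, repo: str | None = None) -> str:
    """All terms must match (GitHub search ANDs them); repo: narrows to one repository."""
    terms = [f'"{cve_id}"', '"false positive"', f'"{component}"', "is:issue"]
    if repo:
        terms.append(f"repo:{repo}")
    return " ".join(terms)


def build_search_url(query: str, per_page: int = 30) -> str:
    return f"{SEARCH_API}?{urlencode({'q': query, 'sort': 'updated', 'per_page': per_page})}"


def summarize_issues(payload: dict, cve_id: str) -> list[dict]:
    """Keep only hits whose title or body literally contain the CVE id: search can match
    more loosely, and a hit that never names the CVE is not evidence. Pull requests come
    back from /search/issues too and are flagged so the report can tell them apart."""
    hits = []
    for item in payload.get("items", []):
        text = f"{item.get('title', '')}\n{item.get('body') or ''}"
        if cve_id.lower() not in text.lower():
            continue
        hits.append({"url": item["html_url"], "state": item["state"], "title": item["title"],
                     "comments": item.get("comments", 0), "is_pr": "pull_request" in item})
    return hits


def seconds_to_wait(headers: dict, now: float) -> float:
    """How long to sleep before the next request. X-RateLimit-Reset is a UTC epoch second;
    on 403/429 GitHub may instead (or also) send Retry-After in seconds, so honour the larger."""
    h = {k.lower(): v for k, v in headers.items()}
    wait = float(h.get("retry-after", 0))
    if int(h.get("x-ratelimit-remaining", 1)) <= 0:
        wait = max(wait, float(h.get("x-ratelimit-reset", now)) - now)
    return max(wait, 0.0)


# Constructed response for GET /search/issues (fields trimmed to those used above).
SAMPLE_SEARCH_RESPONSE = {"total_count": 3, "incomplete_results": False, "items": [
    {"html_url": "https://github.com/example-org/example-lib/issues/123", "state": "closed",
     "title": "CVE-0000-00000 reported against example-lib is a false positive", "comments": 4,
     "body": "Scanner matched on the artifact name; the vulnerable code was never shipped."},
    {"html_url": "https://github.com/example-org/example-lib/pull/130", "state": "open",
     "title": "Add note about CVE-0000-00000 to SECURITY.md", "comments": 1, "body": None,
     "pull_request": {"url": "https://api.github.com/repos/example-org/example-lib/pulls/130"}},
    {"html_url": "https://github.com/example-org/example-lib/issues/98", "state": "open",
     "title": "False positive from scanner on the 1.x line", "comments": 0, "body": None}]}

# Constructed headers of a response that exhausted the search quota.
SAMPLE_HEADERS_EXHAUSTED = {"X-RateLimit-Limit": "10", "X-RateLimit-Remaining": "0",
                            "X-RateLimit-Reset": "1700000060"}

if __name__ == "__main__":
    q = build_search_query("CVE-0000-00000", "example-lib", repo="example-org/example-lib")
    print(build_search_url(q))
    for hit in summarize_issues(SAMPLE_SEARCH_RESPONSE, "CVE-0000-00000"):
        print(f"[{hit['state']}] {'PR ' if hit['is_pr'] else ''}{hit['title']} -> {hit['url']}")
    print("sleep", seconds_to_wait(SAMPLE_HEADERS_EXHAUSTED, now=1700000000.0), "s before the next request")
```

Send the request with an Authorization: Bearer token header where possible; besides the higher quota, authenticated search also returns results from private repositories the token can read.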

Repository URL Comparison

  • Extract the repository URLs mentioned in the CVE description and in its reference links
  • Obtain the component's actual repository URL from its manifest (the <scm> element in pom.xml, the "repository" field in package.json)
  • Normalize both (scheme, user@host:path form, trailing .git, letter case, sub-paths such as /tree/... or /issues/...) and check whether they point to the same repository; a different repository usually means the scanner matched a component with a similar name
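An added example of the comparison, not the skill's own script: one normalizer reduces the spellings found in CVE references, package.json and pom.xml to host/owner/name, so that a differing repository is detected rather than a differing spelling. The manifests and CVE texts are constructed; Example-Org/example-lib and other-org/example-lib-fork are placeholder names.

```python
"""Repository URL comparison for the false-positive check.

Added example; it is not the skill's own script. The CVE text, package.json and pom.xml
below are constructed; the component and repository names are placeholders.
"""
from __future__ import annotations
import json
import re
import xml.etree.ElementTree as ET
from typing import Optional

_URL_RE = re.compile(r"""https?://[^\s<>"'(),;\]]+""")
# git@host:owner/name.git  (scp-like syntax, no scheme)
_SCP_LIKE_RE = re.compile(r"^(?:[\w.-]+@)?(?P<host>[\w.-]+):(?P<path>[^/].*)$")
_GENERIC_RE = re.compile(r"^[a-z][a-z0-9+.-]*://(?:[^@/]+@)?(?P<host>[^/:]+)(?::\d+)?/(?P<path>.*)$", re.I)


def normalize_repo_url(url: str) -> Optional[str]:
    """Reduce the many spellings of a repository location to host/owner/name (lower case).
    Handles https, ssh://, scp-like git@host:path, git+ prefixes, Maven's scm:git: prefix,
    npm's github:owner/name and owner/name shorthands, .git suffixes and sub-paths."""
    s = url.strip()
    if s.startswith("github:"):
        s = "https://github.com/" + s[len("github:"):]
    elif re.fullmatch(r"[\w-]+/[\w.-]+", s):          # npm shorthand; owners never contain dots
        s = "https://github.com/" + s
    s = re.sub(r"^scm:git:", "", s)
    s = re.sub(r"^git\+", "", s)
    if "://" not in s:
        m = _SCP_LIKE_RE.match(s)
        s = f"ssh://{m['host']}/{m['path']}" if m else "https://" + s
    m = _GENERIC_RE.match(s)
    if not m:
        return None
    segments = [p for p in m["path"].split("/") if p][:2]   # owner, name; drops /tree/..., /issues/...
    if len(segments) != 2:
        return None
    owner, name = segments
    name = re.sub(r"\.git$", "", name)
    return f"{m['host'].lower()}/{owner.lower()}/{name.lower()}"


def find_repo_urls(text: str) -> set[str]:
    """Every repository referenced in free text (a CVE description or its reference list)."""
    return {n for n in map(normalize_repo_url, _URL_RE.findall(text)) if n}


def _child(element: ET.Element, local_name: str) -> Optional[ET.Element]:
    """Namespace-agnostic child lookup; pom.xml files may or may not declare the POM namespace."""
    for child in element:
        if child.tag.rsplit("}", 1)[-1] == local_name:
            return child
    return None


def repo_from_pom(pom_xml: str) -> Optional[str]:
    scm = _child(ET.fromstring(pom_xml), "scm")
    if scm is None:
        return None
    for tag in ("url", "connection", "developerConnection"):
        el = _child(scm, tag)
        if el is not None and el.text:
            normalized = normalize_repo_url(el.text)
            if normalized:
                return normalized
    return None


def repo_from_package_json(text: str) -> Optional[str]:
    repo = json.loads(text).get("repository")
    if isinstance(repo, dict):            # {"type": "git", "url": "..."}
        repo = repo.get("url")
    return normalize_repo_url(repo) if isinstance(repo, str) else None


def compare_repositories(cve_text: str, component_repo: Optional[str]) -> dict:
    cve_repos = find_repo_urls(cve_text)
    return {"cve_repos": sorted(cve_repos), "component_repo": component_repo,
            "same": component_repo is not None and component_repo in cve_repos}


# Constructed inputs.
SAMPLE_PACKAGE_JSON = json.dumps({"name": "example-lib", "version": "2.3.0",
    "repository": {"type": "git", "url": "git+https://github.com/Example-Org/example-lib.git"}})
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <groupId>org.example</groupId><artifactId>example-lib</artifactId><version>2.3.0</version>
  <scm><connection>scm:git:git@github.com:Example-Org/example-lib.git</connection>
       <url>https://github.com/Example-Org/example-lib/tree/main</url></scm>
</project>"""
CVE_TEXT_SAME = ("example-lib (https://github.com/Example-Org/example-lib) before 2.4.1 mishandles input; "
                 "see https://github.com/Example-Org/example-lib/issues/123.")
CVE_TEXT_LOOKALIKE = "The example-lib fork at https://github.com/other-org/example-lib-fork before 0.9 ..."

if __name__ == "__main__":
    repo = repo_from_pom(SAMPLE_POM)
    print("component repo:", repo, "| package.json:", repo_from_package_json(SAMPLE_PACKAGE_JSON))
    print("match:", compare_repositories(CVE_TEXT_SAME, repo))
    print("lookalike:", compare_repositories(CVE_TEXT_LOOKALIKE, repo))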

Official Statement Verification

  • Check the GitHub Security Advisories of the component's repository (the Security tab) and its SECURITY.md
  • Read RELEASES.md, CHANGELOG.md and the release notes of the versions around the fix
  • Search the repository for security announcements and statements that mention the CVE

Compatibility Risk Assessment Rules

Assess the compatibility risk of a version upgrade by the size of the version jump (MAJOR.MINOR.PATCH):

Version Change Type   | Risk Level  | Description
----------------------|-------------|------------------------------------------------------------------------------------
Major version change  | High risk   | e.g. 9.3.2 to 11.3.8; may involve breaking API changes and architectural adjustments
Minor version change  | Medium risk | e.g. 5.3.39 to 5.4.0; new features alongside compatibility issues that need checking
Patch version change  | Low risk    | e.g. 5.3.39 to 5.3.40; usually only bug fixes and security updates

This table assumes the component follows semantic versioning. Rate a minor bump of a 0.x component as high risk (semver allows it to be breaking), do not recommend a pre-release target (-rc, -beta, -SNAPSHOT) for production, and prefer the nearest fixed release on the current line over a jump to a newer line. Where a project is known not to follow semver, read its release notes rather than trusting the version numbers.

Risk Assessment Guidelines

  • High risk: run the full test suite and review API changes, configuration changes, and transitive dependency changes (a major bump often pulls in new versions of other libraries)
  • Medium risk: check the main functions and go through the changelog for breaking changes and deprecations
  • Low risk: can be upgraded directly, but basic functional testing is still recommended
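An added example (not the skill's analyze_version_compatibility.py) that applies the table and the guidelines above: it classifies the version jump, decides whether a version falls inside an affected range expressed with NVD's versionStartIncluding/versionEndExcluding semantics, and picks the nearest final release that is fixed. The version list and ranges are constructed placeholders; the 0.x and pre-release handling is the assumption stated in the code.

```python
"""Compatibility risk of a proposed upgrade, and choosing the target version.

Added example; it is not the skill's analyze_version_compatibility.py. It assumes
MAJOR.MINOR.PATCH versioning; the version list and ranges are constructed placeholders.
Affected ranges use the same keys as NVD CPE match entries (versionStartIncluding etc.).
"""
from __future__ import annotations
import re
from typing import Optional

_VERSION_RE = re.compile(r"^v?(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:[-.]?(.*))?$")
# Qualifiers that still denote a final release (Maven style); anything else is a pre-release.
_RELEASE_QUALIFIERS = {"", "RELEASE", "FINAL", "GA"}


def parse_version(v: str) -> tuple[int, int, int, str]:
    m = _VERSION_RE.match(v.strip())
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    major, minor, patch, suffix = m.groups()
    return int(major), int(minor or 0), int(patch or 0), suffix or ""


def is_release(v: str) -> bool:
    return parse_version(v)[3].upper() in _RELEASE_QUALIFIERS


def sort_key(v: str) -> tuple:
    """Orders 1.2.3-rc1 < 1.2.3 < 1.2.4; other suffixes compare lexically (good enough here)."""
    major, minor, patch, suffix = parse_version(v)
    return (major, minor, patch, is_release(v), suffix.lower())


def classify_change(current: str, target: str) -> tuple[str, str]:
    """(change_type, risk) per the table. A 0.x minor bump may break (semver allows it),
    so it is rated high; a downgrade is refused rather than mis-rated."""
    if sort_key(target) <= sort_key(current):
        raise ValueError(f"{target} is not newer than {current}")
    c, t = parse_version(current), parse_version(target)
    if t[0] != c[0]:
        return "major", "high"
    if t[1] != c[1]:
        return ("minor", "high") if c[0] == 0 else ("minor", "medium")
    return "patch", "low"


def in_range(version: str, r: dict) -> bool:
    k = sort_key(version)
    if r.get("start_including") and k < sort_key(r["start_including"]):
        return False
    if r.get("start_excluding") and k <= sort_key(r["start_excluding"]):
        return False
    if r.get("end_including") and k > sort_key(r["end_including"]):
        return False
    if r.get("end_excluding") and k >= sort_key(r["end_excluding"]):
        return False
    return True


def is_vulnerable(version: str, ranges: list[dict]) -> bool:
    return any(in_range(version, r) for r in ranges)


def recommend_upgrade(current: str, available: list[str], ranges: list[dict]) -> Optional[dict]:
    """Nearest final release above `current` that lies outside every affected range; the rest
    become alternatives. Returns None when nothing published is both newer and fixed."""
    fixed = sorted((v for v in available if sort_key(v) > sort_key(current)
                    and is_release(v) and not is_vulnerable(v, ranges)), key=sort_key)
    if not fixed:
        return None
    change, risk = classify_change(current, fixed[0])
    return {"current": current, "target": fixed[0], "change_type": change, "risk": risk,
            "alternatives": fixed[1:]}


# Constructed data: two affected release lines, one fix per line, one pre-release in the list.
AVAILABLE = ["2.3.0", "2.3.1", "2.4.0", "2.4.1", "3.0.0", "3.0.2", "3.1.0-rc1", "3.1.0"]
AFFECTED = [{"start_including": "2.0.0", "end_excluding": "2.4.1"},
            {"start_including": "3.0.0", "end_excluding": "3.0.2"}]

if __name__ == "__main__":
    for cur, tgt in (("9.3.2", "11.3.8"), ("5.3.39", "5.4.0"), ("5.3.39", "5.3.40"), ("0.4.1", "0.5.0")):
        print(f"{cur} -> {tgt}: {classify_change(cur, tgt)}")
    print(recommend_upgrade("2.3.0", AVAILABLE, AFFECTED))
```

Note that 3.0.0 is newer than the vulnerable 2.3.0 yet still vulnerable: a fix-version list from an advisory ("fixed in 2.4.1 and 3.0.2") is not enough on its own, the affected ranges are what decide, which is why the recommendation is driven by the ranges rather than by "anything newer than the fix".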

Output Format Template

Always use the following standard report format:

CVE Vulnerability Analysis Report

Executive Summary

[Overview: whether it is a false positive, risk level, key findings]

Vulnerability Details

  • CVE ID: [CVE number]
  • Vulnerability Description: [Brief description]
  • CVSS Score: [Score, CVSS version and severity level]
  • Affected Component: [Component name and version as provided]
  • Impact Scope: [Affected version range]

False Positive Analysis

GitHub Issues Check

  • [Whether relevant issues are found]
  • [Summary of issue content]
  • [Link]

Repository URL Comparison

  • Repository mentioned in the CVE description: [URL]
  • Actual repository of the affected component: [URL]
  • Comparison Result: [Same repository / different repository]

Official Statement Verification

  • [Whether relevant announcements are found]
  • [Summary of announcement content]
  • [Link]

False Positive Determination

  • Conclusion: [Is false positive / Not false positive]
  • Basis for Judgment: [Detailed explanation]

Upgrade Recommendations

Available Security Versions

  • [Recommended target version]
  • [Other acceptable fixed versions]

Compatibility Risk Assessment

  • Current Version: [Version number]
  • Target Version: [Version number]
  • Version Change Type: [Major/Minor/Patch version change]
  • Risk Level: [High/Medium/Low]
  • Risk Assessment Explanation: [Detailed explanation]

Specific Upgrade Recommendations

  • [Specific upgrade steps]
  • [Notes to pay attention to]
  • [Testing recommendations]

Reference Links

  • [Relevant GitHub issues links]
  • [Security announcement links]
  • [Official documentation links]
  • [Other relevant resources]

Resource Usage

scripts/ Directory

Contains executable scripts for automated analysis tasks:
  • fetch_cve_details.py
    - Retrieve CVE details from NVD API
  • check_github_issues.py
    - Search GitHub issues
  • analyze_version_compatibility.py
    - Analyze version compatibility
  • generate_report.py
    - Generate standard reports

references/ Directory

Contains detailed reference documents:
  • cve_analysis_workflow.md
    - Detailed explanation of the complete workflow
  • false_positive_criteria.md
    - Detailed explanation of false positive determination criteria
  • compatibility_risk_assessment.md
    - Guide for compatibility risk assessment

assets/ Directory

Contains report templates and other resource files

Notes

  1. Data Source Verification: Always verify data obtained from external APIs; NVD records are published with a delay and are sometimes corrected later, so cross-check them against the vendor advisory
  2. Version Identification: Accurately identify the version of the affected component (the version actually resolved in the build, not only the declared one) to avoid misjudgment
  3. Risk Communication: Clearly communicate compatibility risks and provide mitigation recommendations
  4. Link Timeliness: Ensure that the provided reference links are accessible and up-to-date
  5. Security Boundaries: Only analyze public information; do not attempt to actively probe or exploit the vulnerability

Tool Usage Recommendations

  • Use the WebFetch tool to obtain NVD API responses (without an API key the NVD API allows 5 requests per rolling 30-second window, with a key 50)
  • Use the Bash tool to execute scripts and command-line operations
  • Respect GitHub API rate limits: the search endpoint allows 10 requests per minute unauthenticated and 30 per minute with a token; watch the X-RateLimit-Remaining and X-RateLimit-Reset response headers
  • Prefer official documentation and announcements as information sources