vulnerability-validation

Compare original and translation side by side

🇺🇸

Original

English

🇨🇳

Translation

Chinese

Vulnerability Validation

漏洞验证

Validate security findings by assessing whether they are actually exploitable in the context of this codebase. This skill filters false positives, confirms real vulnerabilities, and generates proof-of-concept exploits.

通过评估这些发现在当前代码库中是否真的可被利用，来验证安全扫描结果。此工具会过滤误报、确认真实漏洞，并生成概念验证（PoC）漏洞利用程序。

When to Use This Skill

何时使用此工具

After commit-security-scan - Validate findings before creating issues or blocking PRs
HIGH/CRITICAL findings - Prioritize validation of severe findings
Before patching - Confirm vulnerability is real before investing in fixes
Security review - Deep-dive validation of specific findings

在commit-security-scan之后 - 在创建问题或阻止PR之前验证扫描结果
高/严重级别发现 - 优先验证严重级别的漏洞
修复之前 - 在投入资源修复前确认漏洞真实存在
安全评审 - 对特定发现进行深度验证

Prerequisites

前置条件

.factory/threat-model.md

must exist (from

threat-model-generation

skill)

security-findings.json

must exist (from

commit-security-scan

skill)

必须存在

.factory/threat-model.md

（来自

threat-model-generation

工具）

必须存在

security-findings.json

（来自

commit-security-scan

工具）

Inputs

输入参数

Input	Description	Required	Default
Findings file	Path to `security-findings.json`	Yes	`security-findings.json`
Threat model	Path to threat model	No	`.factory/threat-model.md`
Finding IDs	Specific findings to validate (comma-separated)	No	All findings
Severity filter	Only validate findings at or above this severity	No	All severities

输入项	描述	是否必填	默认值
扫描结果文件	`security-findings.json` 的路径	是	`security-findings.json`
威胁模型	威胁模型文件的路径	否	`.factory/threat-model.md`
漏洞ID	需要验证的特定漏洞ID（逗号分隔）	否	所有漏洞
严重级别过滤器	仅验证等于或高于此级别的漏洞	否	所有级别

Instructions

操作步骤

Follow these steps for each finding to validate:

对每个待验证的漏洞执行以下步骤：

Step 1: Load Context

步骤1：加载上下文

Read

security-findings.json

from

commit-security-scan

Read
```
.factory/threat-model.md
```
for system context
Identify which findings to validate based on inputs

读取来自

commit-security-scan

的

security-findings.json

文件

读取
```
.factory/threat-model.md
```
获取系统上下文
根据输入参数确定需要验证的漏洞

Step 2: Reachability Analysis

步骤2：可达性分析

For each finding, determine if the vulnerable code is reachable:

Trace entry points
- Can external users reach this code path?
- What HTTP endpoints, CLI commands, or event handlers lead here?
- Is authentication required to reach this code?
Map the call chain
- Starting from the entry point, trace the path to the vulnerable code
- Document each function call in the chain
- Note any branching conditions that must be satisfied
Classify reachability
- ```
EXTERNAL
```
  - Reachable from unauthenticated external input
- ```
AUTHENTICATED
```
  - Requires valid user session
- ```
INTERNAL
```
  - Only reachable from internal services
- ```
UNREACHABLE
```
  - Dead code or blocked by conditions

针对每个漏洞，确定存在漏洞的代码是否可被访问：

追踪入口点
- 外部用户能否访问此代码路径？
- 哪些HTTP端点、CLI命令或事件处理程序会指向这里？
- 访问此代码是否需要身份验证？
映射调用链
- 从入口点开始，追踪到存在漏洞代码的路径
- 记录调用链中的每个函数调用
- 记录必须满足的分支条件
分类可达性
- ```
EXTERNAL
```
  - 可通过未认证的外部输入访问
- ```
AUTHENTICATED
```
  - 需要有效的用户会话
- ```
INTERNAL
```
  - 仅能从内部服务访问
- ```
UNREACHABLE
```
  - 死代码或被条件阻断

Step 3: Control Flow Analysis

步骤3：控制流分析

Determine if an attacker can control the vulnerable input:

Identify the source
- Where does the tainted data originate?
- HTTP parameter, file upload, database query, environment variable?
Trace data flow
- Follow the data from source to sink (vulnerable function)
- Document each transformation or validation step
- Note any sanitization, encoding, or type conversion
Assess attacker control
- Can the attacker fully control the input?
- Are there length limits, character restrictions, or format validation?
- Does the data pass through any sanitization?

确定攻击者是否能控制存在漏洞的输入：

识别数据源
- 受污染的数据来自哪里？
- HTTP参数、文件上传、数据库查询还是环境变量？
追踪数据流
- 跟随数据从源头到漏洞点（存在漏洞的函数）
- 记录每个转换或验证步骤
- 记录任何清理、编码或类型转换操作
评估攻击者控制能力
- 攻击者能否完全控制输入？
- 是否有长度限制、字符限制或格式验证？
- 数据是否经过任何清理处理？

Step 4: Mitigation Assessment

步骤4：缓解措施评估

Check if existing security controls prevent exploitation:

Input validation
- Is the input validated before reaching the vulnerable code?
- What validation rules are applied?
Framework protections
- Does the framework provide automatic protection? (e.g., ORM parameterization, React XSS escaping)
- Is the protection enabled and properly configured?
Security middleware
- Are there WAF rules, rate limiting, or other controls?
- Do CSP headers or other browser protections apply?
Reference threat model
- Check the "Existing Mitigations" section for this threat type
- Verify mitigations are actually in place

检查现有安全控制措施是否能阻止漏洞被利用：

输入验证
- 输入在到达存在漏洞的代码前是否经过验证？
- 应用了哪些验证规则？
框架防护
- 框架是否提供自动防护？（例如：ORM参数化、React XSS转义）
- 防护是否已启用且配置正确？
安全中间件
- 是否有WAF规则、速率限制或其他控制措施？
- 是否应用了CSP头或其他浏览器防护措施？
参考威胁模型
- 查看此威胁类型对应的“现有缓解措施”部分
- 验证缓解措施是否已实际部署

Step 5: Exploitability Assessment

步骤5：可利用性评估

Determine how difficult it is to exploit:

Rating	Criteria
`EASY`	No special conditions, standard tools, publicly known technique
`MEDIUM`	Requires specific conditions, timing, or chained vulnerabilities
`HARD`	Requires insider knowledge, rare conditions, or advanced techniques
`NOT_EXPLOITABLE`	Theoretical vulnerability but not practically exploitable

Consider:

Attack complexity
Required privileges
User interaction needed
Scope of impact

确定漏洞被利用的难度：

评级	标准
`EASY`	无特殊条件，使用标准工具，公开已知技术
`MEDIUM`	需要特定条件、时机或链式漏洞
`HARD`	需要内部知识、罕见条件或高级技术
`NOT_EXPLOITABLE`	理论上存在漏洞但实际无法被利用

需考虑：

攻击复杂度
所需权限
是否需要用户交互
影响范围

Step 6: Generate Proof-of-Concept

步骤6：生成概念验证（PoC）

For confirmed vulnerabilities, create a proof-of-concept:

Craft exploit payload
- Create a minimal payload that demonstrates the vulnerability
- Use benign payloads (no actual damage)
Document the request
- HTTP method, URL, headers, body
- Or CLI command, file input, etc.
Describe expected vs actual behavior
- What should happen (secure behavior)
- What actually happens (vulnerable behavior)

Example PoC structure:

json

{
  "payload": "' OR '1'='1",
  "request": "GET /api/users?search=' OR '1'='1",
  "expected_behavior": "Returns users matching search term",
  "actual_behavior": "Returns all users due to SQL injection"
}

对于已确认的漏洞，创建概念验证程序：

构造漏洞利用 payload
- 创建最小化的payload以演示漏洞
- 使用无害的payload（不造成实际破坏）
记录请求信息
- HTTP方法、URL、请求头、请求体
- 或CLI命令、文件输入等
描述预期与实际行为
- 应该发生的情况（安全行为）
- 实际发生的情况（漏洞行为）

示例PoC结构：

json

{
  "payload": "' OR '1'='1",
  "request": "GET /api/users?search=' OR '1'='1",
  "expected_behavior": "Returns users matching search term",
  "actual_behavior": "Returns all users due to SQL injection"
}

Step 7: Calculate CVSS Score

步骤7：计算CVSS评分

Assign a CVSS 3.1 score based on:

Metric	Options
Attack Vector (AV)	Network (N), Adjacent (A), Local (L), Physical (P)
Attack Complexity (AC)	Low (L), High (H)
Privileges Required (PR)	None (N), Low (L), High (H)
User Interaction (UI)	None (N), Required (R)
Scope (S)	Unchanged (U), Changed (C)
Confidentiality (C)	None (N), Low (L), High (H)
Integrity (I)	None (N), Low (L), High (H)
Availability (A)	None (N), Low (L), High (H)

Example:

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

= 9.1 (Critical)

基于以下指标分配CVSS 3.1评分：

指标	选项
Attack Vector (AV)	Network (N), Adjacent (A), Local (L), Physical (P)
Attack Complexity (AC)	Low (L), High (H)
Privileges Required (PR)	None (N), Low (L), High (H)
User Interaction (UI)	None (N), Required (R)
Scope (S)	Unchanged (U), Changed (C)
Confidentiality (C)	None (N), Low (L), High (H)
Integrity (I)	None (N), Low (L), High (H)
Availability (A)	None (N), Low (L), High (H)

示例：

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

= 9.1（严重）

Step 8: Classify Finding

步骤8：分类扫描结果

Based on analysis, classify each finding:

Status	Meaning
`CONFIRMED`	Vulnerability is real and exploitable
`LIKELY`	Probably exploitable but couldn't fully verify
`FALSE_POSITIVE`	Not actually a vulnerability (document why)
`NEEDS_MANUAL_REVIEW`	Requires human security expert review

基于分析结果，对每个发现进行分类：

状态	含义
`CONFIRMED`	漏洞真实存在且可被利用
`LIKELY`	可能可被利用但无法完全验证
`FALSE_POSITIVE`	并非实际漏洞（需记录原因）
`NEEDS_MANUAL_REVIEW`	需要人工安全专家评审

Step 9: Generate Output

步骤9：生成输出

Create

validated-findings.json

json

{
  "validation_id": "val-<timestamp>",
  "validation_date": "<ISO timestamp>",
  "scan_id": "<from security-findings.json>",
  "threat_model_version": "<from threat-model.md>",
  "validated_findings": [
    {
      "id": "VULN-001",
      "status": "CONFIRMED",
      "original_severity": "HIGH",
      "validated_severity": "HIGH",
      "exploitability": "EASY",
      "reachability": "EXTERNAL",
      "existing_mitigations": [],
      "exploitation_path": [
        "User submits search query via GET /api/users?search=<payload>",
        "Express router passes query to searchUsers() handler",
        "Handler passes unsanitized input to SQL template literal",
        "PostgreSQL executes malicious SQL"
      ],
      "proof_of_concept": {
        "payload": "' OR '1'='1",
        "request": "GET /api/users?search=' OR '1'='1",
        "expected_behavior": "Returns users matching search term",
        "actual_behavior": "Returns all users due to SQL injection"
      },
      "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
      "cvss_score": 9.1,
      "validation_notes": "Confirmed via code tracing. No input validation or parameterization."
    }
  ],
  "false_positives": [
    {
      "id": "VULN-003",
      "original_severity": "MEDIUM",
      "reason": "Input is validated by Joi schema in middleware before reaching this code. Schema enforces UUID format which prevents injection.",
      "evidence": "See src/middleware/validation.js:45 - Joi.string().uuid()"
    }
  ],
  "needs_manual_review": [
    {
      "id": "VULN-005",
      "original_severity": "HIGH",
      "reason": "Complex data flow through message queue. Unable to fully trace if sanitization occurs in consumer service."
    }
  ],
  "summary": {
    "total_analyzed": 10,
    "confirmed": 5,
    "likely": 2,
    "false_positives": 2,
    "needs_manual_review": 1,
    "by_severity": {
      "CRITICAL": 1,
      "HIGH": 3,
      "MEDIUM": 1,
      "LOW": 0
    }
  }
}

创建

validated-findings.json

文件：

json

{
  "validation_id": "val-<timestamp>",
  "validation_date": "<ISO timestamp>",
  "scan_id": "<from security-findings.json>",
  "threat_model_version": "<from threat-model.md>",
  "validated_findings": [
    {
      "id": "VULN-001",
      "status": "CONFIRMED",
      "original_severity": "HIGH",
      "validated_severity": "HIGH",
      "exploitability": "EASY",
      "reachability": "EXTERNAL",
      "existing_mitigations": [],
      "exploitation_path": [
        "User submits search query via GET /api/users?search=<payload>",
        "Express router passes query to searchUsers() handler",
        "Handler passes unsanitized input to SQL template literal",
        "PostgreSQL executes malicious SQL"
      ],
      "proof_of_concept": {
        "payload": "' OR '1'='1",
        "request": "GET /api/users?search=' OR '1'='1",
        "expected_behavior": "Returns users matching search term",
        "actual_behavior": "Returns all users due to SQL injection"
      },
      "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
      "cvss_score": 9.1,
      "validation_notes": "Confirmed via code tracing. No input validation or parameterization."
    }
  ],
  "false_positives": [
    {
      "id": "VULN-003",
      "original_severity": "MEDIUM",
      "reason": "Input is validated by Joi schema in middleware before reaching this code. Schema enforces UUID format which prevents injection.",
      "evidence": "See src/middleware/validation.js:45 - Joi.string().uuid()"
    }
  ],
  "needs_manual_review": [
    {
      "id": "VULN-005",
      "original_severity": "HIGH",
      "reason": "Complex data flow through message queue. Unable to fully trace if sanitization occurs in consumer service."
    }
  ],
  "summary": {
    "total_analyzed": 10,
    "confirmed": 5,
    "likely": 2,
    "false_positives": 2,
    "needs_manual_review": 1,
    "by_severity": {
      "CRITICAL": 1,
      "HIGH": 3,
      "MEDIUM": 1,
      "LOW": 0
    }
  }
}

Success Criteria

成功标准

The skill is complete when:

All specified findings have been analyzed
Each finding has a status (CONFIRMED, LIKELY, FALSE_POSITIVE, NEEDS_MANUAL_REVIEW)
Confirmed findings have exploitation paths documented
Confirmed findings have proof-of-concept exploits
False positives have clear reasoning
```
validated-findings.json
```
is valid JSON
CVSS scores are calculated for confirmed findings

满足以下条件时，工具执行完成：

所有指定的漏洞都已分析
每个漏洞都有状态标记（CONFIRMED、LIKELY、FALSE_POSITIVE、NEEDS_MANUAL_REVIEW）
已确认的漏洞记录了利用路径
已确认的漏洞附带概念验证程序
误报有明确的原因说明
```
validated-findings.json
```
是有效的JSON格式
已为确认的漏洞计算CVSS评分

Verification

验证检查

Run these checks before completing:

bash

undefined

完成前执行以下检查：

bash

undefined

Verify output exists and is valid JSON

验证输出文件存在且为有效JSON

cat validated-findings.json | jq . > /dev/null && echo "✓ Valid JSON"

Check all findings have status

检查所有漏洞都有状态标记

jq '.validated_findings | all(.status)' validated-findings.json

Check confirmed findings have PoC

检查已确认的漏洞都有PoC

jq '.validated_findings | map(select(.status == "CONFIRMED")) | all(.proof_of_concept)' validated-findings.json

Check false positives have reasoning

检查误报都有原因说明

jq '.false_positives | all(.reason)' validated-findings.json

undefined

jq '.false_positives | all(.reason)' validated-findings.json

undefined

Example Invocations

调用示例

Validate all findings:

Validate the security findings from the last scan.

Validate specific findings:

Validate findings VULN-001 and VULN-002 from security-findings.json.

Validate only HIGH/CRITICAL:

Validate all HIGH and CRITICAL severity findings from the security scan.

Validate with specific files:

Validate findings in security-findings.json using threat model at .factory/threat-model.md.

验证所有漏洞：

Validate the security findings from the last scan.

验证特定漏洞：

Validate findings VULN-001 and VULN-002 from security-findings.json.

仅验证高/严重级别漏洞：

Validate all HIGH and CRITICAL severity findings from the security scan.

使用特定文件验证：

Validate findings in security-findings.json using threat model at .factory/threat-model.md.

References

参考资料

CVSS 3.1 Calculator: https://www.first.org/cvss/calculator/3.1
OWASP Testing Guide: https://owasp.org/www-project-web-security-testing-guide/
Examples:
```
validation-examples.md
```
(in this skill directory)
Upstream:
```
commit-security-scan
```
skill
Downstream:
```
security-patch-generation
```
skill

CVSS 3.1计算器：https://www.first.org/cvss/calculator/3.1
OWASP测试指南：https://owasp.org/www-project-web-security-testing-guide/
示例：
```
validation-examples.md
```
（在此工具目录中）
上游工具：
```
commit-security-scan
```
下游工具：
```
security-patch-generation
```