cve-vulnerability-analysis

Original：🇨🇳 Chinese

Translated

4 scripts

Analyze CVE vulnerabilities in Java and JavaScript components, determine false positives, and provide upgrade recommendations. Use this when users provide a CVE number and affected object, e.g., CVE-2024-38816 and spring-webmvc-5.3.39.jar. Supports false positive analysis, compatibility risk assessment, and standard report generation.

2installs

Sourcecanxing/skills

Added on2026-02-28

NPX Install

npx skill4agent add canxing/skills cve-vulnerability-analysis

SKILL.md Content (Chinese)

View Translation Comparison →

CVE Vulnerability Analysis Skill

Overview

This skill is used to analyze CVE (Common Vulnerabilities and Exposures) vulnerabilities in Java and JavaScript components, providing false positive determination, compatibility risk assessment, and upgrade recommendations. The skill follows a systematic workflow to ensure consistency and accuracy of analysis.

Workflow

When performing CVE vulnerability analysis, follow these steps:

Obtain CVE Details
- Retrieve vulnerability details from the NVD (National Vulnerability Database) API
- Extract key information such as vulnerability description, CVSS score, and impact scope
False Positive Analysis
- Check false positive reports in GitHub issues repositories:
  - https://github.com/jeremylong/DependencyCheck/issues
  - https://github.com/dependency-check/DependencyCheck/issues
- Compare the repository URL mentioned in the CVE description with that of the affected object
- Check issues, announcements, and statements in the affected object's repository
False Positive Determination Criteria
- Judge as false positive if any of the following conditions are met:
  1. The CVE false positive is mentioned in GitHub issues, and the object in the issues matches the provided object
  2. The repository URL mentioned in the CVE vulnerability description is not the same as that of the suspected false positive object
  3. The issues, announcements, and statements in the repository of the suspected false positive object clearly state that this is not a false positive
- Judge as a real vulnerability if none of the above conditions are met
Upgrade Feasibility Analysis
- Find available security update versions
- Analyze compatibility risks of version upgrades
- Provide specific upgrade recommendations
Generate Standard Report
- Generate a detailed analysis report according to the preset template
- Include evidence links and specific recommendations

Detailed Guide for False Positive Analysis

GitHub Issues Search

Use GitHub API or web search to find relevant issues
Search keywords: CVE number + "false positive" + affected object name
Check issue status: open/closed, comment content, solutions

Repository URL Comparison

Extract the repository URL mentioned in the CVE description
Obtain the actual repository URL of the affected object (from pom.xml, package.json, etc.)
Compare whether the two URLs point to the same repository

Official Statement Verification

Check Security Advisories in the affected object's repository
View files such as RELEASES.md, CHANGELOG.md
Search for security announcements and vulnerability statements in the repository

Compatibility Risk Assessment Rules

Assess the compatibility risk of version upgrades:

Version Change Type	Risk Level	Description
Major version change	High risk	e.g., from 9.3.2 to 11.3.8, may involve major API changes and architecture adjustments
Intermediate version change	Medium risk	e.g., from 5.3.39 to 5.4.0, there are notable compatibility issues
Patch version change	Low risk	e.g., from 5.3.39 to 5.3.40, usually only includes bug fixes and security updates

Risk Assessment Guidelines

High risk: It is recommended to conduct comprehensive testing, check API changes, configuration changes, and dependencies
Medium risk: It is recommended to check main functions and focus on breaking changes in the changelog
Low risk: Can be upgraded directly, but basic functional testing is still recommended

Output Format Template

Always use the following standard report format:

# CVE Vulnerability Analysis Report

## Executive Summary
[Overview: whether it is a false positive, risk level, key findings]

## Vulnerability Details
- **CVE ID**: [CVE number]
- **Vulnerability Description**: [Brief description]
- **CVSS Score**: [Score and severity level]
- **Affected Object**: [Provided object name and version]
- **Impact Scope**: [Affected version range]

## False Positive Analysis
### GitHub Issues Check
- [Whether relevant issues are found]
- [Summary of issue content]
- [Link]

### Repository URL Comparison
- Repository mentioned in CVE description: [URL]
- Actual repository of affected object: [URL]
- Comparison Result: [Whether consistent]

### Official Statement Verification
- [Whether relevant announcements are found]
- [Summary of announcement content]
- [Link]

### False Positive Determination
- **Conclusion**: [Is false positive / Not false positive]
- **Basis for Judgment**: [Detailed explanation]

## Upgrade Recommendations
### Available Security Versions
- [Recommended version to upgrade to]
- [Other optional versions]

### Compatibility Risk Assessment
- **Current Version**: [Version number]
- **Target Version**: [Version number]
- **Version Change Type**: [Major/Intermediate/Patch version change]
- **Risk Level**: [High/Medium/Low]
- **Risk Assessment Explanation**: [Detailed explanation]

### Specific Upgrade Recommendations
- [Specific upgrade steps]
- [Notes to pay attention to]
- [Testing recommendations]

## Reference Links
- [Relevant GitHub issues links]
- [Security announcement links]
- [Official documentation links]
- [Other relevant resources]

Resource Usage

scripts/ Directory

Contains executable scripts for automated analysis tasks:

```
fetch_cve_details.py
```
- Retrieve CVE details from NVD API
```
check_github_issues.py
```
- Search GitHub issues
```
analyze_version_compatibility.py
```
- Analyze version compatibility
```
generate_report.py
```
- Generate standard reports

references/ Directory

Contains detailed reference documents:

```
cve_analysis_workflow.md
```
- Detailed explanation of the complete workflow
```
false_positive_criteria.md
```
- Detailed explanation of false positive determination criteria
```
compatibility_risk_assessment.md
```
- Guide for compatibility risk assessment

assets/ Directory

Contains report templates and other resource files

Notes

Data Source Verification: Always verify the accuracy of data obtained from external APIs
Version Identification: Accurately identify the version number of the affected object to avoid misjudgment
Risk Communication: Clearly communicate compatibility risks and provide mitigation recommendations
Link Timeliness: Ensure that the provided reference links are accessible and up-to-date
Security Boundaries: Only analyze public information, do not attempt to actively probe vulnerabilities

Tool Usage Recommendations

Use WebFetch tool to obtain NVD API responses
Use Bash tool to execute scripts and command-line operations
Pay attention to rate limits when using GitHub API
Prioritize official documentation and announcements as information sources