Security Audit Skill
Investigate security status of SkiaSharp's native dependencies. Produces a report with actionable recommendations.
ℹ️ This skill is read-only. To create PRs and fix issues, use the native-dependency-update skill.
Key References
- documentation/dependencies.md — Which dependencies to audit, cgmanifest format, known false positives
- references/report-template.md — Report format templates
Workflow
```text
1. Search issues/PRs
2. Get versions from DEPS
3. Web search CVEs
4. Verify fix commits for each CVE
   ├─ Fixed?     → Mark clean
   └─ Not fixed? → Flag for action
5. Check false positives
6. Generate report
```
Step 1: Search Issues & PRs
Search mono/SkiaSharp open issues for:
- CVE numbers (e.g., "CVE-2024")
- Keywords: "security", "vulnerability"
- Dependency names: libpng, expat, zlib, webp, harfbuzz, freetype
Search PRs in both mono/SkiaSharp and mono/skia for dependency updates.
Step 2: Get Dependency Versions
```shell
cd externals/skia/third_party/externals/{dep}
git describe --tags --always
```
Only audit security-relevant dependencies (see dependencies.md).
Step 3: Web Search for CVEs
```text
"{dependency} CVE {current year}"
"{dependency} security vulnerability"
```
Step 4: Verify Fix Commits (CRITICAL)
⚠️ CVE databases often have WRONG version ranges. Always verify.
```shell
cd externals/skia/third_party/externals/{dependency}
# Check if fix commit is ancestor of current HEAD
git merge-base --is-ancestor {fix_commit} HEAD && echo "FIXED" || echo "VULNERABLE"
```
Example: CVE-2025-27363 claimed FreeType ≤2.13.3 was affected, fix in 2.13.4. Verification showed the fix commit was in 2.13.1 — SkiaSharp's 2.13.3 was already patched.
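The ancestry check above, as an added example that is not part of this skill: the one-liner prints VULNERABLE whenever `git merge-base` exits non-zero, which also happens when the fix commit is not present in the checkout at all (typo in the id, shallow clone, wrong repository), so this version reports that case separately as UNKNOWN. The `fix_status` and `make_demo_repo` names and the throwaway demo repository are constructed for the example.

```shell
# Added example for Step 4 (not from the SkiaSharp skill itself): classify a
# CVE fix commit against a dependency checkout. Unlike the bare
# `&& echo FIXED || echo VULNERABLE` one-liner, a commit id the checkout does
# not know (typo, shallow clone, wrong repo) is reported as UNKNOWN rather than
# being silently conflated with VULNERABLE.
# Usage: fix_status <repo_dir> <fix_commit>   -> FIXED | VULNERABLE | UNKNOWN
fix_status() {
  repo_dir=$1
  fix_commit=$2
  # Reject anything that does not resolve to a commit object in this checkout.
  if ! git -C "$repo_dir" cat-file -e "${fix_commit}^{commit}" 2>/dev/null; then
    echo UNKNOWN
    return 2
  fi
  if git -C "$repo_dir" merge-base --is-ancestor "$fix_commit" HEAD; then
    echo FIXED
    return 0
  fi
  echo VULNERABLE
  return 1
}

# Constructed demo repository standing in for a pinned dependency: two commits
# on the default branch (HEAD = the pinned release) plus one commit on an
# unmerged side branch (a fix that landed upstream after the pin).
make_demo_repo() {
  dir=$(mktemp -d)
  git -C "$dir" init -q
  git -C "$dir" -c user.name=demo -c user.email=demo@example.invalid \
    commit -q --allow-empty -m "older commit that already contains a fix"
  git -C "$dir" -c user.name=demo -c user.email=demo@example.invalid \
    commit -q --allow-empty -m "pinned release"
  git -C "$dir" checkout -q -b unmerged-fix
  git -C "$dir" -c user.name=demo -c user.email=demo@example.invalid \
    commit -q --allow-empty -m "fix that is not in the pinned release"
  git -C "$dir" checkout -q -
  echo "$dir"
}

demo=$(make_demo_repo)
echo "ancestor commit:  $(fix_status "$demo" "$(git -C "$demo" rev-parse HEAD~1)")"
echo "unmerged commit:  $(fix_status "$demo" unmerged-fix)"
echo "bogus commit id:  $(fix_status "$demo" deadbeef)"
```

In a real audit, point `fix_status` at `externals/skia/third_party/externals/{dependency}` and pass the commit hash from the upstream advisory; an UNKNOWN result usually means the checkout needs a fetch or the hash belongs to a different fork.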
Step 5: Check False Positives
Before flagging, verify the CVE actually affects SkiaSharp:
- MiniZip (in zlib) — Not compiled, not vulnerable
- FreeType's bundled zlib — Separate from Skia's zlib
See dependencies.md for details.
Step 6: Generate Report
Use references/report-template.md.
Priority order:
- 🔴 User-reported + no PR
- ✅ User-reported + PR ready
- 🟡 User-reported + PR needs work
- 🆕 Undiscovered CVEs
- ⚪ False positives
Handoff
After audit, use native-dependency-update skill:
- "Merge PR #3458"
- "Update libwebp to 1.6.0"
- "Bump libpng to fix CVE-2024-XXXXX"