AgentSkillsCN

dependency-cve-triage

Triage workflow for dependency vulnerabilities: establish reachability, scope of impact, and a safe upgrade and remediation plan.

SKILL.md
--- frontmatter
name: dependency-cve-triage
description: Triage workflow for dependency vulnerabilities: determine reachability, impact, and safe upgrade/remediation plan.

Dependency CVE Triage

When to use

Use this skill when asked to triage CVEs, decide upgrade priority, or prepare remediation tickets.

Inputs to collect (if available)

  • CVE identifier and advisory links
  • Current dependency version(s) and dependency tree (direct/transitive)
  • Exposure assumptions (internet-facing? behind auth? feature enabled?)
  • Existing compensating controls (WAF, sandboxing, auth boundaries)

Step-by-step process

  1. Confirm the vulnerable component
    • Package name, affected versions, transitive vs direct dependency
  2. Assess reachability
    • Is the vulnerable code path used? Under what configuration?
    • Is it internet-exposed or behind auth?
  3. Assess impact
    • RCE vs info leak vs DoS; required privileges; exploit maturity
  4. Choose a remediation
    • Upgrade to a fixed version (preferred)
    • Pin/override transitive versions
    • Disable the vulnerable feature/code path
    • Compensating controls (WAF rules, config hardening) as a stopgap
  5. Plan the change
    • Minimal version jump, note breaking changes
    • Add regression tests for the vulnerable behavior if practical
  6. Document
    • Ticket with: affected services, urgency, change plan, validation steps
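
Steps 1 and 4 of the process above, as an added example that is not part of the original skill: it walks a dependency tree, finds every copy of the advisory's package, classifies each as direct or transitive, checks its version against the affected range, and proposes the matching remediation. The tree, the package names, the advisory and its placeholder CVE id are all constructed for illustration, and version parsing assumes plain dotted numeric versions.

```python
# Constructed tree shaped like `npm ls --all --json` output; all names are hypothetical.
TREE = {
    "name": "shop-api", "version": "2.4.0",
    "dependencies": {
        "web-framework": {"version": "4.18.2", "dependencies": {
            "yaml-parse": {"version": "1.3.1"}}},
        "yaml-parse": {"version": "1.5.0"},
        "report-gen": {"version": "0.9.0", "dependencies": {
            "tmpl": {"version": "2.0.0", "dependencies": {
                "yaml-parse": {"version": "1.4.2"}}}}},
    },
}
# Constructed advisory with a placeholder id: affected from 1.2.0 up to the fix.
ADVISORY = {"id": "CVE-XXXX-NNNNN", "package": "yaml-parse",
            "introduced": "1.2.0", "fixed": "1.4.3"}

def parse_version(text):
    """Assumption: plain dotted numeric versions, no pre-release tags."""
    return tuple(int(part) for part in text.split("."))

def is_affected(version, advisory):
    low, high = parse_version(advisory["introduced"]), parse_version(advisory["fixed"])
    return low <= parse_version(version) < high

def find_instances(node, package, path=()):
    """Yield (path, version) for every copy of `package` in the tree."""
    for name, child in node.get("dependencies", {}).items():
        if name == package:
            yield path + (name,), child["version"]
        yield from find_instances(child, package, path + (name,))

def triage(tree, advisory):
    findings = []
    for path, version in find_instances(tree, advisory["package"]):
        affected, direct = is_affected(version, advisory), len(path) == 1
        if not affected:
            action = "none: outside affected range"
        elif direct:
            action = f"upgrade to >= {advisory['fixed']}"
        else:  # transitive: bump the direct parent or pin/override the version
            action = f"upgrade {path[0]} or override to >= {advisory['fixed']}"
        findings.append({"path": " > ".join(path), "version": version,
                         "kind": "direct" if direct else "transitive",
                         "affected": affected, "action": action})
    return findings

if __name__ == "__main__":
    for finding in triage(TREE, ADVISORY):
        print(finding)
```

A clean direct dependency does not close the finding here: the two transitive copies are still inside the affected range, and each still needs the reachability check from step 2.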

Output template

  • CVE / Package
  • Affected versions / current version
  • Exploit preconditions
  • Reachability assessment
  • Recommended fix
  • Validation / rollout notes

Repo integration (optional)

Related prompt:

  • dependency-cve-triage.prompt.md

Output format

  • CVE / Package
  • Affected versions / current version
  • Exploit preconditions
  • Reachability assessment (with code evidence)
  • Recommended fix (upgrade preferred; workarounds labeled stopgap)
  • Verification / rollout notes

Examples

  • “CVE affects optional parser feature” → document whether the parser is enabled/configured and whether any call sites are reachable from untrusted input.