Fortify CVE Exploitability Analysis

Purpose. Decide whether a CVE in a dependency is exploitable in this project. The answer is rarely “the lib is in our tree, therefore we are vulnerable.” It depends on which APIs of the vulnerable library are actually reached, with what input, under what configuration. This skill walks through that analysis methodically and writes the result to IMPACT_CVE_<id>.md.

Out of scope. This skill does not fix the vulnerability. After it produces a verdict, hand off to fortify-remediate (or apply an upgrade manually) if the verdict is affected.

Requires shell execution. The skill assumes shell access to run package-manager commands (mvn, npm, pip, go, etc.) and to grep the codebase. Without execution capability (read-only context, sandboxed evaluation, web-only session) the analysis degrades to lockfile / SBOM / manifest reading and most reachability questions resolve to under_investigation — say so in Method → Limitations and pause for an environment that has execution.

The analysis runs in six steps. Do not skip the gates.

---

Step 0: Establish context

Collect the inputs you need before doing anything else.

1. CVE identifier(s). Normalize to the canonical form CVE-YYYY-NNNNN (or GHSA-xxxx-xxxx-xxxx). If the user gave a free-text description, ask them to confirm the ID — exploit conditions vary across CVEs in the same library and the report file name depends on it.
2. Project root. Confirm the working directory contains the project to analyze. Skim the top-level for manifest files.
3. Ecosystem. Detect from manifests at the project root, and load the matching reference file when running Steps 2 and 4 — one file per ecosystem, not the whole catalogue. Files in references/ prefixed eco- are per-ecosystem references; load exactly one:
   • pom.xml → Maven → references/eco-maven.md
   • build.gradle[.kts] → Gradle (Java / Kotlin) → references/eco-gradle.md
   • build.sbt → Scala (SBT) → references/eco-scala.md
   • WORKSPACE / MODULE.bazel / BUILD.bazel → Bazel (cross-language: Java / Go / C/C++ / Python) → references/eco-bazel.md
   • package.json / bower.json → JavaScript (npm / yarn / pnpm / Bower) → references/eco-npm.md
   • requirements.txt / pyproject.toml / Pipfile / uv.lock → Python (pip / Poetry / Pipenv / uv) → references/eco-python.md
   • go.mod / Gopkg.lock → Go (Modules / legacy dep) → references/eco-go.md
   • Cargo.toml → Rust → references/eco-rust.md
   • *.csproj / packages.config / paket.dependencies → .NET (NuGet / Paket) → references/eco-dotnet.md
   • composer.json → PHP → references/eco-php.md
   • Gemfile → Ruby → references/eco-ruby.md
   • Podfile / Package.swift / Cartfile → iOS / macOS (CocoaPods / SPM / Carthage) → references/eco-ios-macos.md
   • Config.in + package/ + configs/*_defconfig (Buildroot) / oe-init-build-env + meta*/conf/layer.conf (Yocto / OpenEmbedded; conf/bblayers.conf appears post-init) / feeds.conf* + scripts/feeds (OpenWrt) → meta-build for embedded Linux → references/eco-buildroot.md.
   • conanfile.txt / conanfile.py / vcpkg.json / CMakeLists.txt / configure.ac / Makefile → C/C++ → references/eco-cpp.md
   • bom.json / bom.xml → CycloneDX SBOM (input format; can substitute for live package-manager invocation) → references/cyclonedx-sbom.md

   ⚠ Ordering note. Detect the meta-build row before the C/C++ row. Buildroot and OpenWrt trees carry a top-level Makefile (with BR2_* / OpenWrt-specific variables) that would otherwise route to eco-cpp.md, missing the meta-build entirely; Yocto has no root Makefile but is still better analyzed at the meta-build level than via any C/C++ source it happens to contain.

   A monorepo can have several. Ask the user which subproject(s) to analyze.

   No manifest detected? If the project has binary artifacts checked in (lib/*.jar, WEB-INF/lib/, vendor/, third_party/, prebuilt *.dll / *.so / *.a / *.framework), or if the input is a built artifact handed over without source (firmware image, squashfs / cpio rootfs, Docker image, .deb / .rpm / .ipa / .apk), the analysis still works — load references/non-manifest-projects.md for version-identification, image-extraction, and path-reconstruction techniques.

4. Package manager available? Run a non-destructive version probe (mvn -v, npm -v, pip --version, go version, cargo --version, bitbake --version, make --version, etc.). The skill needs the package manager (or, for meta-builds, the meta-build’s own enumeration command) to enumerate transitive paths in Step 4. If it isn’t installed, fall back in this order: (a) the project’s lockfile if one exists (still authoritative — the relevant ecosystem reference file names it); (b) a CycloneDX SBOM if one is present in the repo (references/cyclonedx-sbom.md); (c) the bundled-binary / image workflow in references/non-manifest-projects.md. Record the fallback used in the report’s Method → Limitations.
5. Output paths. Step 6 produces two artifacts: a human-readable Markdown report and a machine-readable CycloneDX VEX JSON. Default location is a vex/ subdirectory at the project root — friendlier than scattering IMPACT_* files in the root once a project accumulates a backlog of triaged CVEs, and a natural directory for downstream fcli / Dependency-Track / GitLab tooling to consume in bulk. Take the CVE/GHSA ID, replace - with _, prefix with IMPACT_; the Markdown gets .md, the VEX gets .vex.json. Examples:
   • CVE-2021-44228 → vex/IMPACT_CVE_2021_44228.md + vex/IMPACT_CVE_2021_44228.vex.json
   • GHSA-jfh8-c2jp-5v3q → vex/IMPACT_GHSA_jfh8_c2jp_5v3q.md + vex/IMPACT_GHSA_jfh8_c2jp_5v3q.vex.json

   Override the directory if the user specifies a different path. If vex/ doesn’t exist yet, create it in Step 6 before writing.

Step 0 → Step 1 gate

• CVE/GHSA ID is normalized and confirmed
• Project root and ecosystem(s) identified
• Package manager availability checked (and noted if missing)
• Both output file paths computed (.md and .vex.json)

---

Step 1: Research the CVE — extract exploit conditions

Load references/cve-research.md and follow it. The goal of this step is to produce a structured Exploit Conditions block that you will reuse in every later step:

• Vulnerable package: ecosystem + name + affected version range + fix version(s).
• Vulnerable API surface: which classes/functions/methods, files, or config keys are the actual sink. The library being on the classpath is not the same as the vulnerable code being reached. Include subclasses and wrapper classes that inherit the vulnerable code path, even when they live in sibling artifacts. For example, jackson-databind’s ObjectMapper is the vulnerable class — but XmlMapper, YAMLMapper, CBORMapper, etc. (in jackson-dataformat-* artifacts) extend it and trigger the same bug. Spring’s MappingJackson2HttpMessageConverter wraps it. Anything that, at runtime, executes the vulnerable code path is part of the surface.
• Trigger conditions: what input must reach the sink (attacker-controlled string? deserialized object? specific format? specific network position?).
• Required configuration: feature flag, JVM flag, parser option, plugin, default vs non-default behavior.
• Impact: RCE, DoS, info disclosure, etc., and the CVSS vector if known.
• Known mitigations: workarounds short of upgrading, e.g. setting a property, removing a config file, disabling a feature.
• PoC / exploit references: links if available.
• Known exploitation in the wild: CISA KEV listing (with due date) and inthewild.io activity, or “no public reports”. Informs urgency and how much scrutiny a not_affected verdict deserves; does not change the verdict, which is set purely by reachability in this project. See references/cve-research.md → Known exploitation in the wild.

Authoritative sources, in priority order:

1. The fix commit / fix PR in the upstream repo (most definitive — shows exactly what code path was vulnerable).
2. NVD entry (https://nvd.nist.gov/vuln/detail/CVE-…).
3. GitHub Advisory Database (https://github.com/advisories/GHSA-… or the Security tab of the upstream repo).
4. Vendor advisory (Spring, Apache, Oracle, etc.).
5. Independent write-ups (only as supplements; verify against primary).

Do not paraphrase guesses — if a source is ambiguous, say so in the report. Check the CVE’s NVD publication status before relying on it; if it’s pre-analysis (Received / Awaiting / Undergoing Analysis), Rejected, or absent from NVD entirely, follow CVE publication status in references/cve-research.md for how to proceed (and when to stop).

Step 1 → Step 2 gate

• Vulnerable package, version range, and fix version recorded
• Vulnerable API surface identified (specific symbols, not “the library”)
• Trigger conditions and required configuration documented
• At least one authoritative source consulted (commit / NVD / GHSA)

---

Step 2: Confirm the vulnerable version is present

Before doing any code analysis, confirm the project actually pulls in a vulnerable version of the package.

1. Resolve the dependency tree with the package manager (commands are in the ecosystem reference file you identified in Step 0). Use the resolved tree, not the manifest — version pinning, BOMs, lockfiles, and overrides change what actually ships.
2. Find every version of the vulnerable package in the tree.
3. Compare each version against the affected range from Step 1.

If no vulnerable version is present: write the report with verdict not_affected (justification: vulnerable_code_not_present — the version shipped is outside the affected range), and stop. Do not run Steps 3–5.

If a vulnerable version is present: proceed.

Step 2 → Step 3 gate

• Resolved dependency tree obtained (or partial-tree limitation noted)
• All versions of the vulnerable package enumerated
• Version comparison against the affected range completed
• If the verdict is already not_affected, the report is written and we stop here

---

Steps 3–5: Reachability analysis

Step 2 confirmed that a vulnerable version resolves in this project. The remaining technical question — does attacker-controllable input actually reach the vulnerable API surface? — is answered in three sub-steps: direct-usage analysis (Step 3), path enumeration (Step 4), and per-path transitive walk (Step 5).

Load references/reachability-analysis.md and follow it end-to-end. It contains the procedure for all three sub-steps, the gates between them, and the conditions under which you can short-circuit to Step 6. Return to SKILL.md when the Step 5 gate is cleared (or when Step 3 has already settled the verdict).

---

Step 6: Write the report and the VEX artifact

The skill produces two artifacts side by side: a human-readable Markdown report (IMPACT_CVE_<id>.md) and a machine-readable CycloneDX VEX JSON (IMPACT_CVE_<id>.vex.json). Write both — they have different consumers. The Markdown is for engineers, security reviewers, and leadership; the VEX is for SCA tooling (Dependency-Track, GitLab Vulnerability Management) and — most relevant in Fortify environments — for fcli-driven scripts that apply the verdict back to FoD / SSC issues as audit suppressions.

The Markdown report

Open assets/IMPACT_CVE_TEMPLATE.md, fill it in with everything you’ve gathered, and write it to the .md path computed in Step 0.

The report is for human stakeholders — engineers triaging the CVE, security reviewers approving a verdict, leadership deciding whether to patch. It is not a transcript of the skill’s workflow. Concretely:

• Do not write headings like “Step 3” or “Step 5”. The template uses content-named sections (Findings, Exploitable surfaces, Other dependency paths, Method, etc.) — use those.
• Do not write phrases like “in Step 3 we found…” or “as enumerated in Step 4”. Present every finding as a self-contained statement.
• Do not include a “Verdict” body that explains the stepwise process (“Step 2 confirmed X, Step 3 confirmed Y, therefore affected”). The verdict paragraph is an executive summary; the supporting evidence belongs in the Findings section.

Organize findings by what’s exploitable, not by where in the dependency graph the call lives. A direct call from the project’s source and a call from an intermediate library both go into Exploitable surfaces, side by side, ordered by clarity / severity. Paths that you investigated and ruled out go into Other dependency paths with a one-line reason each.

Set the top-level verdict using the VEX-aligned vocabulary. The template renders the verdict as a four-row table where all options are visible and the chosen row is marked — bold its cells and put ✓ in the This analysis column. Record the OpenVEX keyword on the OpenVEX status line so downstream tooling can grep for it.

Verdict	When to use	Justification field?
not_affected	Vulnerable version absent or present but no path leads to attacker-reachable invocation of the vulnerable API surface.	Yes — prose label + VEX keyword in parentheses, e.g. **Justification:** Vulnerable code is not in the execute path (vulnerable_code_not_in_execute_path). Keywords come from the OpenVEX/CycloneDX vocabulary listed in the template.
affected	At least one direct or transitive path lets attacker-controllable input reach the vulnerable API surface under the required configuration.	No — Findings → Exploitable surfaces is the justification. Delete the Justification line.
under_investigation	Analysis is incomplete (no package manager available, intermediate library closed-source, pre-publication CVE with no primary source, or genuine ambiguity).	No — list specific gaps under Open questions instead. Delete the Justification line.
fixed	The project resolves a version at or above the documented fix version.	No — the resolved version is the justification. Delete the Justification line.

The report should let a reviewer reproduce your analysis. Cite specific files, lines, commits, and external sources.

The VEX JSON

Open assets/IMPACT_VEX_TEMPLATE.md — it contains the CycloneDX structure plus the vocabulary translation tables (the report’s OpenVEX-leaning verdicts and justifications map to slightly different CycloneDX VEX keywords). Fill in the placeholders, then write the result to the .vex.json path computed in Step 0.

The VEX file mirrors the Markdown verdict but is much shorter — id, affects[].ref purl, analysis.state, optional analysis.justification, and a 1–3 sentence analysis.detail. Do not replicate the Markdown’s full reasoning; the Markdown is the canonical human-readable artifact, the VEX is for tooling. Both files share the same CVE/GHSA ID, the same verdict, and the same analysis date.

The vex/ directory README

The first time the skill writes to vex/ for a project (i.e. when vex/README.md does not already exist), also write a README from assets/VEX_README_TEMPLATE.md. The README explains to whoever operates the SCA pipeline how to consume the .vex.json files (VEX endpoint, not BOM endpoint), the foot-gun (naive ingest can wipe the inventory), the Fortify-specific fcli path, and how to validate. If vex/README.md already exists, leave it alone — don’t overwrite an operator’s edits.

Completion checklist

Markdown report:

• vex/IMPACT_CVE_<id>.md (or vex/IMPACT_GHSA_…) exists (directory created if it didn’t already)
• Verdict table has the chosen row marked (bold + ✓) and the OpenVEX keyword on the OpenVEX status line
• Justification line is present only when the verdict is not_affected, using prose label + VEX keyword in parentheses
• The verdict paragraph (executive summary) reads as a self-contained 2–4 sentence summary
• The vulnerability section captures vulnerable code, trigger, required configuration, impact, CVSS, and sources
• Every exploitable surface in Findings → Exploitable surfaces has a code excerpt and reasoning
• Transitive paths investigated and ruled out are accounted for in Findings → Other dependency paths (or explicitly omitted because there are none)
• Recommended actions names an upgrade target, mitigations, defense-in-depth, and verification (or, for under_investigation, “Open questions”)
• Method names tools, sink density, scope, reachability confidence (with the observation that would change it), and limitations
• Sources are cited inline (CVE entry, fix commit, library source files)
• The report does not mention “Step 1”, “Step 2”, etc., or otherwise expose the skill’s internal workflow

CycloneDX VEX JSON:

• vex/IMPACT_CVE_<id>.vex.json exists alongside the Markdown report and parses as valid JSON
• vex/README.md exists (written on first run from assets/VEX_README_TEMPLATE.md; left alone on subsequent runs)
• bomFormat, specVersion (1.5 or later), serialNumber (fresh UUID), version, and metadata.timestamp are populated
• metadata.component identifies the project being analyzed
• analysis.state is the translated CycloneDX keyword (not the OpenVEX verdict verbatim — see the template’s vocabulary table)
• analysis.justification is present only when state is not_affected, and is the translated CycloneDX keyword
• affects[].ref is a valid purl pinning the resolved vulnerable package version
• analysis.detail is a tight 1–3 sentence summary, not a copy of the Markdown’s reasoning

---

Reference files

File	When to load
references/cve-research.md	Step 1: extracting exploit conditions from CVE/GHSA/commit data
references/eco-<ecosystem>.md (e.g. eco-maven.md, eco-npm.md, eco-python.md, eco-cpp.md, eco-bazel.md, eco-buildroot.md)	Steps 2 and 4: package-manager-specific commands. Load only the file matching the ecosystem detected in Step 0 — not the whole catalogue. The full mapping is in Step 0.
references/non-manifest-projects.md	Steps 2 and 4 fallback when no manifest is present (bundled jars, .NET Framework lib/ DLLs, prebuilt native libs, frameworks, embedded firmware / rootfs images)
references/cyclonedx-sbom.md	Steps 2 and 4 fallback when working from a CycloneDX SBOM
references/reachability-analysis.md	Steps 3–5: direct-usage analysis, path enumeration, transitive walk — load only after Step 2 confirms a vulnerable version is present
references/transitive-analysis.md	Step 5 deep-dive: walking intermediate libraries, fetching their source, deciding when to stop (loaded from within reachability-analysis.md)
assets/IMPACT_CVE_TEMPLATE.md	Step 6: the Markdown report template
assets/IMPACT_VEX_TEMPLATE.md	Step 6: the CycloneDX VEX JSON template, including OpenVEX → CycloneDX vocabulary translation
assets/VEX_README_TEMPLATE.md	Step 6: the vex/README.md written on first run for operators who’ll consume the .vex.json files

Operating principles

• Don’t hard-wrap markdown prose. When writing the report (and when editing skill or reference files), each paragraph and each bullet item should be a single logical line. Let the editor or renderer wrap. Hard breaks belong only inside code blocks, tables, frontmatter, and ASCII diagrams.
• Cite, don’t paraphrase. Every non-trivial claim in the report should point to a file:line, a commit, or a URL. If you can’t cite it, you’re guessing.
• Resolved tree, not manifest. Direct-dependency lists in pom.xml / package.json / etc. are not what actually ships. Always go through the package manager’s resolution.
• Short of certainty is allowed. “I checked X and Y; Z is unreachable because the intermediate library never calls the vulnerable method” beats “I think it’s probably fine.” If you can’t reach a definite conclusion, say under_investigation and name what’s missing.
• Time-box, then name the gaps. Each transitive path gets exactly one outcome — a definitive citation or an explicit under_investigation marker; never both, never neither. Stop walking when the next path would cost more than the previous several combined, and put the unwalked paths under Method → Limitations. Coverage is a limitation to be named, not a threshold to be hit.
• Imports ≠ calls. Searching for an import is a starting point, not the answer. A class can be imported without the vulnerable code path being executed.
• Configuration matters. A vulnerability that requires a non-default config (e.g., spring.cloud.function.routing-expression) is not exploitable on a default deployment. Always check Step 1’s “required configuration” against the project’s actual config.