| name | vulnerability-context-enricher |
| description | Enriches CVE identifiers with multi-source intelligence from NVD, GitHub Advisory Database (via OSV.dev), EPSS exploit prediction scores, and CISA Known Exploited Vulnerabilities catalog. For each CVE, retrieves CVSS scores with full vector decomposition, CWE weakness classification, MITRE ATT&CK technique mapping, affected package versions and fix availability, 30-day exploitation probability, and active exploitation status. Generates plain-language exploitability summaries and composite priority scores suitable for non-security engineering teams. Works standalone with individual CVE IDs or in batch mode from Trivy scan output. Chains with devsecops-repo-analyzer to add external intelligence to reachability analysis findings. Use when the user asks to "look up a CVE", "enrich vulnerabilities", "check if a CVE is exploited in the wild", "get EPSS score", "map CVEs to ATT&CK", "prioritize vulnerabilities", "check CISA KEV", or "explain this vulnerability to my team". |
| metadata | {"author":"cambamwham2","version":"1.0"} |
Vulnerability Context Enricher
A multi-source vulnerability intelligence aggregator that transforms raw CVE identifiers into actionable, contextualized security intelligence. The enricher queries five data sources in parallel and produces a unified enrichment profile with plain-language summaries designed for engineering teams without dedicated security staff.
When to Use This Skill
Use when the user asks to:
- Look up details on a specific CVE or set of CVEs
- Enrich vulnerability scan results with external intelligence
- Check whether a CVE is actively exploited in the wild (CISA KEV)
- Get the EPSS exploit prediction score for a vulnerability
- Map CVEs to MITRE ATT&CK techniques
- Prioritize a list of vulnerabilities for remediation
- Generate a plain-language vulnerability summary for non-security audiences
- Chain with
devsecops-repo-analyzer output to add threat intelligence to findings
- Determine if a fix is available and what version to upgrade to
Prerequisites
The enrichment script uses only Python standard library (no pip installs required). It queries public APIs:
- NVD API 2.0 (no key required, but rate-limited to 5 req/30s)
- OSV.dev API (no key required)
- EPSS API via FIRST (no key required)
- CISA KEV JSON catalog (static file download)
No scanning tools need to be installed — this skill is pure intelligence gathering.
Pipeline Overview
Input (CVE IDs, Trivy JSON, or manual list)
│
├─► NVD API 2.0 ──────► CVSS scores, CWE, references, KEV status
├─► OSV.dev API ───────► Affected versions, fix versions, GHSA details
├─► EPSS API ──────────► 30-day exploitation probability
└─► CISA KEV catalog ──► Active exploitation confirmation
│
▼
Enrichment Engine
├─► CWE → MITRE ATT&CK mapping
├─► Composite priority scoring (0-100)
├─► Plain-language summary generation
└─► Fix availability analysis
│
▼
Output (enriched JSON + optional report)
Instructions
Input Modes
The enricher supports three input modes:
Mode 1: Individual CVE IDs
User provides one or more CVE identifiers directly.
"Look up CVE-2026-1774"
"Enrich CVE-2026-1774 and CVE-2026-25223"
Mode 2: CVE list file
User provides a file with one CVE per line.
"Enrich the CVEs in /path/to/cves.txt"
Mode 3: Trivy scan output
User provides Trivy SCA JSON output (from devsecops-repo-analyzer Stage 3 or any Trivy run). The enricher extracts all CVEs above a severity threshold.
"Enrich all High and Critical findings from the Trivy scan"
Step 1: Determine Input and Prepare
- Identify the input mode based on the user's request.
- If the user provides a repo name that was previously analyzed with
devsecops-repo-analyzer, check for existing scan results at:
/home/user/workspace/devsecops-analysis/{repo-name}/scan-results/trivy-sca.json
- Set the minimum severity threshold. Default is HIGH. User can override:
CRITICAL — only critical findings
HIGH — high and critical (default)
MEDIUM — medium and above
LOW — all findings
Step 2: Run the Enrichment Script
Execute the enrichment script based on the input mode:
Individual CVEs:
python3 /home/user/workspace/skills/vulnerability-context-enricher/scripts/enrich-cve.py \
CVE-2026-1774 CVE-2026-25223 \
--output /home/user/workspace/devsecops-analysis/{context}/enriched-cves.json
Individual CVE with package context (improves OSV matching):
python3 /home/user/workspace/skills/vulnerability-context-enricher/scripts/enrich-cve.py \
CVE-2026-1774 \
--package "@casl/ability" --ecosystem npm \
--output /home/user/workspace/devsecops-analysis/{context}/enriched-cves.json
From CVE list file:
python3 /home/user/workspace/skills/vulnerability-context-enricher/scripts/enrich-cve.py \
--from-file /path/to/cves.txt \
--output /home/user/workspace/devsecops-analysis/{context}/enriched-cves.json
From Trivy scan results:
python3 /home/user/workspace/skills/vulnerability-context-enricher/scripts/enrich-cve.py \
--from-trivy /home/user/workspace/devsecops-analysis/{repo-name}/scan-results/trivy-sca.json \
--min-severity HIGH \
--output /home/user/workspace/devsecops-analysis/{repo-name}/enriched-cves.json
Important notes:
- The script rate-limits NVD requests to 1 every 6.5 seconds (NVD allows 5/30s without API key)
- For large batches (50+ CVEs), expect 5-6 minutes of enrichment time
- The
--max-cves flag (default 50) prevents runaway queries
- Output is always JSON with a structured schema
Step 3: Review Enrichment Results
Load and review the enriched JSON output. For each CVE, the enrichment provides:
| Field | Description | Source |
|---|
nvd.cvss | CVSS v3.1 score with full vector (AV, AC, PR, UI, S, C, I, A) | NVD |
nvd.weaknesses | CWE IDs assigned to the vulnerability | NVD |
nvd.descriptions | Official CVE description | NVD |
nvd.references | All known references (patches, advisories, PoCs) | NVD |
osv.advisories | GHSA and ecosystem-specific advisory details | OSV.dev |
osv.advisories[].affected | Exact affected version ranges per ecosystem | OSV.dev |
epss.epss_score | 30-day exploitation probability (0-1) | EPSS/FIRST |
epss.epss_percentile | How this CVE compares to all others (0-1) | EPSS/FIRST |
cisa_kev.in_kev | Whether confirmed actively exploited | CISA |
cwe_ids | All CWE classifications | NVD |
mitre_attack_techniques | Mapped ATT&CK technique IDs | Derived |
fix.fix_available | Whether a patch exists | OSV + NVD |
fix.fixed_versions | Specific versions that fix the issue per ecosystem | OSV |
priority.composite_score | 0-100 composite priority score | Derived |
priority.label | P0-P4 priority classification | Derived |
plain_language_summary | Non-technical explanation of the vulnerability | Generated |
Step 4: Generate Enrichment Report (Optional)
If the user wants a formatted report, use the template at assets/templates/enrichment-report-template.md to compile the enrichment results into a readable document.
- Load the enriched JSON from Step 3.
- Read the report template.
- For each finding, format the detail section:
### CVE-{id} — {title}
**Priority:** {priority_label} (Score: {composite_score}/100)
| Attribute | Value |
|-----------|-------|
| CVSS | {score} {severity} |
| EPSS | {epss_score}% (top {100 - percentile}%) |
| CISA KEV | {Yes/No} |
| CWE | {cwe_ids} |
| ATT&CK | {techniques} |
| Fix Available | {yes/no} → {fixed_version} |
**Summary:** {plain_language_summary}
**References:**
- {reference_urls}
- Save the report as Markdown at:
/home/user/workspace/devsecops-analysis/{context}/enrichment-report.md
- Share the report with the user via
share_file.
Step 5: Chain with devsecops-repo-analyzer (When Applicable)
When enriching CVEs from a previous devsecops-repo-analyzer run, merge the enrichment data with the existing reachability analysis:
-
Load the reachability analysis:
/home/user/workspace/devsecops-analysis/{repo-name}/reachability-analysis.json
-
For each finding in the reachability analysis, match by CVE ID to the enriched data.
-
The enrichment adds external intelligence to the internal reachability analysis:
- EPSS validates or challenges the Real Risk Score — a high EPSS with low reachability means the vulnerability is dangerous elsewhere even if not in this codebase
- CISA KEV is an override signal — if a CVE is in the KEV, it should be treated as high priority regardless of local reachability
- ATT&CK mapping contextualizes the finding in the broader kill chain
- Fix availability from OSV provides the exact upgrade path
-
Save the merged analysis:
/home/user/workspace/devsecops-analysis/{repo-name}/enriched-reachability.json
Enrichment Data Schema
The output JSON follows this structure:
{
"schema_version": "1.0",
"enriched_at": "2026-03-23T00:00:00Z",
"total_cves": 10,
"sources_queried": ["NVD", "OSV.dev", "EPSS", "CISA_KEV"],
"findings": [
{
"cve_id": "CVE-2026-1774",
"enriched_at": "...",
"package": "@casl/ability",
"ecosystem": "npm",
"nvd": {
"source": "NVD",
"status": "found",
"descriptions": ["..."],
"cvss": {
"cvssMetricV31": {
"score": 9.8,
"severity": "CRITICAL",
"vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"attack_vector": "NETWORK",
"attack_complexity": "LOW",
"privileges_required": "NONE"
}
},
"weaknesses": [{"cwe_id": "CWE-1321"}],
"references": [{"url": "...", "tags": ["Patch"]}]
},
"osv": {
"source": "OSV",
"status": "found",
"advisories": [{
"id": "GHSA-xxxx-xxxx-xxxx",
"affected": [{
"package_name": "@casl/ability",
"ecosystem": "npm",
"ranges": [{"type": "SEMVER", "introduced": "0", "fixed": "6.7.5"}]
}]
}]
},
"epss": {
"epss_score": 0.0234,
"epss_percentile": 0.89,
"risk_label": "MODERATE",
"interpretation": "2.34% probability of exploitation..."
},
"cisa_kev": {"in_kev": false},
"cwe_ids": ["CWE-1321"],
"mitre_attack_techniques": ["T1190"],
"fix": {
"fix_available": true,
"fixed_versions": [{"package": "@casl/ability", "ecosystem": "npm", "fixed_in": "6.7.5"}]
},
"priority": {
"composite_score": 72.5,
"label": "P1 — HIGH: Remediate within 7 days",
"factors": ["CVSS 9.8/10 → 39/40 pts", "EPSS 0.0234 → 1.4/30 pts", ...]
},
"plain_language_summary": "..."
}
],
"summary": {
"total_enriched": 10,
"in_cisa_kev": 0,
"fix_available": 8,
"priority_distribution": {"P0": 0, "P1": 2, "P2": 3, "P3": 3, "P4": 2}
}
}
Composite Priority Scoring
The enricher computes a 0-100 composite score from four weighted factors:
| Factor | Max Points | Source | Rationale |
|---|
| CVSS base score | 40 | NVD | How bad the vulnerability could be |
| EPSS score | 30 | FIRST | How likely it is to be exploited |
| CISA KEV status | 20 | CISA | Confirmed active exploitation |
| Fix availability | 10 | OSV | Is remediation immediately actionable |
Priority thresholds:
| Score | Priority | SLA |
|---|
| ≥ 80 | P0 — Critical | Remediate immediately |
| 60–79 | P1 — High | Remediate within 7 days |
| 40–59 | P2 — Medium | Remediate within 30 days |
| 20–39 | P3 — Low | Next maintenance cycle |
| < 20 | P4 — Informational | Monitor only |
MITRE ATT&CK Mapping
Read references/cwe-attack-mapping.md for the full CWE → ATT&CK mapping table.
The enricher automatically maps CWE IDs from NVD to corresponding MITRE ATT&CK Enterprise techniques. This helps engineering teams understand where a vulnerability fits in an attacker's kill chain — for example, whether it enables initial access, privilege escalation, or data exfiltration.
Important Notes
- NVD rate limits are strict. Without an API key, you get 5 requests per 30 seconds. The enrichment script spaces requests at 6.5-second intervals. For large batches, consider registering for a free NVD API key.
- EPSS scores change daily. The model is updated every 24 hours. A low EPSS today doesn't mean it stays low — check again if a PoC is published.
- CISA KEV is the strongest signal. If a CVE is in the KEV catalog, treat it as confirmed dangerous regardless of other scores. KEV inclusion means real attackers are using it.
- OSV covers open-source ecosystems only. Proprietary software vulnerabilities may not appear in OSV. NVD is the fallback for those.
- Plain-language summaries are for communication. They're designed to help security engineers explain findings to product teams, engineering managers, and non-technical stakeholders. Always verify technical details against the raw data.
Output Files
After a complete enrichment run:
devsecops-analysis/{context}/
├── enriched-cves.json # Full enrichment data (structured JSON)
├── enrichment-report.md # Formatted report (if requested)
└── enriched-reachability.json # Merged with repo analyzer output (if chaining)
References
- Read
references/enrichment-sources.md for detailed API documentation, rate limits, and fallback strategies
- Read
references/cwe-attack-mapping.md for the full CWE → MITRE ATT&CK technique mapping
- See
assets/templates/enrichment-report-template.md for the report output format