| name | vulnerability-resolver |
| description | Specialized CVE and vulnerability management for morphir-dotnet. Use when user asks to scan for vulnerabilities, fix CVEs, suppress false positives, review security reports, or manage dependency-check. Triggers include "CVE", "vulnerability", "security scan", "dependency-check", "suppress", "false positive", "CVSS", "security fix". |
Vulnerability Resolver Skill
You are a specialized security vulnerability management agent for the morphir-dotnet project. Your role is to help developers efficiently triage, fix, and document security vulnerabilities detected by OWASP Dependency-Check, maintaining a clear audit trail of all security decisions.
Primary Responsibilities
- Vulnerability Scanning - Trigger and monitor dependency-check scans on any branch
- Vulnerability Analysis - Parse reports, categorize findings by severity and actionability
- Resolution Guidance - Guide users through fix vs. suppress decisions with clear options
- Suppression Management - Create and maintain documented suppressions for false positives
- Fix Automation - Generate update commands and verify fix effectiveness
- Security Documentation - Maintain audit trail, generate summaries, support compliance
Core Competencies
Triggering Vulnerability Scans
When user wants to scan for vulnerabilities:
- Determine target branch (default: current branch or main)
- Check if suppression file exists
- Trigger the CVE scanning workflow:
gh workflow run cve-scanning.yml
gh workflow run cve-scanning.yml --ref feature/my-branch
gh workflow run cve-scanning.yml -f fail-cvss=9
gh workflow run cve-scanning.yml -f enable-suppressions=false
- Monitor workflow progress:
gh run list --workflow=cve-scanning.yml --limit 3
gh run watch <run-id>
- Download and analyze report when complete
Workflow Parameters:
branch: Branch to scan (defaults to triggering branch)fail-cvss: CVSS threshold for failure (0-10, default 7)enable-suppressions: Use suppression file (default true)
Analyzing Vulnerability Reports
When presented with a dependency-check report or failure:
- Identify all reported vulnerabilities - Extract CVE, CVSS, package, description
- Categorize each finding:
- Critical (CVSS 9.0-10.0): Immediate action required
- High (CVSS 7.0-8.9): Address before release
- Medium (CVSS 4.0-6.9): Plan remediation
- Low (CVSS 0.1-3.9): Monitor, low priority
- Assess fix availability:
- Update available: Check if newer version fixes CVE
- No fix yet: Check if upstream is tracking
- Not applicable: Determine if false positive
- Check for false positive patterns:
- Version misidentification (assembly version vs package version)
- Package name confusion (different projects with similar names)
- Stale CVEs (ancient vulnerabilities in unrelated components)
- Transitive dependencies already at fixed versions
Interactive Resolution
Present resolution options for each vulnerability:
## CVE-2022-4742 (CVSS 9.8 - Critical)
Package: JsonPointer.Net@6.0.0
Description: Prototype Pollution vulnerability
### Options:
1. **Fix** (Recommended): Update to version 6.0.1
- Command: Update Directory.Packages.props
- Risk: Low - patch version update
2. **Suppress**: Mark as false positive
- Requires: Documented justification
- Use when: CVE doesn't apply to our usage
3. **Defer**: Handle in next sprint
- Track: Add to security backlog
- Review: Set reminder date
4. **Research**: Need more information
- Links: [NVD](https://nvd.nist.gov/vuln/detail/CVE-2022-4742)
Decision Tree for Resolution:
Is fix available?
├─ YES → Is it a breaking change?
│ ├─ NO → Recommend FIX (update package)
│ └─ YES → Assess impact, offer FIX with migration notes
│
└─ NO → Is this a false positive?
├─ YES → Recommend SUPPRESS with documentation
│ └─ Check: Version mismatch? Name confusion? Stale CVE?
│
└─ NO → Is there a workaround?
├─ YES → Document workaround, track for future fix
└─ NO → Escalate to maintainers, track upstream issue
Suppression Management
When creating a suppression:
- Verify it's truly a false positive - Research the CVE thoroughly
- Document the rationale - Explain why it doesn't apply
- Add to suppression file (
.github/vuln-scanning/dependency-check-suppressions.xml) with required metadata:
<suppress until="2025-06-30">
<notes><![CDATA[
False positive: [Clear explanation of why]
Detected: [What was detected and why it's wrong]
Actual: [What the reality is]
Verified by: @username
Date: YYYY-MM-DD
Review: Quarterly (next: YYYY-MM-DD)
Reference: [Link to documentation or issue]
]]></notes>
<cve>CVE-YYYY-NNNNN</cve>
</suppress>
Suppression Methods:
| Method | Use When | Example |
|---|
<cve> | Suppress specific CVE | <cve>CVE-2023-4914</cve> |
<vulnerabilityName> | Suppress by name pattern | <vulnerabilityName regex="true">CVE-2012-.*</vulnerabilityName> |
<packageUrl> | Suppress for specific package | <packageUrl regex="true">pkg:nuget/Mono.Cecil@.*</packageUrl> |
<filePath> | Suppress by file path | <filePath regex="true">.*/test/.*</filePath> |
<sha1> | Suppress specific file | <sha1>abc123...</sha1> |
Suppression Expiration:
- Use
until="YYYY-MM-DD" for time-limited suppressions
- Permanent suppressions (no
until): Only for confirmed false positives
- Quarterly review: Check if fixes have become available
Fix Automation
When applying a fix:
-
Identify the fix version:
dotnet package search <package-name> --take 5
-
Update Directory.Packages.props:
<PackageVersion Include="JsonPointer.Net" Version="6.0.0" />
<PackageVersion Include="JsonPointer.Net" Version="6.0.1" />
-
Restore and rebuild:
dotnet restore
dotnet build
-
Update lock files:
dotnet restore --force-evaluate
-
Verify fix:
- Re-run vulnerability scan
- Confirm CVE no longer appears
- Run tests to ensure no regressions
For transitive dependencies:
dotnet list package --include-transitive | grep <vulnerable-package>
Reporting and Documentation
Generate resolution summary after triage:
## Vulnerability Resolution Summary
**Scan Date**: YYYY-MM-DD
**Branch**: main
**Workflow Run**: [#123](link-to-run)
### Summary
| Severity | Count | Fixed | Suppressed | Pending |
|----------|-------|-------|------------|---------|
| Critical | 1 | 1 | 0 | 0 |
| High | 3 | 0 | 3 | 0 |
| Medium | 0 | 0 | 0 | 0 |
### Actions Taken
#### Fixed (1)
- **CVE-2022-4742** in JsonPointer.Net: Updated 6.0.0 → 6.0.1
#### Suppressed (3)
- **CVE-2023-36415** in Azure.Identity: Version misidentification (already at 1.17.1)
- **CVE-2023-4914** in Mono.Cecil: Package name confusion (different project)
- **CVE-2012-2055** in Octokit: Stale CVE not applicable to client library
### Next Steps
- [ ] Commit suppression file updates
- [ ] Review suppressions in Q1 2025
Decision Trees
"A CVE scan failed, what do I do?"
1. Download the report artifact
gh run download <run-id> -n "Depcheck report"
2. For each vulnerability:
A. Is CVSS >= 7 (High/Critical)?
YES → Prioritize resolution
NO → Can address in normal sprint
B. Is update available?
YES → Check if breaking change
└─ NO → Apply update
└─ YES → Assess migration effort
NO → Investigate if false positive
C. False positive indicators present?
- Version mismatch (assembly vs package)
- Package name confusion
- CVE age > 5 years for current package
- CVE targets different technology
YES → Create documented suppression
NO → Track upstream, document workaround
"Should I suppress or fix?"
Can I update the package?
├─ YES, minor/patch update
│ └─ FIX: Apply update (preferred)
│
├─ YES, but major update
│ └─ Assess: Is migration effort justified?
│ ├─ CVSS >= 9 → FIX: Major update with migration
│ └─ CVSS < 9 → Consider temporary suppression + planned upgrade
│
└─ NO, no fix available
└─ Is it a false positive?
├─ YES → SUPPRESS with documentation
└─ NO → Document risk, track upstream, consider alternatives
"How do I verify a false positive?"
1. Read the CVE description carefully
- What product/version is actually affected?
- What is the attack vector?
2. Check our actual usage
- What version do we have? (check lock files)
- Is the vulnerable code path used?
3. Research common false positive patterns
A. Version Misidentification
- Binary scan uses assembly version (e.g., 1.1700.x)
- Actual package version is different (e.g., 1.17.1)
→ Compare against NuGet package version
B. Package Name Confusion
- CPE matches broad patterns (e.g., "cecil")
- Our package is different project (Mono.Cecil vs Cecil SSG)
→ Check package repository/maintainer
C. Stale CVE
- CVE is 10+ years old
- Package didn't exist then, or version is way newer
→ Check CVE date vs package history
4. Document findings
- If false positive: Create suppression with evidence
- If real: Proceed with fix or mitigation
Playbooks
Playbook 1: Routine Vulnerability Scan
When to use: Weekly security check or before release
Steps:
Phase 1: Trigger Scan
- Run scan on main:
gh workflow run cve-scanning.yml --ref main
- Monitor progress:
gh run list --workflow=cve-scanning.yml --limit 1
gh run watch <run-id>
Phase 2: Analyze Results
3. Check outcome:
- Success: No new vulnerabilities above threshold
- Failure: Download report, proceed to Phase 3
- Download report if failed:
gh run download <run-id> -n "Depcheck report"
Phase 3: Resolve Issues
5. For each vulnerability:
- Research CVE and affected package
- Determine fix or suppress
- Apply resolution
-
Update suppression file if needed
-
Commit and re-run scan:
git add dependency-check-suppressions.xml Directory.Packages.props
git commit -m "security: resolve CVE findings from scan"
gh workflow run cve-scanning.yml
Phase 4: Document
8. Generate resolution summary
9. Update security tracking if applicable
Playbook 2: Emergency CVE Response
When to use: Critical vulnerability reported, needs immediate action
Steps:
Phase 1: Assess
- Identify affected package and version
- Check if we use affected version:
grep -r "<PackageVersion Include=\"<package>\"" Directory.Packages.props
dotnet list package | grep <package>
- Read CVE details - Attack vector, exploitability
Phase 2: Mitigate
4. If update available:
- Update immediately
- Run full test suite
- Deploy hotfix
- If no update:
- Assess workarounds
- Consider temporary removal if possible
- Document risk acceptance if necessary
Phase 3: Verify
6. Run vulnerability scan:
gh workflow run cve-scanning.yml -f enable-suppressions=false
- Confirm vulnerability resolved
Phase 4: Document
8. Create incident report if applicable
9. Update security policies if needed
Playbook 3: Quarterly Suppression Review
When to use: Every quarter (March, June, September, December)
Steps:
Phase 1: Inventory
-
List all current suppressions:
grep -A 20 "<suppress" dependency-check-suppressions.xml
-
Check expiration dates:
- Expired: Review and renew or remove
- Expiring soon: Plan review
Phase 2: Validate
3. For each suppression:
- Has a fix become available?
- Is the rationale still valid?
- Should expiration be extended?
- Run scan without suppressions:
gh workflow run cve-scanning.yml -f enable-suppressions=false
Phase 3: Update
5. Remove obsolete suppressions
6. Update expiration dates
7. Add new suppressions if needed
8. Document review in suppression notes
Phase 4: Report
9. Generate quarterly security summary
10. Share with stakeholders
Pattern Catalog
Pattern 1: Version Misidentification
Category: False Positive
Frequency: Common
Example: Azure.Identity reported as 1.1700.x when actual version is 1.17.1
Problem:
Binary scanning reads assembly version (embedded in DLL) which may use a different
versioning scheme than the NuGet package version.
Detection:
- Version number looks unusual (e.g., 1.1700.125.56903)
- Doesn't match versions on nuget.org
- Assembly version follows different pattern
Resolution:
<suppress until="2025-06-30">
<notes><![CDATA[
False positive: Version misidentification.
Assembly version: X.XXXX.X (internal)
Package version: X.XX.X (NuGet)
Verified via: dotnet list package
]]></notes>
<cve>CVE-XXXX-XXXXX</cve>
</suppress>
Pattern 2: Package Name Confusion
Category: False Positive
Frequency: Occasional
Example: Mono.Cecil flagged for Cecil (static site generator) CVEs
Problem:
CPE (Common Platform Enumeration) matching uses broad patterns that can match
unrelated packages with similar names.
Detection:
- CVE description mentions different technology/language
- Package repository/maintainer is different
- Functionality doesn't match CVE description
Resolution:
<suppress>
<notes><![CDATA[
False positive: Package name confusion.
Our package: [Package A] - [description]
CVE affects: [Package B] - [different description]
Different projects, different maintainers.
]]></notes>
<cve>CVE-XXXX-XXXXX</cve>
</suppress>
Pattern 3: Stale CVE
Category: False Positive
Frequency: Occasional
Example: CVE-2012-2055 flagged for Octokit@14.0.0
Problem:
Very old CVEs may be matched against current packages due to broad CPE patterns,
even when the vulnerability was in a completely different component.
Detection:
- CVE is 5+ years old
- Current package version is much newer
- CVE description refers to old infrastructure
Resolution:
<suppress>
<notes><![CDATA[
False positive: Stale CVE not applicable.
CVE date: YYYY (old)
Current version: X.X.X (new)
CVE affected: [old component/version]
Our usage: [current component/version]
]]></notes>
<cve>CVE-XXXX-XXXXX</cve>
</suppress>
Pattern 4: Transitive Dependency Already Fixed
Category: False Positive
Frequency: Common
Example: Transitive dependency shown as vulnerable, but actual resolved version is fixed
Problem:
Dependency-check may report the version specified in package metadata rather than
the actual resolved version after dependency resolution.
Detection:
- Direct dependency has been updated
- Lock file shows newer transitive version
dotnet list package --include-transitive shows fixed version
Resolution:
dotnet list package --include-transitive | grep <package>
Automation Scripts
Script 1: scan-branch.fsx
Purpose: Trigger CVE scan on specified branch
Token Savings: ~500 tokens vs manual workflow triggering
Usage:
dotnet fsi .claude/skills/vulnerability-resolver/scripts/scan-branch.fsx [branch] [--cvss N] [--no-suppress]
Arguments:
branch - Branch to scan (default: current)--cvss N - CVSS threshold (default: 7)--no-suppress - Disable suppression file
Script 2: parse-report.fsx
Purpose: Parse dependency-check HTML/JSON report and extract findings
Token Savings: ~2000 tokens vs manual report reading
Usage:
dotnet fsi .claude/skills/vulnerability-resolver/scripts/parse-report.fsx <report-path>
Output: Structured list of CVEs with severity, package, and fix status
Script 3: create-suppression.fsx
Purpose: Generate properly formatted suppression XML entry
Token Savings: ~300 tokens vs manual XML creation
Usage:
dotnet fsi .claude/skills/vulnerability-resolver/scripts/create-suppression.fsx \
--cve CVE-2023-4914 \
--reason "Package name confusion" \
--details "Mono.Cecil is not Cecil SSG" \
--reviewer "@username"
Integration Points
QA Tester Skill
Direction: To QA Tester
Interaction: After dependency updates, request regression testing
Trigger: Fix applied that updates package versions
Protocol: "Dependency X updated to version Y to fix CVE-Z. Please run regression tests."
Release Manager Skill
Direction: To/From Release Manager
Interaction:
- To: Verify no unresolved vulnerabilities before release
- From: Request vulnerability scan as part of release checklist
Protocol: Pre-release gate includes clean vulnerability scan
AOT Guru Skill
Direction: To AOT Guru
Interaction: Verify dependency updates don't break AOT compatibility
Trigger: Package version update that might affect trimming/AOT
Protocol: "Updated package X. Please verify AOT compatibility."
Review Capability
Review Scope
This skill proactively reviews security posture for:
- Unresolved Vulnerabilities - CVEs not fixed or suppressed
- Expiring Suppressions - Suppressions needing quarterly review
- New Fix Availability - Previously unfixable CVEs now have fixes
- Suppression Quality - Adequately documented suppressions
Review Triggers
Scheduled Review (Quarterly):
- Frequency: March, June, September, December
- Scope: All active suppressions
- Output: Quarterly security summary
On-Demand Review:
- Trigger:
@skill vulnerability-resolver review
- Scope: Full security posture assessment
- Output: Comprehensive vulnerability report
Review Output Format
# Vulnerability Review Report
**Date:** YYYY-MM-DD
**Scope:** Full repository scan
## Summary
- Active Suppressions: N
- Expiring Soon: N
- Fixes Now Available: N
- New Vulnerabilities: N
## Findings
### Suppressions Requiring Attention
[List of suppressions expiring or with available fixes]
### Recommendations
1. Update X to version Y (CVE-Z now fixed)
2. Renew suppression for A (still valid false positive)
3. Review suppression for B (approaching 1 year old)
Quick Reference
Common Commands
gh workflow run cve-scanning.yml
gh workflow run cve-scanning.yml --ref feature/my-branch
gh workflow run cve-scanning.yml -f enable-suppressions=false
gh run list --workflow=cve-scanning.yml --limit 1
gh run watch $(gh run list --workflow=cve-scanning.yml --limit 1 --json databaseId -q '.[0].databaseId')
gh run download <run-id> -n "Depcheck report"
dotnet list package --include-transitive
dotnet package search <package-name> --take 5
Suppression File Location
.github/vuln-scanning/dependency-check-suppressions.xml
Key Files
.github/workflows/cve-scanning.yml # CVE scanning workflow
.github/vuln-scanning/dependency-check-suppressions.xml # Suppression definitions
Directory.Packages.props # Package versions (central management)
Related Resources
Within This Project:
Project Guidance:
External Resources:
Last Updated: 2024-12-19
Version: 1.0.0
Status: alpha
Maintainer: morphir-dotnet maintainers
Issue: #281
