// Analyze CVE reachability against downstream repository forks at version-specific release branches
Safely query and report on OpenShift CI prow job and test data in BigQuery with cost controls, dry-run validation, and local caching of results
Query and deduplicate open CVE vulnerability issues from OCPBUGS for Node team components
Generate triage reports and post findings to Jira and Slack
Categorize Jira issues into Red Hat Sankey Activity Type categories using MCP Jira tools. Supports single-issue and batch modes. Use when the user wants to categorize or set activity types on Jira issues, or mentions activity types, work types, Sankey, or capacity allocation.
Jira conventions for the CNTRLPLANE project used by OpenShift teams
Implementation guide for creating well-formed Jira bug reports
| name | analyze-cve-repos |
| description | Analyze CVE reachability against downstream repository forks at version-specific release branches |
Use this skill when Phase 2 of the node-cve:triage command needs to determine whether a CVE's vulnerable code path is actually reachable in a Node team repository. Each CVE is analyzed against ALL affected release branches in parallel (one agent per CVE-branch combination). Features can be added, removed, or refactored across releases, so a CVE may be reachable on one version but not affected on another. Analysis targets downstream forks only; if the downstream fork or branch is not found, the CVE is classified as Uncertain.
.work/node-cve/repos/<repo-name>-<branch>/ (the triage command clones all repos at the correct branch before spawning parallel analysis agents)Analysis must target the release branch corresponding to the affected OpenShift version. The main branch may have newer dependencies or Go versions that mask vulnerabilities present in shipped releases. Analysis must target downstream forks only. If the downstream fork or branch does not exist, classify as Uncertain with note "downstream fork/branch not found" and skip analysis.
Component to repository mapping:
Also check pscomponent: labels for additional repo mapping:
pscomponent:cadvisor -> https://github.com/openshift/google-cadvisor (release-4.Y) (Go)pscomponent:conmon -> https://github.com/openshift/conmon (release-4.Y) (C)pscomponent:conmon-rs -> https://github.com/openshift/conmon-rs (release-4.Y) (Rust + Go)pscomponent:cri-tools -> downstream: https://github.com/openshift/cri-tools, upstream: https://github.com/kubernetes-sigs/cri-tools (release-1.X) (Go)Version mapping: Determine the Kubernetes/CRI-O minor version for each OCP release. For OCP 4.Y, the formula is K8s/CRI-O minor = Y + 13 (e.g., OCP 4.18 -> 1.31). When OCP 5.x is released, the formula will change; check the OCP release notes or go.mod in the downstream fork to determine the correct Kubernetes version. Repos using K8s-aligned versioning use release-1.X; repos using OCP-aligned versioning use release-4.Y (or release-5.Y for OCP 5.x).
If the component does not map to a known repo, classify as Uncertain and skip analysis. If the downstream fork or release branch does not exist, classify as Uncertain with note "downstream fork/branch not found" and skip analysis.
The repository should already be cloned at the correct branch to .work/node-cve/repos/<repo-name>-<branch>/ by the triage command before this skill runs. Verify the directory exists and the checked-out branch matches the expected release branch. If the repo directory does not exist, classify as Uncertain and skip analysis.
Fetch vulnerability details to understand what to look for in the source code:
golang.org/x/net/html, crypto/x509, capnproto.org/go/capnp)html.Parse, x509.ParseCertificate)If vulnerability details cannot be determined, classify as Uncertain with note "insufficient CVE details available".
For Go repos, check if the vulnerable package is a dependency:
cd .work/node-cve/repos/<repo-name>-<branch>
grep -r "<affected-package>" go.mod go.sum vendor/modules.txt 2>/dev/null
For Rust repos (conmon-rs), check Cargo.toml and Cargo.lock.
For C repos (conmon), check for the affected library in build files, vendored code, or linked libraries.
If the affected package is not present in the dependency tree, classify as Unaffected with high confidence. Continue to next CVE.
This is the core analysis step. Read the repository source code to determine if the vulnerable code path is actually exercised.
Find imports/usage of the affected package:
grep -rn "import.*<affected-package>" .work/node-cve/repos/<repo-name>-<branch>/ --include="*.go" --include="*.rs" --include="*.c" --include="*.h"
grep -rn "<vulnerable-function>" .work/node-cve/repos/<repo-name>-<branch>/ --include="*.go" --include="*.rs" --include="*.c" --include="*.h"
Read the files that use the affected package. For each call site:
Trace the call path from entry points (main, HTTP handlers, gRPC servers, CLI commands) to the vulnerable function. Determine if the path is reachable in normal operation.
Check for mitigating controls:
Assess exploitability in context:
Based on the source code analysis:
| Finding | Classification | Confidence |
|---|---|---|
| Vulnerable function called with attacker-controlled input, no mitigations | Reachable | High |
| Vulnerable function called, but input is partially validated | Reachable | Medium |
| Vulnerable function called, but only with trusted/internal data | Present but not exploitable | High |
| Package imported but vulnerable function not called | Present but not reachable | High |
| Package not in dependency tree | Unaffected | High |
| Repo too large to fully analyze, or CVE details insufficient | Uncertain | Low |
Write a concise analysis for the report:
Save the analysis to .work/node-cve/triage-$(date +%Y-%m-%d)/<CVE-ID>-<branch>-analysis.md.
{
"skill": "analyze-cve-repos",
"cve_id": "CVE-2026-32281",
"repo": "https://github.com/openshift/cri-o",
"branch": "release-1.32",
"ocp_version": "4.19",
"classification": "REACHABLE",
"confidence": "HIGH",
"evidence": {
"affected_package": "crypto/x509",
"vulnerable_function": "x509.ParseCertificate",
"call_sites": [
"pkg/server/tls.go:42 - called from TLS handshake path",
"pkg/server/auth.go:118 - called during client cert validation"
],
"call_path": "main -> server.New -> setupTLS -> x509.ParseCertificate",
"input_source": "network (client TLS certificates, attacker-controlled)",
"mitigations": "none found",
"fixed_version": "go1.22.5"
},
"remediation_hint": "Update Go runtime to 1.22.5+. Vulnerable function processes untrusted client certificates during TLS handshake."
}