From fortify
Determines whether a known CVE/GHSA advisory is actually exploitable in a given project using reachability analysis across multiple ecosystems (npm, Maven, pip, Go, Rust, etc.).
How this skill is triggered — by the user, by Claude, or both
Slash command
/fortify:fortify-exploitability-analysisThe summary Claude sees in its skill listing — used to decide when to auto-load this skill
> **Purpose.** Decide whether a CVE in a dependency is exploitable in *this*
assets/IMPACT_CVE_TEMPLATE.mdassets/IMPACT_VEX_TEMPLATE.mdassets/VEX_README_TEMPLATE.mdreferences/cve-research.mdreferences/cyclonedx-sbom.mdreferences/eco-bazel.mdreferences/eco-buildroot.mdreferences/eco-cpp.mdreferences/eco-dotnet.mdreferences/eco-go.mdreferences/eco-gradle.mdreferences/eco-ios-macos.mdreferences/eco-maven.mdreferences/eco-npm.mdreferences/eco-php.mdreferences/eco-python.mdreferences/eco-ruby.mdreferences/eco-rust.mdreferences/eco-scala.mdreferences/non-manifest-projects.mdPurpose. Decide whether a CVE in a dependency is exploitable in this project. The answer is rarely "the lib is in our tree, therefore we are vulnerable." It depends on which APIs of the vulnerable library are actually reached, with what input, under what configuration. This skill walks through that analysis methodically and writes the result to
IMPACT_CVE_<id>.md.Out of scope. This skill does not fix the vulnerability. After it produces a verdict, hand off to
fortify-remediate(or apply an upgrade manually) if the verdict isaffected.Requires shell execution. The skill assumes shell access to run package-manager commands (
mvn,npm,pip,go, etc.) and to grep the codebase. Without execution capability (read-only context, sandboxed evaluation, web-only session) the analysis degrades to lockfile / SBOM / manifest reading and most reachability questions resolve tounder_investigation— say so in Method → Limitations and pause for an environment that has execution.
The analysis runs in six steps. Do not skip the gates.
Collect the inputs you need before doing anything else.
CVE identifier(s). Normalize to the canonical form CVE-YYYY-NNNNN
(or GHSA-xxxx-xxxx-xxxx). If the user gave a free-text description, ask
them to confirm the ID — exploit conditions vary across CVEs in the same
library and the report file name depends on it.
Project root. Confirm the working directory contains the project to analyze. Skim the top-level for manifest files.
Ecosystem. Detect from manifests at the project root, and load the matching reference file when running Steps 2 and 4 — one file per ecosystem, not the whole catalogue. Files in references/ prefixed eco- are per-ecosystem references; load exactly one:
pom.xml → Maven → references/eco-maven.mdbuild.gradle[.kts] → Gradle (Java / Kotlin) → references/eco-gradle.mdbuild.sbt → Scala (SBT) → references/eco-scala.mdWORKSPACE / MODULE.bazel / BUILD.bazel → Bazel (cross-language: Java / Go / C/C++ / Python) → references/eco-bazel.mdpackage.json / bower.json → JavaScript (npm / yarn / pnpm / Bower) → references/eco-npm.mdrequirements.txt / pyproject.toml / Pipfile / uv.lock → Python (pip / Poetry / Pipenv / uv) → references/eco-python.mdgo.mod / Gopkg.lock → Go (Modules / legacy dep) → references/eco-go.mdCargo.toml → Rust → references/eco-rust.md*.csproj / packages.config / paket.dependencies → .NET (NuGet / Paket) → references/eco-dotnet.mdcomposer.json → PHP → references/eco-php.mdGemfile → Ruby → references/eco-ruby.mdPodfile / Package.swift / Cartfile → iOS / macOS (CocoaPods / SPM / Carthage) → references/eco-ios-macos.mdConfig.in + package/ + configs/*_defconfig (Buildroot) / oe-init-build-env + meta*/conf/layer.conf (Yocto / OpenEmbedded; conf/bblayers.conf appears post-init) / feeds.conf* + scripts/feeds (OpenWrt) → meta-build for embedded Linux → references/eco-buildroot.md.conanfile.txt / conanfile.py / vcpkg.json / CMakeLists.txt / configure.ac / Makefile → C/C++ → references/eco-cpp.mdbom.json / bom.xml → CycloneDX SBOM (input format; can substitute for live package-manager invocation) → references/cyclonedx-sbom.md⚠ Ordering note. Detect the meta-build row before the C/C++ row. Buildroot and OpenWrt trees carry a top-level Makefile (with BR2_* / OpenWrt-specific variables) that would otherwise route to eco-cpp.md, missing the meta-build entirely; Yocto has no root Makefile but is still better analyzed at the meta-build level than via any C/C++ source it happens to contain.
A monorepo can have several. Ask the user which subproject(s) to analyze.
No manifest detected? If the project has binary artifacts checked in (lib/*.jar, WEB-INF/lib/, vendor/, third_party/, prebuilt *.dll / *.so / *.a / *.framework), or if the input is a built artifact handed over without source (firmware image, squashfs / cpio rootfs, Docker image, .deb / .rpm / .ipa / .apk), the analysis still works — load references/non-manifest-projects.md for version-identification, image-extraction, and path-reconstruction techniques.
Package manager available? Run a non-destructive version probe (mvn -v, npm -v, pip --version, go version, cargo --version, bitbake --version, make --version, etc.). The skill needs the package manager (or, for meta-builds, the meta-build's own enumeration command) to enumerate transitive paths in Step 4. If it isn't installed, fall back in this order: (a) the project's lockfile if one exists (still authoritative — the relevant ecosystem reference file names it); (b) a CycloneDX SBOM if one is present in the repo (references/cyclonedx-sbom.md); (c) the bundled-binary / image workflow in references/non-manifest-projects.md. Record the fallback used in the report's Method → Limitations.
Output paths. Step 6 produces two artifacts: a human-readable Markdown report and a machine-readable CycloneDX VEX JSON. Default location is a vex/ subdirectory at the project root — friendlier than scattering IMPACT_* files in the root once a project accumulates a backlog of triaged CVEs, and a natural directory for downstream fcli / Dependency-Track / GitLab tooling to consume in bulk. Take the CVE/GHSA ID, replace - with _, prefix with IMPACT_; the Markdown gets .md, the VEX gets .vex.json. Examples:
CVE-2021-44228 → vex/IMPACT_CVE_2021_44228.md + vex/IMPACT_CVE_2021_44228.vex.jsonGHSA-jfh8-c2jp-5v3q → vex/IMPACT_GHSA_jfh8_c2jp_5v3q.md + vex/IMPACT_GHSA_jfh8_c2jp_5v3q.vex.jsonOverride the directory if the user specifies a different path. If vex/ doesn't exist yet, create it in Step 6 before writing.
.md and .vex.json)Load references/cve-research.md and follow it. The goal of this step is to
produce a structured Exploit Conditions block that you will reuse in every
later step:
ObjectMapper is the vulnerable class — but XmlMapper, YAMLMapper, CBORMapper, etc. (in jackson-dataformat-* artifacts) extend it and trigger the same bug. Spring's MappingJackson2HttpMessageConverter wraps it. Anything that, at runtime, executes the vulnerable code path is part of the surface.not_affected verdict deserves; does not change the verdict, which is set purely by reachability in this project. See references/cve-research.md → Known exploitation in the wild.Authoritative sources, in priority order:
Security tab of the upstream repo).Do not paraphrase guesses — if a source is ambiguous, say so in the report. Check the CVE's NVD publication status before relying on it; if it's pre-analysis (Received / Awaiting / Undergoing Analysis), Rejected, or absent from NVD entirely, follow CVE publication status in references/cve-research.md for how to proceed (and when to stop).
Before doing any code analysis, confirm the project actually pulls in a vulnerable version of the package.
If no vulnerable version is present: write the report with verdict
not_affected (justification: vulnerable_code_not_present — the version
shipped is outside the affected range), and stop. Do not run Steps 3–5.
If a vulnerable version is present: proceed.
not_affected, the report is written and we
stop hereStep 2 confirmed that a vulnerable version resolves in this project. The remaining technical question — does attacker-controllable input actually reach the vulnerable API surface? — is answered in three sub-steps: direct-usage analysis (Step 3), path enumeration (Step 4), and per-path transitive walk (Step 5).
Load references/reachability-analysis.md and follow it end-to-end. It contains the procedure for all three sub-steps, the gates between them, and the conditions under which you can short-circuit to Step 6. Return to SKILL.md when the Step 5 gate is cleared (or when Step 3 has already settled the verdict).
The skill produces two artifacts side by side: a human-readable Markdown report (IMPACT_CVE_<id>.md) and a machine-readable CycloneDX VEX JSON (IMPACT_CVE_<id>.vex.json). Write both — they have different consumers. The Markdown is for engineers, security reviewers, and leadership; the VEX is for SCA tooling (Dependency-Track, GitLab Vulnerability Management) and — most relevant in Fortify environments — for fcli-driven scripts that apply the verdict back to FoD / SSC issues as audit suppressions.
Open assets/IMPACT_CVE_TEMPLATE.md, fill it in with everything you've gathered, and write it to the .md path computed in Step 0.
The report is for human stakeholders — engineers triaging the CVE, security reviewers approving a verdict, leadership deciding whether to patch. It is not a transcript of the skill's workflow. Concretely:
Findings, Exploitable surfaces, Other dependency paths, Method, etc.) — use those.Findings section.Organize findings by what's exploitable, not by where in the
dependency graph the call lives. A direct call from the project's
source and a call from an intermediate library both go into
Exploitable surfaces, side by side, ordered by clarity / severity.
Paths that you investigated and ruled out go into Other dependency paths with a one-line reason each.
Set the top-level verdict using the VEX-aligned vocabulary. The template renders the verdict as a four-row table where all options are visible and the chosen row is marked — bold its cells and put ✓ in the This analysis column. Record the OpenVEX keyword on the OpenVEX status line so downstream tooling can grep for it.
| Verdict | When to use | Justification field? |
|---|---|---|
not_affected | Vulnerable version absent or present but no path leads to attacker-reachable invocation of the vulnerable API surface. | Yes — prose label + VEX keyword in parentheses, e.g. **Justification:** Vulnerable code is not in the execute path (vulnerable_code_not_in_execute_path). Keywords come from the OpenVEX/CycloneDX vocabulary listed in the template. |
affected | At least one direct or transitive path lets attacker-controllable input reach the vulnerable API surface under the required configuration. | No — Findings → Exploitable surfaces is the justification. Delete the Justification line. |
under_investigation | Analysis is incomplete (no package manager available, intermediate library closed-source, pre-publication CVE with no primary source, or genuine ambiguity). | No — list specific gaps under Open questions instead. Delete the Justification line. |
fixed | The project resolves a version at or above the documented fix version. | No — the resolved version is the justification. Delete the Justification line. |
The report should let a reviewer reproduce your analysis. Cite specific files, lines, commits, and external sources.
Open assets/IMPACT_VEX_TEMPLATE.md — it contains the CycloneDX structure plus the vocabulary translation tables (the report's OpenVEX-leaning verdicts and justifications map to slightly different CycloneDX VEX keywords). Fill in the placeholders, then write the result to the .vex.json path computed in Step 0.
The VEX file mirrors the Markdown verdict but is much shorter — id, affects[].ref purl, analysis.state, optional analysis.justification, and a 1–3 sentence analysis.detail. Do not replicate the Markdown's full reasoning; the Markdown is the canonical human-readable artifact, the VEX is for tooling. Both files share the same CVE/GHSA ID, the same verdict, and the same analysis date.
The first time the skill writes to vex/ for a project (i.e. when vex/README.md does not already exist), also write a README from assets/VEX_README_TEMPLATE.md. The README explains to whoever operates the SCA pipeline how to consume the .vex.json files (VEX endpoint, not BOM endpoint), the foot-gun (naive ingest can wipe the inventory), the Fortify-specific fcli path, and how to validate. If vex/README.md already exists, leave it alone — don't overwrite an operator's edits.
Markdown report:
vex/IMPACT_CVE_<id>.md (or vex/IMPACT_GHSA_…) exists (directory created if it didn't already)✓) and the OpenVEX keyword on the OpenVEX status linenot_affected, using prose label + VEX keyword in parenthesesThe vulnerability section captures vulnerable code, trigger, required configuration, impact, CVSS, and sourcesFindings → Exploitable surfaces has a code excerpt and reasoningFindings → Other dependency paths (or explicitly omitted because there are none)Recommended actions names an upgrade target, mitigations, defense-in-depth, and verification (or, for under_investigation, "Open questions")Method names tools, sink density, scope, reachability confidence (with the observation that would change it), and limitationsCycloneDX VEX JSON:
vex/IMPACT_CVE_<id>.vex.json exists alongside the Markdown report and parses as valid JSONvex/README.md exists (written on first run from assets/VEX_README_TEMPLATE.md; left alone on subsequent runs)bomFormat, specVersion (1.5 or later), serialNumber (fresh UUID), version, and metadata.timestamp are populatedmetadata.component identifies the project being analyzedanalysis.state is the translated CycloneDX keyword (not the OpenVEX verdict verbatim — see the template's vocabulary table)analysis.justification is present only when state is not_affected, and is the translated CycloneDX keywordaffects[].ref is a valid purl pinning the resolved vulnerable package versionanalysis.detail is a tight 1–3 sentence summary, not a copy of the Markdown's reasoning| File | When to load |
|---|---|
references/cve-research.md | Step 1: extracting exploit conditions from CVE/GHSA/commit data |
references/eco-<ecosystem>.md (e.g. eco-maven.md, eco-npm.md, eco-python.md, eco-cpp.md, eco-bazel.md, eco-buildroot.md) | Steps 2 and 4: package-manager-specific commands. Load only the file matching the ecosystem detected in Step 0 — not the whole catalogue. The full mapping is in Step 0. |
references/non-manifest-projects.md | Steps 2 and 4 fallback when no manifest is present (bundled jars, .NET Framework lib/ DLLs, prebuilt native libs, frameworks, embedded firmware / rootfs images) |
references/cyclonedx-sbom.md | Steps 2 and 4 fallback when working from a CycloneDX SBOM |
references/reachability-analysis.md | Steps 3–5: direct-usage analysis, path enumeration, transitive walk — load only after Step 2 confirms a vulnerable version is present |
references/transitive-analysis.md | Step 5 deep-dive: walking intermediate libraries, fetching their source, deciding when to stop (loaded from within reachability-analysis.md) |
assets/IMPACT_CVE_TEMPLATE.md | Step 6: the Markdown report template |
assets/IMPACT_VEX_TEMPLATE.md | Step 6: the CycloneDX VEX JSON template, including OpenVEX → CycloneDX vocabulary translation |
assets/VEX_README_TEMPLATE.md | Step 6: the vex/README.md written on first run for operators who'll consume the .vex.json files |
pom.xml /
package.json / etc. are not what actually ships. Always go through the
package manager's resolution.under_investigation and name what's missing.under_investigation marker; never both, never neither. Stop walking when the next path would cost more than the previous several combined, and put the unwalked paths under Method → Limitations. Coverage is a limitation to be named, not a threshold to be hit.spring.cloud.function.routing-expression) is not
exploitable on a default deployment. Always check Step 1's "required
configuration" against the project's actual config.npx claudepluginhub fortify/skills --plugin fortify-skillsResearches a CVE or vulnerability disclosure end-to-end: affected versions, reachability in your code, public PoC availability, patch status, exposure window, and mitigation guidance. Use for CVE, zero-day, EPSS, or patch triage.
Orchestrates CVE vulnerability testing: identifies tech stacks, researches known CVEs, adapts PoCs, and validates exploits against applications. Use for assessing dependencies, frameworks, and libraries.
Researches CVEs and security advisories for project dependencies using NVD, OSV.dev, GitHub Advisory Database, and Exa. Useful when checking a specific package version for known vulnerabilities.