cve-reachability-analyzer
Analyze CVE reachability in software repositories by examining how vulnerable dependencies are imported and used. Determines whether vulnerable components, classes, or functions are reachable from project code through call chain analysis, reflection detection, dynamic loading patterns, and configuration-gated behavior. Classifies each CVE as likely reachable, possibly reachable, or likely unreachable with supporting evidence. Use when analyzing security vulnerabilities in dependencies, performing post-disclosure CVE triage, assessing vulnerability impact, or when users ask to analyze CVE reachability, check if vulnerabilities are exploitable, or evaluate dependency security risks.
git clone --depth 1 https://github.com/ArabelaTso/Skills-4-SE /tmp/cve-reachability-analyzer && cp -r /tmp/cve-reachability-analyzer/skills/cve-reachability-analyzer ~/.claude/skills/cve-reachability-analyzerSKILL.md
# Post-Disclosure CVE Reachability Analyzer ## Overview This skill performs static analysis of software repositories to determine whether disclosed CVEs in dependencies are reachable from the project's code. It analyzes import patterns, call chains, dynamic invocation, and configuration to classify each CVE's reachability with evidence-based justification. ## Workflow ### Step 1: Gather Input Information Collect and validate the required information: 1. **Repository analysis**: - Identify programming language(s) - Locate dependency files (package.json, requirements.txt, pom.xml, etc.) - Understand project structure and entry points 2. **CVE information**: - CVE ID and description - Affected package name and version range - Vulnerable component (function/class/method) - Vulnerability type (injection, overflow, etc.) - Fixed version 3. **Configuration information** (optional): - Feature flags and their states - Build profiles (dev/staging/production) - Environment variables - Runtime configuration files ### Step 2: Verify Dependency Presence Check if the vulnerable dependency exists in the project: 1. **Parse dependency files**: - Read language-specific dependency files (see [language_guide.md](references/language_guide.md)) - Extract package names and version constraints - Build dependency tree (including transitive dependencies) 2. **Version matching**: - Compare installed version against vulnerable version range - Check if version falls within affected range - Identify if fixed version is available 3. **Early exit**: - If package not present → **Not Applicable** - If version not in vulnerable range → **Not Vulnerable** - Otherwise, proceed to Step 3 ### Step 3: Analyze Import Patterns Determine if vulnerable components are imported: 1. **Search for imports**: - Find all import/require/using statements for the vulnerable package - Check for direct imports of vulnerable function/class - Identify wildcard imports that may include vulnerable component - Look for aliased imports 2. **Language-specific patterns**: - Consult [language_guide.md](references/language_guide.md) for language-specific import syntax - Check for framework-specific import mechanisms (DI, auto-loading) 3. **Assessment**: - No imports found → Likely unreachable (but check dynamic loading in Step 5) - Imports found → Proceed to Step 4 ### Step 4: Trace Call Chains Identify if vulnerable code is invoked: 1. **Direct usage analysis**: - Search for call sites of vulnerable function/method - Find instantiations of vulnerable classes - Locate references to vulnerable symbols 2. **Indirect usage analysis**: - Trace calls through wrapper functions - Check for framework auto-invocation (middleware, event handlers, DI) - Identify callback registrations - Look for inheritance/interface implementations 3. **Build call graph**: - Map call chains from entry points to vulnerable code - Identify all paths that reach vulnerable component - Note the depth and complexity of call chains 4. **Use pattern library**: - Consult [reachability_patterns.md](references/reachability_patterns.md) for common patterns - Match observed patterns to known reachability scenarios ### Step 5: Analyze Dynamic Invocation Check for dynamic code execution that may reach vulnerable code: 1. **Reflection/metaprogramming**: - Search for reflection APIs (Java: `Class.forName()`, Python: `getattr()`, etc.) - Check if vulnerable component could be invoked dynamically - Assess likelihood based on how constrained the dynamic calls are 2. **Dynamic loading**: - Look for dynamic imports (Python: `importlib`, JS: `require(variable)`) - Check plugin systems or extension mechanisms - Evaluate if vulnerable package could be loaded dynamically 3. **Eval and code generation**: - Search for `eval()`, `exec()`, `Function()` constructor - Check if vulnerable code could be executed through eval - Assess risk based on input sources ### Step 6: Evaluate Configuration Gates Determine if vulnerable code is gated by configuration: 1. **Feature flags**: - Search for feature flag checks around vulnerable code - Determine flag states in production (if configuration provided) - Assess if flag could be enabled 2. **Environment-specific code**: - Check for environment conditionals (dev/staging/prod) - Determine which environments execute vulnerable code - Focus on production environment 3. **Build-time conditionals**: - Look for build profiles, compilation flags - Check if vulnerable code is included in production builds - Review preprocessor directives 4. **Runtime configuration**: - Check for configuration files that control code paths - Determine if vulnerable code path is enabled - Assess likelihood of configuration changes ### Step 7: Assess Code Path Reachability Determine if the code path is actually executed: 1. **Dead code detection**: - Check for commented-out code - Identify unreachable branches (if False, etc.) - Find deprecated/unused functions with no callers 2. **Test-only code**: - Identify if usage is only in test files - Check for test-specific imports or mocks - Distinguish production vs. test code paths 3. **Error handling paths**: - Determine if vulnerable code is in error handlers - Assess likelihood of error conditions - Consider if error paths are reachable in practice 4. **Entry point analysis**: - Trace from application entry points (main, HTTP handlers, etc.) - Verify vulnerable code is on reachable paths from entry points - Consider application flow and typical execution paths ### Step 8: Classify Reachability Apply classification criteria from [cve_analysis.md](references/cve_analysis.md): **Likely Reachable** - All of: - Vulnerable package is present in correct version range - Vulnerable component is
Applies abstract interpretation using different abstract domains (intervals, octagons, polyhedra, sign, congruence) to statically analyze program variables and infer invariants, value ranges, and relationships. Use when analyzing program properties, inferring loop invariants, detecting potential errors, or understanding variable relationships through static analysis.
Uses abstract interpretation to automatically infer loop invariants, function preconditions, and postconditions for formal verification. Generates invariants that capture program behavior and support correctness proofs in Dafny, Isabelle, Coq, and other verification systems. Use when adding formal specifications to code, generating verification conditions, inferring contracts for functions, or discovering loop invariants for proofs.
Performs abstract interpretation over source code to infer possible program states, variable ranges, and data properties without executing the program. Reports potential runtime errors including out-of-bounds accesses, null dereferences, type inconsistencies, division by zero, and integer overflows. Use when analyzing code for potential runtime errors, performing static analysis, checking safety properties, or verifying program behavior without execution.
Performs abstract interpretation to produce summarized execution traces and high-level program behavior representations. Highlights key control flow paths, variable relationships, loop invariants, function summaries, and potential runtime states using abstract domains (intervals, signs, nullness, etc.). Use when analyzing program behavior, understanding execution paths, computing loop invariants, tracking variable ranges, detecting potential runtime errors, or generating program summaries without concrete execution.
Create ACSL (ANSI/ISO C Specification Language) formal annotations for C/C++ programs. Use this skill when working with formal verification, adding function contracts (requires/ensures), loop invariants, assertions, memory safety annotations, or any ACSL specifications. Supports Frama-C verification and generates comprehensive formal specifications for C/C++ code.
CLI-based browser automation with persistent page state using ref-based element interaction. Use when users ask to navigate websites, interact with web pages, fill forms, take screenshots, test web applications, or extract information from web pages.
Detects and analyzes ambiguous language in software requirements and user stories. Use when reviewing requirements documents, user stories, specifications, or any software requirement text to identify vague quantifiers, unclear scope, undefined terms, missing edge cases, subjective language, and incomplete specifications. Provides detailed analysis with clarifying questions and suggested improvements.
Design and review APIs with suggestions for endpoints, parameters, return types, and best practices. Use when designing new APIs from requirements, reviewing existing API designs, generating API documentation, or getting implementation guidance. Supports REST APIs with focus on endpoint structure, request/response schemas, authentication, pagination, filtering, versioning, and OpenAPI specifications. Triggers when users ask to design, review, document, or improve APIs.