Best use case
cve-triage is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Teams using cve-triage should expect more consistent output, faster repeated execution, and less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in `.claude/skills/cve-triage/SKILL.md` inside your project
- Restart your AI agent; it will auto-discover the skill
How cve-triage Compares
| Feature / Agent | cve-triage | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
This skill provides specific capabilities for your AI agent. See the About section for full details.
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
SKILL.md Source
# cve-triage Skill

## When to Use

Use this skill when the user wants to:

- Prioritize which CVEs to fix from a scan result
- Understand what a finding means (CRITICAL vs HIGH vs MEDIUM)
- Decide whether a CVE affects their specific deployment
- Know the remediation steps for common CVE types
- Understand CVSS scores

## CVE Triage Framework

### Step 1: Filter by severity

Start with CRITICAL. Then HIGH. Do not spend time on MEDIUM or LOW until critical and high are resolved.

```
CRITICAL (4) -> fix before next deployment
HIGH (3)     -> fix within current sprint
MEDIUM (2)   -> schedule for next quarter
LOW (1)      -> backlog item; fix when upgrading anyway
UNKNOWN (0)  -> investigate: check NVD manually
```

### Step 2: Check if fixable

Every finding shows `installed_version` and `fixed_version`. If `fixed_version` is present, the fix is to upgrade that package. If there is no fix, options are:

1. Update to a different base image that has a patched version
2. Assess exploitability and accept the risk
3. Add a compensating control (network restriction, no-root execution)

### Step 3: Assess actual exploitability

CVSS scores are worst-case. Many CVEs are theoretical in typical deployments. Questions to ask:

| Question | If Yes | If No |
|---|---|---|
| Is the affected package used at runtime? | Prioritize | May not be exploitable |
| Does the vulnerability require network access? | Higher priority | Lower if container is internal-only |
| Does the container run as root? | Higher risk | Lower risk for many CVEs |
| Is the affected feature used by your app? | Prioritize | May be safe to defer |

### Step 4: Fix strategy

**Update OS packages** (most common Alpine/Debian CVEs):

```dockerfile
# Dockerfile
FROM nginx:1.25-alpine
# Upgrade all packages to pick up security fixes
RUN apk upgrade --no-cache
```

**Pin to a specific fixed version**:

```dockerfile
RUN apk add --no-cache "openssl>=3.1.5-r0"
```

**Update base image** (when the base image has a newer tag with patches):

```dockerfile
# Before
FROM nginx:1.25-alpine
# After (if a newer patch exists)
FROM nginx:1.25.5-alpine
```

## Understanding CVSS Scores

CVSS v3 scores range from 0.0 to 10.0:

| Score | Severity |
|---|---|
| 9.0 - 10.0 | CRITICAL |
| 7.0 - 8.9 | HIGH |
| 4.0 - 6.9 | MEDIUM |
| 0.1 - 3.9 | LOW |
| 0.0 | NONE |

Key CVSS metrics that affect severity:

- **Attack Vector** - Network (worst) vs Local vs Physical (best)
- **Privileges Required** - None (worst) vs Low vs High (best)
- **User Interaction** - None (worst) vs Required (better)
- **Confidentiality/Integrity/Availability Impact** - High vs Low vs None

## Common CVE Types in Container Images

### OpenSSL vulnerabilities

- Package: `openssl`, `libssl`, `libcrypto`
- Fix: `apk upgrade --no-cache openssl` or rebuild with a newer base image
- Risk: High if the container serves TLS traffic or uses openssl functions directly

### curl/libcurl vulnerabilities

- Package: `curl`, `libcurl`
- Fix: `apk upgrade --no-cache curl`
- Risk: High if the container makes HTTP requests using curl; often zero risk if curl is unused

### libc / musl vulnerabilities

- Package: `musl`, `glibc`
- Fix: Rebuild with a newer base image (the base image maintainer must release a patch)
- Risk: Often high severity but frequently requires local access to exploit

### Kernel vulnerabilities

- Package: `linux-kernel`, `linux-headers`
- Fix: Usually not fixable via Dockerfile; requires a host OS patch or kernel version change
- Risk: Usually only exploitable from within the container; mitigated by seccomp and AppArmor

## Querying Findings for Triage

```bash
# Show all critical findings with a fix available
container-image-scanner findings scan_a1b2c3 --severity CRITICAL

# Check if a specific CVE affects you
container-image-scanner cve CVE-2024-5535

# Export findings to CSV for a spreadsheet
# (the URL is quoted so the shell does not treat "&" as a background operator)
curl "http://localhost:3000/api/findings?scanId=scan_a1b2c3&severity=CRITICAL" \
  -H "Accept: text/csv" > critical-findings.csv
```

## Accepting Risk (marking as won't fix)

In container-image-scanner, create a `.trivyignore` file in your repository to suppress specific CVEs:

```
# .trivyignore
# Accepted: CVE-2023-52425 - libexpat recursion, no fix available, mitigated by input validation
CVE-2023-52425
# Accepted: CVE-2023-45853 - zlib, integer overflow in inflate, no network-reachable path in our usage
CVE-2023-45853
```

Pass this file to the scanner via the YAML config or CLI flag. Document each accepted CVE with a justification comment.

## Useful External Resources

- NVD (National Vulnerability Database): https://nvd.nist.gov/vuln/search
- GHSA (GitHub Security Advisories): https://github.com/advisories
- Alpine Security Tracker: https://security.alpinelinux.org/
- Debian Security Tracker: https://security-tracker.debian.org/
- Trivy documentation: https://aquasecurity.github.io/trivy/
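The Step 1 to Step 3 rules above, applied to constructed sample findings and a `.trivyignore` body, as an added Python example that is not code from the skill or from container-image-scanner. The `runtime` field is an assumed reviewer annotation (the answer to "is the affected package used at runtime?"), and the CVE ids and versions are placeholders.

```python
# Added example: triage scanner findings with the cve-triage severity ranks.
# `runtime` is an assumed annotation; ids/versions below are constructed placeholders.
SEVERITY_RANK = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1, "UNKNOWN": 0}
ACTION = {
    4: "fix before next deployment",
    3: "fix within current sprint",
    2: "schedule for next quarter",
    1: "backlog item; fix when upgrading anyway",
    0: "investigate: check NVD manually",
}

def parse_trivyignore(text):
    """Return the CVE ids listed in a .trivyignore body; '#' comments are skipped."""
    ids = set()
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip()
        if entry:
            ids.add(entry)
    return ids

def triage(findings, ignored=frozenset()):
    """Order findings by severity rank and attach the Step 2 remediation."""
    results = []
    for f in findings:
        if f["id"] in ignored:  # accepted risk, documented in .trivyignore
            continue
        rank = SEVERITY_RANK.get(f.get("severity", "UNKNOWN"), 0)
        # Step 3: a package not used at runtime is rarely exploitable; demote one level.
        if not f.get("runtime", True) and rank > 1:
            rank -= 1
        if f.get("fixed_version"):  # Step 2: a fixed_version means "upgrade the package"
            fix = f"upgrade {f['package']} {f['installed_version']} -> {f['fixed_version']}"
        else:
            fix = "no fix: newer base image, accept risk, or compensating control"
        results.append({"id": f["id"], "rank": rank, "action": ACTION[rank], "fix": fix})
    # Highest rank first; within a rank, fixable findings before unfixable ones.
    results.sort(key=lambda r: (-r["rank"], r["fix"].startswith("no fix")))
    return results

# Constructed sample data (placeholder ids and versions, not real advisories).
SAMPLE_FINDINGS = [
    {"id": "CVE-0000-0001", "package": "openssl", "severity": "CRITICAL",
     "installed_version": "3.1.4-r0", "fixed_version": "3.1.5-r0", "runtime": True},
    {"id": "CVE-0000-0002", "package": "curl", "severity": "HIGH",
     "installed_version": "8.4.0-r0", "fixed_version": None, "runtime": False},
    {"id": "CVE-0000-0003", "package": "libexpat", "severity": "MEDIUM",
     "installed_version": "2.5.0-r0", "fixed_version": None, "runtime": True},
]
SAMPLE_IGNORE = "# Accepted: placeholder, mitigated by input validation\nCVE-0000-0003\n"
```

Running `triage(SAMPLE_FINDINGS, parse_trivyignore(SAMPLE_IGNORE))` drops the accepted libexpat finding and demotes the unused curl package from HIGH to the MEDIUM action.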
Related Skills
- Uptime Monitoring
- Status Page
- unit-conversion
- recipe-scaler
- reading-list: Operate the reading-list API to save, manage, tag, search, and export articles.
- email-digest: Configure, test, and troubleshoot the reading-list daily email digest delivered via nodemailer.
- websocket-realtime: Use the WebSocket connection in poll-builder to receive live vote updates. Use when you need to stream real-time poll results, monitor a poll for new votes, or build a live dashboard. Triggers include "live results", "real-time updates", "stream votes", "watch poll", or "WebSocket".
- poll-builder: Self-hosted poll creation tool with real-time results. Use when you need to create a poll, check vote counts, close a poll, export results, or get the shareable link for a poll. Triggers include "create poll", "vote", "poll results", "survey", "collect votes", "share poll", or any task involving polling or voting.
- personal-finance
- csv-import
- Syntax Highlighting
- Pastebin Core