Skill Being Reviewed
Skill name: cve-triage
Skill path: skills/vuln-management/cve-triage/
False Positive Analysis
Benign or misleading case that can be over-credited:
scanner_finding:
  cve: CVE-2025-99999
  package: openssl
  detected_version: 3.0.8-1ubuntu1.12
  scanner_severity: critical
  nvd_status: DISPUTED
  vendor_advisory:
    ubuntu: not_affected
    reason: vulnerable code path not built; fix backported under distro revision
Why this is a false positive:
The skill validates the CVE identifier format and enriches the finding with CVSS, EPSS, KEV, and SSVC signals, but it has no status/applicability gate for rejected, disputed, vendor-not-affected, or backported package cases. Without that gate, a scanner match alone is enough to assign an emergency SLA to an asset that is not actually vulnerable.
Coverage Gaps
Missed variant 1: rejected, disputed, or modified CVE records
The NVD record status is Rejected or Disputed, or the vendor states that the affected product branch is not affected, yet the scanner's CPE mapping still reports the issue and the skill treats the match as actionable.
Missed variant 2: distro backports and package epoch mismatch
The upstream fixed version is 3.0.12, but the installed distro version 3.0.8-1ubuntu1.12 carries a backported fix under the distro revision. A plain comparison against the upstream fixed version flags the package as vulnerable; that comparison is wrong unless vendor advisory evidence is consulted first.
Edge Cases
- Container images can inherit fixed packages while the base tag still looks vulnerable.
- A CVE can affect only optional modules or compile-time flags.
- Scanner CPE matching can map a product family to an unrelated edition.
- A vendor status of "under investigation" should be recorded as not-evaluable rather than not-affected.
Remediation Quality
Comparison to Other Tools
| Tool | Catches this? | Notes |
|------|---------------|-------|
| NVD | Partial | Provides CVE status and CPEs, but vendor applicability often needs separate proof. |
| OSV | Partial | Strong ecosystem mapping, but not complete for enterprise backports. |
| Grype/Trivy/Tenable/Qualys | Partial | May expose vendor status or fixed version, but false CPE matches remain common. |
Overall Assessment
Strengths: strong CVSS 4.0, KEV, EPSS, and SSVC enrichment, and conservative assumptions when context is missing.
Needs improvement: Avoid turning every scanner CVE match into an SLA before verifying CVE status and product applicability.
Priority recommendations:
- Add a CVE record status gate covering Published, Modified, Rejected, Disputed, and Reserved; Rejected, Disputed, and Reserved records must not reach SLA assignment without analyst confirmation.
- Require vendor affected/not-affected evidence, and treat "under investigation" as not-evaluable.
- Add package epoch and distro backport handling so a distro revision is not compared against the upstream fixed version as if it were upstream.
- Track CPE match confidence and vulnerable-code-path evidence (optional modules, compile-time flags) alongside the match.
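The gate described in the false-positive analysis, the two coverage gaps, and the recommendations above can be expressed as one decision function. The following is an added example written for this review; it is not code from the cve-triage skill. Field names follow the scanner finding quoted above; the `Finding` dataclass, the `triage` function, the decision labels (`actionable`, `not_affected`, `not_evaluable`, `no_sla`), and the `cpe_match` field are this example's own assumptions. It also shows the epoch/revision split for Debian-style versions and why the naive upstream comparison is wrong on its own.

```python
"""Applicability gate for scanner CVE findings (added example, not the skill's code).

Order of evidence: Rejected record -> vendor not_affected -> vendor under
investigation -> Disputed/Reserved record -> CPE match confidence -> vendor
affected -> upstream version comparison with backport awareness.
"""
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Debian/Ubuntu package version shape: [epoch:]upstream[-revision]
_DEB_VERSION = re.compile(r"^(?:(?P<epoch>\d+):)?(?P<upstream>[^-]+)(?:-(?P<revision>.+))?$")


def parse_distro_version(version: str) -> Tuple[int, str, str]:
    """Split '1:3.0.8-1ubuntu1.12' into (1, '3.0.8', '1ubuntu1.12').

    Epoch defaults to 0 and revision to '' when absent. A non-empty revision
    is the signal that the distro may have backported a fix.
    """
    m = _DEB_VERSION.match(version)
    if not m:
        raise ValueError(f"unparseable package version: {version!r}")
    return int(m.group("epoch") or 0), m.group("upstream"), m.group("revision") or ""


def _version_key(v: str):
    # Numeric runs compare as integers, alphabetic runs as strings; the leading
    # tag keeps Python from comparing int with str.
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in re.findall(r"\d+|[A-Za-z]+", v))


def upstream_is_older(installed_upstream: str, fixed_upstream: str) -> bool:
    """Naive upstream comparison: 3.0.8 < 3.0.12 is True.

    Used alone, this is exactly the comparison the review calls wrong for
    backported packages, so triage() only trusts it when no revision is present.
    """
    return _version_key(installed_upstream) < _version_key(fixed_upstream)


@dataclass
class Finding:
    cve: str
    package: str
    detected_version: str
    scanner_severity: str
    nvd_status: str = "PUBLISHED"            # Published/Modified/Rejected/Disputed/Reserved
    upstream_fixed_version: Optional[str] = None
    vendor_status: Optional[str] = None      # affected / not_affected / under_investigation
    vendor_reason: str = ""
    cpe_match: str = "exact"                 # 'exact' or 'family' (assumed scanner confidence field)


def triage(f: Finding) -> Tuple[str, str]:
    """Return (decision, reason). Only 'actionable' may receive an SLA;
    'not_evaluable' goes to an analyst queue, never to an emergency SLA."""
    status = f.nvd_status.upper()
    vendor = (f.vendor_status or "").lower()
    if status == "REJECTED":
        return "no_sla", "CVE record is Rejected; the identifier is withdrawn"
    if vendor == "not_affected":
        return "not_affected", f.vendor_reason or "vendor advisory: not affected"
    if vendor == "under_investigation":
        return "not_evaluable", "vendor status under investigation; neither affected nor not affected"
    if status in ("DISPUTED", "RESERVED"):
        return "not_evaluable", f"CVE record is {status.title()}; needs analyst confirmation before SLA"
    if f.cpe_match != "exact":
        return "not_evaluable", "scanner CPE match is to a product family, not the installed edition"
    if vendor == "affected":
        return "actionable", f.vendor_reason or "vendor advisory: affected"
    # No vendor evidence: fall back to the upstream comparison, but a distro
    # revision means a backport is possible and the comparison is unproven.
    if f.upstream_fixed_version:
        _, installed_upstream, revision = parse_distro_version(f.detected_version)
        if not upstream_is_older(installed_upstream, f.upstream_fixed_version):
            return "not_affected", "installed upstream version is at or above the fixed version"
        if revision:
            return "not_evaluable", "upstream older than fixed but distro revision present; need vendor backport evidence"
        return "actionable", "upstream version older than fixed and no distro revision"
    # Conservative default when nothing argues against the scanner match.
    return "actionable", "no status or vendor evidence contradicts the scanner match"


# Constructed input: the scanner finding quoted in this review.
REVIEW_FINDING = Finding(
    cve="CVE-2025-99999", package="openssl", detected_version="3.0.8-1ubuntu1.12",
    scanner_severity="critical", nvd_status="DISPUTED",
    upstream_fixed_version="3.0.12", vendor_status="not_affected",
    vendor_reason="vulnerable code path not built; fix backported under distro revision",
)

if __name__ == "__main__":
    print(triage(REVIEW_FINDING))
```

On the quoted finding the gate returns `not_affected` with the vendor's reason, so no SLA is created even though the scanner severity is critical and the upstream comparison (3.0.8 against 3.0.12) would have said vulnerable. Dropping the vendor advisory from the same finding moves it to `not_evaluable` because the Disputed status and the distro revision both withhold automatic SLA assignment.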
Related Reviews Checked
Existing reviews #77, #96, #273, and #1226 cover source freshness and package status broadly. This review focuses on disputed/rejected CVEs, vendor applicability, and distro backport evidence before SLA assignment.
Bounty Info