Agentic AI hackathon project to automate security ticket triage and remediation research. Uses Claude Code as the orchestrator with a 6-stage Python pipeline for JIRA data fetching, CVE enrichment, codebase analysis, and actionable upgrade recommendations.
- Learn about agentic AI workflows (LLM in a loop with tools)
- Build a practical tool that saves time on CVE remediation
- Fetch all open `ACS_CVSS_CRITICAL` tickets from JIRA
- Parse ticket descriptions, extract CVEs, and group by application
- Enrich CVEs via Red Hat and OSV APIs (severity, CVSS, affected packages, fix versions)
- Resolve app names to upstream source code repositories via app-interface GraphQL
- Analyze codebases — fetch dependency manifests, check which repos actually use vulnerable packages, collect usage snippets
- Generate a markdown report with per-app CVE tables and codebase analysis
- Claude Code spawns per-app sub-agents to reason about upgrade risk and recommend actions
- Python (`jira` + `requests`) — 6-stage CLI pipeline, managed with `uv`
- Claude Code — orchestrator and analysis engine via `/cve` skill
/cve ENGPROD (Claude Code skill)
→ cve-agent: Fetch raw JIRA tickets (JSON)
→ cve-parse: Extract alerts (CVEs, images, app names)
→ cve-enrich: Red Hat + OSV APIs (severity, packages, fix versions)
→ cve-resolve: app-interface GraphQL (app → upstream repo URLs)
→ cve-analyze: GitHub/GitLab APIs (manifest fetching, package matching, usage search)
→ cve-report: Markdown report grouped by app
→ Claude Code spawns per-app Agent sub-agents for upgrade risk reasoning
- Clone the repo
- Copy `.env.example` to `.env` and fill in your credentials:
  - `JIRA_SERVER`, `JIRA_TOKEN` — JIRA access
  - `GITHUB_TOKEN` — GitHub API (read-only, for codebase analysis)
  - `GITLAB_TOKEN` — GitLab API (read-only, for internal repos)
- Run `uv sync` to install dependencies
Via Claude Code skill (recommended):
/cve ENGPROD
Direct pipeline (raw output):
uv run cve-agent ENGPROD | uv run cve-parse | uv run cve-enrich | uv run cve-resolve | uv run cve-analyze | uv run cve-report --team ENGPROD

Below is an example of running `/cve ENGPROD` — showing the full pipeline execution, per-app report, and agent analysis:
> /cve ENGPROD
Enriching 20 unique CVEs...
CVE-2021-23369: handlebars, org.webjars:handlebars, org.webjars.npm:handlebars, org.webjars.bowergithub.wycats:handlebars.js
CVE-2021-23383: handlebars
CVE-2021-25949: set-getter
CVE-2021-3918: json-schema
CVE-2021-44906: minimist, minimist
CVE-2022-0686: url-parse
CVE-2022-37601: loader-utils, loader-utils
CVE-2023-45133: @babel/traverse, @babel/traverse, babel-traverse
CVE-2024-45337: golang.org/x/crypto, golang.org/x/crypto
CVE-2025-14009: nltk
CVE-2025-44005: github.com/smallstep/certificates, github.com/smallstep/certificates
CVE-2025-68121: stdlib
CVE-2025-7783: form-data, form-data, form-data
CVE-2026-1229: github.com/cloudflare/circl, github.com/cloudflare/circl
CVE-2026-25896: fast-xml-parser, fast-xml-parser
CVE-2026-27586: github.com/caddyserver/caddy/v2, github.com/caddyserver/caddy/v2
CVE-2026-27587: github.com/caddyserver/caddy/v2, github.com/caddyserver/caddy/v2
CVE-2026-27699: basic-ftp
CVE-2026-33186: google.golang.org/grpc, google.golang.org/grpc
CVE-2026-34520: no package info
Resolving codebases for 9 apps...
backstage: 8 repo(s)
clowder: 4 repo(s)
firelink: 3 repo(s)
frontend-operator: 5 repo(s)
insights: 5 repo(s)
kibana: 2 repo(s)
status-board: 2 repo(s)
strimzi: 3 repo(s)
web-rca: 4 repo(s)
Analyzing codebases for 9 apps...
backstage:
scanning https://github.com/RedHatInsights/clementine...
scanning https://github.com/RedHatInsights/tangerine-backend...
scanning https://github.com/RedHatInsights/tangerine-frontend...
scanning https://github.com/RedHatInsights/tangerine-proxy...
...
clowder:
scanning https://github.com/RedHatInsights/clowder...
→ 1 package(s) found
...
firelink:
scanning https://github.com/RedHatInsights/firelink-backend...
scanning https://github.com/RedHatInsights/firelink-frontend...
scanning https://github.com/RedHatInsights/firelink-proxy...
...
Report saved to reports/ENGPROD/2026-04-07.md
## backstage (ENGPROD-9662, ENGPROD-9664)
| CVE | Severity | Package | Ecosystem | Fix Version | Affected Images |
|-----|----------|---------|-----------|-------------|-----------------|
| CVE-2025-14009 | Important/8.8 | nltk | PyPI | 3.9.3 | tangerine-backend:63af18d |
| CVE-2026-25896 | Important/7.1 | fast-xml-parser | npm | 5.3.5 | rhdh-hub-rhel9:1.9-210 |
| CVE-2026-33186 | Important/8.1 | google.golang.org/grpc | Go | 1.79.3 | caddy-ubi, tangerine-proxy, rhdh-hub |
### Codebase Analysis
Not affected: backstage, clementine, inscope-resources, matomo, tangerine-backend, ...
## clowder (ENGPROD-9697, ENGPROD-9699, ENGPROD-9701)
| CVE | Severity | Package | Ecosystem | Fix Version | Affected Images |
|-----|----------|---------|-----------|-------------|-----------------|
| CVE-2026-33186 | Important/8.1 | google.golang.org/grpc | Go | 1.79.3 | clowder:6edea2c |
### Codebase Analysis
| Codebase | Package | Current | Fix | Manifest | Usage |
|----------|---------|---------|-----|----------|-------|
| clowder | google.golang.org/grpc | v1.79.3 | 1.79.3 | go.mod | go.mod |
Not affected: clowd-environments, clowder-envoy, clowder-plugin

9 apps affected | 20 unique CVEs | 2 Critical, 8 Important/High severity
backstage — 6 CVEs, 5 packages identified
- nltk (Important/8.8): Direct dependency in tangerine-backend via Pipfile. Low upgrade risk — bump to 3.9.3.
- fast-xml-parser (Important/7.1): Transitive via AWS SDK packages in RHDH. Moderate risk.
- basic-ftp (Important/7.5): Deep transitive via mockttp testing utility. Low risk.
- grpc (Important/8.1): Transitive via Caddy base image. Update Caddy image version.
clowder — 1 CVE, already fixed
- grpc is at v1.79.3 which equals the fix version. False positive — ticket can be closed.
firelink — 6 CVEs, all transitive/container-level
- CVE-2025-44005 (Critical/10.0): smallstep/certificates not in source manifests — likely bundled with Caddy. Highest priority.
- Caddy CVEs: Update Caddy binary to 2.11.1 in Dockerfiles.
frontend-operator — 4 CVEs, no source-level matches
- All packages transitive/container-level. CVE-2025-44005 (Critical/10.0) is top priority.
kibana — 18 CVE rows, all in upstream kibana-oss:7.10.2 base image
- All vulnerabilities from 2021-2023 era npm packages. Requires Kibana 8.x upgrade.
insights, status-board, strimzi, web-rca — Go stdlib/grpc CVEs
- All transitive. Rebuild containers with Go 1.26 stable and updated deps.
Key Takeaways:
- Most CVEs are transitive/container-level — only backstage/tangerine-backend has a confirmed direct dependency
- clowder is already patched — ticket is a false positive
- Top priority: CVE-2025-44005 (Critical/10.0) affecting firelink and frontend-operator
- Go stdlib CVE appears across 5 apps — coordinated Go toolchain upgrade would address all
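
As an added illustration (not the project's own code), the following shows the kind of manifest check behind the clowder "already fixed" and firelink "not in source manifests" findings, applied to a `go.mod` file. The function names, the sample manifest, and the rule that a pre-release sorts below its release are assumptions made for this example.

```python
import re

# Constructed go.mod for illustration; not taken from any scanned repository.
SAMPLE_GO_MOD = """\
module example.com/operator
go 1.25

require (
    google.golang.org/grpc v1.79.3
    golang.org/x/crypto v0.30.0 // indirect
)

require github.com/cloudflare/circl v1.6.0-rc.1
"""

_REQ = re.compile(r"^(\S+)\s+(v\S+)(\s*//\s*indirect)?")


def parse_requires(text):
    """Return {module: (version, is_indirect)} from go.mod require directives."""
    found, in_block = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("require ("):
            in_block = True
        elif in_block and line == ")":
            in_block = False
        elif in_block or line.startswith("require "):
            m = _REQ.match(line.removeprefix("require ").strip())
            if m:
                found[m.group(1)] = (m.group(2), bool(m.group(3)))
    return found


def version_key(v):
    """Sortable key: numeric core, then release (1) above pre-release (0)."""
    core, _, pre = v.lstrip("v").split("+")[0].partition("-")
    return tuple(int(p) for p in core.split(".")), 0 if pre else 1


def classify(requires, module, fix_version):
    """Compare the pinned version with the advisory's fix version."""
    if module not in requires:
        return "not-in-manifest"  # likely container-level or transitive
    current, indirect = requires[module]
    if version_key(current) >= version_key(fix_version):
        return "already-fixed"  # ticket is a candidate false positive
    return "affected-indirect" if indirect else "affected-direct"
```

A `not-in-manifest` result only says the source repository does not pin the module; the container image named in the ticket still has to be checked separately.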