--- name: cve-validation description: | **CRITICAL**: This skill must be used for CVE validation queries. DO NOT use raw MCP tools like get_cve directly. Validate CVE identifiers and check remediation availability in Red Hat Lightspeed. Use when: - "Is CVE-2024-1234 valid and remediable?" - "Check if CVE-X has automated remediation available" - "Verify these CVEs before creating a playbook" - "Validate CVE list for batch remediation" **DO NOT use this skill when** user requests full remediation - use `/remediation` skill instead: - "Create a remediation playbook for CVE-X" → `/remediation` skill - "Create playbook and execute it" → `/remediation` skill - "Remediate CVE-X" / "Patch CVE-X" → `/remediation` skill This skill orchestrates MCP tools (get_cve) for CVE validation. The `/remediation` skill invokes this skill as Step 2 of its workflow. --- # CVE Validation Skill This skill validates CVE identifiers and checks remediation availability in Red Hat Lightspeed, ensuring CVEs are valid and remediable before investing effort in remediation planning. **Integration with Remediation Skill**: The `/remediation` skill orchestrates this skill as part of its Step 2 (Validate CVE) workflow. For standalone CVE validation, you can invoke this skill directly. ## Invocation Note (Host-Specific) When invoked by another skill (e.g. remediation), use the Skill tool—do NOT use "Task Output" with the skill name as task ID. That causes "No task found with ID: cve-validation". See [skill-invocation.md](../../../docs/references/skill-invocation.md). ## Prerequisites **Required MCP Servers**: `lightspeed-mcp` ([setup guide](https://console.redhat.com/)) **Required MCP Tools**: - `get_cve` (from lightspeed-mcp) - Get CVE metadata and validation **Required Environment Variables**: - `LIGHTSPEED_CLIENT_ID` - Red Hat Lightspeed service account client ID - `LIGHTSPEED_CLIENT_SECRET` - Red Hat Lightspeed service account secret ### Prerequisite Validation **CRITICAL**: Before executing any operations, execute the `/mcp-lightspeed-validator` skill to verify MCP server availability. **Validation freshness**: Can skip if already validated in this session. See [Validation Freshness Policy](../mcp-lightspeed-validator/SKILL.md#validation-freshness-policy). **How to invoke**: Execute the `/mcp-lightspeed-validator` skill **Handle validation result**: - **If validation PASSED**: Continue with CVE validation - **If validation PARTIAL**: Warn user and ask to proceed - **If validation FAILED**: Stop execution, provide setup instructions ## When to Use This Skill **Use this skill directly when you need**: - Quick validation of CVE identifier format and existence (standalone query) - Check if automated remediation is available - Verify CVE metadata before analysis - Validate CVE lists for batch operations **DO NOT use this skill when** - use `/remediation` skill instead: - User says "create a remediation playbook" or "remediate CVE-X" or "patch CVE-X" - User says "create playbook and execute it" - agent orchestrates full workflow - Any request that implies playbook generation or execution **Use the `/remediation` skill when you need**: - Full remediation workflow (validation + analysis + playbook + execution) - Integrated CVE validation as part of remediation planning **How they work together**: The `/remediation` skill invokes this skill early in the workflow to fail fast if a CVE is invalid or has no automated remediation, saving time and effort. **When invoked by remediation**: Return remediatable status prominently so the orchestrator can gate. Include `remediation_status.automated_remediation_available` (boolean) and `validation_status` ("valid" | "not_remediable" | "invalid" | "not_found") in the output. ## Workflow ### Step 0: Validate Lightspeed MCP Prerequisites **Action**: Execute the `/mcp-lightspeed-validator` skill **Note**: Can skip if validation was performed earlier in this session and succeeded. See [Validation Freshness Policy](../mcp-lightspeed-validator/SKILL.md#validation-freshness-policy). **How to invoke**: Execute the `/mcp-lightspeed-validator` skill **Handle validation result**: - **If validation PASSED**: Continue to Step 1 - **If validation PARTIAL**: Warn user and ask to proceed - **If validation FAILED**: Stop execution, user must set up MCP server ### Step 1: CVE Format Validation Validate CVE identifier format before calling MCP tools. **Format only**—do NOT reject based on year or sequence magnitude. ```python CVE Format: CVE-YYYY-NNNNN Where: - YYYY = 4-digit year (1999-2030; current and recent years are valid) - NNNNN = 4-7 digit sequence number (e.g. 1234, 24882, 1234567) Valid Examples: - CVE-2024-1234 - CVE-2026-24882 # 2026 CVEs exist; 24882 is 5 digits (valid) - CVE-2023-12345 - CVE-2021-1234567 Invalid Examples (format only): - CVE-24-1234 (year must be 4 digits) - CVE-2024-ABC (sequence must be numeric) - 2024-1234 (missing CVE- prefix) - CVE-2024-123 (sequence must be 4-7 digits) ``` **Quick Regex Check**: ``` Pattern: ^CVE-\d{4}-\d{4,7}$ If invalid format: → Return error immediately → Suggest format correction → Do not proceed to MCP tool calls ``` **CRITICAL - Do NOT add extra checks**: If the format matches the regex, you MUST call `get_cve`. Do NOT reject based on: - "Future" or "current year" assumptions (e.g. "2026 CVE might not exist yet") - Sequence number magnitude (e.g. "24882 seems high")—5 digits is valid - Your training data about typical CVE ranges Let the API determine existence. A 404 from get_cve means "not found"; format validation only catches malformed IDs. ### Step 2: CVE Metadata Retrieval **CRITICAL**: Document consultation MUST happen BEFORE tool invocation. **Document Consultation** (REQUIRED - Execute FIRST): 1. **Action**: Read [vulnerability-logic.md](../../docs/insights/vulnerability-logic.md) using the Read tool to understand CVE validation criteria 2. **Action**: Read [references/01-remediation-indicators.md](references/01-remediation-indicators.md) to interpret get_cve response—**CRITICAL** to avoid misinterpreting remediation availability 3. **Output to user**: "I consulted [vulnerability-logic.md](../../docs/insights/vulnerability-logic.md) and [01-remediation-indicators.md](references/01-remediation-indicators.md) for CVE validation and remediation indicator interpretation." **MCP Tool**: `get_cve` or `vulnerability__get_cve` (from lightspeed-mcp) **Do NOT use** `vulnerability__explain_cves` for validation. That tool requires `system_uuid` from inventory; at validation you may not have it. `get_cve` provides remediation availability. Never pass `system_uuid: "undefined"` or placeholders. **Parameters**: - `cve`: Exact CVE identifier from user query (format: `"CVE-YYYY-NNNNN"`) - Example: `"CVE-2024-1234"` - `advisory_available`: `"true"` (retrieve CVE with advisory/remediation info) **Expected Output**: CVE metadata including CVSS score, severity, affected packages, remediation availability Retrieve CVE metadata from Red Hat Lightspeed: ```json { "cve_id": "CVE-2024-1234", "cvss_score": 7.5, "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "severity": "Important", # Red Hat severity rating "description": "A vulnerability in Apache HTTPD...", "published_date": "2024-01-15", "modified_date": "2024-01-20", "affected_packages": [ { "name": "httpd", "version": "2.4.37-1.el8", "fixed_version": "2.4.37-2.el8" } ], "references": [ "https://access.redhat.com/errata/RHSA-2024:1234", "https://nvd.nist.gov/vuln/detail/CVE-2024-1234" ], "cwe": "CWE-400: Uncontrolled Resource Consumption", "exploitability": "Proof of concept available", "remediation_available": true, # KEY FIELD "reboot_required": false } ``` ### Step 3: Validation Checks **CRITICAL**: Document consultation MUST happen BEFORE validation logic. **Document Consultation** (REQUIRED - Execute FIRST): 1. **Action**: Read [cvss-scoring.md](../../docs/references/cvss-scoring.md) using the Read tool to understand Red Hat severity classification and CVSS score ranges 2. **Output to user**: "I consulted [cvss-scoring.md](../../docs/references/cvss-scoring.md) to understand Red Hat severity classification and CVSS score ranges." Perform comprehensive validation: **A. Existence Check**: ``` ✓ CVE exists in Red Hat CVE database ✗ CVE not found → Return error with suggestions ``` **B. Red Hat Relevance Check**: ``` ✓ CVE affects RHEL systems ✗ CVE is Windows/macOS specific → Not applicable to RHEL ``` **C. Severity Classification**: ``` Red Hat Severity Levels: - Critical (CVSS 9.0-10.0): Immediate action required - Important (CVSS 7.0-8.9): Urgent remediation needed - Moderate (CVSS 4.0-6.9): Plan remediation - Low (CVSS 0.1-3.9): Low priority ``` **D. Remediation Availability Check** (READ [references/01-remediation-indicators.md](references/01-remediation-indicators.md)): ``` Key Question: Can Red Hat Lightspeed generate an automated playbook? ✅ USE these fields: - advisory_available === true → Remediation available - remediation === 2 → Automated remediation available - advisories_list non-empty → RHSA exists, remediation available ❌ DO NOT use rules[] for remediation decision: - rules: [] (empty) does NOT mean "no remediation" - Advisor rules are separate from vulnerability remediation - Remediation comes from Security Advisories (RHSA), not Advisor rules ✓ If advisory_available=true OR remediation=2 OR advisories_list has entries → Proceed with automated remediation → Use create_vulnerability_playbook tool ✗ If advisory_available=false AND (remediation=0 or advisories_list empty) → Manual remediation required → Provide manual steps based on affected packages ``` **E. Package Information Validation**: ``` Check affected_packages array: ✓ Packages identified: httpd-2.4.37-1.el8 ✓ Fixed version available: httpd-2.4.37-2.el8 ✓ Package exists in RHEL repositories This information will be used by playbook-generator skill. ``` ### Step 4: Return Validation Result Return structured validation result. **When invoked by remediation skill**: Ensure `validation_status` and `remediation_status.automated_remediation_available` are explicit—the orchestrator gates on these. ```json { "validation_status": "valid", # or "invalid", "not_found", "not_remediable" "cve_metadata": { "cve_id": "CVE-2024-1234", "cvss_score": 7.5, "severity": "Important", "description": "Brief description...", "published_date": "2024-01-15" }, "remediation_status": { "automated_remediation_available": true, "reboot_required": false, "affected_packages": [ { "name": "httpd", "current_version": "2.4.37-1.el8", "fixed_version": "2.4.37-2.el8" } ] }, "recommendations": [ "Automated remediation available via Red Hat Lightspeed", "No reboot required for this CVE", "Severity: Important - Urgent remediation recommended", "Test in staging environment before production deployment" ], "next_steps": [ "Analyze CVE impact (use cve-impact skill)", "Gather system context (use system-context skill)", "Generate remediation playbook (use playbook-generator skill)" ] } ``` ## Output, Examples, Error Handling **Read [references/03-output-template.md](references/03-output-template.md)** for report format. **Read [references/04-examples.md](references/04-examples.md)** for validation examples. **Read [references/05-error-handling.md](references/05-error-handling.md)** for format, not-found, no-remediation, and API errors. ## Best Practices Validate format first; if regex matches, ALWAYS call get_cve (do not reject on year/sequence). Check remediation availability; fail fast if none. Provide clear next steps and manual guidance when automated unavailable. Link to NVD and Red Hat Security. Cache results to avoid redundant calls. ## Dependencies ### Required MCP Servers - `lightspeed-mcp` - Red Hat Lightspeed platform access ### Required MCP Tools - `get_cve` (from lightspeed-mcp) - Get CVE metadata and validation - Parameters: cve_id (string, format CVE-YYYY-NNNNN), include_details (boolean), validate_format (boolean) - Returns: CVE metadata with CVSS score, severity, affected packages, remediation availability ### Related Skills - `mcp-lightspeed-validator` - **PREREQUISITE** - Validates Lightspeed MCP server before operations - Use before: ALL cve-validation operations (Step 0 in workflow) - Purpose: Ensures MCP server is available before attempting tool calls - `cve-impact` - Analyze CVE impact after validation - Use after: Step 4 when CVE is validated and user wants impact analysis - Purpose: Assess risk and affected systems for validated CVE - `system-context` - Get system details after validating CVE affects systems - Use after: Validation confirms CVE has affected systems - Purpose: Understand deployment context before remediation - `playbook-generator` - Generate remediation playbooks for validated CVEs - Use after: Validation confirms remediation_available = true - Purpose: Create automated remediation for valid, remediable CVEs ### Reference Documentation - [vulnerability-logic.md](../../docs/insights/vulnerability-logic.md) - CVE validation criteria - [references/01-remediation-indicators.md](references/01-remediation-indicators.md) - **REQUIRED** - Correct interpretation of get_cve response (advisory_available, remediation, advisories_list). Do NOT use rules[] for remediation decision. - [cvss-scoring.md](../../docs/references/cvss-scoring.md) - Red Hat severity classification and CVSS score ranges - [cve-remediation-templates.md](../../docs/ansible/cve-remediation-templates.md) - Manual remediation templates for CVEs without automated playbooks ## Tools Reference This skill uses: - `get_cve` (vulnerability toolset) - Get CVE metadata and remediation availability from Red Hat Lightspeed **Do NOT use** `vulnerability__explain_cves` in this skill—it requires `system_uuid` which may not be available at validation time. Use `get_cve` only. All tools are provided by the lightspeed-mcp MCP server configured in `.mcp.json`. ## Integration with Other Skills cve-impact, playbook-generator, system-context, remediation-verifier all depend on validation first. The `/remediation` skill invokes cve-validation as Step 2. Validate → proceed if valid; stop and return error if invalid.