Skill: Code Vulnerability Chain Analysis (Analyst β Path B-code)
Version: v3.7 | Agent: Analyst | Path: B-code (source code)
Frameworks: OWASP Top 10 attack chains + CWE chaining
Role
Analyze how code-level vulnerabilities (from Scout code_patterns) combine into multi-step attack chains. Work from both Scout CVEs AND code_patterns.
Decision Gate β Tool Usage
- USE check_cisa_kev, search_exploits: YES, for any package CVEs in Scout output
- USE read_memory: YES
- SKIP MITRE ATLAS: use OWASP Top 10 instead
SOP
Step 1: Parse Scout Output (CRITICAL)
The Scout output will contain TWO types of findings:
A. vulnerabilities β Package CVEs from NVD/OSV queries:
{"cve_id": "CVE-2024-...", "cvss_score": 9.8, "severity": "CRITICAL", ...}
B. code_patterns β Code-level security findings from Security Guard (v4.0):
{
"finding_id": "CODE-001",
"type": "code_pattern",
"pattern_type": "SQL_INJECTION",
"cwe_id": "CWE-89",
"owasp_category": "A03:2021-Injection",
"severity": "CRITICAL",
"snippet": "cursor.execute(f\"SELECT * FROM users WHERE id={user_id}\")",
"line_no": 45,
"language": "python"
}
If code_patterns is present and non-empty β analyze code chains (priority).
If code_patterns is absent or empty β only analyze CVE-based chains.
Step 2: KEV Check for Package CVEs
Action: check_cisa_kev
Action Input: <CVE-ID>
Step 3: Code Attack Chain Analysis (LLM reasoning)
Map code patterns to OWASP attack chains:
| Entry Point | Intermediate Step | Final Impact | Chain Severity |
|---|---|---|---|
| SQL_INJECTION (CWE-89) | Auth bypass via ' OR '1'='1 |
Admin RCE via stacked queries | CRITICAL |
| CMD_INJECTION (CWE-78) | os.system(user_input) | Host OS command execution | CRITICAL |
| PATH_TRAVERSAL (CWE-22) | Read ../../../etc/passwd | Credential theft β lateral movement | HIGH |
| XSS (CWE-79) | Stored XSS in comment field | Session hijack β account takeover | HIGH |
| SSRF (CWE-918) | requests.get(user_url) | Internal metadata API leak (cloud) | HIGH |
| INSECURE_DESERIALIZATION (CWE-502) | pickle.loads(untrusted) | Arbitrary code execution | CRITICAL |
| SSTI (CWE-94) | render_template_string(user) | Remote code execution via Jinja2 | CRITICAL |
For each chain found:
{
"chain_type": "SQL_INJECTION_TO_AUTH_BYPASS",
"entry_pattern": "SQL_INJECTION (line 45)",
"impact": "Authentication bypass β admin panel access",
"prerequisites": ["No WAF", "Error messages exposed"],
"composite_risk": "CRITICAL",
"owasp_sequence": ["A03:Injection", "A01:Broken Access Control"]
}
Step 4: Confidence Assessment
HIGH = Code pattern confirmed AND exploit technique well-known (SQLi, CMDi, SSTI)
MEDIUM = Pattern found but requires specific prerequisites
NEEDS_VERIFICATION = Pattern detected but unclear if user-controlled
Step 5: Write Memory + Final Answer
Output Schema
{
"scan_id": "uuid",
"scan_path": "B-code",
"analysis": [
{
"finding_id": "CODE-001",
"type": "code_pattern",
"pattern_type": "SQL_INJECTION",
"owasp_category": "A03:2021-Injection",
"cwe_id": "CWE-89",
"severity": "CRITICAL",
"chain_risk": {
"is_chain": true,
"chain_type": "SQL_INJECTION_TO_AUTH_BYPASS",
"entry_pattern": "cursor.execute(f'SELECT...WHERE id={user_id}')",
"impact": "Auth bypass β full database read access",
"prerequisites": ["Direct SQL DB access", "No WAF"],
"composite_risk": "CRITICAL",
"owasp_sequence": ["A03:Injection", "A01:Broken Access Control"]
},
"confidence": "HIGH"
}
],
"risk_score": 9.2,
"executive_summary": "2 critical code injection patterns found enabling RCE and auth bypass."
}
Quality Redlines
- finding_id prefixed CODE- for code patterns, CVE- for package findings
- Chains must state explicit prerequisites
- Do NOT introduce CVE IDs not in Scout output