Vulnetix Remediation Plan Skill

This skill generates a comprehensive, context-aware remediation plan for a specific vulnerability using the VDB V2 remediation API. It auto-detects your repository's ecosystem, package manager, installed versions, container images, and OS to provide targeted fix guidance including registry upgrades, source patches, distribution advisories, workarounds, CWE-specific remediation strategies, and verification commands.

How this differs from /vulnetix:fix: The existing /vulnetix:fix skill fetches V1 fix data and proposes manual manifest edits. This skill uses the V2 remediation plan endpoint which provides context-aware guidance (ecosystem, version, OS, container), CWE remediation strategies, CrowdSec threat intelligence (live exploitation data), workaround effectiveness scoring, SSVC decision support, and verification commands per package manager.

Vulnerability Memory (.vulnetix/memory.yaml)

This skill reads and updates the .vulnetix/memory.yaml file in the repository root. This file is shared with /vulnetix:fix, /vulnetix:exploits, /vulnetix:package-search, /vulnetix:vuln, and /vulnetix:exploits-search.

Schema

The canonical schema is defined in /vulnetix:fix. This skill updates base fields and appends remediation plan events to the history log.

Reading Prior State

At the start of every invocation:

• Use Glob to check if .vulnetix/memory.yaml exists in the repo root
• If it exists, use Read to load it and check for the vuln ID or aliases
• Use Glob for .vulnetix/scans/.cdx.json -- cross-reference for component data
• If a prior entry exists, display:

   Previously seen: <vulnId> -- <developer-friendly status> (as of <date>)
   Priority: <P1/P2/P3/P4> (<score>) (if cwss data exists)
   Last decision: <developer-friendly decision> -- "<reason>"

   vulnetix vdb vuln "$ARGUMENTS" -o json

| Flag | Source | How to detect |
|------|--------|---------------|
| --ecosystem | Manifest files | From Step 1 ecosystem detection |
| --package-name | VDB response or memory | Affected package name matching repo |
| --current-version | Lockfile/manifest | Installed version from Step 1 |
| --package-manager | Manifest file type | package-lock.json --> npm, yarn.lock --> yarn, poetry.lock --> pip/poetry, etc. |
| --purl | Constructed | If ecosystem + name + version are known, construct pkg:<eco>/<name>@<version> |
| --container-image | Containerfile/Dockerfile | Use Glob for Containerfile, Dockerfile, .dockerfile. If found, Read and extract FROM image reference (e.g., node:18-alpine) |
| --os | OS detection | Check for /etc/os-release or infer from container base image |
| --vendor | VDB response | From affected products vendor field |
| --product | VDB response | From affected products product field |

Always set:

• --include-guidance -- includes CWE-specific remediation strategies


• --include-verification-steps -- includes per-package-manager verification commands

Step 3: Execute Remediation Plan Query

vulnetix vdb remediation plan "$ARGUMENTS" -V v2 --include-guidance --include-verification-steps -o json [context flags]

CLI Reference (from vulnetix vdb remediation plan docs):

| Flag | Type | Description |
|------|------|-------------|
| --ecosystem | string | Package ecosystem (npm, pypi, maven, go, cargo, etc.) |
| --package-name | string | Package name |
| --current-version | string | Currently installed version (enables version-specific guidance) |
| --package-manager | string | Package manager (npm, pip, cargo, maven, etc.) |
| --purl | string | Package URL (overrides ecosystem + package-name) |
| --container-image | string | Container image reference (e.g., node:18-alpine) |
| --os | string | OS identifier (e.g., ubuntu:22.04, debian-11) |
| --vendor | string | Vendor name for CPE matching |
| --product | string | Product name for CPE matching |
| --registry | string | Registry filter (npm, pypi, maven-central) |
| --include-guidance | bool | Include CWE-specific markdown guidance |
| --include-verification-steps | bool | Include verification commands per package manager |
| -V | string | API version -- must be v2 |
| -o, --output | string | Output format: json or pretty |

Examples:

# Basic remediation plan
vulnetix vdb remediation plan CVE-2021-44228 -V v2 --include-guidance --include-verification-steps -o json
# With full package context
vulnetix vdb remediation plan CVE-2021-44228 -V v2 \
  --ecosystem maven --package-name log4j-core --current-version 2.14.1 \
  --package-manager maven --include-guidance --include-verification-steps -o json
# Using PURL
vulnetix vdb remediation plan CVE-2021-44228 -V v2 \
  --purl "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1" \
  --include-guidance --include-verification-steps -o json
# With container context
vulnetix vdb remediation plan CVE-2024-XXXXX -V v2 \
  --ecosystem npm --package-name express --current-version 4.17.1 \
  --container-image "node:18-alpine" --include-guidance --include-verification-steps -o json

Response structure (from V2 OAS):

The response includes:

• cveId, state, title, aliases, description


• descriptions[] -- multi-source descriptions with language and source attribution


• crowdSecSummary -- live threat intelligence:

• cvssDetails -- parsed CVSS vector components (attackVector, attackComplexity, privilegesRequired, userInteraction, scope, impact metrics)


• agent_prompt -- AI-optimized remediation context string


• Registry fixes, source fixes, distribution patches, workarounds, CWE guidance, verification steps (context-dependent based on flags provided)

Step 4: Present the Remediation Plan

Render a structured remediation report with the following sections:

Vulnerability Summary:

<CVE ID> -- <title>
<description -- first 2-3 sentences>
Severity: <CVSS score> (<level>)  |  EPSS: <score>

Threat Activity (from CrowdSec data, if present):

Live Exploitation: <Active/Inactive>
Sightings: <totalSightings> from <uniqueIPs> unique IPs
Last seen: <lastSeen>
Source countries: <top 3>
MITRE techniques: <techniques in developer language>

If no CrowdSec data, skip this section.

Registry Fixes (version upgrades per ecosystem):

| Ecosystem | Package | Current | Fix Version | Verified | Confidence | Registry |
|-----------|---------|---------|-------------|----------|------------|----------|
| maven | log4j-core | 2.14.1 | 2.17.1 | Yes | High | Maven Central |

For each fix, report Safe Harbour confidence:

• High (> 0.90): patch-level bump, official registry release


• Reasonable (0.35-0.90): minor version bump, backward-compatible


• Low (< 0.35): major version bump, significant API changes

Upstream fix: <commit URL>
  SHA: <sha>
  Author: <author>
  Message: <commit message>
  Repository health: <commit frequency, contributor count>

Distribution Patches (if --os or --container-image was set):

| Distro | Patch ID | Affected Packages | Priority |
|--------|----------|-------------------|----------|
| Ubuntu 22.04 | USN-XXXX-X | liblog4j2-java | High |

Workarounds (interim mitigations, if no immediate fix):

Workaround: <description>
  Effectiveness: <score>/100
  Applicable versions: <range>
  Requires restart: <Yes/No>
  Verification: <steps>

CWE Guidance (weakness-specific remediation strategies):

CWE-<id>: <title>
Remediation strategy:
<markdown guidance from API>
Verification guidance:
<markdown from API>

Verification Steps (per package manager):

Verify the fix:
  npm: npm audit --json | jq '.vulnerabilities["<package>"]'
  maven: mvn dependency:tree | grep <package>
  pip: pip show <package> | grep Version

Step 5: Cross-Reference with Dependabot and Memory

• If Dependabot PR exists for this upgrade, note: "Dependabot PR #N already proposes this upgrade -- consider reviewing and merging"
• If a prior /vulnetix:exploits analysis exists in memory (threat_model, cwss), surface the priority: "Prior exploit analysis: P1 (87.5) -- Act now"
• If a prior /vulnetix:fix analysis exists, note what was previously proposed

Step 6: Present Actionable Next Steps

Based on the remediation plan, present concrete actions:

• If registry fix available: Show exact manifest edit (same diff format as /vulnetix:fix) with the fix version from the remediation plan. Offer to apply it.
• If source fix only (no registry release): Note that the fix requires building from source or waiting for a release. Link to the commit/PR.
• If workaround only: Present the workaround steps with effectiveness score. Note: "No patch available yet -- workaround is interim mitigation."
• If distribution patch: Provide the package manager command (e.g., apt-get update && apt-get install --only-upgrade <package>)
• Test commands: Suggest running tests after applying the fix
• Re-scan: Suggest vulnetix vdb vuln <vuln-id> to verify the fix resolved the vulnerability
• Rollback guidance: If the fix introduces breaking changes, note the backup/rollback approach

• "Run /vulnetix:exploits $ARGUMENTS for exploit intelligence and threat modeling"
• "Run /vulnetix:vuln $ARGUMENTS for full vulnerability details"
• "Run /vulnetix:exploits-search --ecosystem <eco> to discover related exploited vulnerabilities"

Step 7: Update Vulnerability Memory

• Use Read to load the current memory file
• Create or update the entry:

• Append to history: event: remediation-plan, detail: summary of fix options (e.g., "Registry fix: 2.17.1 (Maven Central, High confidence). 2 workarounds available. CWE-502 guidance provided.")
• Use Write to save
• Confirm to the user

• Record using the risk treatment categories from /vulnetix:exploits
• Set status: fixed and decision.choice: fix-applied if they apply the fix
• Append event: fix-applied with detail including the version change

Error Handling

• If vulnetix vdb remediation plan returns an error, fall back to vulnetix vdb fixes "$ARGUMENTS" -o json (V1 endpoint) and present basic fix data. Note that V2 enrichment (workarounds, CWE guidance, verification steps) is unavailable.
• If the vuln ID is not found, suggest checking the format and provide examples
• If no package context can be determined from the repo, run without context flags and note that guidance is generic rather than repo-specific
• If no fixes, workarounds, or patches are available, state clearly: "No remediation options are currently available for this vulnerability. Consider risk acceptance or component removal."
• If .vulnetix/memory.yaml cannot be written, warn but do not block

Important Reminders

• This skill proposes code changes (manifest edits) but always asks before applying -- same guardrail as /vulnetix:fix
• Auto-populate context flags from the repo -- the V2 API returns better results with more context. Always detect ecosystem, package name, current version, and package manager.
• Container detection is important -- if a Containerfile/Dockerfile exists, extract the base image for OS-specific distribution patches
• Safe Harbour scores: compute from fix confidence tiers, display as 0.00-1.00
• Version source transparency is mandatory -- always disclose how the current version was determined
• CrowdSec data is live threat intelligence -- if sightings are active, flag prominently
• The agent_prompt field in the response contains AI-optimized context -- use it to inform your analysis but do not display it raw to the user
• Always update .vulnetix/memory.yaml after generating the plan
• If Dependabot already has a PR for this fix, prefer merging that PR over manual edits
• The V2 remediation endpoint is the most comprehensive single endpoint -- it aggregates data from registry fixes, source fixes, distribution patches, workarounds, CWE guidance, and KEV data into one response