leviathan/SKELETONKEY
1
0
Fork 0
Code Issues Pull Requests Actions 21 Packages Projects Releases Wiki Activity

module metadata: CWE + ATT&CK + CISA KEV triage from federal sources

Browse Source 
Adds per-CVE triage annotations that turn SKELETONKEY's JSON output
into something a SIEM/CTI/threat-intel pipeline can route on, and a
KEV badge in --list so operators see at-a-glance which modules
cover actively-exploited bugs.

New tool — tools/refresh-cve-metadata.py:

  - Discovers CVEs by scanning modules/<dir>/ (no hardcoded list).
  - Fetches CISA's Known Exploited Vulnerabilities catalog
    (https://www.cisa.gov/.../known_exploited_vulnerabilities.csv).
  - Fetches CWE classifications from NVD's CVE API 2.0
    (services.nvd.nist.gov), throttled to the anonymous
    5-req/30s limit (~3 minutes for 26 CVEs).
  - Hand-curated ATT&CK technique mapping (T1068 default; T1611 for
    container escapes, T1082 for kernel info leaks — MITRE doesn't
    publish a clean CVE→technique feed).
  - Generates three outputs:
      docs/CVE_METADATA.json   machine-readable, drift-checkable
      docs/KEV_CROSSREF.md     human-readable table
      core/cve_metadata.c      auto-generated lookup table
  - --check mode diffs the committed JSON against a fresh fetch for
    CI drift detection.

New core API — core/cve_metadata.{h,c}:

  struct cve_metadata { cve, cwe, attack_technique, attack_subtechnique,
                        in_kev, kev_date_added };
  const struct cve_metadata *cve_metadata_lookup(const char *cve);

Lookup keyed by CVE id, not module name — the metadata is properties
of the CVE (two modules covering the same bug see the same metadata).
The opsec_notes field stays on the module struct because exploit
technique varies per-module (different footprints).

Output surfacing:
  - --list: new KEV column shows ★ for KEV-listed CVEs.
  - --module-info (text): prints cwe / att&ck / 'in CISA KEV: YES (added
    YYYY-MM-DD)' between summary and operations.
  - --module-info / --scan (JSON): emits a 'triage' subobject with the
    full record, plus an 'opsec_notes' field at top level when set.

Initial snapshot:
  - 10 of 26 modules cover KEV-listed CVEs (dirty_cow, dirty_pipe,
    pwnkit, sudo_samedit, ptrace_traceme, fuse_legacy, nf_tables,
    overlayfs, overlayfs_setuid, netfilter_xtcompat).
  - 24 of 26 have NVD CWE mappings; 2 unmapped (NVD has no weakness
    record for CVE-2019-13272 and CVE-2026-46300 yet).
  - All 26 mapped to an ATT&CK technique.

Verification:
  - macOS local: 33 kernel_range + clean build, --module-info shows
    'in CISA KEV: YES (added 2024-05-30)' for nf_tables, --list KEV
    column renders.
  - Linux (docker gcc:latest): 33 + 54 = 87 passes, 0 fails.

Follow-up commits will add per-module OPSEC notes and --explain mode.
This commit is contained in:
KaraZajac
2026-05-23 10:38:01 -04:00
parent 60d22eb4f6
commit e4a600fef2
8 changed files with 942 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files
core/cve_metadata.c
+236
View File
@@ -0,0 +1,236 @@
/*
* SKELETONKEY — CVE metadata table
*
* AUTO-GENERATED by tools/refresh-cve-metadata.py from
* docs/CVE_METADATA.json. Do not hand-edit; rerun the script.
* Sources: CISA KEV catalog + NVD CVE API 2.0.
*/
#include "cve_metadata.h"
#include <stddef.h>
#include <string.h>
const struct cve_metadata cve_metadata_table[] = {
{
.cve = "CVE-2016-5195",
.cwe = "CWE-362",
.attack_technique = "T1068",
.attack_subtechnique = NULL,
.in_kev = true,
.kev_date_added = "2022-03-03",
},
{
.cve = "CVE-2017-7308",
.cwe = "CWE-681",
.attack_technique = "T1068",
.attack_subtechnique = NULL,
.in_kev = false,
.kev_date_added = "",
},
{
.cve = "CVE-2019-13272",
.cwe = NULL,
.attack_technique = "T1068",
.attack_subtechnique = NULL,
.in_kev = true,
.kev_date_added = "2021-12-10",
},
{
.cve = "CVE-2020-14386",
.cwe = "CWE-250",
.attack_technique = "T1068",
.attack_subtechnique = NULL,
.in_kev = false,
.kev_date_added = "",
},
{
.cve = "CVE-2021-22555",
.cwe = "CWE-787",
.attack_technique = "T1068",
.attack_subtechnique = NULL,
.in_kev = true,
.kev_date_added = "2025-10-06",
},
{
.cve = "CVE-2021-3156",
.cwe = "CWE-193",
.attack_technique = "T1068",
.attack_subtechnique = NULL,
.in_kev = true,
.kev_date_added = "2022-04-06",
},
{
.cve = "CVE-2021-33909",
.cwe = "CWE-190",
.attack_technique = "T1068",
.attack_subtechnique = NULL,
.in_kev = false,
.kev_date_added = "",
},
{
.cve = "CVE-2021-3493",
.cwe = "CWE-270",
.attack_technique = "T1068",
.attack_subtechnique = NULL,
.in_kev = true,
.kev_date_added = "2022-10-20",
},
{
.cve = "CVE-2021-4034",
.cwe = "CWE-787",
.attack_technique = "T1068",
.attack_subtechnique = NULL,
.in_kev = true,
.kev_date_added = "2022-06-27",
},
{
.cve = "CVE-2022-0185",
.cwe = "CWE-190",
.attack_technique = "T1068",
.attack_subtechnique = NULL,
.in_kev = true,
.kev_date_added = "2024-08-21",
},
{
.cve = "CVE-2022-0492",
.cwe = "CWE-287",
.attack_technique = "T1611",
.attack_subtechnique = NULL,
.in_kev = false,
.kev_date_added = "",
},
{
.cve = "CVE-2022-0847",
.cwe = "CWE-665",
.attack_technique = "T1068",
.attack_subtechnique = NULL,
.in_kev = true,
.kev_date_added = "2022-04-25",
},
{
.cve = "CVE-2022-25636",
.cwe = "CWE-269",
.attack_technique = "T1068",
.attack_subtechnique = NULL,
.in_kev = false,
.kev_date_added = "",
},
{
.cve = "CVE-2022-2588",
.cwe = "CWE-416",
.attack_technique = "T1068",
.attack_subtechnique = NULL,
.in_kev = false,
.kev_date_added = "",
},
{
.cve = "CVE-2023-0179",
.cwe = "CWE-190",
.attack_technique = "T1068",
.attack_subtechnique = NULL,
.in_kev = false,
.kev_date_added = "",
},
{
.cve = "CVE-2023-0386",
.cwe = "CWE-282",
.attack_technique = "T1068",
.attack_subtechnique = NULL,
.in_kev = true,
.kev_date_added = "2025-06-17",
},
{
.cve = "CVE-2023-0458",
.cwe = "CWE-476",
.attack_technique = "T1082",
.attack_subtechnique = NULL,
.in_kev = false,
.kev_date_added = "",
},
{
.cve = "CVE-2023-2008",
.cwe = "CWE-129",
.attack_technique = "T1068",
.attack_subtechnique = NULL,
.in_kev = false,
.kev_date_added = "",
},
{
.cve = "CVE-2023-22809",
.cwe = "CWE-269",
.attack_technique = "T1068",
.attack_subtechnique = NULL,
.in_kev = false,
.kev_date_added = "",
},
{
.cve = "CVE-2023-32233",
.cwe = "CWE-416",
.attack_technique = "T1068",
.attack_subtechnique = NULL,
.in_kev = false,
.kev_date_added = "",
},
{
.cve = "CVE-2023-3269",
.cwe = "CWE-416",
.attack_technique = "T1068",
.attack_subtechnique = NULL,
.in_kev = false,
.kev_date_added = "",
},
{
.cve = "CVE-2023-4622",
.cwe = "CWE-416",
.attack_technique = "T1068",
.attack_subtechnique = NULL,
.in_kev = false,
.kev_date_added = "",
},
{
.cve = "CVE-2024-1086",
.cwe = "CWE-416",
.attack_technique = "T1068",
.attack_subtechnique = NULL,
.in_kev = true,
.kev_date_added = "2024-05-30",
},
{
.cve = "CVE-2026-31635",
.cwe = "CWE-130",
.attack_technique = "T1068",
.attack_subtechnique = NULL,
.in_kev = false,
.kev_date_added = "",
},
{
.cve = "CVE-2026-41651",
.cwe = "CWE-367",
.attack_technique = "T1068",
.attack_subtechnique = NULL,
.in_kev = false,
.kev_date_added = "",
},
{
.cve = "CVE-2026-46300",
.cwe = NULL,
.attack_technique = "T1068",
.attack_subtechnique = NULL,
.in_kev = false,
.kev_date_added = "",
},
};
const size_t cve_metadata_table_len =
sizeof(cve_metadata_table) / sizeof(cve_metadata_table[0]);
const struct cve_metadata *cve_metadata_lookup(const char *cve)
{
if (!cve) return NULL;
for (size_t i = 0; i < cve_metadata_table_len; i++) {
if (strcmp(cve_metadata_table[i].cve, cve) == 0)
return &cve_metadata_table[i];
}
return NULL;
}
core/cve_metadata.h
+43
View File
@@ -0,0 +1,43 @@
/*
* SKELETONKEY — CVE metadata lookup
*
* Per-CVE annotations sourced from authoritative federal databases:
* - CISA Known Exploited Vulnerabilities catalog (in_kev, date_added)
* - NVD CVE API (cwe)
* - Hand-curated MITRE ATT&CK technique mapping
*
* Kept separate from struct skeletonkey_module because these are
* properties of the CVE (one CVE -> one set of values), not the
* exploit module. Two modules covering the same CVE see the same
* metadata. The OPSEC notes — which vary by exploit technique —
* stay on the module struct.
*
* The table is auto-generated from docs/CVE_METADATA.json by
* tools/refresh-cve-metadata.py. Do not hand-edit cve_metadata.c —
* re-run the refresh tool.
*/
#ifndef SKELETONKEY_CVE_METADATA_H
#define SKELETONKEY_CVE_METADATA_H
#include <stdbool.h>
#include <stddef.h>
struct cve_metadata {
const char *cve; /* "CVE-YYYY-NNNNN" */
const char *cwe; /* "CWE-NNN" or NULL if NVD has no mapping */
const char *attack_technique; /* "T1068" etc. */
const char *attack_subtechnique; /* "T1068.001" or NULL */
bool in_kev; /* true iff in CISA's KEV catalog */
const char *kev_date_added; /* "YYYY-MM-DD" or "" */
};
/* The full table. Length is `cve_metadata_table_len`. */
extern const struct cve_metadata cve_metadata_table[];
extern const size_t cve_metadata_table_len;
/* Lookup by CVE id (e.g. "CVE-2024-1086"). Returns NULL if the CVE
* isn't in the table. Cheap linear scan; we have <100 entries. */
const struct cve_metadata *cve_metadata_lookup(const char *cve);
#endif /* SKELETONKEY_CVE_METADATA_H */
core/module.h
+15
View File
@@ -104,6 +104,21 @@ struct skeletonkey_module {
const char *detect_sigma; /* sigma YAML content */
const char *detect_yara; /* yara rules content */
const char *detect_falco; /* falco rules content */
/* Operational-security notes — telemetry footprint THIS specific
* exploit leaves behind. The inverse of detect_auditd/yara/falco
* above (the rules catch what these notes describe). Free-form
* prose, conventionally listing: dmesg lines triggered, auditd
* events, file artifacts created/modified, persistence side-
* effects, recommended cleanup. Per-module (not per-CVE) because
* different exploits for the same bug can leave different
* footprints. NULL if no analysis written yet.
*
* NB: ATT&CK / CWE / KEV metadata is properties of the CVE itself
* (independent of exploit technique) and lives in
* core/cve_metadata.{h,c} — looked up by CVE id, refreshed via
* tools/refresh-cve-metadata.py. */
const char *opsec_notes;
};
#endif /* SKELETONKEY_MODULE_H */