From 0dbbff8c32fbe3aae74e66f934c588b24faf2b09 Mon Sep 17 00:00:00 2001 From: Przemyslaw Roguski Date: Fri, 15 May 2026 11:52:34 +0200 Subject: [PATCH 1/7] =?UTF-8?q?add=20rh-security-validation=20pack=20?= =?UTF-8?q?=E2=80=94=20CVE=20validation=20for=20container=20images=20and?= =?UTF-8?q?=20CoreOS?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- marketplace/rh-agentic-collection.yml | 16 + .../.catalog/collection.json | 52 ++ .../.catalog/collection.yaml | 62 ++ .../.catalog/deploy_and_use.md | 38 ++ .../.catalog/documentation_section.md | 34 + .../.catalog/security_model.md | 10 + rh-security-validation/CLAUDE.md | 40 ++ rh-security-validation/README.md | 72 +++ rh-security-validation/mcps.json | 3 + .../scripts/download_sbom.py | 173 ++++++ .../scripts/fetch_coreos_metadata.py | 288 +++++++++ .../scripts/fetch_cve_metadata.py | 241 ++++++++ .../scripts/fetch_redhat_vex.py | 214 +++++++ .../scripts/fetch_rhsa_advisory.py | 160 +++++ .../scripts/generate_sbom_syft.py | 134 ++++ .../scripts/inspect_image.py | 111 ++++ .../scripts/scan_newer_images.py | 144 +++++ .../scripts/validate_input.py | 272 ++++++++ .../skills/container-cve-validator/SKILL.md | 584 ++++++++++++++++++ .../skills/coreos-cve-validator/SKILL.md | 247 ++++++++ .../skills/cve-recon/SKILL.md | 220 +++++++ .../skills/image-inspect/SKILL.md | 180 ++++++ 22 files changed, 3295 insertions(+) create mode 100644 rh-security-validation/.catalog/collection.json create mode 100644 rh-security-validation/.catalog/collection.yaml create mode 100644 rh-security-validation/.catalog/deploy_and_use.md create mode 100644 rh-security-validation/.catalog/documentation_section.md create mode 100644 rh-security-validation/.catalog/security_model.md create mode 100644 rh-security-validation/CLAUDE.md create mode 100644 rh-security-validation/README.md create mode 100644 rh-security-validation/mcps.json create mode 100644 rh-security-validation/scripts/download_sbom.py create mode 100644 rh-security-validation/scripts/fetch_coreos_metadata.py create mode 100644 rh-security-validation/scripts/fetch_cve_metadata.py create mode 100644 rh-security-validation/scripts/fetch_redhat_vex.py create mode 100644 rh-security-validation/scripts/fetch_rhsa_advisory.py create mode 100644 rh-security-validation/scripts/generate_sbom_syft.py create mode 100644 rh-security-validation/scripts/inspect_image.py create mode 100644 rh-security-validation/scripts/scan_newer_images.py create mode 100644 rh-security-validation/scripts/validate_input.py create mode 100644 rh-security-validation/skills/container-cve-validator/SKILL.md create mode 100644 rh-security-validation/skills/coreos-cve-validator/SKILL.md create mode 100644 rh-security-validation/skills/cve-recon/SKILL.md create mode 100644 rh-security-validation/skills/image-inspect/SKILL.md diff --git a/marketplace/rh-agentic-collection.yml b/marketplace/rh-agentic-collection.yml index 9d8ebdb9..b4320f17 100644 --- a/marketplace/rh-agentic-collection.yml +++ b/marketplace/rh-agentic-collection.yml @@ -97,3 +97,19 @@ modules: - "governance" - "troubleshooting" - "execution" + + - name: "rh-security-validation" + description: "Advanced CVE validation for Red Hat container images and OpenShift CoreOS using official SBOMs and VEX data." + version: "0.1.0" + repository: "https://github.com/RHEcosystemAppEng/agentic-collections" + path: "rh-security-validation" + tags: + - "red-hat" + - "cve" + - "security" + - "sbom" + - "vex" + - "coreos" + - "openshift" + - "container-security" + - "vulnerability-management" diff --git a/rh-security-validation/.catalog/collection.json b/rh-security-validation/.catalog/collection.json new file mode 100644 index 00000000..d95230d5 --- /dev/null +++ b/rh-security-validation/.catalog/collection.json @@ -0,0 +1,52 @@ +{ + "id": "rh-security-validation", + "name": "Red Hat Security Validation", + "provider": "Red Hat", + "version": "0.1.0", + "categories": [ + "Security", + "Container Security", + "Vulnerability Management" + ], + "personas": [ + "Security Engineer", + "Platform Engineer", + "DevSecOps" + ], + "marketplaces": [ + "Claude Code" + ], + "support_level": "Unknown", + "maturity": "ORANGE", + "description": "Advanced CVE validation for Red Hat container images and OpenShift CoreOS using official SBOMs and VEX data.", + "summary": "Validates CVEs against Red Hat container images and CoreOS nodes using official\nSBOM attestations, Red Hat VEX/CSAF data, and CVE metadata from MITRE/OSV.dev.\nEliminates false positives from security scanners and provides clear remediation\nguidance including layered product relationships and newer image availability.\n", + "contents": { + "description": "The pack provides 4 skills for Red Hat container security validation,\nsupported by 9 helper scripts for deterministic data fetching.\n", + "skills": [ + { + "name": "container-cve-validator", + "description": "Container Image CVE Validation", + "summary_markdown": "Full CVE validation pipeline for Red Hat container images. Extracts official\nSBOM attestations, checks Red Hat VEX data, performs version comparison,\nscans for newer patched images, and detects VEX data gaps. Supports CVE IDs\nand RHSA advisory IDs as input, with batch scanning via CSV files.\n" + }, + { + "name": "coreos-cve-validator", + "description": "CoreOS CVE Validation", + "summary_markdown": "CVE validation for Red Hat Enterprise Linux CoreOS (RHCOS) in specific OCP\nreleases. Extracts RPM packages from CoreOS images, classifies by source\n(RHEL/OCP/Fast Datapath), validates against VEX data with RHEL EUS stream\nawareness, and detects RHCOS VEX discrepancies.\n" + }, + { + "name": "cve-recon", + "description": "CVE Reconnaissance", + "summary_markdown": "Queries MITRE CVE API, OSV.dev, and Go vulnerability database to produce\na structured report of affected packages, ecosystems, and vulnerable\nversion ranges for a given CVE ID.\n" + }, + { + "name": "image-inspect", + "description": "Container Image Inspection", + "summary_markdown": "Fetches container image labels, validates registry ownership, resolves\ntag/digest via SBOM, and reports the SBOM artifact OCI reference.\n" + } + ] + }, + "deploy_and_use": "#deploy_and_use.md", + "documentation_section": "#documentation_section.md", + "mcp_section": "This pack does not use MCP servers. All data fetching is performed via\nlocal Python helper scripts that call public APIs directly.\n", + "security_model": "#security_model.md" +} diff --git a/rh-security-validation/.catalog/collection.yaml b/rh-security-validation/.catalog/collection.yaml new file mode 100644 index 00000000..ca137aa3 --- /dev/null +++ b/rh-security-validation/.catalog/collection.yaml @@ -0,0 +1,62 @@ +# Catalog: maintained via create-collection workflow (assistant + maintainer + PR review). +# Golden sources: skills/*/SKILL.md, README.md, CLAUDE.md, marketplace/rh-agentic-collection.yml +# Do not edit ad hoc — follow COLLECTION_SPEC.md and the create-collection skill. + +id: rh-security-validation +name: Red Hat Security Validation +provider: Red Hat +version: 0.1.0 +categories: +- Security +- Container Security +- Vulnerability Management +personas: +- Security Engineer +- Platform Engineer +- DevSecOps +marketplaces: +- Claude Code +support_level: Unknown +maturity: ORANGE +description: "Advanced CVE validation for Red Hat container images and OpenShift CoreOS using official SBOMs and VEX data." +summary: | + Validates CVEs against Red Hat container images and CoreOS nodes using official + SBOM attestations, Red Hat VEX/CSAF data, and CVE metadata from MITRE/OSV.dev. + Eliminates false positives from security scanners and provides clear remediation + guidance including layered product relationships and newer image availability. +contents: + description: | + The pack provides 4 skills for Red Hat container security validation, + supported by 9 helper scripts for deterministic data fetching. + skills: + - name: container-cve-validator + description: Container Image CVE Validation + summary_markdown: | + Full CVE validation pipeline for Red Hat container images. Extracts official + SBOM attestations, checks Red Hat VEX data, performs version comparison, + scans for newer patched images, and detects VEX data gaps. Supports CVE IDs + and RHSA advisory IDs as input, with batch scanning via CSV files. + - name: coreos-cve-validator + description: CoreOS CVE Validation + summary_markdown: | + CVE validation for Red Hat Enterprise Linux CoreOS (RHCOS) in specific OCP + releases. Extracts RPM packages from CoreOS images, classifies by source + (RHEL/OCP/Fast Datapath), validates against VEX data with RHEL EUS stream + awareness, and detects RHCOS VEX discrepancies. + - name: cve-recon + description: CVE Reconnaissance + summary_markdown: | + Queries MITRE CVE API, OSV.dev, and Go vulnerability database to produce + a structured report of affected packages, ecosystems, and vulnerable + version ranges for a given CVE ID. + - name: image-inspect + description: Container Image Inspection + summary_markdown: | + Fetches container image labels, validates registry ownership, resolves + tag/digest via SBOM, and reports the SBOM artifact OCI reference. +deploy_and_use: '#deploy_and_use.md' +documentation_section: '#documentation_section.md' +mcp_section: | + This pack does not use MCP servers. All data fetching is performed via + local Python helper scripts that call public APIs directly. +security_model: '#security_model.md' diff --git a/rh-security-validation/.catalog/deploy_and_use.md b/rh-security-validation/.catalog/deploy_and_use.md new file mode 100644 index 00000000..e23484d1 --- /dev/null +++ b/rh-security-validation/.catalog/deploy_and_use.md @@ -0,0 +1,38 @@ + + +## Prerequisites + +- **Python 3** with `requests` package (`pip install requests`) +- **regctl** — remote image metadata inspection ([install](https://regclient.org/install/)) +- **cosign** — SBOM extraction from container attestations ([install](https://github.com/sigstore/cosign)) +- **oc** — OpenShift CLI, required for CoreOS validation only ([download](https://console.redhat.com/openshift/downloads)) +- **podman** — required for CoreOS validation only + +For CoreOS validation, save your pull secret from https://console.redhat.com/openshift/downloads to `~/.docker/config.json`. + +## Installation + +### Via Lola (recommended) + +```bash +lola install -f rh-security-validation +``` + +### From source (Claude Code) + +```bash +git clone https://github.com/RHEcosystemAppEng/agentic-collections +cd agentic-collections +# Open in Claude Code — skills load automatically from rh-security-validation/skills/ +``` + +## Usage + +Skills are invoked via Claude Code's skill system: + +``` +/container-cve-validator CVE-2024-45490 registry.redhat.io/ubi9/ubi:latest +/coreos-cve-validator CVE-2024-45490 4.20.17 +/cve-recon CVE-2024-45490 +/image-inspect registry.redhat.io/ubi9/ubi:latest +``` diff --git a/rh-security-validation/.catalog/documentation_section.md b/rh-security-validation/.catalog/documentation_section.md new file mode 100644 index 00000000..3a4de55b --- /dev/null +++ b/rh-security-validation/.catalog/documentation_section.md @@ -0,0 +1,34 @@ + + +## Skills Overview + +### container-cve-validator + +Full CVE validation pipeline for Red Hat container images: +1. Input validation (CVE ID or RHSA advisory, image reference) +2. CVE reconnaissance (MITRE, OSV.dev, Go vuln DB) +3. SBOM extraction from container attestations (attestation/build-time, image index handling) +4. Red Hat VEX validation (product_tree matching, status determination, parent RPM check) +5. Newer image availability scan (parallel registry check for patched images) +6. Report with VEX data gap assessment and remediation guidance + +### coreos-cve-validator + +CVE validation for RHCOS in specific OCP releases: +1. OCP release metadata extraction via `oc adm release info` +2. CoreOS RPM list extraction via `podman` +3. RPM classification (RHEL/OCP/Fast Datapath sources) +4. VEX validation with RHEL EUS stream awareness +5. RHCOS VEX discrepancy detection + +### cve-recon + +Lightweight CVE research — queries multiple databases and returns merged metadata without image/VEX analysis. + +### image-inspect + +Container image metadata extraction — labels, registry ownership, SBOM artifact reference resolution. + +## Helper Scripts + +9 Python scripts in `scripts/` handle all deterministic data fetching. Skills orchestrate these scripts and perform all interpretation logic. diff --git a/rh-security-validation/.catalog/security_model.md b/rh-security-validation/.catalog/security_model.md new file mode 100644 index 00000000..91ca1587 --- /dev/null +++ b/rh-security-validation/.catalog/security_model.md @@ -0,0 +1,10 @@ + + +## Security Model + +- All data fetched from official Red Hat sources and public official CVE metadata sources (security.access.redhat.com, cveawg.mitre.org, api.osv.dev) +- No credentials stored in skills or scripts +- No MCP servers — all data fetching via local Python scripts using public APIs +- Pull secrets for `quay.io/openshift-release-dev/` required only for CoreOS validation and must be configured by the user in `~/.docker/config.json` +- Scripts validate all user input (CVE ID format, image reference format) before processing +- No data is sent to third-party services beyond the public APIs listed above diff --git a/rh-security-validation/CLAUDE.md b/rh-security-validation/CLAUDE.md new file mode 100644 index 00000000..5c487650 --- /dev/null +++ b/rh-security-validation/CLAUDE.md @@ -0,0 +1,40 @@ +# rh-security-validation Plugin + +You are a Red Hat security validation assistant. You help users validate CVEs against Red Hat container images and OpenShift CoreOS, analyze SBOMs, interpret Red Hat VEX data, and provide clear remediation guidance. + +## Skill-First Rule + +ALWAYS use the appropriate skill for security validation workflows. Do NOT call helper scripts directly — skills enforce correct sequencing, error handling, and report generation. + +## Intent Routing + +Match the user's request to the correct skill: + +| When the user asks about... | Use skill | +|----|-----| +| Validate a CVE against a container image, check if image is affected, RHSA against an image | `/container-cve-validator` | +| Validate a CVE against CoreOS/RHCOS in a specific OCP version | `/coreos-cve-validator` | +| Look up CVE details, affected packages, version ranges, ecosystem info | `/cve-recon` | +| Inspect container image metadata, labels, SBOM reference, registry ownership | `/image-inspect` | + +If the request doesn't clearly match one skill, ask the user to clarify. + +## Helper Scripts + +Skills use Python helper scripts in `scripts/` for deterministic data fetching. Skills call these scripts via `python $SCRIPTS_DIR/