From b424a1cd20e30f07ed843f9ada65f909ae3778ca Mon Sep 17 00:00:00 2001 From: gziv Date: Sun, 31 May 2026 12:16:56 +0300 Subject: [PATCH 1/2] feat: add red-hat-cve-explainer ASE evaluation submission --- .../red-hat-cve-explainer/evals/evals.json | 18 ++++ .../red-hat-cve-explainer/metadata.yaml | 5 ++ .../red-hat-cve-explainer/skills/SKILL.md | 83 +++++++++++++++++++ 3 files changed, 106 insertions(+) create mode 100644 submissions/red-hat-cve-explainer/evals/evals.json create mode 100644 submissions/red-hat-cve-explainer/metadata.yaml create mode 100644 submissions/red-hat-cve-explainer/skills/SKILL.md diff --git a/submissions/red-hat-cve-explainer/evals/evals.json b/submissions/red-hat-cve-explainer/evals/evals.json new file mode 100644 index 0000000..1bbfde0 --- /dev/null +++ b/submissions/red-hat-cve-explainer/evals/evals.json @@ -0,0 +1,18 @@ +{ + "skill_name": "red-hat-cve-explainer", + "evals": [ + { + "id": "red-hat-cve-explainer-eval", + "name": "Red Hat CVE Explainer", + "prompt": "You are a Red Hat IT support specialist. A sysadmin asks:\n\n\"We got flagged on CVE-2024-6387 (the OpenSSH regreSSHion vulnerability). Can you explain what it is, how bad it is for our Red Hat systems, and what we should do? Also, walk me through the specific criteria Red Hat uses for each severity tier — I need to understand exactly what makes something Critical vs Important vs Moderate vs Low. And how do you enrich CVE data with advisory remediation details?\"\n\nProvide a thorough response.", + "expected_output": "A thorough CVE explanation with Red Hat-specific severity tier criteria (not just labels), advisory enrichment via advisories-mcp tools (map-cve-advisories, get-advisory-solution), and the three Red Hat advisory types (RHSA/RHBA/RHEA) with their distinct purposes.", + "assertions": [ + "The output defines Red Hat's Critical severity with specific technical criteria: remote unauthenticated exploitation, no user interaction required, and wormable or trivially automatable — not just 'very severe' or a CVSS range.", + "The output defines Red Hat's Important severity with specific technical criteria that distinguish it from Critical: local privilege escalation to root, authenticated RCE, or significant denial of service.", + "The output defines Red Hat's Moderate severity as vulnerabilities that would otherwise be Critical or Important but require unusual configuration, user interaction, or other preconditions to exploit.", + "The output describes enriching CVE data with advisory remediation details by mapping CVEs to advisories (RHSA/RHBA/RHEA) and retrieving per-advisory solution or remediation information.", + "The output explains that when no Red Hat advisory exists for a CVE, the response should note the fix is under investigation and include any published mitigations, rather than speculating about remediation." + ] + } + ] +} diff --git a/submissions/red-hat-cve-explainer/metadata.yaml b/submissions/red-hat-cve-explainer/metadata.yaml new file mode 100644 index 0000000..bf31e25 --- /dev/null +++ b/submissions/red-hat-cve-explainer/metadata.yaml @@ -0,0 +1,5 @@ +name: red-hat-cve-explainer +description: "Explain a CVE using Red Hat's severity rating system. Looks up the CVE," +persona: rh-sre +version: "1.0.0" +eval_engine: ase diff --git a/submissions/red-hat-cve-explainer/skills/SKILL.md b/submissions/red-hat-cve-explainer/skills/SKILL.md new file mode 100644 index 0000000..ab52135 --- /dev/null +++ b/submissions/red-hat-cve-explainer/skills/SKILL.md @@ -0,0 +1,83 @@ +--- +name: red-hat-cve-explainer +description: Explain a CVE using Red Hat's severity rating system. Looks up the CVE, + explains the rating, and suggests a course of action. +license: Apache-2.0 +--- + +# Red Hat CVE Explainer + +Extract `CVE-YYYY-NNNNN` from user message. If none, ask. Handle multiple CVEs separately in one response. + +## Prerequisites + +None — falls back to WebFetch if the Red Hat Security MCP is unavailable. + +## When to Use This Skill + +When the user asks about a specific CVE: what it is, its severity, or whether to patch. + +## Workflow + +1. Extract CVE ID from the user message. +2. Look up CVE metadata via `cve-mcp` or WebFetch. +3. Look up linked advisories via `advisories-mcp` or extract from CVE response. +4. Return severity, affected products, and action recommendation. + +## Dependencies + +- `red-hat-security` MCP (optional): provides `cve-mcp` and `advisories-mcp` tools. + +## Lookup Sequence + +CVE metadata (stop when you have data): +1. `cve-mcp` -> `cve-detail` +2. `WebFetch` -> `https://access.redhat.com/security/cve/` +3. No Red Hat data: say so, direct to `https://nvd.nist.gov/vuln/detail/` + +Advisory/remediation (after step 1-2 succeeds): +1. `advisories-mcp` -> `map-cve-advisories` -- linked RHSAs/RHBAs/RHEAs +2. `advisories-mcp` -> `get-advisory-solution` for each advisory +3. Optionally `advisories-mcp` -> `summarize-advisory` for richer detail + +If advisories MCP unavailable: extract advisory IDs from CVE response, report without remediation detail. + +## Advisory Types + +| Prefix | Type | What it fixes | +|--------|------|---------------| +| RHSA | Red Hat Security Advisory | One or more CVEs -- highest urgency | +| RHBA | Red Hat Bug Advisory | Bug fixes only -- no CVE, no security urgency | +| RHEA | Red Hat Enhancement Advisory | New features/capabilities -- no security fix | + +In Output, label each advisory by type: e.g., "RHSA-2024:1234 (Security Advisory)". + +## Red Hat Severity + +- Critical -- Remote unauthenticated, no user interaction; wormable or trivially automated +- Important -- Local privesc to root, authenticated RCE, or significant DoS +- Moderate -- Would be Critical/Important but requires unusual config, user interaction, or other preconditions +- Low -- Minimal real-world impact; exploitation requires unlikely circumstances + +Scored with CVSS v3 (0.0-10.0). Scores may differ from NVD due to product-specific flags, hardening, and deployment context. + +## Output + +### [CVE ID] + +**Severity:** [Red Hat rating] (CVSS [score]) + +**What it is:** 1-2 sentences plain language. + +**Why [rating]:** Connect flaw to rating criteria -- ease of exploitation, auth/interaction requirements. + +**Affected products:** Affected Red Hat products with fix status. Per advisory: ID + remediation from `get-advisory-solution`. If no advisory: note fix is under investigation, include published mitigations. + +**Action:** +- Critical -> "Patch immediately. Exploitable by remote unauthenticated attackers." +- Important -> "Patch at your next maintenance window." +- Moderate -> "Include in your regular update cycle." +- Low -> "Apply when convenient. Monitor for severity changes." +- No patch -> include published mitigations from Red Hat's CVE page. + +Write for a sysadmin deciding urgency. If Red Hat CVSS differs significantly from NVD, briefly note scores are product-specific. Never speculate about exploit availability beyond Red Hat's data. From a7076b9af507d9071e43e4a182f6694a4eee626b Mon Sep 17 00:00:00 2001 From: gziv Date: Sun, 31 May 2026 14:39:13 +0300 Subject: [PATCH 2/2] retrigger: queue runner parallel