Zeno-sole/cve-fixer
skills/local/deepin-cve-fixer/SKILL.md
CVE vulnerability fixing workflow for Debian packages. Searches CVE databases, generates patches with one-CVE-per-patch enforcement, validates with quilt, and submits to Gerrit/GitHub. Use when fixing CVEs in Debian packages, applying security patches, or managing Debian security updates.
testing
Updated Apr 23, 2026
$ install --global
skillsauthnpx skillsauth add Zeno-sole/zeno-skills cve-fixerInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 27, 2026, 9:53 PM162.0s1 file scanned
SKILL.md
- name:
- cve-fixer
- description:
- CVE vulnerability fixing workflow for Debian packages. Searches CVE databases, generates patches with one-CVE-per-patch enforcement, validates with quilt, and submits to Gerrit/GitHub. Use when fixing CVEs in Debian packages, applying security patches, or managing Debian security updates.
CVE Fixer
Complete workflow for identifying, fixing, and submitting CVE security patches.
Directory Structure
work_directory/
├── git-repos/ # Repository cache (auto-named by type: gerrit/github/other)
└── git-worktree/ # Per-CVE worktrees
└── pkg-CVE-ID/ # Single CVE, or pkg-CVE1-CVE2-CVE3 for multi-CVE
├── .cve-fixer/ # CVE data (gitignored)
│ └── workflow_state.json # Per-CVE state tracking
└── debian/ # Your fix
└── patches/
Core Concepts
Phase-Based Workflow (0→1→2→3→4→5): Setup → Research → Development → Packaging → Validation → Submission. Start with references/cve-workflow.md.
Multi-CVE Worktrees: Shared worktrees for sequential CVE fixes. Single: repo-name-CVE-ID. Multi: repo-name-CVE1-CVE2-CVE3 (sorted). State: .cve-fixer/CVE-ID/workflow_state.json.
One-CVE-Per-Patch (STRICT): Each CVE needs its own debian/patches/CVE-YYYY-XXXXX.patch. Multiple CVEs can be committed together with shared changelog. See references/phase-3-debian-packaging.md.
Quick Start
STRICT: Complete phases sequentially 0→1→2→3→4→5. See Workflow Enforcement.
Language Configuration (默认中文/Chinese by default):
# Set language (zh/en)
python3 scripts/config.py --set language=zh # 简体中文 (默认/default)
python3 scripts/config.py --set language=en # English
首次运行 (First Run): 运行任何脚本时,如果未配置工作目录,系统会通过交互式提示引导您设置工作目录路径。语言默认设为中文,所有输出信息将使用中文显示。
# Phase 0: Worktree Setup (MANDATORY)
python3 scripts/config.py --setup
python3 scripts/git_worktree_manager.py add-repo <url> # auto-named
python3 scripts/git_worktree_manager.py create <cache-name> CVE-2024-10041
# Multi-CVE: python3 scripts/git_worktree_manager.py create <cache-name> CVE-2024-10041,CVE-2024-10042
# Phase 1: CVE Research
python3 scripts/search_cve.py CVE-2024-10041 --format json --repo-name pkg
# Phase 2: Patch Development
# Step 0 (MANDATORY): Verify CVE is not already fixed
python3 scripts/discover_cve_patch.py CVE-2024-10041 --dir /path/to/package --status-only
# Phase 3: Debian Packaging (changelog MANDATORY for every fix)
# AUTOMATED: generate_patch.py will automatically run `dch -l deepin -D unstable`
python3 scripts/generate_patch.py \
--cve-id CVE-2024-10041 \
--patch-content patch_file.txt \
--repo /path/to/worktree
# See references/phase-3-debian-packaging.md for patch format & quilt workflow
# Phase 4: Validation
python3 scripts/validate_patch.py --repo /path/to/worktree
# Phase 5: Submission
python3 scripts/submit_patch.py --cve-id CVE-2024-10041 --description "Fix ..." --repo /path/to/worktree
Workflow Enforcement Summary
STRICT: Phases must be completed in sequence. Each phase validates prerequisite completion.
Key requirements:
- Phase 2, Step 0 CVE status check is MANDATORY before patch development
- Attempting to skip phases results in
Error: Phase X must be completed before Phase Y - Use
--forceONLY for recovery (not for skipping mandatory checks) - Enable
DEEPIN_CVE_AUDIT_MODE=1to audit force flag usage
State file: .cve-fixer/workflow_state.json (single-CVE) or .cve-fixer/CVE-ID/workflow_state.json (multi-CVE)
For detailed enforcement rules, state file format, force flag usage, and error recovery, see references/workflow-enforcement.md
Scripts
Core:
git_worktree_manager.py- Worktree lifecycle (validates Phase 0)config.py- Configuration management (includes language settings: zh/en)workflow_state.py- Workflow state tracking (--get-state, --set-phase, --validate, --reset)i18n.py- Internationalization module for multi-language support
Workflow scripts (auto-validate phases):
search_cve.py- CVE database search (validates Phase 0, updates Phase 1)discover_cve_patch.py- Patch discovery & CVE status check (validates Phase 1, updates Phase 2, Step 0 mandatory)generate_patch.py- Patch generation (validates Phase 2 Step 0)validate_patch.py- Patch validation (validates Phase 2, can update Phase 4)validate_cve_patch.py- CVE compliance (validates Phase 2)submit_patch.py- Patch submission (validates Phase 4, updates Phase 5)
Troubleshooting
Common issues:
- Workflow state errors → See references/workflow-enforcement.md
- Patch application/build/submission failures → See references/troubleshooting.md
- Emergency procedures → See references/emergency.md
Language support:
- Default language: Chinese/简体中文 (
zh) - 所有用户输出信息默认使用中文 - Switch language:
python3 scripts/config.py --set language=zh或--set language=en - All user messages: 已本地化为中文和英文
References
Start here:
references/cve-workflow.md(195 lines) - Workflow navigation and quick lookup
Phase guides (load when needed):
references/phase-0-worktree-setup.md(191 lines) - Worktree lifecycle & repo cachingreferences/phases-1-2-4-research-dev-validation.md(321 lines) - Research + Development + Validationreferences/phase-3-debian-packaging.md(222 lines) - Packaging, quilt, changelog, commitreferences/phase-5-submission.md(146 lines) - Gerrit + GitHub workflows
Support:
references/workflow-enforcement.md(232 lines) - Phase validation, state managementreferences/troubleshooting.md(48 lines) - Common issuesreferences/emergency.md(37 lines) - Emergency procedures
Templates (format reference):
assets/commit-msg-template- Git commit message formatassets/patch-template.patch- Patch file header format
Related Skills
Zeno-sole/self-improvement
tools
VerifiedTrustedCommunity
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Claude ('No, that's wrong...', 'Actually...'), (3) User requests a capability that doesn't exist, (4) An external API or tool fails, (5) Claude realizes its knowledge is outdated or incorrect, (6) A better approach is discovered for a recurring task. Also review learnings before major tasks.
SKILL.mdUpdated Apr 24, 2026
Zeno-sole/jenkins-crp-to-xlsx
development
VerifiedTrustedCommunity
Convert Jenkins v25-crp_info_collect job output to Excel (.xlsx) format. Use when the user needs to extract theme information from Jenkins CRP (Code Review Platform) info collection jobs and convert it to a structured Excel file with columns for 主题名称, 主题地址, 仓库, 源码名及版本, 责任人. Works with job URLs like https://jenkinswh.uniontech.com/view/ISO-Builder/job/v25-repo-iso-work/view/repo/job/v25-crp_info_collect/
SKILL.mdUpdated Apr 24, 2026
Zeno-sole/find-skills
data-ai
VerifiedTrustedCommunity
Helps users discover and install agent skills when they ask questions like "how do I do X", "find a skill for X", "is there a skill that can...", or express interest in extending capabilities. This skill should be used when the user is looking for functionality that might exist as an installable skill.
SKILL.mdUpdated Apr 24, 2026
Zeno-sole/xurl
tools
VerifiedTrustedCommunity
A CLI tool for making authenticated requests to the X (Twitter) API. Use this skill when you need to post tweets, reply, quote, search, read posts, manage followers, send DMs, upload media, or interact with any X API v2 endpoint.
SKILL.mdUpdated Apr 24, 2026