CNNVD/CVE Vulnerability Report Generator

Generate standardized vulnerability reports for CNNVD (中国国家信息安全漏洞库) and CVE from audit data, reproduction scripts, or code analysis.

When to Use This Skill

• User has security audit results (reports, findings, code review outputs) and needs to file them with CNNVD or CVE
• User mentions 漏洞填报, CVE, CNNVD, 安全公告, vulnerability report, security advisory
• User provides vulnerability analysis data and asks to generate structured reports
• User wants batch generation of reports for multiple findings from one audit

Workflow

Step 1: Detect Input Type

Determine what the user has provided:

Step 2: Confirm Scope

Ask the user (unless already clear):

1. Which vulnerability to report (single or batch from multi-vuln audit)
2. Output mode: CNNVD only, CVE only, or both
3. Language preference for CVE descriptions (English default, Chinese if requested)

Step 3: Extract Vulnerability Information

For each vulnerability, collect these fields from the input data:

Mandatory fields:

• Vulnerability title (漏洞名称)
• CWE type and number
• CVSS score (if available, otherwise estimate from description)
• Affected software: vendor, product name, version
• Vulnerable code location (file:line)
• Attack vector and scenario
• Impact description
• Reproduction/verification steps

Optional fields (fill if available):

• CVE number (if already assigned)
• Download link for affected software
• Network asset fingerprint
• Disclosure timeline

Step 4: Read Reference Templates

Before generating, read the appropriate reference file:

• For CNNVD: read references/cnnvd-template.md
• For CVE: read references/cve-template.md
• For both: read both files

Step 5: Generate Reports

CNNVD Report Generation

Follow the CNNVD template structure. Key rules:

1. 漏洞名称: Concise, includes product name and vulnerability type. Format: [产品名] [漏洞类型]漏洞
2. 漏洞类型: Use standard CWE mapping (CWE-xxx)
3. 漏洞自评级: Map CVSS to Chinese severity: HIGH(7.0-10.0)=高危, MEDIUM(4.0-6.9)=中危, LOW(0.1-3.9)=低危
4. 受影响实体: Include vendor, product, specific version range
5. 漏洞描述或简介: 2-4 sentences explaining what the vulnerability is and why it exists
6. 漏洞影响描述: Concrete impact scenarios — what an attacker can achieve
7. 漏洞定位: Exact file path and line numbers from the source code
8. 漏洞触发条件: Precise conditions needed to trigger (configuration, user action, prerequisites)
9. 验证过程: Step-by-step reproduction with commands (auto-generated from input data)

Verification Steps Generation

Auto-generate verification procedures based on:

1. From audit report: If the report already contains verification data (commands, outputs, screenshots), use those directly — adapt format but preserve the exact commands and expected outputs
2. From reproduction scripts: Extract the key commands, environment setup, and expected results
3. Inferred from vulnerability type: If no verification data exists, generate based on CWE class:

1. Format verification steps as:
• Prerequisites (环境要求)
• Step-by-step commands (验证步骤)
• Expected output (预期结果)
• Evidence of vulnerability (漏洞确认)

CVE Description Generation

Follow standard CVE format:

1. Title: Same as CNNVD or English equivalent
2. Description: Technical description of the vulnerability, including the specific flaw and its consequence
3. Affected Versions: Precise version range
4. Impact: What an attacker can achieve
5. References: Link to audit report or advisory
6. CWE Mapping: CWE-xxx

Step 6: Output

Save generated reports to the same directory as the input files, with naming:

• CNNVD: cnnvd-[vuln-id].md (e.g., cnnvd-VULN-001.md)
• CVE: cve-[vuln-id].md (e.g., cve-VULN-001.md)

For batch mode, save as:

• cnnvd-all.md (all vulnerabilities in one file)
• cve-all.md

Output Quality Guidelines

1. Accuracy over completeness — if a field cannot be reliably inferred from the input, mark it as [待补充] (to be filled) rather than guessing
2. Use source code evidence — always reference specific file paths and line numbers
3. Reproduction steps must be runnable — include exact commands, not descriptions of commands
4. Impact must be concrete — "attacker can read SSH passwords" not "security risk"
5. Chinese for CNNVD fields — the CNNVD form is in Chinese; fill all fields in Chinese
6. Language for CVE — default to English; if user requests Chinese, use Chinese

Handling Multiple Vulnerabilities

When processing an audit report with multiple findings:

1. List all findings first, let user select which to generate
2. For batch mode, generate a table of contents at the top of each output file
3. Each vulnerability gets its own section with consistent formatting
4. Cross-references between related vulnerabilities (e.g., attack chains) should be noted

Common Patterns in Input Data

These patterns appear frequently in security audit reports — recognize and extract them:

• CWE: CWE-xxx (Description) → extract CWE number and type
• CVSS: x.x → extract score
• Location: file:line → extract code location
• Attack: or Attack Scenario: → extract attack vector
• Impact: → extract impact description
• Fix: → extract recommended fix (useful for CVE references)
• Code blocks with ```typescript or ```python → extract vulnerable code snippets
• ps aux, cat /proc/, curl, ssh commands → extract as verification steps