CVE research and security patch workflow for Ark. Provides CVE API integration, mitigation strategies, and security-focused PR templates. Works with research, analysis, and setup skills for comprehensive vulnerability fixing.
View on GitHub: mckinsey/agents-at-scale-ark
ark
January 21, 2026
```bash
npx add-skill https://github.com/mckinsey/agents-at-scale-ark/blob/main/.claude/skills/vulnerability-fixer/SKILL.md -a claude-code --skill ark-vulnerability-fixer
```

Installation paths:

`.claude/skills/ark-vulnerability-fixer/`

# Ark Vulnerability Fixer

Provides CVE-specific research tools and security patch workflows for fixing vulnerabilities in Ark.

## When to use this skill

Use this skill when:

- User mentions a specific CVE number (e.g., "Fix CVE-2025-55183 in Ark")
- User reports a security vulnerability that needs patching
- You need CVE database information
- You need security-focused PR templates

**Note**: This skill is typically used by the **ark-security-patcher** agent as part of a complete workflow:

1. CVE research (this skill + **research** skill)
2. Codebase analysis (this skill + **analysis** skill)
3. Mitigation planning (this skill)
4. Repository cloning and fix implementation
5. Testing (optionally with **setup** skill)
6. PR creation (this skill)

This skill complements the **research**, **analysis**, and **setup** skills for a complete end-to-end vulnerability fixing workflow.

## CVE Research

### CVE API Integration

Fetch official CVE data from the CIRCL CVE database:

```bash
# Fetch CVE details
curl -s "https://cve.circl.lu/api/cve/CVE-2025-55183" | python3 -m json.tool
```

The API provides:

- Official CVE description
- CVSS scores and severity ratings
- References to security advisories
- Affected products and version ranges
- CWE categorization
- Available patches and fixes

### CVE Research Checklist

For each CVE, gather:

- [ ] Official CVE description and CVSS score
- [ ] Vendor security advisory
- [ ] GitHub security advisory (if applicable)
- [ ] Patch or fix documentation
- [ ] Affected version range
- [ ] Recommended version or workaround

**Tip**: Use the **research** skill for web searches to find vendor advisories and GitHub security alerts.
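
The following is an added example, not part of the Ark skill: it turns one CVE record into the checklist fields above and reports which ones the record did not supply. It assumes the API response follows the CVE Record Format 5.x layout (`containers.cna`); the sample record, its placeholder ID, and the `summarize` and `gaps` names are constructed for illustration.

```python
import json
import sys

# Constructed sample record (assumed CVE Record Format 5.x); all values are placeholders.
SAMPLE = {
    "cveMetadata": {"cveId": "CVE-0000-00000"},
    "containers": {"cna": {
        "descriptions": [{"lang": "en", "value": "Constructed description."}],
        "metrics": [{"format": "CVSS",
                     "cvssV3_1": {"baseScore": 7.5, "baseSeverity": "HIGH"}}],
        "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-400"}]}],
        "affected": [{"product": "example-pkg", "versions": [
            {"version": "1.0.0", "lessThan": "1.4.2", "status": "affected"},
            {"version": "1.4.2", "status": "unaffected"}]}],
        "references": [],  # left empty so the gap report has something to flag
    }},
}

def summarize(record):
    """Extract the research-checklist fields from one CVE record."""
    cna = record.get("containers", {}).get("cna", {})
    description = next((d.get("value") for d in cna.get("descriptions", [])
                        if d.get("lang", "").startswith("en")), None)
    # A record may carry several CVSS versions; keep the newest one present.
    scores = {k: v for m in cna.get("metrics", []) for k, v in m.items()
              if k.startswith("cvssV") and isinstance(v, dict)}
    best = scores[max(scores)] if scores else None
    return {
        "id": record.get("cveMetadata", {}).get("cveId"),
        "description": description,
        "cvss": best and (best.get("baseScore"), best.get("baseSeverity")),
        "cwe": [d["cweId"] for p in cna.get("problemTypes", [])
                for d in p.get("descriptions", []) if d.get("cweId")],
        # (product, first affected version, exclusive upper bound or None)
        "affected": [(a.get("product"), v.get("version"), v.get("lessThan"))
                     for a in cna.get("affected", [])
                     for v in a.get("versions", [])
                     if v.get("status") == "affected"],
        "references": [r["url"] for r in cna.get("references", []) if r.get("url")],
    }

def gaps(summary):
    """Checklist fields the record did not supply; research these by hand."""
    return [field for field, value in summary.items() if not value]

if __name__ == "__main__":
    record = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    summary = summarize(record)
    print(json.dumps(summary, indent=2), "\nmissing:", gaps(summary))
```

Saved under any filename, the script reads the `curl -s` output on stdin; run with no input, it uses the constructed sample.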
## Dependency Analysis

### Identifying Vulnerable Dependencies

Once you have CVE details, search Ark's dependencies:

```bash
cd /tmp/ark-analysis  # Use analysis skill to clone first

# Go dependencies
grep "package-name" go.mod go.sum
go list -m all | grep "package-name"

# Node.js dependencies
find . -na
```