Skill Improvement ($50-150 Bounty)

Skill Modified

Skill name: cve-triage
Skill path: skills/vuln-management/cve-triage/SKILL.md

What Was Wrong

The CVE triage flow parsed CVE IDs and then moved directly into CVSS, KEV, EPSS, SSVC, and SLA assignment. It did not explicitly normalize advisory aliases or check source lifecycle status before scoring. That can create duplicate remediation tickets for the same vulnerability (CVE-*, GHSA-*, OSV, vendor advisory, distro advisory) or over-prioritize REJECTED, RESERVED, withdrawn, duplicate, or DISPUTED records.

Related review issue: #2057

What This PR Fixes

• Adds canonical vulnerability identity collection to prerequisites.
• Adds a pre-scoring alias/status normalization step across NVD, CNA, GHSA, OSV, vendor, distro, and scanner sources.
• Prevents REJECTED, RESERVED, withdrawn, or duplicate CVEs from receiving active CVSS/EPSS/SSVC priority as if they were live vulnerabilities.
• Requires human review for DISPUTED records and low-confidence alias mappings.
• Adds output fields for source status, identity confidence, advisory aliases, and source/alias evidence.
• Updates batch triage output so status and aliases are visible before prioritization.

Evidence

Before (skill could over-prioritize this):

findings:
  - id: CVE-2026-40404
    source_status: REJECTED
    aliases: [GHSA-abcd-1234-wxyz, OSV-2026-40404]
    scanner_severity: critical
  - id: GHSA-abcd-1234-wxyz
    aliases: [CVE-2026-40404]
triage_output:
  tickets_created:
    - CVE-2026-40404-critical
    - GHSA-abcd-1234-wxyz-high
  sla: immediate

After (now correctly handled):

source_evidence:
  canonical_id: CVE-2026-27777
  advisory_aliases: [GHSA-qwer-5678-asdf, OSV-2026-27777]
  nvd_status: DISPUTED
  identity_confidence: medium
triage_output:
  consolidated_ticket: CVE-2026-27777
  duplicate_tickets_created: false
  ssvc_decision: human_review_required

Test Cases Added/Updated

• Added vulnerable test case: tests/vulnerable/cve-triage-rejected-alias-duplicated-as-active.yaml
• Added benign test case: tests/benign/cve-triage-canonical-alias-status-reviewed.yaml
• Existing tests still pass / no executable test harness exists in this repository; validated with git diff --check, git diff --cached --check, and key-field checks for the new YAML evidence files.

Bounty Tier

• Minor ($50) - Doc update, small logic tweak, typo fix
• Moderate ($100) - New edge case coverage, FP reduction with evidence
• Substantial ($150) - Rewritten detection logic, major coverage expansion

Bounty Info

• I have read and agree to the CONTRIBUTING.md bounty terms
• Preferred payment method: GitHub Sponsors