Sans review n validate

lola-module/skills/secdevai-review/SKILL.md

@@ -1,6 +1,6 @@
 ---
 name: secdevai-review
-description: Perform AI-powered security code review using OWASP Top 10 and WSTG patterns. Use when reviewing source code, specific files, git commits, or entire codebases for security vulnerabilities. Supports multi-language analysis and severity classification.
+description: Perform AI-powered security code review using OWASP Top 10, CWE/SANS Top 25, and WSTG patterns. Use when reviewing source code, specific files, git commits, or entire codebases for security vulnerabilities. Supports web and non-web code (C/C++, Go, Rust, etc.), multi-language analysis, severity classification, and automated finding validation via subagent.
 ---
 
 # SecDevAI Review Command
@@ -65,6 +65,12 @@ Tip: To review an excluded file, remove its pattern from .secdevaiignore.
 
 - **Always read**: `secdevai-review/context/security-review.context` for OWASP Top 10 patterns
 
+- **Auto-detect CWE/SANS Top 25 native code context** (additionally read `secdevai-review/context/cwe-top25-native.context` if ANY condition applies):
+  - Source code includes C (`.c`, `.h`), C++ (`.cpp`, `.cc`, `.cxx`, `.hpp`), or Rust (`.rs`) files
+  - `Makefile`, `CMakeLists.txt`, `meson.build`, `Cargo.toml`, or `*.sln`/`*.vcxproj` build files are present
+  - User explicitly mentions: "CWE", "SANS Top 25", "buffer overflow", "memory safety", "native code", "systems code"
+  - Assembly (`.s`, `.asm`) files or FFI/JNI bindings are detected
+
 - **Auto-detect WSTG context** (additionally read `secdevai-review/context/wstg-testing.context` if ANY condition applies):
   - Source code is for a web application, web service, or web site
   - User explicitly mentions: "WSTG", "Web Security Testing Guide", or category numbers (4.1-4.12)
@@ -78,7 +84,7 @@ Tip: To review an excluded file, remove its pattern from .secdevaiignore.
   - OpenShift deployment configs or templates are present
   - `docker-compose.yml` or `compose.yaml` exists
 
-- **Note**: WSTG patterns enhance web application security analysis; golang-security.context provides Go-specific vulnerability and weakness patterns; OCI image security references provide container supply chain, configuration, hardening, and EOL detection patterns
+- **Note**: CWE/SANS Top 25 patterns cover memory safety, integer overflow, race conditions, and privilege management for native/systems code; WSTG patterns enhance web application security analysis; golang-security.context provides Go-specific vulnerability and weakness patterns; OCI image security references provide container supply chain, configuration, hardening, and EOL detection patterns
 
 ### Step 4: Optional Tool Integration
 
@@ -88,69 +94,85 @@ Tip: To review an excluded file, remove its pattern from .secdevaiignore.
 
 ### Step 5: Perform Analysis
 
-- Scan code for security patterns from loaded context
+- Scan code for security patterns from loaded context (OWASP Top 10 and/or CWE/SANS Top 25 depending on loaded contexts)
 - Classify findings by severity (Critical/High/Medium/Low/Info)
-- Reference OWASP categories
+- Reference OWASP categories and/or CWE IDs
 - Provide context-aware explanations
 
+### Step 5.5: Validate Findings — Delegate to `secdevai-validate`
+
+**Purpose**: Reduce false positives and calibrate severity by dispatching findings to the `secdevai-validate` skill.
+
+**Delegate to the `secdevai-validate` skill.** Pass all findings from Step 5 to the validation skill, which independently:
+1. Reads the actual source code at each reported location
+2. Checks exploitability — whether a realistic attack path exists
+3. Calibrates severity against [Red Hat's classification](https://access.redhat.com/security/updates/classification) (Critical / Important / Moderate / Low)
+4. Produces a CVSS v3.1 base score analysis for each finding
+
+Dispatch via subagent when the platform supports parallel task execution. Pass findings using this prompt template:
+
+```
+Use the secdevai-validate skill to validate the following security findings.
+Read the actual source code for each finding. Check exploitability, calibrate severity per Red Hat classification, and produce CVSS v3.1 analysis.
+
+Findings:
+[paste the structured findings list from Step 5]
+```
+
+**Processing validation results** (returned by `secdevai-validate`):
+
+| Verdict | Action |
+|---------|--------|
+| **CONFIRMED** | Keep finding with original severity. Add CVSS vector and score. |
+| **ADJUSTED** | Update severity to the validated level. Add CVSS vector, score, and adjustment reason. |
+| **DISPUTED** | Keep finding, add "[Needs Manual Review]" tag and the dispute reasoning. |
+| **REJECTED** | Remove from results. Log to skipped findings with rejection reason. |
+
+For all retained findings, enrich the output with: CVSS vector string, CVSS numeric score, Severity, and exploitability verdict.
+
+**Report only valid, exploitable findings** in the final output. Non-exploitable findings that are still valid issues should be listed in a separate "Informational / Not Exploitable" section with the explanation from the validation skill.
+
+**If subagent dispatch is unavailable** (e.g., platform does not support parallel task execution): perform the validation inline by reading the `secdevai-validate` skill and applying its steps directly. Still annotate uncertain findings with "[Needs Manual Review]".
+
 ### Step 6: Present Findings
 
+Present only validated, exploitable findings. Group by Severity:
+
 ```
 ## 🔒 **Security Review Results**
 
-### 🔴 **Critical Findings** (2)
-- [Finding 1 with code reference]
-- [Finding 2 with code reference]
+### 🔴 **Critical** (2)
+- [Finding with code reference, CVSS vector/score, exploitability summary]
 
-### 🟠 **High Severity** (3)
-- [Finding details]
+### 🟠 **Important** (3)
+- [Finding details with CVSS]
 
-### 🟡 **Medium Severity** (5)
-- [Finding details]
+### 🟡 **Moderate** (5)
+- [Finding details with CVSS]
 
-**Total**: 10 findings across [file/codebase]
-```
+### 🔵 **Low** (1)
+- [Finding details with CVSS]
+
+### ℹ️ **Informational / Not Exploitable** (2)
+- [Valid pattern but not exploitable — with explanation]
 
-### Step 7: Save Results
-
-After presenting findings, collect all findings into structured JSON and export:
-
-```python
-import importlib.util
-from pathlib import Path
-
-# Load the exporter from secdevai-export skill scripts
-script_path = Path("secdevai-export/scripts/results_exporter.py")
-spec = importlib.util.spec_from_file_location("results_exporter", script_path)
-mod = importlib.util.module_from_spec(spec)
-spec.loader.exec_module(mod)
-
-# Collect findings into data structure
-data = {
-    "metadata": {
-        "tool": "secdevai-ai-analysis",
-        "version": "1.0.0",
-        "timestamp": datetime.now().isoformat(),
-        "target_file": "[file path or 'codebase']",
-        "analyzer": "AI Security Review",
-    },
-    "summary": {
-        "total_findings": [count],
-        "critical": [count],
-        "high": [count],
-        "medium": [count],
-        "low": [count],
-        "info": [count],
-    },
-    "findings": [list of finding objects],
-}
-
-# Export to markdown and SARIF
-markdown_path, sarif_path = mod.export_results(data, command_type="review")
+**Total**: 11 validated findings across [file/codebase] (2 false positives rejected)
 ```
 
-- The exporter will prompt the user to confirm the result directory (default: `secdevai-results`)
-- Results are saved with timestamp: `secdevai-review-YYYYMMDD_HHMMSS.md` and `.sarif`
+Each finding should include:
+- `Severity`: Critical / Important / Moderate / Low
+- `CVSS Vector`: CVSS:3.1/AV:X/AC:X/PR:X/UI:X/S:X/C:X/I:X/A:X
+- `CVSS Score`: numeric score
+- `Exploitability`: Exploitable / Conditionally exploitable / Not exploitable
+- `Validation`: CONFIRMED / ADJUSTED (with reason) / DISPUTED
+
+### Step 7: Save Results (Optional)
+
+After presenting findings, ask the user:
+
+> **Would you like to export these findings to Markdown and SARIF report files?**
+
+If the user confirms, **delegate to the `secdevai-export` skill**. Collect all findings into the structured data format documented in that skill and invoke export with `command_type="review"`. If the user declines, skip export and proceed.
 
 ### Step 8: Offer Remediation (if `fix` also specified)
 
@@ -165,9 +187,12 @@ If `fix` is specified alongside review:
 ## Security Context Sources
 
 - `secdevai-review/context/security-review.context` - OWASP Top 10 patterns (always loaded)
+- `secdevai-review/context/cwe-top25-native.context` - CWE/SANS Top 25 patterns for native/systems code (auto-loaded for C/C++/Rust)
 - `secdevai-review/context/wstg-testing.context` - OWASP WSTG v4.2 web app testing patterns (auto-loaded for web code)
 - `secdevai-review/context/golang-security.context` - Go-specific vulnerabilities and weaknesses (auto-loaded for Go code)
 
+**CWE/SANS Top 25 Auto-Detection**: The native code context automatically loads when reviewing C, C++, Rust, or other compiled/systems code, or when the user mentions CWE, SANS Top 25, buffer overflows, or memory safety.
+
 **WSTG Auto-Detection**: The WSTG context automatically loads when reviewing web application code or when explicitly requested.
 
 **Golang Auto-Detection**: The Golang context automatically loads when reviewing Go source (e.g. `.go` files, `go.mod`) or when the user mentions Go/Golang.
@@ -181,14 +206,16 @@ If `fix` is specified alongside review:
 ### Language Detection and Adaptation
 
 1. **Detect the Language**: Identify the programming language from file extension, syntax, or imports
+   - C: `.c`, `.h`, `#include <stdio.h>`, `malloc`, `free`
+   - C++: `.cpp`, `.cc`, `.cxx`, `.hpp`, `.hxx`, `#include <iostream>`, `std::`, `class`, `template`
+   - Rust: `.rs`, `use`, `fn`, `impl`, `unsafe`, `Cargo.toml`
    - Python: `.py`, imports like `import flask`, `from django`
    - JavaScript/TypeScript: `.js`, `.ts`, `.jsx`, `.tsx`, `require()`, `import from`
    - Java: `.java`, `import`, `class`, `public static void`
    - Go: `.go`, `package`, `import`, `func`
    - Ruby: `.rb`, `require`, `def`, `class`
    - PHP: `.php`, `<?php`, `namespace`
    - C#: `.cs`, `using`, `namespace`
-   - Rust: `.rs`, `use`, `fn`, `impl`
 
 2. **Translate Security Patterns**: Apply the same security principle but with language-specific syntax
 
@@ -228,6 +255,9 @@ If `fix` is specified alongside review:
    ```
 
 3. **Use Language-Specific Frameworks and Idioms**:
+   - C: POSIX APIs, OpenSSL, safe string functions (`strlcpy`/`snprintf`), SEI CERT C patterns
+   - C++: STL containers, smart pointers (`std::unique_ptr`, `std::shared_ptr`), RAII, C++ Core Guidelines
+   - Rust: Ownership/borrowing (safe Rust), `unsafe` blocks, `std::fs`, `tokio` patterns
    - Python: Django ORM, Flask, FastAPI patterns
    - JavaScript: Express.js, Next.js, React patterns
    - Java: Spring Security, Jakarta EE patterns
@@ -248,6 +278,21 @@ If `fix` is specified alongside review:
 
 ### Example Language Adaptations
 
+**Buffer Overflow Prevention** (CWE-787, native code):
+- C: Use `snprintf` instead of `sprintf`, `strncpy`/`strlcpy` instead of `strcpy`, `fgets` instead of `gets`
+- C++: Prefer `std::string`, `std::vector`, `std::array` over raw buffers; use `.at()` for bounds-checked access
+- Rust: Safe Rust prevents buffer overflows at compile time; audit `unsafe` blocks
+
+**Memory Management** (CWE-416, CWE-415, native code):
+- C: Nullify pointers after `free()`, use static analysis (Coverity, cppcheck)
+- C++: Use smart pointers (`std::unique_ptr`, `std::shared_ptr`), RAII for resource management
+- Rust: Ownership system prevents use-after-free; audit `unsafe` blocks and raw pointer usage
+
+**Integer Overflow** (CWE-190, native code):
+- C: Check before arithmetic: `if (a > SIZE_MAX - b)`, use safe integer libraries
+- C++: Use `<limits>`, `std::numeric_limits`, or safe integer libraries like SafeInt
+- Rust: Debug builds panic on overflow; use `checked_add()`, `saturating_add()` in release
+
 **XSS Prevention**:
 - Python/Flask: Use Jinja2 auto-escaping, `escape()`, `Markup()`
 - JavaScript/React: Use `textContent`, DOMPurify, React auto-escaping
@@ -268,14 +313,17 @@ If `fix` is specified alongside review:
 
 ### Response Format for Non-Python Code
 
-When reviewing non-Python code, structure your findings exactly the same way but with appropriate language examples:
+When reviewing non-Python code, structure your findings exactly the same way but with appropriate language examples.
+
+**Web/managed language example (OWASP)**:
 
 ```
 ## 🔴 **Critical: SQL Injection**
 
 **Location**: `UserController.java:42-45`
 **Language**: Java
 **OWASP Category**: A03: Injection
+**CWE**: CWE-89
 
 **Vulnerable Code**:
 ```java
@@ -288,7 +336,6 @@ ResultSet rs = stmt.executeQuery(query);
 
 **Remediation**:
 ```java
-// Use PreparedStatement with parameterized queries
 String query = "SELECT * FROM users WHERE username = ?";
 PreparedStatement stmt = connection.prepareStatement(query);
 stmt.setString(1, username);
@@ -297,7 +344,42 @@ ResultSet rs = stmt.executeQuery();
 
 **References**:
 - OWASP: https://owasp.org/www-community/attacks/SQL_Injection
-- Java: https://docs.oracle.com/javase/tutorial/jdbc/basics/prepared.html
+- CWE-89: https://cwe.mitre.org/data/definitions/89.html
+```
+
+**Native/systems code example (CWE/SANS Top 25)**:
+
+```
+## 🔴 **Critical: Buffer Overflow (CWE-787)**
+
+**Location**: `network.c:87-89`
+**Language**: C
+**CWE**: CWE-787 (Out-of-bounds Write)
+**Severity**: Critical
+**CVSS Vector**: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+**CVSS Score**: 9.8
+**Exploitability**: Exploitable — network-reachable parser with no bounds checking
+**Validation**: ✅ CONFIRMED
+
+**Vulnerable Code**:
+```c
+char buf[64];
+strcpy(buf, packet->payload);  // No bounds checking
+```
+
+**Risk**: Stack-based buffer overflow allows arbitrary code execution via crafted network packet
+
+**Remediation**:
+```c
+char buf[64];
+strncpy(buf, packet->payload, sizeof(buf) - 1);
+buf[sizeof(buf) - 1] = '\0';
+```
+
+**References**:
+- CWE-787: https://cwe.mitre.org/data/definitions/787.html
+- SANS Top 25: https://www.sans.org/top25-software-errors
+- SEI CERT C: https://wiki.sei.cmu.edu/confluence/display/c/STR31-C
 ```
 
 ## Verification Requirements