This skill helps identify similar vulnerabilities and bugs using a five-step process. It is designed for developers and security professionals who need to enhance their code audits and vulnerability analysis.
$ npx skills add https://github.com/trailofbits/skills --skill variant-analysisVariant Analysis is a security skill that helps developers and security professionals identify similar vulnerabilities and bugs across codebases using pattern-based analysis. The skill applies a structured five-step process to detect vulnerability variants, enabling more thorough code audits and enhanced vulnerability analysis workflows. By automating the discovery of code patterns that match known security issues, it reduces manual review effort and helps teams catch similar vulnerabilities that might otherwise be missed. The skill integrates with Claude Code and Cursor to provide real-time vulnerability pattern matching during code review and security analysis tasks.
Install using npx with the provided command.
Search for similar instances of identified vulnerabilities.
Build or refine CodeQL/Semgrep queries.
Perform systematic code audits after discovering an issue.
Hunt for bug variants across a codebase.
$ npx skills add https://github.com/trailofbits/skills --skill variant-analysisgit clone https://github.com/trailofbits/skillsCopy the install command above and run it in your terminal.
Launch Claude Code, Cursor, or your preferred AI coding agent.
Use the prompt template or examples below to test the skill.
Adapt the skill to your specific use case and workflow.
Analyze the following codebase for potential security vulnerabilities and identify similar issues reported in public databases like CVE or NVD. Focus on [LANGUAGE/TECHNOLOGY] and provide a detailed report including: 1) Vulnerability type, 2) Severity score (CVSS), 3) Affected components, 4) Remediation steps, and 5) References to similar past incidents. Use [COMPANY]’s codebase in the [INDUSTRY] sector. Here is the relevant [DATA]: ```[CODE_SNIPPET_OR_FILE_PATH]```
# Variant Analysis Report: SQL Injection in User Authentication Module ## Executive Summary A high-severity SQL injection vulnerability was identified in the `UserAuthentication.java` module of [COMPANY]’s e-commerce platform, affecting version 2.4.1. This issue mirrors CVE-2023-45678, which impacted a similar authentication system in the retail sector. The flaw allows unauthenticated attackers to execute arbitrary SQL queries, potentially exposing sensitive customer data. ## Vulnerability Details - **Type**: SQL Injection (CWE-89) - **Severity**: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N) - **Affected Component**: `login()` method in `com.company.auth.UserAuthentication` - **Affected Code Snippet**: ```java String query = "SELECT * FROM users WHERE username = '" + username + "' AND password = '" + password + "'"; ``` ## Remediation Steps 1. **Immediate Fix**: Replace concatenated queries with parameterized statements: ```java String query = "SELECT * FROM users WHERE username = ? AND password = ?"; PreparedStatement stmt = connection.prepareStatement(query); stmt.setString(1, username); stmt.setString(2, password); ``` 2. **Validation**: Add input validation for `username` and `password` to reject suspicious characters. 3. **Testing**: Conduct regression testing to ensure no functionality is broken. 4. **Monitoring**: Deploy runtime application self-protection (RASP) to detect similar attacks in production. ## References - **Similar Incident**: CVE-2023-45678 (RetailCorp e-commerce platform breach) - **OWASP Reference**: [SQL Injection Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html) - **Mitigation Guide**: [NIST SP 800-53 Rev.5](https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final) (SI-4) ## Recommendation Apply the fix within 48 hours and schedule a code review with the security team. Patch this vulnerability before the next scheduled release to avoid exposure during peak shopping seasons.
Take a free 3-minute scan and get personalized AI skill recommendations.
Take free scan