Vulnerability Triage
Enable users to assess, classify, and track vulnerabilities found in their projects.
| Status | Open |
| Type | Closed-Source Collaborative |
| Eligible Courses | SEMI, PRAK/PROJ |
| Scope | 5 ECTS - 10 ECTS |
| Use of Artificial Intelligence | Allowed |
| CLA Required? | Yes |
Summary
CRA Tool can already detect known vulnerabilities by cross-referencing project dependencies against the OSV database. However, not every reported vulnerability is actually relevant to the project. A dependency may be affected by a CVE while the vulnerable code path is never reached, the CVSS severity may not apply in the project's deployment context, or the match may simply be a false positive. Without a way to record these decisions, users are left with a static, noisy list that does not reflect the true risk of their project.
This contribution will add a vulnerability triage workflow, inspired by tools like Dependency-Track. For each finding, users should be able to set an analysis state (e.g. "Not Affected", "Exploitable", "False Positive", "In Triage") along with a justification (e.g. "code not reachable") and an optional comment; a "Not Affected" decision in particular should not be accepted without a justification, since it is the decision that hides a finding. Every state change should be recorded in an audit trail (who changed it, when, from which state to which, and why) so that decisions are transparent and traceable. Findings that have been resolved or classified as not relevant should be suppressible, so that dashboards and metrics reflect the actual risk posture rather than raw vulnerability counts.
The implementation should also consider how triage decisions interact with the existing vulnerability monitoring feature. For example, when a new advisory is published for an already-triaged dependency, the new finding should start in triage with the previous assessment surfaced for review, rather than silently inheriting that assessment's state.
For reference, the CycloneDX VEX specification defines a standardized format for communicating whether, and with what justification, a product is affected by a vulnerability. Supporting VEX import and export would allow users to share triage decisions across tools.
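The following TypeScript sketch is an added example for this page, not CRA Tool's own code, that puts the three points above together: an analysis state with a mandatory justification for "not affected", an append-only audit trail, suppression-aware risk counts, the monitoring interaction (a new advisory on an already-triaged dependency starts in triage with the earlier decision attached), and a CycloneDX VEX export. All names (Finding, applyTriage, onNewAdvisory, toVex, the sample identifiers and package URLs) are this example's assumptions; the state and justification vocabularies are the ones used by the CycloneDX vulnerability "analysis" object.

```typescript
// Added example, not CRA Tool code: a minimal triage model with an audit
// trail, suppression-aware risk counts, monitoring interaction and VEX export.
// Every name here (Finding, applyTriage, onNewAdvisory, toVex, ...) is this
// example's own assumption about how such a feature could be structured.

// State and justification vocabularies follow the CycloneDX vulnerability
// "analysis" object, so a decision can be exported as VEX without mapping.
type AnalysisState =
  | "in_triage" | "exploitable" | "not_affected" | "false_positive" | "resolved";
type Justification =
  | "code_not_present" | "code_not_reachable" | "requires_configuration"
  | "requires_dependency" | "requires_environment" | "protected_by_compiler"
  | "protected_at_runtime" | "protected_at_perimeter" | "protected_by_mitigating_control";
type Severity = "LOW" | "MEDIUM" | "HIGH" | "CRITICAL";

// Decisions that remove a finding from the effective risk posture.
const SUPPRESSING_STATES = new Set<AnalysisState>(["not_affected", "false_positive", "resolved"]);

interface AuditEntry {
  at: string; actor: string; from: AnalysisState; to: AnalysisState;
  justification?: Justification; comment?: string;
}

interface Finding {
  vulnId: string;             // OSV / CVE identifier
  purl: string;               // affected dependency as a package URL
  severity: Severity;
  state: AnalysisState;
  justification?: Justification;
  comment?: string;
  priorAssessments: string[]; // earlier decisions on the same dependency, surfaced for review
  audit: AuditEntry[];        // append-only history of state changes
}

function newFinding(vulnId: string, purl: string, severity: Severity): Finding {
  return { vulnId, purl, severity, state: "in_triage", priorAssessments: [], audit: [] };
}

// Records a decision. The finding is copied, never mutated, and every change
// lands in the audit trail with actor, timestamp and reasoning.
function applyTriage(f: Finding, to: AnalysisState, actor: string,
  opts: { justification?: Justification; comment?: string; at?: string } = {}): Finding {
  // An unjustified "not affected" is not traceable, so refuse it.
  if (to === "not_affected" && !opts.justification) {
    throw new Error(`${f.vulnId}: "not_affected" requires a justification`);
  }
  const entry: AuditEntry = { at: opts.at ?? new Date().toISOString(), actor, from: f.state, to,
    justification: opts.justification, comment: opts.comment };
  return { ...f, state: to, justification: opts.justification, comment: opts.comment,
    audit: [...f.audit, entry] };
}

function isSuppressed(f: Finding): boolean {
  return SUPPRESSING_STATES.has(f.state);
}

// Raw vs. effective counts: dashboards should show the latter.
function riskCounts(findings: Finding[]) {
  const effectiveBySeverity: Record<Severity, number> = { LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0 };
  let effective = 0;
  for (const f of findings) {
    if (isSuppressed(f)) continue;
    effective++;
    effectiveBySeverity[f.severity]++;
  }
  return { raw: findings.length, effective, effectiveBySeverity };
}

// Monitoring hook: a new advisory for an already-triaged dependency starts in
// "in_triage" with the earlier decisions attached, instead of inheriting them.
function onNewAdvisory(findings: Finding[], vulnId: string, purl: string, severity: Severity): Finding[] {
  const prior = findings.filter(f => f.purl === purl && f.state !== "in_triage");
  const f = newFinding(vulnId, purl, severity);
  f.priorAssessments = prior.map(p =>
    `${p.vulnId}: ${p.state}${p.justification ? ` (${p.justification})` : ""}`);
  return [...findings, f];
}

// VEX export. Only decided findings are shared; "in_triage" is not a verdict.
// Using the purl as the "affects" ref is this example's convention.
function toVex(findings: Finding[], serialNumber: string) {
  return {
    bomFormat: "CycloneDX", specVersion: "1.4", serialNumber, version: 1,
    vulnerabilities: findings.filter(f => f.state !== "in_triage").map(f => ({
      id: f.vulnId,
      analysis: { state: f.state, justification: f.justification, detail: f.comment },
      affects: [{ ref: f.purl }],
    })),
  };
}

// Walk-through on constructed data (identifiers and packages are made up).
function demo() {
  let findings: Finding[] = [
    newFinding("EXAMPLE-0001", "pkg:npm/example-lib@1.2.3", "HIGH"),
    newFinding("EXAMPLE-0002", "pkg:maven/org.example/core@2.0.0", "CRITICAL"),
  ];
  findings[0] = applyTriage(findings[0], "not_affected", "alice", {
    justification: "code_not_reachable", comment: "Vulnerable parser is never called",
    at: "2024-01-01T00:00:00Z" });
  findings = onNewAdvisory(findings, "EXAMPLE-0003", "pkg:npm/example-lib@1.2.3", "MEDIUM");
  return { findings, counts: riskCounts(findings),
    vex: toVex(findings, "urn:uuid:00000000-0000-0000-0000-000000000000") };
}
```

In the walk-through, the raw count is 3 but the effective count is 2: the "not affected" HIGH finding is suppressed, while the new MEDIUM advisory on the same package is not, because it carries the earlier decision as context rather than as its own state. Only the decided finding appears in the VEX output. Importing VEX would be the inverse mapping of toVex, and a bulk import should pass through applyTriage so that the audit trail records the import as the actor.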
Expected Tasks
- Go through the existing vulnerability detection and monitoring code
- Create detailed GitHub issues for this work
- Define an implementation timeline in the GitHub Project Roadmap
- Implement the solution and adapt your plan if necessary
- Write a brief project report (1-2 pages max)
Technologies
You should be familiar with the following programming languages:
- TypeScript
- Java
You should be familiar with the following frameworks/libraries:
- Next.js
- Spring Boot
Knowing the following concepts will be helpful:
- CVE, CVSS, OSV-Schema
- VEX (Vulnerability Exploitability eXchange)
- Dependency-Track triage workflow