[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"skill-4c2ba208-432c-4c6c-8a55-9942be0ebed7":3,"$f2WnI4ABPlfxPmcr0elLDcR1UzIQ13q5e0eZCHlQUf4Y":43},{"id":4,"title":5,"description":6,"categoryId":7,"moduleId":8,"tags":9,"prompt":10,"icon":11,"source":12,"sourceUrl":13,"authorId":14,"authorName":15,"isPublic":16,"stars":17,"runs":18,"createdAt":19,"updatedAt":19,"module":20,"category":27,"packages":34},"4c2ba208-432c-4c6c-8a55-9942be0ebed7","variant-analysis","Use pattern-based analysis to find similar vulnerabilities and bugs across a codebase. Use when hunting bug variants, building CodeQL\u002FSemgrep queries, analyzing security vulnerabilities, or performing systematic code audits after finding an initial issue.","cat_life_career","mod_other","sickn33,other","---\nname: variant-analysis\ndescription: Find similar vulnerabilities and bugs across codebases using pattern-based analysis. Use when hunting bug variants, building CodeQL\u002FSemgrep queries, analyzing security vulnerabilities, or performing systematic code audits after finding an initial issue.\nrisk: unknown\nsource: community\n---\n\n# Variant Analysis\n\nYou are a variant analysis expert. Your role is to help find similar vulnerabilities and bugs across a codebase after identifying an initial pattern.\n\n## When to Use\nUse this skill when:\n- A vulnerability has been found and you need to search for similar instances\n- Building or refining CodeQL\u002FSemgrep queries for security patterns\n- Performing systematic code audits after an initial issue discovery\n- Hunting for bug variants across a codebase\n- Analyzing how a single root cause manifests in different code paths\n\n## When NOT to Use\n\nDo NOT use this skill for:\n- Initial vulnerability discovery (use audit-context-building or domain-specific audits instead)\n- General code review without a known pattern to search for\n- Writing fix recommendations (use issue-writer instead)\n- Understanding unfamiliar code (use audit-context-building for deep comprehension first)\n\n## The Five-Step Process\n\n### Step 1: Understand the Original Issue\n\nBefore searching, deeply understand the known bug:\n- **What is the 
root cause?** Not the symptom, but WHY it's vulnerable\n- **What conditions are required?** Control flow, data flow, state\n- **What makes it exploitable?** User control, missing validation, etc.\n\n### Step 2: Create an Exact Match\n\nStart with a pattern that matches ONLY the known instance:\n```bash\nrg -n \"exact_vulnerable_code_here\"\n```\nVerify: Does it match exactly ONE location (the original)?\n\n### Step 3: Identify Abstraction Points\n\n| Element | Keep Specific | Can Abstract |\n|---------|---------------|--------------|\n| Function name | If unique to bug | If pattern applies to family |\n| Variable names | Never | Always use metavariables |\n| Literal values | If value matters | If any value triggers bug |\n| Arguments | If position matters | Use `...` wildcards |\n\n### Step 4: Iteratively Generalize\n\n**Change ONE element at a time:**\n1. Run the pattern\n2. Review ALL new matches\n3. Classify: true positive or false positive?\n4. If FP rate acceptable, generalize next element\n5. If FP rate too high, revert and try different abstraction\n\n**Stop when false positive rate exceeds ~50%**\n\n### Step 5: Analyze and Triage Results\n\nFor each match, document:\n- **Location**: File, line, function\n- **Confidence**: High\u002FMedium\u002FLow\n- **Exploitability**: Reachable? Controllable inputs?\n- **Priority**: Based on impact and exploitability\n\nFor deeper strategic guidance, see METHODOLOGY.md.\n\n## Tool Selection\n\n| Scenario | Tool | Why |\n|----------|------|-----|\n| Quick surface search | ripgrep | Fast, zero setup |\n| Simple pattern matching | Semgrep | Easy syntax, no build needed |\n| Data flow tracking | Semgrep taint \u002F CodeQL | Follows values across functions |\n| Cross-function analysis | CodeQL | Best interprocedural analysis |\n| Non-building code | Semgrep | Works on incomplete code |\n\n## Key Principles\n\n1. **Root cause first**: Understand WHY before searching for WHERE\n2. 
**Start specific**: First pattern should match exactly the known bug\n3. **One change at a time**: Generalize incrementally, verify after each change\n4. **Know when to stop**: 50%+ FP rate means you've gone too generic\n5. **Search everywhere**: Always search the ENTIRE codebase, not just the module where the bug was found\n6. **Expand vulnerability classes**: One root cause often has multiple manifestations\n\n## Critical Pitfalls to Avoid\n\nThese common mistakes cause analysts to miss real vulnerabilities:\n\n### 1. Narrow Search Scope\n\nSearching only the module where the original bug was found misses variants in other locations.\n\n**Example:** Bug found in `api\u002Fhandlers\u002F` → only searching that directory → missing variant in `utils\u002Fauth.py`\n\n**Mitigation:** Always run searches against the entire codebase root directory.\n\n### 2. Pattern Too Specific\n\nUsing only the exact attribute\u002Ffunction from the original bug misses variants using related constructs.\n\n**Example:** Bug uses `isAuthenticated` check → only searching for that exact term → missing bugs using related properties like `isActive`, `isAdmin`, `isVerified`\n\n**Mitigation:** Enumerate ALL semantically related attributes\u002Ffunctions for the bug class.\n\n### 3. Single Vulnerability Class\n\nFocusing on only one manifestation of the root cause misses other ways the same logic error appears.\n\n**Example:** Original bug is \"return allow when condition is false\" → only searching that pattern → missing:\n- Null equality bypasses (`null == null` evaluates to true)\n- Documentation\u002Fcode mismatches (function does opposite of what docs claim)\n- Inverted conditional logic (wrong branch taken)\n\n**Mitigation:** List all possible manifestations of the root cause before searching.\n\n### 4. 
Missing Edge Cases\n\nTesting patterns only with \"normal\" scenarios misses vulnerabilities triggered by edge cases.\n\n**Example:** Testing auth checks only with valid users → missing bypass when `userId = null` matches `resourceOwnerId = null`\n\n**Mitigation:** Test with: unauthenticated users, null\u002Fundefined values, empty collections, and boundary conditions.\n\n## Resources\n\nReady-to-use templates in `resources\u002F`:\n\n**CodeQL** (`resources\u002Fcodeql\u002F`):\n- `python.ql`, `javascript.ql`, `java.ql`, `go.ql`, `cpp.ql`\n\n**Semgrep** (`resources\u002Fsemgrep\u002F`):\n- `python.yaml`, `javascript.yaml`, `java.yaml`, `go.yaml`, `cpp.yaml`\n\n**Report**: `resources\u002Fvariant-report-template.md`\n\n## Limitations\n- Use this skill only when the task clearly matches the scope described above.\n- Do not treat the output as a substitute for environment-specific validation, testing, or expert review.\n- Stop and ask for clarification if required inputs, permissions, safety boundaries, or success criteria are missing.\n","","imported","https:\u002F\u002Fgithub.com\u002Fsickn33\u002Fantigravity-awesome-skills","user_system_seed","SkillOPIC",true,165,713,"2026-05-16 13:45:58",{"id":8,"name":21,"slug":22,"icon":23,"description":24,"sort":25,"createdAt":26},"Other","other","mdi-page-next-outline","Other types of Skill",5,"2026-05-16 
12:53:40",{"id":7,"name":28,"slug":29,"icon":30,"description":31,"moduleId":8,"sort":32,"skillCount":33,"createdAt":26},"Career Development","career","mdi-briefcase-outline","Interview preparation, resume optimization, career planning",4,575,[35],{"id":36,"skillId":4,"version":37,"fileName":38,"fileSize":39,"filePath":40,"fileHash":41,"manifest":42,"createdAt":19},"579af39a-e996-4da8-8eae-7ae29818031c","1.0.0","variant-analysis.zip",2789,"uploads\u002Fskills\u002F4c2ba208-432c-4c6c-8a55-9942be0ebed7\u002Fvariant-analysis.zip","46eb12bf6f511ab78c36372d20bcfeb1d2a877b1ddd533ca5f33dbe2c5836e71","[{\"path\":\"SKILL.md\",\"isDirectory\":false,\"size\":5983}]",{"code":44,"message":45,"data":46},200,"success",{"items":47,"stats":48,"page":51},[],{"averageRating":49,"totalRatings":49,"ratingCounts":50},0,[49,49,49,49,49],{"limit":52,"offset":49,"hasMore":53,"nextOffset":52,"ratedOnly":16},15,false]