
https://github.com/alexdevassy/AI-Powered-Vulnerability-Impact-Analyzer

Vulnerability impact analyzer that reduces false positives in SCA tools by performing intelligent code analysis. Uses agentic AI with open source models to understand CVEs and verify actual vulnerability impact in your codebase. Keeps your code secure with on-premises execution and human-in-the-loop verification.

# AI-Powered Vulnerability Impact Analyzer

> Where AI meets security to tell you if you *really* need to panic about that CVE

## Introduction
Traditional Software Composition Analysis (SCA) tools often generate excessive false positives because they rely solely on the Software Bill of Materials (SBOM): a dependency at a vulnerable version is flagged whether or not the vulnerable code is ever reached. This tool adds an impact-analysis step on top of the SCA process for each reported vulnerability.

Using agentic AI powered by the open-source Mistral model (run locally through Ollama), it:
- Analyzes the CVE/GHSA description of a vulnerable package to pinpoint the components (for example the affected functions or classes) that carry the vulnerability
- Keeps a human in the loop to verify the AI's output and retain control of the process
- Searches your codebase for those components
- Performs deep code analysis to verify the actual vulnerability impact
- Reduces false positives by understanding context
- Keeps your source code on-premises: the model runs locally, so no code leaves your environment (only the advisory lookup goes to the GitHub API)

### How It Works
The tool implements a multi-agent AI pipeline in which specialized agents and tools hand off to each other:
1. `GithubAdvisoryTool`: fetches the advisory for the given GHSA ID from GitHub and parses the CVE information
2. `SecurityAnalystAgent`: uses Mistral to identify the vulnerable components from the CVE description
3. `ComponentSearcherTool`: scans the codebase for the identified components
4. `CodeReviewerAgent`: analyzes the code around each hit for actual vulnerability impact
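The following is an added example, not the project's own code, that sketches the same four stages offline and deterministically: parse an advisory, pick the components it names, find call sites in a codebase, and decide whether the vulnerability is reachable. The LLM step is replaced by a keyword heuristic so the result is testable, the version gate that the tool leaves to the SCA layer is shown explicitly, and the advisory, the codebase and the package `examplepkg` are constructed fixtures (the GHSA ID is a placeholder, not a real advisory).

```python
"""Added example, not the project's code: an offline, deterministic sketch of
the four-stage pipeline in the README. The LLM step is replaced by a keyword
heuristic; the advisory, the codebase and `examplepkg` are constructed fixtures."""
import ast
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed advisory, roughly the shape of GET /advisories/{ghsa_id}.
SAMPLE_ADVISORY = {
    "ghsa_id": "GHSA-0000-0000-0000",  # placeholder, not a real advisory
    "description": (
        "examplepkg before 2.1.0 allows remote code execution when "
        "`examplepkg.loader.load_untrusted()` is called on attacker "
        "controlled input. The `safe_load` function is not affected."
    ),
    "vulnerabilities": [{"package": {"ecosystem": "pip", "name": "examplepkg"},
                         "vulnerable_version_range": "< 2.1.0"}],
}

# Constructed codebase: ingest.py reaches the vulnerable symbol through an
# import alias; config.py only calls the unaffected function.
SAMPLE_CODEBASE = {
    "app/ingest.py": "from examplepkg.loader import load_untrusted as lu\n"
                     "\ndef ingest(blob):\n    return lu(blob)\n",
    "app/config.py": "import examplepkg\n"
                     "\ndef read(path):\n    return examplepkg.loader.safe_load(open(path))\n",
}


@dataclass
class Finding:
    path: str
    line: int
    symbol: str
    snippet: str


@dataclass
class Verdict:
    reachable: bool
    reason: str
    findings: List[Finding] = field(default_factory=list)


def extract_components(description: str) -> List[str]:
    """Stand-in for SecurityAnalystAgent: keep backtick-quoted names, but drop
    those that appear in a sentence the advisory marks as 'not affected'."""
    names = re.findall(r"`([A-Za-z_][\w.]*)(?:\(\))?`", description)
    keep = set()
    for sentence in re.split(r"(?<=[.!?])\s+", description):
        if "not affected" not in sentence.lower():
            keep.update(n for n in names if f"`{n}" in sentence)
    return sorted(keep)


def version_in_range(installed: str, vuln_range: str) -> bool:
    """Cheap gate before any AI runs: is the installed version inside the
    advisory's range (e.g. '>= 1.0.0, < 2.1.0')? Dotted-integer versions only."""
    ops = {"<": lambda a, b: a < b, "<=": lambda a, b: a <= b, "=": lambda a, b: a == b,
           ">": lambda a, b: a > b, ">=": lambda a, b: a >= b}

    def as_tuple(v: str):
        return tuple(int(p) for p in re.findall(r"\d+", v))

    for clause in vuln_range.split(","):
        m = re.fullmatch(r"\s*(<=|>=|<|>|=)\s*([\w.]+)\s*", clause)
        if not m:
            raise ValueError(f"unparsable range clause: {clause!r}")
        if not ops[m.group(1)](as_tuple(installed), as_tuple(m.group(2))):
            return False
    return True


def _qualname(expr: ast.expr, aliases: Dict[str, str]) -> Optional[str]:
    """Resolve `lu(...)` or `pkg.mod.func(...)` to a fully qualified dotted name."""
    parts = []
    while isinstance(expr, ast.Attribute):
        parts.append(expr.attr)
        expr = expr.value
    if not isinstance(expr, ast.Name):
        return None
    return ".".join([aliases.get(expr.id, expr.id)] + parts[::-1])


def search_components(codebase: Dict[str, str], components: List[str]) -> List[Finding]:
    """Stand-in for ComponentSearcherTool: AST-based, so aliased imports are
    found where a plain grep for the symbol name would miss them."""
    findings = []
    for path, src in codebase.items():
        tree = ast.parse(src)
        aliases = {}  # local name -> fully qualified name
        for node in ast.walk(tree):
            if isinstance(node, ast.Import):
                aliases.update({a.asname or a.name: a.name for a in node.names})
            elif isinstance(node, ast.ImportFrom) and node.module:
                aliases.update({a.asname or a.name: f"{node.module}.{a.name}" for a in node.names})
        for node in ast.walk(tree):
            if isinstance(node, ast.Call) and _qualname(node.func, aliases) in components:
                findings.append(Finding(path, node.lineno, _qualname(node.func, aliases),
                                        src.splitlines()[node.lineno - 1].strip()))
    return findings


def analyze(advisory: dict, installed: Dict[str, str], codebase: Dict[str, str]) -> Verdict:
    """Orchestrator: version gate, then component search. Reviewing the call
    sites (the CodeReviewerAgent and human-in-the-loop step) is left to the reader."""
    vuln = advisory["vulnerabilities"][0]
    pkg, rng = vuln["package"]["name"], vuln["vulnerable_version_range"]
    if pkg not in installed:
        return Verdict(False, f"{pkg} is not a dependency")
    if not version_in_range(installed[pkg], rng):
        return Verdict(False, f"{pkg} {installed[pkg]} is outside {rng}")
    components = extract_components(advisory["description"])
    if not components:  # nothing to narrow on: the whole package must be treated as affected
        return Verdict(True, "advisory names no component; whole package affected")
    findings = search_components(codebase, components)
    if not findings:
        return Verdict(False, f"vulnerable {pkg} {installed[pkg]} present but {components} never called")
    return Verdict(True, f"{len(findings)} call site(s) reach {components}", findings)


if __name__ == "__main__":
    for version in ("2.0.5", "2.1.0"):
        v = analyze(SAMPLE_ADVISORY, {"examplepkg": version}, SAMPLE_CODEBASE)
        print(version, "->", "REACHABLE" if v.reachable else "not reachable", "|", v.reason)
        for f in v.findings:
            print(f"  {f.path}:{f.line}: {f.snippet}")
```

Two design points carry over to the real tool: the version gate runs before any model call, because an out-of-range dependency needs no analysis at all, and the component search resolves import aliases through the AST rather than grepping for the symbol name, which is exactly the kind of miss that turns a true positive into a false negative.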

### Architecture

![Alt text](images/arch_diagram.png?raw=true "architecture_diagram")

### Prerequisites
- Python 3.12.3
- A GitHub API token (used to fetch advisories)
- A GPU with CUDA installed
- Ollama installed and running locally with the Mistral 7B model:

```bash
ollama pull mistral
```

### Installation & Setup
1. Clone the repository
2. Create a `.env` file in the project root (keep it out of version control, since it holds your token):

```
GITHUB_TOKEN=your_github_token_here
```
3. Make sure Ollama is running with the Mistral model (see Prerequisites)
4. Install the required packages:
```bash
pip install -r requirements.txt
```

### Usage

Run the tool; it takes a GitHub Advisory ID (GHSA ID) and the path to the codebase to analyze as input:
```bash
python3 cve_analyzer.py
```
### Demo

The demo shows vulnerabilities (by GHSA ID) taken from an SBOM / GitHub Dependabot alerts being analyzed by the tool and their real impact assessed. The code repository used in the demo for analysis and SBOM generation is [Dolos AI CTF Challenge](https://github.com/alexdevassy/Machine_Learning_CTF_Challenges/tree/master/Dolos_ML_CTF_Challenge).

![Alt text](images/cve_analyzer.gif?raw=true "demo")

### Limitations
- Currently tested only on Python codebases
- Component identification is LLM-driven, so a component the model fails to extract from the description is never searched for; the human-in-the-loop check exists to catch this
- No vector DB yet; one is planned for storing and retrieving codebase and CVE information
- Only the CVE description is used for now; future versions will draw on more sources of information such as public exploit PoCs for the CVE

### Contributing
Contributions are welcome! Please feel free to submit a Pull Request.