Evaluation#122
Merged
ashsong-nv merged 105 commits intoNov 3, 2025
Merged
Conversation
added 5 commits
September 3, 2025 15:15
…m input parsing for readability (see readme)
a0b5f88 to
a3a117f
Compare
…tition evaluation: response spread and consistency. based on VAPR logic
…dme updated to reflect this. All eval functions are in a new eval directory. Custom evaluator registrations are moved to a new eval_registry.py file.
ashsong-nv
reviewed
Sep 10, 2025
ashsong-nv
left a comment
Collaborator
There was a problem hiding this comment.
Nice work! Adding some initial feedback. Let's sync on custom dataset format.
hsin-c
approved these changes
Nov 3, 2025
Co-authored-by: Ashley Song <165685692+ashsong-nv@users.noreply.github.com>
Co-authored-by: Ashley Song <165685692+ashsong-nv@users.noreply.github.com>
Co-authored-by: Ashley Song <165685692+ashsong-nv@users.noreply.github.com>
Co-authored-by: Ashley Song <165685692+ashsong-nv@users.noreply.github.com>
Co-authored-by: Ashley Song <165685692+ashsong-nv@users.noreply.github.com>
Co-authored-by: Ashley Song <165685692+ashsong-nv@users.noreply.github.com>
Co-authored-by: Ashley Song <165685692+ashsong-nv@users.noreply.github.com>
Co-authored-by: Ashley Song <165685692+ashsong-nv@users.noreply.github.com>
Co-authored-by: Ashley Song <165685692+ashsong-nv@users.noreply.github.com>
Co-authored-by: Ashley Song <165685692+ashsong-nv@users.noreply.github.com>
Co-authored-by: Ashley Song <165685692+ashsong-nv@users.noreply.github.com>
Co-authored-by: Ashley Song <165685692+ashsong-nv@users.noreply.github.com>
Co-authored-by: Ashley Song <165685692+ashsong-nv@users.noreply.github.com>
Co-authored-by: Ashley Song <165685692+ashsong-nv@users.noreply.github.com>
Co-authored-by: Ashley Song <165685692+ashsong-nv@users.noreply.github.com>
Co-authored-by: Ashley Song <165685692+ashsong-nv@users.noreply.github.com>
Co-authored-by: Ashley Song <165685692+ashsong-nv@users.noreply.github.com>
Co-authored-by: Ashley Song <165685692+ashsong-nv@users.noreply.github.com>
Co-authored-by: Ashley Song <165685692+ashsong-nv@users.noreply.github.com>
Co-authored-by: Ashley Song <165685692+ashsong-nv@users.noreply.github.com>
efajardo-nv
added a commit
that referenced
this pull request
Dec 2, 2025
* Update to aiqtoolkit 1.2 pre-release for async endpoint (#106) * Update to aiqtoolkit 1.2 pre-release for async endpoint * Update uv sync in Dockerfile * Add info about async endpoint to readme * Fix port number in example job status curl command * Update workflow to allow disabling the vulnerability dependency checker (#109) * Add max_retries option to cve_fetch_intel (#113) * Add request_timeout option to cve_fetch_intel (#114) Co-authored-by: Ashley Song <165685692+ashsong-nv@users.noreply.github.com> * Add `intel_source_timeout` config to `cve_fetch_intel` function (#118) * Update nat dependency to rc8 and up (#120) * migrating to nat 1.2.0 (#121) * Update completed items on roadmap (#129) * added automatic retries to configs (#119) * Add `missing_source_action` configuration and handling (#126) * Update `missing_source_action` option for backwards compatibility (#132) * Update to latest nvidia-nat 1.3 (#131) * Update ubuntu intel source data model to match new API schema Update data model to match new ubuntu API schema to fix validation error -- changed exploitabilityscore and impactScore fields to Optional * nvidia api key readme update (#135) Co-authored-by: Ashley Song <165685692+ashsong-nv@users.noreply.github.com> * Update nvidia-nat version specifier (#141) * Update nvidia-nat version specifier * Disable prerelease install in Dockerfile * Document LLM retry options in README (#140) Co-authored-by: Ashley Song <165685692+ashsong-nv@users.noreply.github.com> Co-authored-by: Katherine Huang <katherineh@nvidia.com> * Add NAT 1.3 async endpoints support (#143) * Install nvidia-nat[async_endpoints] * Fix async endpoint call * Majority Voting via Test Time Compute (#139) Co-authored-by: Ashley Song <165685692+ashsong-nv@users.noreply.github.com> * Evaluation (#122) Co-authored-by: Katherine Huang <katherineh@katherineh-mlt.client.nvidia.com> Co-authored-by: hsin-c <109615347+hsin-c@users.noreply.github.com> Co-authored-by: Ashley Song <165685692+ashsong-nv@users.noreply.github.com> * Emphasize troubleshooting section of the README (#146) * Mac readme update (#145) * Update default timeout and retries for intel fetching (#147) * Remove broken image link from readme (#150) * Add `max concurrency` config option to checklist, summarize and justify (#148) * Added a 'max_concurrency' parameter to the ttc workflow to try and avoid 429's when running the pipeline multiple times. (#151) * Update to NAT 1.3.1 (#149) * Update to NAT 1.3.1 * Update README with info about async cli flags * Global `llm_max_rate` for cve_agent workflow (#152) Co-authored-by: Ashley Song <165685692+ashsong-nv@users.noreply.github.com> * Enable default_llm configuration (#156) * README updates (#154) * Improvements to NAT error truncation, auth error logging, and API error logging (#155) * Clarify custom evaluators in README (#153) * Improvements to README and TTC logging (#158) * feat: make 1_Deploy_CVE.ipynb auto executable (#144) Co-authored-by: Ashley Song <165685692+ashsong-nv@users.noreply.github.com> * Update dependencies for security compliance (#159) * Update vuln_analysis version for docker build and compose (#160) * Fix syft install command in sboms readme (#164) * Fix syft install command in sboms readme * Update sboms readme to use recommended syft install command * Update README mac support and workarounds sections (#165) * Improve TTC output documentation (#166) * Update functions to log exceptions (#168) * Update functions to log exception name * Update to also include error message * Remove test code --------- Co-authored-by: Ashley Song <165685692+ashsong-nv@users.noreply.github.com> Co-authored-by: shawn-davis <12801620+shawn-davis@users.noreply.github.com> Co-authored-by: Katherine Huang <katherineh@nvidia.com> Co-authored-by: Katherine Huang <katherineh@katherineh-mlt.client.nvidia.com> Co-authored-by: hsin-c <109615347+hsin-c@users.noreply.github.com> Co-authored-by: ryanzhang1230 <ryanzh@nvidia.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Updated Config files:
src/vuln_analysis/configs/config-eval.yml: separate eval-specific config that shows theaccuracyandconsistencycustom evaluators. Additionally, amax_concurrencyparameter was added to the cve_checklist, cve_summarize, and cve_justify pipeline stages to help avoid429 Too Many Requesterrors when running eval with a large test set, or with multiple repetitions (the modified code can be found incve_checklist.py,cve_justify.py, andcve_summarize.pyin in src/vuln_analysis/functions).src/vuln_analysis/configs/config-tracing.ymlandsrc/vuln_analysis/configs/config.yml: Renamed the profiler dataset fromeval_dataset.jsontoprofiler_dataset.jsonto not be misleading with the newly added evaluation workflow.Eval example test sets to show eval input format:
src/vuln_analysis/data/eval_datasets/common-test-set.json: shows how multiple containers can be in one test set json (as long as both containers test the same set of CVEs. Note that ground truth for the morpheus-24.03 container is dummy data.src/vuln_analysis/data/eval_datasets/morpheus-23.11-test-set.json: morpheus 23.11 specific test set -- ground truth is based on our hand-labeled datasetsrc/vuln_analysis/data/eval_datasets/morpheus-24.03-test-set.json: morpheus 24.03 specific test set -- ground truth is dummy data.Functions to handle eval input:
src/vuln_analysis/data_models/eval_input.py: data model for eval input. Borrows from the preexisting image input data model to validate container metadata. Then it also verifies that for all containers listed in a test set json, the containers share the same CVE test set.src/vuln_analysis/eval/parse_eval_input.py: parse the custom eval input json so that it is digestible by NAT's eval harness (aka transform the human readable json into an EvalInputItem format). NAT is told to use this parsing script via the config option eval.general.dataset.functionCustom evaluators:
src/vuln_analysis/eval/evaluators/accuracy.py: configurable accuracy evaluator. Config options:field: run accuracy on label or status fieldmultiple_reps: True/False. If True, change the eval output file to output multiple metrics used to construct a box and whiskers plot that captures the distribution of runs instead of a single average.src/vuln_analysis/eval/visualizations/box_and_whisker_plot.pyis a script to consume this output (not part of the main nat eval run).src/vuln_analysis/eval/visualizations/example_plot.pngshows an example of the output of this script using dummy data.conflict_policy: Defines how to handle CVEs in the eval test set that have duplicate/conflicting ground truth labels. Options includelenient,keep_first, andstrict.lenientmeans if CVE agent picks any of the duplicate answers in the test set, mark as accurate.keep_firstmeans use the first CVE ground truth encountered in the test set as the truth for that CVE.strictmeans drop all CVEs that have conflicting labels (makes the test set smaller).src/vuln_analysis/eval/evaluators/consistency.py: configurable evaluator for measuring consistency of answers per-CVE across multiple repetitions. Config options:field: run consistency on label or status fieldsrc/vuln_analysis/register.py: added registration imports for the two custom evaluators.Misc:
src/vuln_analysis/utils/checklist_prompt_generator.py: When I was testing eval runs, I was running into parsing errors that crashed the pipeline. Making the parsing of the generated checklist more robust fixed these errors.WIP:
response_similarityevaluator (Shawn's VAPR response spread metric for the summary field)