Skip to content

Update blueprint to version 3#174

Open
shawn-davis wants to merge 68 commits into
developfrom
aiq_integration
Open

Update blueprint to version 3#174
shawn-davis wants to merge 68 commits into
developfrom
aiq_integration

Conversation

@shawn-davis

Copy link
Copy Markdown
Collaborator

Summary

This PR brings the aiq_integration branch into upstream/main and updates the project around the current NAT-based vulnerability-analysis workflow.

Key changes include:

  • Migrates the pipeline to the cve_pipeline NAT workflow with structured PipelineInput / PipelineResult models.
  • Adds multi-CVE request support, staged orchestration, per-agent caching, concurrency controls, and rate-limit configuration.
  • Integrates the AIQ CVE researcher submodule and wires it into the CVE research flow.
  • Adds automatic container filesystem extraction via crane, including caching and a standalone extraction helper.
  • Replaces older SBOM/VDB-style components with agent implementations for CVE research, container analysis, exploitability analysis, and VEX categorization.
  • Adds deterministic pre-triage, report parsing/generation helpers, filesystem/package/binary tools, and relaxed VEX categorization support.
  • Updates Docker Compose deployment under deploy/, refreshes deployment notebooks, and adds containerized quick-start guidance.
  • Refreshes README installation/setup docs, adds .env.example, documents submodule initialization, crane setup, API key checks, and common troubleshooting.
  • Updates evaluation tooling and datasets, including the Morpheus benchmark and PB eval sampling helper with a configurable data root.
  • Clears notebook outputs and removes host-specific paths from committed notebook output.

Validation

Performed during this branch cleanup:

  • git diff --check
  • python3 -m py_compile src/vuln_analysis/eval/sample_pb_eval.py
  • Verified deploy notebooks parse as JSON after output cleanup.
  • Verified no /raid/... or /cyberpub/sdavis/vulnerability-analysis/... paths remain.

Notes

This is a large integration PR. Review is probably easiest by area: pipeline/data models, agent implementations, container extraction, deployment/docs, and eval tooling.

After checkout, run:

git submodule update --init --recursive

Local automatic image extraction also requires crane on PATH.

tzemicheal and others added 30 commits January 28, 2025 14:08
* Add first GitHub Actions workflow to test Deploy notebook (#169)

* feat: Add first GitHub Actions workflow

* Add pull request trigger

* fix: update from review commnets

---------

Co-authored-by: Eli Fajardo <efajardo@nvidia.com>

* Implement email notification for workflow results (#171)

Added email notification step to workflow with results.

* Add dask config options to config.yml

* Concurrency improvements

* Update to NAT 1.4 prerelease with async endpoint fix

* Update to nvidia-nat 1.4.0

* Update to import to use langchain_classic after NAT upgrade to langchain 1.2.8

* Remove note in README about server log visibility issue for async endpoint since it was fixed in NAT 1.4.

* Add explicit dependencies for langchain-classic and filelock

* Update the file locking cleanup code to use a non-blocking acquire to avoid the race condition

* Guard fetch/checkout when no origin remote exists

* Remove commented line from workspace file

* Add bokeh dependency for dask dashboard

* Add dask dashboard port mapping to docker compose

* Add .dockerignore

* Mention Dask dashboard in readme

---------

Co-authored-by: ryanzhang1230 <ryanzh@nvidia.com>
Made-with: Cursor
**Problem 1: Go binaries not scanned in containers (Dockerfile + package_tools.py)**

`find_go_binaries` relies on `strings` (from binutils) to detect Go binaries
and extract embedded module tables. `binutils` was not installed in the Docker
image, so the tool silently failed — any CVE affecting a Go module compiled
into a container binary (e.g., golang-jwt in etcd) was invisible to the agent.

Changes:
- Add `binutils` to the `apt-get install` block in the Dockerfile so `strings`
  and `readelf` are available at runtime.
- Add `_extract_go_modules_via_strings()` fallback in `package_tools.py`: when
  `go version -m` is unavailable or times out, parse the embedded Go buildinfo
  block directly from the binary using `strings -n 10`. Go statically compiles
  a module table with `dep\t<module>\t<version>` lines that are readable as
  plain ASCII without the Go toolchain.
- Raise `MAX_FILES` in `find_go_binaries` from 5,000 to 100,000 to handle
  large container filesystems (e.g., deepseek-r1 has ~80k files).

**Problem 2: VEX categorizer incorrectly assigning requires_configuration (vex_categorizer.py)**

When the exploitability analyzer returns CONDITIONALLY EXPLOITABLE with a
default-off feature flag as the only barrier, the VEX categorizer was assigning
`requires_configuration` even when: (a) the flag is a documented, user-facing
product feature, and (b) the CVE advisory explicitly marks the installed version
as affected.

Root cause: VEX Step 4 in the decision flowchart directed the agent straight to
`requires_configuration` for any default-off toggle. The override rule
("if the advisory considers the version affected, use `vulnerable`") existed in
the guidance section below but was consistently skipped.

Fix: Surface the override check inline at VEX Step 4 — the exact point where
the agent makes the call — so it cannot be bypassed. No new logic was added;
this duplicates an existing rule at the decision point for visibility.

Validated against CVE-2025-62164 / llm-nim_1.15.2: previously returned
`not_affected / requires_configuration`, now correctly returns
`affected / vulnerable`.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Separate Go binary walk limit from extraction limit (MAX_FILES → MAX_FILES_TO_WALK + MAX_GO_BINARIES)

See merge request morpheus/agent-morpheus/vulnerability-analysis!3
Docker Compose and README updates

See merge request morpheus/agent-morpheus/vulnerability-analysis!4
Concurrency improvements and remove deprecation warnings

See merge request morpheus/agent-morpheus/vulnerability-analysis!6
Update installation instructions in readme

See merge request morpheus/agent-morpheus/vulnerability-analysis!8
Update the morpheus labels to match what we think is the golden answer for the agent

See merge request morpheus/agent-morpheus/vulnerability-analysis!9
Add RH python eval dataset

See merge request morpheus/agent-morpheus/vulnerability-analysis!10
…tries overwrite it if desired. This primarily helps with allowing eval runs to specify the output_dir.
Co-authored-by: Greptile <service_account_group_7407_c52410dfdb7b9ece68d605d180dd8d6a@noreply.gitlab-master.nvidia.com>
…oes-not-work' into 'cve-agent-v3'

Made output_dir default come from the workflow while letting input entries...

Closes #6

See merge request morpheus/agent-morpheus/vulnerability-analysis!11
shawn-davis and others added 22 commits June 1, 2026 10:22
Move the CVE researcher user message builder into the AIQ researcher module
and expand the report template with affected version ranges, package coverage,
exploit intelligence, remediation guidance, and source selection notes.
# Conflicts:
#	README.md
#	quick_start/quick_start_guide.ipynb
Upgrade NeMo Agent Toolkit (NAT) from 1.5 to 1.7

See merge request morpheus/agent-morpheus/vulnerability-analysis!15
Update the deploy and customization notebooks to match the README-backed
cve_pipeline flow. Cover uv setup, Docker Compose, nat run/serve, sync and
async HTTP endpoints, PipelineInput examples, automatic rootfs extraction,
cache controls, config overrides, individual agents, and benchmarking.

Remove stale SBOM/source_info/input_messages guidance and old API references.
Point the aiq submodule at the fork with the dedicated CVE researcher and update the parent bridge to call the stateful AIQ agent.

Add CVE/GHSA prompt parsing for package and version hints, wire CVE report evaluation config, and register the report judge utilities.
# Conflicts:
#	pyproject.toml
#	src/vuln_analysis/eval/evaluators/accuracy.py
#	src/vuln_analysis/register.py
Drop the legacy cve_deepresearcher function/config and stop registering it.
Restore the main CVE researcher workflow type, simplify its input model to
explicit identifiers and hints, and stop forwarding prompt state to AIQ.

Point the AIQ submodule at develop and refresh the root uv lockfile.
Remove the legacy cve_aiq_researcher alias and generic prompt-driven CVE researcher. Register the AIQ-backed adapter as cve_researcher and update CVE researcher configs to use its runtime options.
Reorganize deploy tooling, slim Docker image, fix verify_ssl regression

See merge request morpheus/agent-morpheus/vulnerability-analysis!20
# Conflicts:
#	deploy/1_Deploy_CVE.ipynb
#	deploy/2_Customize_CVE.ipynb
# Conflicts:
#	quick_start/quick_start_guide.ipynb
@shawn-davis shawn-davis self-assigned this Jun 17, 2026
Update the quick-start notebook to use the canonical vulns/image_name/image_tag input shape, point setup checks at the shipped pipeline_input.json example, and adjust result parsing for the current PipelineResult structure.
@shawn-davis shawn-davis changed the base branch from main to develop July 7, 2026 21:00
Add a first-party vuln_analysis.plugins.cve_researcher plugin with the
agent, prompts, state models, NAT registration, and compatibility exports
from the previous AIQ bridge.

Handle AIQ runtime API drift and NAT 1.7 annotation resolution so the
cve_researcher function registers cleanly, then cover the plugin with
focused registration and model tests.

Update the aiq submodule to track NVIDIA-AI-Blueprints/aiq and refresh the
pinned revision.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

5 participants