
Vulnerability impact analyzer that reduces false positives in SCA tools by performing intelligent code analysis. Uses agentic AI with open source models to understand CVEs and verify actual vulnerabil...

AI-Powered Vulnerability Impact Analyzer 🔍

🤖 Where AI meets Security to tell you if you really need to panic about that CVE

🌟 Introduction

Traditional Software Composition Analysis (SCA) tools generate many false positives because they rely solely on the Software Bill of Materials (SBOM): a dependency at a vulnerable version is reported whether or not the application ever reaches the affected code. This tool supercharges the SCA process by performing intelligent impact analysis on each reported vulnerability.

Using agentic AI powered by the open-source Mistral model, it:

  • 📚 Analyzes the CVE description of the vulnerable package to pinpoint the components (e.g. the affected functions or classes) that introduce the vulnerability
  • 👮 Keeps a human in the loop to ensure accuracy and control
  • 🔍 Searches your codebase for those components
  • 🎯 Performs deep code analysis to verify whether the vulnerability actually affects your code
  • 💡 Reduces false positives by understanding context
  • 🔒 Keeps your code private with a fully on-premises AI solution: no data leaves your premises

🧠 How It Works

The tool implements a multi-agent AI system in which specialized agents and tools work together:

  1. GithubAdvisoryTool: Fetches and parses the advisory (CVE information) for the given GHSA ID
  2. SecurityAnalystAgent: Uses Mistral to identify the vulnerable components from the CVE description
  3. ComponentSearcherTool: Scans the codebase for the identified components
  4. CodeReviewerAgent: Analyzes the matching code for actual vulnerability impact
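The pipeline above as an added example in Python (the language the tool is written in); this is illustrative code, not the project's own. It shows the four roles as plain functions: fetching the advisory from GitHub's global advisories endpoint (`GET /advisories/{ghsa_id}`), asking a local Ollama server for the affected symbols and parsing its reply defensively, searching a codebase for imports and call sites with the `ast` module rather than a text grep, and combining a version-range check with the search result into a verdict. The version check goes slightly beyond the single-clause sample and handles multi-clause ranges such as `>= 1.0, < 1.4.0`. Everything named here is an assumption for illustration: `SAMPLE_ADVISORY` is a constructed advisory for a hypothetical package `demo-lib`, `ask_mistral` targets Ollama's `/api/generate` endpoint, the function names do not come from the repository, and `demo()` swaps in a canned model reply so the example runs offline.

```python
# Added example, not the project's code. Assumptions: SAMPLE_ADVISORY is a constructed
# sample shaped like GitHub's GET /advisories/{ghsa_id} response, "demo-lib" is a
# hypothetical package, and the model step is a pluggable callable so demo() runs offline.
import ast
import json
import re
import tempfile
import urllib.request
from pathlib import Path

ADVISORY_URL = "https://api.github.com/advisories/{}"  # GitHub global advisories API
OLLAMA_URL = "http://localhost:11434/api/generate"     # Ollama generate endpoint

SAMPLE_ADVISORY = {  # constructed; not a real GHSA
    "ghsa_id": "GHSA-xxxx-xxxx-xxxx",
    "description": "demo_lib.config.load_config(path) passes the file contents to "
                   "yaml.load() without a safe Loader, allowing arbitrary code execution.",
    "vulnerabilities": [{"package": {"ecosystem": "pip", "name": "demo-lib"},
                         "vulnerable_version_range": "< 1.4.0",
                         "first_patched_version": "1.4.0"}],
}

def fetch_advisory(ghsa_id: str, token: str) -> dict:
    """Stage 1 (GithubAdvisoryTool role): fetch the advisory JSON from GitHub."""
    req = urllib.request.Request(ADVISORY_URL.format(ghsa_id), headers={
        "Authorization": f"Bearer {token}", "Accept": "application/vnd.github+json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def ask_mistral(prompt: str) -> str:
    """One non-streaming completion from the local Ollama server (nothing leaves the host)."""
    body = json.dumps({"model": "mistral", "prompt": prompt, "stream": False}).encode()
    req = urllib.request.Request(OLLAMA_URL, data=body, headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=300) as resp:
        return json.load(resp)["response"]

def identify_components(advisory: dict, ask=ask_mistral) -> list[str]:
    """Stage 2 (SecurityAnalystAgent role): ask which symbols an application must use to be
    affected; parse only the first JSON list of a chatty reply and keep only dotted identifiers."""
    prompt = ("From this advisory, list the functions or classes of the vulnerable package "
              "that an application must call to be affected. Answer only with a JSON list "
              "of dotted names.\n\n" + advisory["description"])
    match = re.search(r"\[.*?\]", ask(prompt), re.S)
    names = json.loads(match.group(0)) if match else []
    return [n for n in names if re.fullmatch(r"[A-Za-z_][\w.]*", str(n))]

def version_affected(installed: str, vulnerable_range: str) -> bool:
    """True when `installed` satisfies every clause of a range such as '>= 1.0, < 1.4.0'."""
    key = lambda v: (tuple(int(p) for p in re.findall(r"\d+", v)) + (0, 0, 0))[:3]
    ops = {"<": lambda a, b: a < b, "<=": lambda a, b: a <= b, "=": lambda a, b: a == b,
           ">": lambda a, b: a > b, ">=": lambda a, b: a >= b}
    for clause in vulnerable_range.split(","):
        op, ver = re.match(r"\s*([<>=]+)\s*(\S+)", clause).groups()
        if not ops[op](key(installed), key(ver)):
            return False
    return True

def search_codebase(root: Path, package: str, components: list[str]) -> dict:
    """Stage 3 (ComponentSearcherTool role): AST-based search for package imports and call
    sites of the named components, so mentions in comments or strings do not count."""
    module = package.replace("-", "_")
    wanted = {c.split(".")[-1] for c in components}
    hits = {"imports": [], "calls": []}
    for path in sorted(root.rglob("*.py")):
        rel = str(path.relative_to(root))
        for node in ast.walk(ast.parse(path.read_text(), filename=rel)):
            if isinstance(node, ast.Import) and any(a.name.split(".")[0] == module for a in node.names):
                hits["imports"].append((rel, node.lineno))
            elif isinstance(node, ast.ImportFrom) and (node.module or "").split(".")[0] == module:
                hits["imports"].append((rel, node.lineno))
            elif isinstance(node, ast.Call):
                func = node.func
                name = func.attr if isinstance(func, ast.Attribute) else getattr(func, "id", None)
                if name in wanted:
                    hits["calls"].append((rel, node.lineno, name))
    return hits

def assess(advisory: dict, installed: str, hits: dict) -> str:
    """Stage 4 (CodeReviewerAgent role, deterministic part): only the last verdict is worth
    handing to the model and the human reviewer."""
    vulnerable_range = advisory["vulnerabilities"][0]["vulnerable_version_range"]
    if not version_affected(installed, vulnerable_range):
        return "not affected: installed version is outside the vulnerable range"
    if not hits["imports"]:
        return "likely false positive: package is never imported"
    if not hits["calls"]:
        return "likely false positive: package imported but vulnerable component never called"
    return "needs review: vulnerable component called at " + ", ".join(
        f"{f}:{ln}" for f, ln, _ in hits["calls"])

def demo() -> str:
    """Run the pipeline offline on a constructed two-file project with a canned model reply."""
    canned = lambda prompt: 'Sure! ["demo_lib.config.load_config"]'  # stands in for ask_mistral
    components = identify_components(SAMPLE_ADVISORY, ask=canned)
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "app.py").write_text("from demo_lib.config import load_config\n"
                                     "cfg = load_config('settings.yaml')\n")
        (root / "util.py").write_text("import json  # load_config only mentioned in a comment\n")
        return assess(SAMPLE_ADVISORY, "1.2.0", search_codebase(root, "demo-lib", components))

if __name__ == "__main__":
    print(demo())
```

Running the file prints the verdict for the constructed project. The version check runs first because a dependency already at or above `first_patched_version` is the cheapest false positive to eliminate, and the AST search is what turns "package present in the SBOM" into "vulnerable function actually reachable", which is the distinction the agents above are built to make.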

๐Ÿ—๏ธ Architecture

Alt text

📦 Prerequisites

  • Python 3.12.3
  • GitHub API token (used to fetch advisories)
  • Ollama installed and running locally with the Mistral 7B model:

    ollama pull mistral

  • GPU with CUDA installed

๐Ÿ› ๏ธ Installation & Setup

  1. Clone the repository

  2. Create a .env file in the project root:

    GITHUB_TOKEN=your_github_token_here
    
  3. Ensure Ollama is running with the Mistral model:

  4. Install the required packages:

    pip install -r requirements.txt
    

🚀 Usage

Run the tool with a GitHub Advisory ID (GHSA ID) and the path to the codebase to analyze:

    python3 cve_analyzer.py <GHSA ID> <path_to_codebase>

🎥 Demo

The demo shows vulnerabilities (by GHSA ID) taken from an SBOM / GitHub Dependabot alerts being analyzed by the tool and their impact studied. The repository used in the demo for analysis and SBOM generation is the Dolos AI CTF Challenge.

(demo recording image)

โš ๏ธ Limitations

  • Currently tested on Python codebases
  • Vector DB is not used for now but will be used in the future to store and retrieve codebase and CVE information
  • Only CVE description is used for now, but it will be extended to use more sources of information in the future such as CVE exploit POCs

๐Ÿค Contributing

Contributions are welcome! Please feel free to submit a Pull Request.