From 408a2b298a18516a506622efd628d94bf75cb0ec Mon Sep 17 00:00:00 2001 From: Tamar Weisskopf Date: Sun, 21 Jun 2026 03:59:29 +0300 Subject: [PATCH 1/8] Rename ExploitIQ/Agent morpheus to Exploit Intelligence --- .gitignore | 2 + .tekton/on-cm-runner.yaml | 2 +- .tekton/on-pull-request.yaml | 2 +- .tekton/on-push.yaml | 2 +- .tekton/on-tag.yaml | 2 +- README.md | 2 +- kustomize/README.md | 38 +++++++++---------- kustomize/base/argilla/argilla-service.yaml | 2 +- .../argilla/argilla-user-feedback-pvc.yaml | 2 +- kustomize/base/argilla/deployment.yaml | 8 ++-- kustomize/base/argilla/service.yaml | 6 +-- kustomize/base/exploit_iq_client.yaml | 10 ++--- kustomize/base/exploit_iq_service.yaml | 4 +- kustomize/base/kustomization.yaml | 4 +- kustomize/network-policy.yaml | 6 +-- .../batch-processing/kustomization.yaml | 4 +- kustomize/overlays/tests/kustomization.yaml | 2 +- .../utils/chain_of_calls_retriever.py | 2 +- .../utils/chain_of_calls_retriever_base.py | 2 +- src/exploit_iq_commons/utils/dep_tree.py | 2 +- .../java_functions_parsers.py | 2 +- .../utils/java_chain_of_calls_retriever.py | 2 +- .../utils/transitive_code_searcher_tool.py | 2 +- src/vuln_analysis/register.py | 12 +++--- .../utils/function_name_extractor.py | 2 +- .../utils/function_name_locator.py | 2 +- src/vuln_analysis/utils/llm_engine_utils.py | 4 +- .../vex/implementations/csaf_generator.py | 8 ++-- 28 files changed, 70 insertions(+), 68 deletions(-) diff --git a/.gitignore b/.gitignore index 3ef4a4930..92f47346b 100644 --- a/.gitignore +++ b/.gitignore @@ -1,5 +1,7 @@ ###### Place new entries directly below this line! ###### +CLAUDE.md + # Ignore anything in the ./.tmp directory .tmp/ diff --git a/.tekton/on-cm-runner.yaml b/.tekton/on-cm-runner.yaml index 17c42105d..fc4003022 100644 --- a/.tekton/on-cm-runner.yaml +++ b/.tekton/on-cm-runner.yaml 
@@ -26,7 +26,7 @@ spec: value: "{{ trigger_comment }}" # Point to the image ALREADY built by the PR pipeline - name: target-image - value: quay.io/ecosystem-appeng/agent-morpheus-rh:on-pr-{{revision}} + value: quay.io/ecosystem-appeng/rhtpa-exploit-intelligence-service:on-pr-{{revision}} pipelineSpec: params: diff --git a/.tekton/on-pull-request.yaml b/.tekton/on-pull-request.yaml index 34c219807..8e1823663 100644 --- a/.tekton/on-pull-request.yaml +++ b/.tekton/on-pull-request.yaml @@ -31,7 +31,7 @@ spec: - name: image-expires-after value: 5d - name: output-image - value: quay.io/ecosystem-appeng/agent-morpheus-rh:on-pr-{{revision}} + value: quay.io/ecosystem-appeng/rhtpa-exploit-intelligence-service:on-pr-{{revision}} - name: path-context value: . - name: dockerfile diff --git a/.tekton/on-push.yaml b/.tekton/on-push.yaml index 5da2cc106..93e96a5d3 100644 --- a/.tekton/on-push.yaml +++ b/.tekton/on-push.yaml @@ -26,7 +26,7 @@ spec: - name: revision value: "{{ revision }}" - name: output-image - value: quay.io/ecosystem-appeng/agent-morpheus-rh:latest + value: quay.io/ecosystem-appeng/rhtpa-exploit-intelligence-service:latest - name: path-context value: . - name: dockerfile diff --git a/.tekton/on-tag.yaml b/.tekton/on-tag.yaml index 08718fd32..cb479c761 100644 --- a/.tekton/on-tag.yaml +++ b/.tekton/on-tag.yaml @@ -26,7 +26,7 @@ spec: - name: revision value: "{{ revision }}" - name: output-image - value: 'quay.io/ecosystem-appeng/agent-morpheus-rh' + value: 'quay.io/ecosystem-appeng/rhtpa-exploit-intelligence-service' - name: tag-name value: "{{ target_branch }}" - name: path-context diff --git a/README.md b/README.md index f4fab8a9f..692d72f8f 100644 --- a/README.md +++ b/README.md 
@@ -149,7 +149,7 @@ The detailed architecture consists of the following components: - **Vector database**: Various vector databases can be used for the embedding. We currently utilize FAISS for the VDB because it does not require an external service and is simple to use. Any vector store can be used, such as NVIDIA cuVS, which would provide accelerated indexing and search. - **Lexical search**: As an alternative, a lexical search is available for use cases where creating an embedding is impractical due to a large number of source files in the target container. - **Software Bill of Materials (SBOM)**: A Software Bill of Materials (SBOM) is a machine-readable manifest of all the dependencies of a software package or container. The blueprint cross-references every entry in the SBOM for known vulnerabilities and looks at the code implementation to see whether the implementation puts users at risk—just as a security analyst would do. For this reason, starting with an accurate SBOM is an important first step. SBOMs can be generated for any container using the open-source tool [Syft](https://github.com/anchore/syft). For more information on generating SBOMs for your containers, see the [SBOM documentation](./src/vuln_analysis/data/sboms/README.md). - - **Web vulnerability intel**: The system collects detailed information about each CVE through web scraping and data retrieval from various public security databases, including GHSA, Redhat, Ubuntu, and NIST CVE records, as well as tailored threat intelligence feeds. + - **Web vulnerability intel**: The system collects detailed information about each CVE through web scraping and data retrieval from various public security databases, including GHSA, Redhat, Ubuntu, and NIST CVE records, as well as RHTPA exploit intelligence feeds. - **Core LLM engine**: The below actions comprise the core LLM engine and are each implemented as NeMo Agent toolkit functions within the workflow. 
- **Checklist generation**: Leveraging the gathered information about each vulnerability, the checklist generation node creates a tailored, context-sensitive task checklist designed to guide the impact analysis. (See [`src/vuln_analysis/functions/cve_checklist.py`](./src/vuln_analysis/functions/cve_checklist.py).) diff --git a/kustomize/README.md b/kustomize/README.md index 1f9be713b..490128731 100644 --- a/kustomize/README.md +++ b/kustomize/README.md @@ -19,7 +19,7 @@ limitations under the License. ## Install and Run Locally -One can run ExploitIQ on his local machine ( No GPU dependency is required!), for the purpose of testing, debugging and troubleshooting problems: +One can run the RHTPA exploit intelligence workflow on his local machine ( No GPU dependency is required!), for the purpose of testing, debugging and troubleshooting problems: 1. Install the lightweight [uv package manager](https://docs.astral.sh/uv/getting-started/installation). 2. Ensure Python 3.12 is installed for your operating system. @@ -98,7 +98,7 @@ export USE_CONTAINER_SOURCES=true ## Deploy And Run On OCP -1. Create a `base/secrets.env` file containing the API keys for external services `ExploitIQ` might use. Not all keys are mandatory. Refer to the main [README](../README.md#obtain-api-keys) for details on how to create the Red Hat credentials and other API keys. +1. Create a `base/secrets.env` file containing the API keys for external services the exploit intelligence workflow might use. Not all keys are mandatory. Refer to the main [README](../README.md#obtain-api-keys) for details on how to create the Red Hat credentials and other API keys. ```shell cat > base/secrets.env << EOF 
@@ -128,7 +128,7 @@ argilla_api_key=your_argilla_api_key EOF ``` -4. Create an image pull secret to authorize pulling the `ExploitIQ` and `Argilla` container images: +4. Create an image pull secret to authorize pulling the `exploit-intelligence` and `Argilla` container images: ```shell oc create secret generic exploit-iq-pull-secret --from-file=.dockerconfigjson= --type=kubernetes.io/dockerconfigjson @@ -152,7 +152,7 @@ EOF >[!IMPORTANT] >This secret is essential for product scanning to authenticate and pull component images. If you skip this step, kustomize will still deploy, but authenticated pulls will not work until you provide real credentials. -6. Create the `oauth-secret.env` file containing the `client-secret` and `openshift-domain` values required by the [ExploitIQ Client](./base/exploit_iq_client.yaml) configuration. +6. Create the `oauth-secret.env` file containing the `client-secret` and `openshift-domain` values required by the [exploit-intelligence-client](./base/exploit_iq_client.yaml) configuration. If openshift resource of kind `OAuthClient` named `exploit-iq-client` exists, just get the secret from there: ```shell @@ -187,7 +187,7 @@ exploit-iq-password=$(openssl rand -base64 24 | tr -d '/+=' | head -c 32) EOF ``` -8. Update `ExploitIQ` configuration file with the correct callback URL for the client service. +8. Update exploit intelligence configuration file with the correct callback URL for the client service. ```shell export CALLBACK_URL="https://exploit-iq-client.$(oc project -q).svc:8443" 
@@ -196,7 +196,7 @@ find . -type f -name 'exploit-iq-config.yml' -exec sed -i "s|CALLBACK_URL_PLACEH ### Configuring Git SSL Certificate Authority for Custom CAs -If your Git server uses a certificate that is signed by a custom Certificate Authority (CA), you must provide the CA certificate bundle to enable ExploitIQ to verify the Git server identity. +If your Git server uses a certificate that is signed by a custom Certificate Authority (CA), you must provide the CA certificate bundle to enable the exploit intelligence workflow to verify the Git server identity. > [!IMPORTANT] > If you need to access Red Hat internal Git repositories such as `gitlab.cee.redhat.com`, you must complete this procedure. @@ -245,15 +245,15 @@ openssl crl2pkcs7 -nocrl -certfile kustomize/base/ca-certs/ca-bundle.crt | \ >[!IMPORTANT] You should only run one of the steps 9,10 or 11, depending on if you want to run the service with a self hosted LLM, self hosted LLM with MLOps or Nvidia remote NIM. -9. To deploy `ExploitIQ` with a self-hosted LLM , run: +9. To deploy the exploit intelligence service with a self-hosted LLM , run: ```shell -# Deploy ExploitIQ with self hosted llama3.1-70b-4bit LLM +# Deploy exploit intelligence with self hosted llama3.1-70b-4bit LLM oc kustomize overlays/self-hosted-llama3.1-70b-4bit | oc apply -f - -n $YOUR_NAMESPACE_NAME ``` -10. To deploy `ExploitIQ` with a self-hosted LLM and MLOps, run: +10. To deploy the exploit intelligence service with a self-hosted LLM and MLOps, run: ```shell # Patch overlay kustomization yaml with deployment namespace value (Grafana and Tempo) 
@@ -262,12 +262,12 @@ sed -i "s/REPLACE_NAMESPACE/$YOUR_NAMESPACE_NAME/" overlays/mlops/tempo/kustomiz ``` ```shell -# replace EXPLOIT_IQ_GRAFANA_SA_TOKEN with ExploitIQ Grafana SA Token from bitwarden vault (1 year expiration date) +# replace EXPLOIT_IQ_GRAFANA_SA_TOKEN with exploit intelligence Grafana SA Token from bitwarden vault (1 year expiration date) oc create secret generic grafana-bearer-token --from-literal=token='EXPLOIT_IQ_GRAFANA_SA_TOKEN' ``` ```shell -# Deploy ExploitIQ with self hosted llama3.1-70b-4bit LLM and MLOps +# Deploy exploit intelligence with self hosted llama3.1-70b-4bit LLM and MLOps oc kustomize overlays/mlops | oc apply -f - -n $YOUR_NAMESPACE_NAME ``` @@ -299,9 +299,9 @@ oc kustomize overlays/mlops \ ``` -10. Alternatively, to deploy `ExploitIQ` with a fully remote nim LLM, run: +10. Alternatively, to deploy the exploit intelligence service with a fully remote nim LLM, run: ```shell -# Deploy ExploitIQ with remote nim llama-3.1-70b-16bit LLM +# Deploy exploit intelligence with remote nim llama-3.1-70b-16bit LLM oc kustomize overlays/remote-nim-all | oc apply -f - -n $YOUR_NAMESPACE_NAME ``` >[!WARNING] @@ -335,7 +335,7 @@ openshift-domain=$(oc get dns cluster -o jsonpath='{.spec.baseDomain}') EOF ``` -12. **(Optional) Enable OAuth for the ExploitIQ MCP Server.** If you want MCP clients (Claude Code, Cursor, etc.) to authenticate via OpenShift OAuth, create an `OAuthClient` CR for the MCP server: +12. **(Optional) Enable OAuth for the exploit intelligence MCP Server.** If you want MCP clients (Claude Code, Cursor, etc.) to authenticate via OpenShift OAuth, create an `OAuthClient` CR for the MCP server: ```bash oc create -f - < str: return f"{function_file_name};{function_name_to_search}" diff --git a/src/exploit_iq_commons/utils/dep_tree.py b/src/exploit_iq_commons/utils/dep_tree.py index 09b91789e..acb65c133 100644 --- a/src/exploit_iq_commons/utils/dep_tree.py +++ b/src/exploit_iq_commons/utils/dep_tree.py 
@@ -58,7 +58,7 @@ logger = LoggingFactory.get_agent_logger(__name__) -ROOT_LEVEL_SENTINEL = 'root-top-level-agent-morpheus' +ROOT_LEVEL_SENTINEL = 'root-top-level-exploit-intelligence' TRANSITIVE_ENV_NAME = 'transitive_env' diff --git a/src/exploit_iq_commons/utils/functions_parsers/java_functions_parsers.py b/src/exploit_iq_commons/utils/functions_parsers/java_functions_parsers.py index 1a442c634..1323f49c1 100644 --- a/src/exploit_iq_commons/utils/functions_parsers/java_functions_parsers.py +++ b/src/exploit_iq_commons/utils/functions_parsers/java_functions_parsers.py @@ -28,7 +28,7 @@ strip_java_generics, JAVA_ANNOTATION_SYMBOL, extract_fqcn from exploit_iq_commons.logging.loggers_factory import LoggingFactory -logger = LoggingFactory.get_agent_logger(f"morpheus.{__name__}") +logger = LoggingFactory.get_agent_logger(f"exploit-intelligence.{__name__}") PARAMETER = "parameter" diff --git a/src/exploit_iq_commons/utils/java_chain_of_calls_retriever.py b/src/exploit_iq_commons/utils/java_chain_of_calls_retriever.py index e624fa99b..146c022c9 100644 --- a/src/exploit_iq_commons/utils/java_chain_of_calls_retriever.py +++ b/src/exploit_iq_commons/utils/java_chain_of_calls_retriever.py @@ -36,7 +36,7 @@ create_inheritance_map, get_target_class_names, dummy_package_name from exploit_iq_commons.data_models.input import SourceDocumentsInfo -logger = LoggingFactory.get_agent_logger(f"morpheus.{__name__}") +logger = LoggingFactory.get_agent_logger(f"exploit-intelligence.{__name__}") # Lowercase package segments; class segments start with uppercase; allow dots or $ for inners _FQCN_STRICT_RE = re.compile( diff --git a/src/exploit_iq_commons/utils/transitive_code_searcher_tool.py b/src/exploit_iq_commons/utils/transitive_code_searcher_tool.py index 12c3455a3..09956c637 100644 --- a/src/exploit_iq_commons/utils/transitive_code_searcher_tool.py +++ b/src/exploit_iq_commons/utils/transitive_code_searcher_tool.py 
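Review bot: The logger name prefix in `java_functions_parsers.py` changes from `morpheus.` to `exploit-intelligence.`, and the same literal is repeated in `java_chain_of_calls_retriever.py`, `transitive_code_searcher_tool.py`, `function_name_extractor.py` and `function_name_locator.py`. The `dep_tree.py` context line still calls `get_agent_logger(__name__)` with no prefix at all. No logging configuration appears in this commit's diffstat, so any level override, handler or log-based alert that selects on the old `morpheus` prefix may silently stop matching these records. I would define the prefix once next to `LoggingFactory` and build every logger name from it, with a comment such as `# Logger namespace; keep in sync with logging config and log filters`.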
@@ -25,7 +25,7 @@ from exploit_iq_commons.logging.loggers_factory import LoggingFactory, MULTI_LINE_MESSAGE_TRUE -logger = LoggingFactory.get_agent_logger(f"morpheus.{__name__}") +logger = LoggingFactory.get_agent_logger(f"exploit-intelligence.{__name__}") class TransitiveCodeSearcher: diff --git a/src/vuln_analysis/register.py b/src/vuln_analysis/register.py index 03ca69448..008279031 100644 --- a/src/vuln_analysis/register.py +++ b/src/vuln_analysis/register.py @@ -502,7 +502,7 @@ async def call_llm_engine_subgraph_node(message: AgentMorpheusEngineInput): graph = graph_builder.compile() #graph.get_graph().draw_mermaid_png(output_file_path="checker_flow.png") - def convert_str_to_agent_morpheus_input(input: str) -> AgentMorpheusInput: + def convert_str_to_exploit_intelligence_input(input: str) -> AgentMorpheusInput: logger.debug("Converting JSON string input to AgentMorpheusInput (length: %d)", len(input)) try: return AgentMorpheusInput.model_validate_json(input) @@ -510,7 +510,7 @@ def convert_str_to_agent_morpheus_input(input: str) -> AgentMorpheusInput: logger.error("Failed to convert input to AgentMorpheusInput: %s. Your input needs to be a json string.", e) raise e - def convert_textio_to_agent_morpheus_input(input: TextIOWrapper) -> AgentMorpheusInput: + def convert_textio_to_exploit_intelligence_input(input: TextIOWrapper) -> AgentMorpheusInput: logger.debug("Converting TextIOWrapper input to AgentMorpheusInput") try: data = input.read() @@ -520,7 +520,7 @@ def convert_textio_to_agent_morpheus_input(input: TextIOWrapper) -> AgentMorpheu "Failed to convert input to AgentMorpheusInput: %s. Your input needs to be a TextIOWrapper object.", e) raise e - def convert_agent_morpheus_output_to_str(output: AgentMorpheusOutput) -> str: + def convert_exploit_intelligence_output_to_str(output: AgentMorpheusOutput) -> str: logger.debug("Converting AgentMorpheusOutput to JSON string") try: return output.model_dump_json() 
@@ -539,9 +539,9 @@ async def _response_fn(input_message: AgentMorpheusInput) -> AgentMorpheusOutput description=config.description, input_schema=AgentMorpheusInput, converters=[ - convert_str_to_agent_morpheus_input, - convert_textio_to_agent_morpheus_input, - convert_agent_morpheus_output_to_str + convert_str_to_exploit_intelligence_input, + convert_textio_to_exploit_intelligence_input, + convert_exploit_intelligence_output_to_str ]) except GeneratorExit: logger.info("Workflow exited early!") diff --git a/src/vuln_analysis/utils/function_name_extractor.py b/src/vuln_analysis/utils/function_name_extractor.py index 6d789561a..45b4107be 100644 --- a/src/vuln_analysis/utils/function_name_extractor.py +++ b/src/vuln_analysis/utils/function_name_extractor.py @@ -20,7 +20,7 @@ from exploit_iq_commons.logging.loggers_factory import LoggingFactory -logger = LoggingFactory.get_agent_logger(f"morpheus.{__name__}") +logger = LoggingFactory.get_agent_logger(f"exploit-intelligence.{__name__}") def traverse_all_parameters(function_ending_index_end, function_prefix_index_end, function_string): diff --git a/src/vuln_analysis/utils/function_name_locator.py b/src/vuln_analysis/utils/function_name_locator.py index a7f43260e..60e776579 100644 --- a/src/vuln_analysis/utils/function_name_locator.py +++ b/src/vuln_analysis/utils/function_name_locator.py @@ -25,7 +25,7 @@ from exploit_iq_commons.utils.source_rpm_downloader import RPMDependencyManager from vuln_analysis.utils.prompt_factory import FL_EXAMPLES -logger = LoggingFactory.get_agent_logger(f"morpheus.{__name__}") +logger = LoggingFactory.get_agent_logger(f"exploit-intelligence.{__name__}") class FunctionNameLocator: diff --git a/src/vuln_analysis/utils/llm_engine_utils.py b/src/vuln_analysis/utils/llm_engine_utils.py index 727830212..8b2268cc7 100644 --- a/src/vuln_analysis/utils/llm_engine_utils.py +++ b/src/vuln_analysis/utils/llm_engine_utils.py 
@@ -93,7 +93,7 @@ def preprocess_engine_input(message: AgentMorpheusEngineInput) -> AgentMorpheusE original_input=message) -def parse_agent_morpheus_engine_output(vuln_id: str, +def parse_exploit_intelligence_engine_output(vuln_id: str, checklist_results: list[dict[str, typing.Any]], summary: str, justification: dict[str, str], @@ -244,7 +244,7 @@ def postprocess_engine_output(message: AgentMorpheusEngineInput, for vuln_id in input_vuln_ids: if vuln_id in output_vuln_ids: output.append( - parse_agent_morpheus_engine_output(vuln_id=vuln_id, + parse_exploit_intelligence_engine_output(vuln_id=vuln_id, checklist_results=result.checklist_results[vuln_id], summary=result.final_summaries[vuln_id], justification=result.justifications[vuln_id], diff --git a/src/vuln_analysis/utils/vex/implementations/csaf_generator.py b/src/vuln_analysis/utils/vex/implementations/csaf_generator.py index 605c37192..3d556e618 100644 --- a/src/vuln_analysis/utils/vex/implementations/csaf_generator.py +++ b/src/vuln_analysis/utils/vex/implementations/csaf_generator.py @@ -47,9 +47,9 @@ NOTE_TITLE_VULNERABILITY_DESCRIPTION = "Vulnerability description" NOTE_TITLE_VULNERABILITY_SUMMARY = "Vulnerability summary" NOTE_TITLE_RHSA_STATEMENT = "Red Hat Security Advisory Statement" -NOTE_TITLE_EXPLOITIQ_SUMMARY = "ExploitIQ Analysis Summary" -NOTE_TITLE_EXPLOITIQ_JUSTIFICATION_REASONING = "ExploitIQ Analysis Justification Reasoning" -NOTE_TITLE_EXPLOITIQ_JUSTIFICATION_LABEL = "ExploitIQ Analysis Justification Label" +NOTE_TITLE_EXPLOITIQ_SUMMARY = "RHTPA exploit intelligence Analysis Summary" +NOTE_TITLE_EXPLOITIQ_JUSTIFICATION_REASONING = "RHTPA exploit intelligence Analysis Justification Reasoning" +NOTE_TITLE_EXPLOITIQ_JUSTIFICATION_LABEL = "RHTPA exploit intelligence Analysis Justification Label" NOTE_TITLE_UNOFFICIAL_CONTENT = "Unofficial Content Notice" # Disclaimer text 
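Review bot: The three `NOTE_TITLE_EXPLOITIQ_*` constants in `csaf_generator.py` keep their old names but now hold `RHTPA exploit intelligence …` strings. They sit among the note-title constants used for the generated CSAF/VEX document, so this looks like an output-format change rather than a cosmetic rename. Tooling that selects notes by title will not find them in newly generated documents, while already published documents keep the old titles; the repository's own tests matched on the literal strings until patch 3/8. I would add a comment above the block, `# Emitted verbatim as CSAF note titles; consumers may match on these strings`, and either rename the constants or settle the casing, since `exploit intelligence Analysis Summary` mixes lower and title case.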
@@ -176,7 +176,7 @@ def generate(self, state: AgentMorpheusEngineState) -> Dict[str, Any]: product_name = message.input.image.name product_tag = message.input.image.tag - csaf_gen.set_header_title(f"ExploitIQ VEX Document - {product_name}{"@" if OCI_DIGEST_RE.fullmatch(product_tag) else ":"}{product_tag}") + csaf_gen.set_header_title(f"RHTPA exploit intelligence VEX Document - {product_name}{"@" if OCI_DIGEST_RE.fullmatch(product_tag) else ":"}{product_tag}") csaf_gen.set_value("notes",[ { From ee80d0093c407eae20f7576253d50fe8c4be346d Mon Sep 17 00:00:00 2001 From: Tamar Weisskopf Date: Sun, 21 Jun 2026 04:07:51 +0300 Subject: [PATCH 2/8] Rename ExploitIQ/Agent morpheus to Exploit Intelligence --- README.md | 2 +- kustomize/README.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 692d72f8f..f4fab8a9f 100644 --- a/README.md +++ b/README.md 
@@ -149,7 +149,7 @@ The detailed architecture consists of the following components: - **Vector database**: Various vector databases can be used for the embedding. We currently utilize FAISS for the VDB because it does not require an external service and is simple to use. Any vector store can be used, such as NVIDIA cuVS, which would provide accelerated indexing and search. - **Lexical search**: As an alternative, a lexical search is available for use cases where creating an embedding is impractical due to a large number of source files in the target container. - **Software Bill of Materials (SBOM)**: A Software Bill of Materials (SBOM) is a machine-readable manifest of all the dependencies of a software package or container. The blueprint cross-references every entry in the SBOM for known vulnerabilities and looks at the code implementation to see whether the implementation puts users at risk—just as a security analyst would do. For this reason, starting with an accurate SBOM is an important first step. SBOMs can be generated for any container using the open-source tool [Syft](https://github.com/anchore/syft). For more information on generating SBOMs for your containers, see the [SBOM documentation](./src/vuln_analysis/data/sboms/README.md). - - **Web vulnerability intel**: The system collects detailed information about each CVE through web scraping and data retrieval from various public security databases, including GHSA, Redhat, Ubuntu, and NIST CVE records, as well as RHTPA exploit intelligence feeds. + - **Web vulnerability intel**: The system collects detailed information about each CVE through web scraping and data retrieval from various public security databases, including GHSA, Redhat, Ubuntu, and NIST CVE records, as well as tailored threat intelligence feeds. - **Core LLM engine**: The below actions comprise the core LLM engine and are each implemented as NeMo Agent toolkit functions within the workflow. 
- **Checklist generation**: Leveraging the gathered information about each vulnerability, the checklist generation node creates a tailored, context-sensitive task checklist designed to guide the impact analysis. (See [`src/vuln_analysis/functions/cve_checklist.py`](./src/vuln_analysis/functions/cve_checklist.py).) diff --git a/kustomize/README.md b/kustomize/README.md index 490128731..b63230d94 100644 --- a/kustomize/README.md +++ b/kustomize/README.md @@ -98,7 +98,7 @@ export USE_CONTAINER_SOURCES=true ## Deploy And Run On OCP -1. Create a `base/secrets.env` file containing the API keys for external services the exploit intelligence workflow might use. Not all keys are mandatory. Refer to the main [README](../README.md#obtain-api-keys) for details on how to create the Red Hat credentials and other API keys. +1. Create a `base/secrets.env` file containing the API keys for external services `RHTPA exploit intelligence` might use. Not all keys are mandatory. Refer to the main [README](../README.md#obtain-api-keys) for details on how to create the Red Hat credentials and other API keys. ```shell cat > base/secrets.env << EOF From b62a4bdda980745902912cfbe95b862f1da45869 Mon Sep 17 00:00:00 2001 From: Tamar Weisskopf Date: Mon, 22 Jun 2026 09:49:16 +0300 Subject: [PATCH 3/8] Align tests according to the last changes --- .../utils/vex/implementations/csaf_generator.py | 2 +- .../utils/vex/tests/test_csaf_generator_integration.py | 4 ++-- tests/test_vex_csaf_helpers.py | 9 +++++---- 3 files changed, 8 insertions(+), 7 deletions(-) diff --git a/src/vuln_analysis/utils/vex/implementations/csaf_generator.py b/src/vuln_analysis/utils/vex/implementations/csaf_generator.py index 3d556e618..cd2cf42b2 100644 --- a/src/vuln_analysis/utils/vex/implementations/csaf_generator.py +++ b/src/vuln_analysis/utils/vex/implementations/csaf_generator.py 
@@ -138,7 +138,7 @@ def _enrich_vulnerabilities_with_notes( "title": NOTE_TITLE_RHSA_STATEMENT }) - # Add ExploitIQ analysis summary + # Add RHTPA exploit intelligence Analysis Summary summary = final_summaries.get(vuln_id) notes.append({ "category": NOTE_CATEGORY_OTHER, diff --git a/src/vuln_analysis/utils/vex/tests/test_csaf_generator_integration.py b/src/vuln_analysis/utils/vex/tests/test_csaf_generator_integration.py index 5bca102d3..53f0dfe37 100644 --- a/src/vuln_analysis/utils/vex/tests/test_csaf_generator_integration.py +++ b/src/vuln_analysis/utils/vex/tests/test_csaf_generator_integration.py @@ -119,7 +119,7 @@ def test_document_has_correct_title(self, mock_state): result = generator.generate(mock_state) title = result["document"].get("title") - assert "ExploitIQ VEX Document - " + _DEFAULT_PRODUCT_NAME + ":" + _DEFAULT_PRODUCT_TAG in title + assert "RHTPA exploit intelligence VEX Document - " + _DEFAULT_PRODUCT_NAME + ":" + _DEFAULT_PRODUCT_TAG in title def test_oci_digest_tag_uses_at_separator(self): """Test that OCI digest tags use @ separator instead of : in title.""" @@ -132,7 +132,7 @@ def test_oci_digest_tag_uses_at_separator(self): result = generator.generate(state) title = result["document"].get("title") - assert "ExploitIQ VEX Document - " + _DEFAULT_PRODUCT_NAME + "@" + oci_digest in title + assert "RHTPA exploit intelligence VEX Document - " + _DEFAULT_PRODUCT_NAME + "@" + oci_digest in title def test_document_has_disclaimer_note(self, mock_state): """Test that document includes the disclaimer note.""" diff --git a/tests/test_vex_csaf_helpers.py b/tests/test_vex_csaf_helpers.py index 687e52473..84a2ade9a 100644 --- a/tests/test_vex_csaf_helpers.py +++ b/tests/test_vex_csaf_helpers.py 
@@ -21,7 +21,8 @@ from exploit_iq_commons.data_models.cve_intel import CveIntel, CveIntelGhsa, CveIntelRhsa from vuln_analysis.utils.vex.implementations.csaf_generator import ( - _enrich_vulnerabilities_with_notes, + _enrich_vulnerabilities_with_notes, NOTE_TITLE_EXPLOITIQ_JUSTIFICATION_REASONING, NOTE_TITLE_EXPLOITIQ_SUMMARY, + NOTE_TITLE_EXPLOITIQ_JUSTIFICATION_LABEL, ) @@ -94,7 +95,7 @@ def test_adds_analysis_summary_note(self, base_csaf_json, base_intel_map, base_j _enrich_vulnerabilities_with_notes(base_csaf_json, base_intel_map, final_summaries, base_justifications) notes = base_csaf_json["vulnerabilities"][0]["notes"] - analysis_notes = [n for n in notes if n.get("title") == "ExploitIQ Analysis Summary"] + analysis_notes = [n for n in notes if n.get("title") == NOTE_TITLE_EXPLOITIQ_SUMMARY] assert len(analysis_notes) == 1 assert analysis_notes[0]["text"] == "This is the analysis summary" assert analysis_notes[0]["category"] == "other" @@ -112,11 +113,11 @@ def test_adds_justification_notes(self, base_csaf_json, base_intel_map, base_fin notes = base_csaf_json["vulnerabilities"][0]["notes"] - reasoning_notes = [n for n in notes if n.get("title") == "ExploitIQ Analysis Justification Reasoning"] + reasoning_notes = [n for n in notes if n.get("title") == NOTE_TITLE_EXPLOITIQ_JUSTIFICATION_REASONING] assert len(reasoning_notes) == 1 assert reasoning_notes[0]["text"] == "The vulnerable code path is reachable" - label_notes = [n for n in notes if n.get("title") == "ExploitIQ Analysis Justification Label"] + label_notes = [n for n in notes if n.get("title") == NOTE_TITLE_EXPLOITIQ_JUSTIFICATION_LABEL] assert len(label_notes) == 1 assert label_notes[0]["text"] == "vulnerable" From 49e0d184519792865c0c29115a681002992e8111 Mon Sep 17 00:00:00 2001 
From: Tamar Weisskopf Date: Tue, 23 Jun 2026 21:27:39 +0300 Subject: [PATCH 4/8] Update agent image name --- .tekton/on-cm-runner.yaml | 2 +- .tekton/on-pull-request.yaml | 2 +- .tekton/on-push.yaml | 2 +- .tekton/on-tag.yaml | 2 +- kustomize/base/exploit_iq_service.yaml | 4 ++-- kustomize/base/kustomization.yaml | 4 ++-- 6 files changed, 8 insertions(+), 8 deletions(-) diff --git a/.tekton/on-cm-runner.yaml b/.tekton/on-cm-runner.yaml index fc4003022..e4265c5b6 100644 --- a/.tekton/on-cm-runner.yaml +++ b/.tekton/on-cm-runner.yaml @@ -26,7 +26,7 @@ spec: value: "{{ trigger_comment }}" # Point to the image ALREADY built by the PR pipeline - name: target-image - value: quay.io/ecosystem-appeng/rhtpa-exploit-intelligence-service:on-pr-{{revision}} + value: quay.io/ecosystem-appeng/rhtpa-exploit-intelligence-agent:on-pr-{{revision}} pipelineSpec: params: diff --git a/.tekton/on-pull-request.yaml b/.tekton/on-pull-request.yaml index 8e1823663..2769cf6fc 100644 --- a/.tekton/on-pull-request.yaml +++ b/.tekton/on-pull-request.yaml @@ -31,7 +31,7 @@ spec: - name: image-expires-after value: 5d - name: output-image - value: quay.io/ecosystem-appeng/rhtpa-exploit-intelligence-service:on-pr-{{revision}} + value: quay.io/ecosystem-appeng/rhtpa-exploit-intelligence-agent:on-pr-{{revision}} - name: path-context value: . - name: dockerfile diff --git a/.tekton/on-push.yaml b/.tekton/on-push.yaml index 93e96a5d3..09887328c 100644 --- a/.tekton/on-push.yaml +++ b/.tekton/on-push.yaml @@ -26,7 +26,7 @@ spec: - name: revision value: "{{ revision }}" - name: output-image - value: quay.io/ecosystem-appeng/rhtpa-exploit-intelligence-service:latest + value: quay.io/ecosystem-appeng/rhtpa-exploit-intelligence-agent:latest - name: path-context value: . - name: dockerfile diff --git a/.tekton/on-tag.yaml b/.tekton/on-tag.yaml index cb479c761..af5bc73a4 100644 --- a/.tekton/on-tag.yaml +++ b/.tekton/on-tag.yaml 
@@ -26,7 +26,7 @@ spec: - name: revision value: "{{ revision }}" - name: output-image - value: 'quay.io/ecosystem-appeng/rhtpa-exploit-intelligence-service' + value: 'quay.io/ecosystem-appeng/rhtpa-exploit-intelligence-agent' - name: tag-name value: "{{ target_branch }}" - name: path-context diff --git a/kustomize/base/exploit_iq_service.yaml b/kustomize/base/exploit_iq_service.yaml index 3344ca69e..7e239e208 100644 --- a/kustomize/base/exploit_iq_service.yaml +++ b/kustomize/base/exploit_iq_service.yaml @@ -25,7 +25,7 @@ spec: serviceAccountName: exploit-iq-sa containers: - name: exploit-iq-phoenix-tracing - image: quay.io/ecosystem-appeng/agent-exploit-intelligence-rh:nat + image: quay.io/ecosystem-appeng/rhtpa-exploit-intelligence-agent:nat imagePullPolicy: Always workingDir: /workspace/ args: @@ -45,7 +45,7 @@ spec: memory: "1Gi" cpu: "100m" - name: exploit-iq - image: quay.io/ecosystem-appeng/agent-exploit-intelligence-rh:nat + image: quay.io/ecosystem-appeng/rhtpa-exploit-intelligence-agent:nat imagePullPolicy: Always workingDir: /workspace/ args: diff --git a/kustomize/base/kustomization.yaml b/kustomize/base/kustomization.yaml index f6fdf8efd..211fa85a1 100644 --- a/kustomize/base/kustomization.yaml +++ b/kustomize/base/kustomization.yaml @@ -94,10 +94,10 @@ patches: kind: Deployment images: - - name: quay.io/ecosystem-appeng/agent-exploit-intelligence-rh + - name: quay.io/ecosystem-appeng/rhtpa-exploit-intelligence-agent newTag: latest - - name: quay.io/ecosystem-appeng/agent-exploit-intelligence-client + - name: quay.io/ecosystem-appeng/rhtpa-exploit-intelligence-agent newTag: latest - name: quay.io/exploit-iq/exploitiq-mcp-server From 1abea07be6938064d29c3b2f040890188bfafe99 Mon Sep 17 00:00:00 2001 From: Tamar Weisskopf Date: Wed, 24 Jun 2026 00:38:43 +0300 Subject: [PATCH 5/8] Update agent image name --- kustomize/base/exploit_iq_client.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
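Review bot: Both containers in kustomize/base/exploit_iq_service.yaml reference the renamed repository through the mutable `:nat` tag with `imagePullPolicy: Always`, and the matching kustomization entry sets `newTag: latest`, so each pod start runs whatever was last pushed under a moving tag. Since the image reference is being edited anyway, consider pinning it by digest, for instance `digest: sha256:<image-digest>` on the `images:` entry, so a deployment maps to one reviewed build. The container specs continue outside both hunks.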
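Review bot: The second `images:` entry in kustomize/base/kustomization.yaml used to name the client image and now repeats `quay.io/ecosystem-appeng/rhtpa-exploit-intelligence-agent`, so the list holds the agent twice and no entry matches the client any more. The client Deployment's tag is then whatever exploit_iq_client.yaml hard-codes, and an overlay that relied on this entry would silently stop retagging it. The revert in PATCH 6/8 carries the same duplication (both entries become `agent-morpheus-rh`) while PATCH 7/8 sets the client image to `agent-morpheus-client:latest`, so the second entry should follow the client name, i.e. `- name: quay.io/ecosystem-appeng/agent-morpheus-client` in the final state. The `images:` list continues past the end of the hunk.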
diff --git a/kustomize/base/exploit_iq_client.yaml b/kustomize/base/exploit_iq_client.yaml index 69f0d8539..b4cd58564 100644 --- a/kustomize/base/exploit_iq_client.yaml +++ b/kustomize/base/exploit_iq_client.yaml @@ -27,7 +27,7 @@ spec: - ./application - -Dquarkus.http.host=0.0.0.0 - -Dquarkus.log.category."com.redhat.ecosystemappeng.exploitintelligence".level=DEBUG - image: quay.io/ecosystem-appeng/agent-exploit-intelligence-client:latest + image: quay.io/ecosystem-appeng/exploit-intelligence-client:latest imagePullPolicy: Always ports: - name: http From 2e55b5fdd4ffe5cd0133220111af6325f9981066 Mon Sep 17 00:00:00 2001 From: Tamar Weisskopf Date: Wed, 24 Jun 2026 01:54:24 +0300 Subject: [PATCH 6/8] Revert agent image name change --- .tekton/on-pull-request.yaml | 2 +- .tekton/on-push.yaml | 2 +- .tekton/on-tag.yaml | 2 +- kustomize/base/exploit_iq_service.yaml | 4 ++-- kustomize/base/kustomization.yaml | 4 ++-- 5 files changed, 7 insertions(+), 7 deletions(-) diff --git a/.tekton/on-pull-request.yaml b/.tekton/on-pull-request.yaml index 276466631..e72258311 100644 --- a/.tekton/on-pull-request.yaml +++ b/.tekton/on-pull-request.yaml @@ -33,7 +33,7 @@ spec: - name: image-expires-after value: 5d - name: output-image - value: quay.io/ecosystem-appeng/rhtpa-exploit-intelligence-agent:on-pr-{{revision}} + value: quay.io/ecosystem-appeng/agent-morpheus-rh:on-pr-{{revision}} - name: path-context value: . - name: dockerfile diff --git a/.tekton/on-push.yaml b/.tekton/on-push.yaml index 09887328c..5da2cc106 100644 --- a/.tekton/on-push.yaml +++ b/.tekton/on-push.yaml @@ -26,7 +26,7 @@ spec: - name: revision value: "{{ revision }}" - name: output-image - value: quay.io/ecosystem-appeng/rhtpa-exploit-intelligence-agent:latest + value: quay.io/ecosystem-appeng/agent-morpheus-rh:latest - name: path-context value: . - name: dockerfile diff --git a/.tekton/on-tag.yaml b/.tekton/on-tag.yaml index af5bc73a4..08718fd32 100644 --- a/.tekton/on-tag.yaml +++ b/.tekton/on-tag.yaml 
@@ -26,7 +26,7 @@ spec: - name: revision value: "{{ revision }}" - name: output-image - value: 'quay.io/ecosystem-appeng/rhtpa-exploit-intelligence-agent' + value: 'quay.io/ecosystem-appeng/agent-morpheus-rh' - name: tag-name value: "{{ target_branch }}" - name: path-context diff --git a/kustomize/base/exploit_iq_service.yaml b/kustomize/base/exploit_iq_service.yaml index a7514e654..2f99c7411 100644 --- a/kustomize/base/exploit_iq_service.yaml +++ b/kustomize/base/exploit_iq_service.yaml @@ -25,7 +25,7 @@ spec: serviceAccountName: exploit-iq-sa containers: - name: exploit-iq-phoenix-tracing - image: quay.io/ecosystem-appeng/rhtpa-exploit-intelligence-agent:nat + image: quay.io/ecosystem-appeng/agent-morpheus-rh:nat imagePullPolicy: Always workingDir: /workspace/ args: @@ -45,7 +45,7 @@ spec: memory: "1Gi" cpu: "100m" - name: exploit-iq - image: quay.io/ecosystem-appeng/rhtpa-exploit-intelligence-agent:nat + image: quay.io/ecosystem-appeng/agent-morpheus-rh:nat imagePullPolicy: Always workingDir: /workspace/ args: diff --git a/kustomize/base/kustomization.yaml b/kustomize/base/kustomization.yaml index e971c34ee..ef7608241 100644 --- a/kustomize/base/kustomization.yaml +++ b/kustomize/base/kustomization.yaml @@ -94,10 +94,10 @@ patches: kind: Deployment images: - - name: quay.io/ecosystem-appeng/rhtpa-exploit-intelligence-agent + - name: quay.io/ecosystem-appeng/agent-morpheus-rh newTag: latest - - name: quay.io/ecosystem-appeng/rhtpa-exploit-intelligence-agent + - name: quay.io/ecosystem-appeng/agent-morpheus-rh newTag: latest - name: quay.io/ecosystem-appeng/exploitiq-mcp-server From 1fdc29c1cfff5901c75db84e54c1daaf51a05c37 Mon Sep 17 00:00:00 2001 
From: Tamar Weisskopf Date: Wed, 24 Jun 2026 16:02:23 +0300 Subject: [PATCH 7/8] Remove unrelated changes --- .tekton/on-cm-runner.yaml | 2 +- kustomize/base/argilla/argilla-service.yaml | 2 +- .../argilla/argilla-user-feedback-pvc.yaml | 2 +- kustomize/base/argilla/deployment.yaml | 8 +- kustomize/base/argilla/service.yaml | 6 +- kustomize/base/exploit-iq-config.yml.bak | 314 ++++++++++++++++++ kustomize/base/exploit_iq_client.yaml | 4 +- 7 files changed, 326 insertions(+), 12 deletions(-) create mode 100644 kustomize/base/exploit-iq-config.yml.bak diff --git a/.tekton/on-cm-runner.yaml b/.tekton/on-cm-runner.yaml index 1b227d63c..439d6114e 100644 --- a/.tekton/on-cm-runner.yaml +++ b/.tekton/on-cm-runner.yaml @@ -26,7 +26,7 @@ spec: value: "{{ trigger_comment }}" # Point to the image ALREADY built by the PR pipeline - name: target-image - value: quay.io/ecosystem-appeng/rhtpa-exploit-intelligence-agent:on-pr-{{revision}} + value: quay.io/ecosystem-appeng/agent-morpheus-rh:on-pr-{{revision}} pipelineSpec: params: diff --git a/kustomize/base/argilla/argilla-service.yaml b/kustomize/base/argilla/argilla-service.yaml index 65a1ea6f3..cc9f2840b 100644 --- a/kustomize/base/argilla/argilla-service.yaml +++ b/kustomize/base/argilla/argilla-service.yaml @@ -6,7 +6,7 @@ metadata: app: argilla spec: selector: - app: exploit-intelligence-feedback-api + app: morpheus-feedback-api ports: - protocol: TCP port: 6900 diff --git a/kustomize/base/argilla/argilla-user-feedback-pvc.yaml b/kustomize/base/argilla/argilla-user-feedback-pvc.yaml index bdcbc7b52..8a730ef7c 100644 --- a/kustomize/base/argilla/argilla-user-feedback-pvc.yaml +++ b/kustomize/base/argilla/argilla-user-feedback-pvc.yaml @@ -4,7 +4,7 @@ kind: PersistentVolumeClaim metadata: name: argilla-user-feedback-pvc labels: - app: exploit-intelligence-feedback-api + app: morpheus-feedback-api spec: accessModes: - ReadWriteOnce 
diff --git a/kustomize/base/argilla/deployment.yaml b/kustomize/base/argilla/deployment.yaml index 7f898faa4..0e1c6601d 100644 --- a/kustomize/base/argilla/deployment.yaml +++ b/kustomize/base/argilla/deployment.yaml @@ -1,20 +1,20 @@ apiVersion: apps/v1 kind: Deployment metadata: - name: exploit-intelligence-feedback-api + name: morpheus-feedback-api labels: - app: exploit-intelligence-feedback-api + app: morpheus-feedback-api spec: replicas: 1 selector: matchLabels: - app: exploit-intelligence-feedback-api + app: morpheus-feedback-api strategy: type: Recreate template: metadata: labels: - app: exploit-intelligence-feedback-api + app: morpheus-feedback-api spec: restartPolicy: Always imagePullSecrets: diff --git a/kustomize/base/argilla/service.yaml b/kustomize/base/argilla/service.yaml index 5ad95328f..545316330 100644 --- a/kustomize/base/argilla/service.yaml +++ b/kustomize/base/argilla/service.yaml @@ -1,12 +1,12 @@ apiVersion: v1 kind: Service metadata: - name: exploit-intelligence-feedback-api + name: morpheus-feedback-api labels: - app: exploit-intelligence-feedback-api + app: morpheus-feedback-api spec: selector: - app: exploit-intelligence-feedback-api + app: morpheus-feedback-api ports: - protocol: TCP port: 5001 diff --git a/kustomize/base/exploit-iq-config.yml.bak b/kustomize/base/exploit-iq-config.yml.bak new file mode 100644 index 000000000..abfa7d15b --- /dev/null +++ b/kustomize/base/exploit-iq-config.yml.bak 
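Review bot: The pod labels in kustomize/base/argilla/deployment.yaml go back to `app: morpheus-feedback-api`, but kustomize/network-policy.yaml, which PATCH 1/8 changed according to its diffstat, is not part of this revert. If that policy's selectors were renamed to `exploit-intelligence-feedback-api` there, which is not visible here, they would no longer match these pods and the policy would stop applying to them. Before merging, check that every selector referring to this app (the NetworkPolicy, the two Services and the PVC label) agrees with the final label.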
@@ -0,0 +1,314 @@ +# SPDX-FileCopyrightText: Copyright (c) 2025, NVIDIA CORPORATION & AFFILIATES. All rights reserved. +# SPDX-License-Identifier: Apache-2.0 +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +general: + front_end: + _type: fastapi + endpoints: + - path: /health + method: GET + description: Perform a health check. + function_name: health_check + use_uvloop: true + telemetry: + tracing: + phoenix: + _type: phoenix + endpoint: ${OTEL_TRACES_ENDPOINT:-http://localhost:6006/v1/traces} + project: cve_agent + +functions: + cve_generate_vdbs: + _type: cve_generate_vdbs + agent_name: cve_agent_executor # Used to determine which tools are enabled + embedder_name: nim_embedder + base_git_dir: ${EXPLOIT_IQ_DATA_DIR:-/exploit-iq-data/}git + base_vdb_dir: ${EXPLOIT_IQ_DATA_DIR:-/exploit-iq-data/}vdb + base_code_index_dir: ${EXPLOIT_IQ_DATA_DIR:-/exploit-iq-data/}code_index + base_pickle_dir: ${EXPLOIT_IQ_DATA_DIR:-/exploit-iq-data/}pickle + base_rpm_dir: ${EXPLOIT_IQ_DATA_DIR:-/exploit-iq-data/}rpms + ignore_code_embedding: true + cve_fetch_intel: + _type: cve_fetch_intel + retry_on_client_errors: false + intel_plugin_config: + plugin_name: vuln_analysis.data_models.plugins.intel_plugin.SimpleHttpIntelPlugin + plugin_config: + source: Product Security research + endpoint: CALLBACK_URL_PLACEHOLDER/api/v1/vulnerabilities/{vuln_id}/comments + token_path: /var/run/secrets/kubernetes.io/serviceaccount/token + verify_path: /app/certs/service-ca.crt + + cve_process_sbom: + 
_type: cve_process_sbom + cve_check_vuln_deps : + _type: cve_check_vuln_deps + skip: true + cve_checklist: + _type: cve_checklist + llm_name: checklist_llm + Call Chain Analyzer: + _type: transitive_code_search + enable_transitive_search: true + Function Caller Finder: + _type: calling_function_name_extractor + enable_functions_usage_search: true + Function Locator: + _type: package_and_function_locator + Function Library Version Finder: + _type: calling_function_library_version_finder + Code Semantic Search: + _type: local_vdb_retriever + embedder_name: nim_embedder + llm_name: code_vdb_retriever_llm + vdb_type: code + return_source_documents: false + Docs Semantic Search: + _type: local_vdb_retriever + embedder_name: nim_embedder + llm_name: doc_vdb_retriever_llm + vdb_type: doc + return_source_documents: false + Code Keyword Search: + _type: lexical_code_search + top_k: 5 + Source Grep: + _type: source_grep + base_checker_dir: ${EXPLOIT_IQ_DATA_DIR:-/exploit-iq-data/}checker + max_results: 50 + context_lines: 2 + CVE Web Search: + _type: serp_wrapper + max_retries: 5 + Container Analysis Data: + _type: container_image_analysis_data + cve_agent_executor: + _type: cve_agent_executor + llm_name: cve_agent_executor_llm + tool_names: + - Code Semantic Search + - Docs Semantic Search + - Code Keyword Search + - CVE Web Search + - Call Chain Analyzer + - Function Caller Finder + - Function Locator + - Function Library Version Finder + max_concurrency: null + max_iterations: 10 + prompt_examples: false + replace_exceptions: true + replace_exceptions_value: "I do not have a definitive answer for this checklist item." 
+ return_intermediate_steps: false +# transitive_search_tool_enabled: false + cve_web_search_enabled: true + verbose: false + cve_generate_cvss: + _type: cve_generate_cvss + skip: true + llm_name: generate_cvss_llm + tool_names: + - Code Semantic Search + - Docs Semantic Search + - Code Keyword Search + - Container Analysis Data + max_concurrency: null + max_iterations: 10 + prompt_examples: true + replace_exceptions: false + replace_exceptions_value: "Failed to generate CVSS for this analysis." + return_intermediate_steps: false + verbose: false + cve_summarize: + _type: cve_summarize + llm_name: summarize_llm + cve_justify: + _type: cve_justify + llm_name: justify_llm + cve_generate_vex: + _type: cve_generate_vex + skip: false + # vex_format: csaf + cve_http_output: + _type: cve_http_output + url: CALLBACK_URL_PLACEHOLDER + endpoint: /api/v1/reports + auth_type: bearer + token_path: /var/run/secrets/kubernetes.io/serviceaccount/token + verify_path: /app/certs/service-ca.crt + enable_mlops: ${ENABLE_MLOPS:-false} + mlops_config: + mlops_url: http://localhost:8080 + auth_type: "bearer" + token_path: "/var/run/secrets/kubernetes.io/serviceaccount/token" + verify_path: "/app/certs/service-ca.crt" + enable_verify: true + cve_calculate_intel_score: + _type: cve_calculate_intel_score + llm_name: intel_source_score_llm + generate_intel_score: true + intel_low_score: 51 + insist_analysis: false + cve_source_acquisition: + _type: cve_source_acquisition + base_git_dir: ${EXPLOIT_IQ_DATA_DIR:-/exploit-iq-data/}git + base_pickle_dir: ${EXPLOIT_IQ_DATA_DIR:-/exploit-iq-data/}pickle + base_rpm_dir: ${EXPLOIT_IQ_DATA_DIR:-/exploit-iq-data/}rpms + base_checker_dir: ${EXPLOIT_IQ_DATA_DIR:-/exploit-iq-data/}checker + rpm_user_type: ${RPM_USER_TYPE:-internal} + cve_checker_segmentation: + _type: cve_checker_segmentation + base_checker_dir: ${EXPLOIT_IQ_DATA_DIR:-/exploit-iq-data/}checker + base_code_index_dir: ${EXPLOIT_IQ_DATA_DIR:-/exploit-iq-data/}code_index + 
cve_package_code_agent: + _type: cve_package_code_agent + llm_name: cve_agent_executor_llm + base_checker_dir: ${EXPLOIT_IQ_DATA_DIR:-/exploit-iq-data/}checker + base_code_index_dir: ${EXPLOIT_IQ_DATA_DIR:-/exploit-iq-data/}code_index + rpm_user_type: ${RPM_USER_TYPE:-internal} + tool_names: + - Source Grep + - Code Keyword Search + cve_checker_report: + _type: cve_checker_report + llm_name: cve_agent_executor_llm + base_checker_dir: ${EXPLOIT_IQ_DATA_DIR:-/exploit-iq-data/}checker + cve_build_agent: + _type: cve_build_agent + llm_name: cve_agent_executor_llm + base_checker_dir: ${EXPLOIT_IQ_DATA_DIR:-/exploit-iq-data/}checker + max_iterations: 10 + tool_names: + - Source Grep + - Code Keyword Search + health_check: + _type: health_check + +llms: + checklist_llm: + _type: ${LLM_TYPE_CHECKLIST:-nim} + api_key: ${LLM_API_KEY_CHECKLIST:-"EMPTY"} + base_url: ${CHECKLIST_LLM_API_BASE:-https://integrate.api.nvidia.com/v1} + model_name: ${CHECKLIST_MODEL_NAME:-meta/llama-3.1-70b-instruct} + temperature: 0.0 + max_tokens: 2000 + top_p: 0.01 + code_vdb_retriever_llm: + _type: ${LLM_TYPE_VDB_CODE_RETRIEVER:-nim} + api_key: ${LLM_API_KEY_CODE_VDB_RETRIEVER:-"EMPTY"} + base_url: ${CODE_VDB_RETRIEVER_API_BASE:-https://integrate.api.nvidia.com/v1} + model_name: ${CODE_VDB_RETRIEVER_MODEL_NAME:-meta/llama-3.1-70b-instruct} + temperature: 0.0 + max_tokens: 2000 + top_p: 0.01 + doc_vdb_retriever_llm: + _type: ${LLM_TYPE_VDB_DOC_RETRIEVER:-nim} + api_key: ${LLM_API_KEY_DOC_VDB_RETRIEVER:-"EMPTY"} + base_url: ${DOC_VDB_RETRIEVER_API_BASE:-https://integrate.api.nvidia.com/v1} + model_name: ${DOC_VDB_RETRIEVER_MODEL_NAME:-meta/llama-3.1-70b-instruct} + temperature: 0.0 + max_tokens: 2000 + top_p: 0.01 + cve_agent_executor_llm: + _type: ${LLM_TYPE_AGENT_EXECUTOR:-nim} + api_key: ${LLM_API_KEY_AGENT_EXECUTOR:-"EMPTY"} + base_url: ${AGENT_EXECUTOR_LLM_API_BASE:-https://integrate.api.nvidia.com/v1} + model_name: ${AGENT_EXECUTOR_MODEL_NAME:-meta/llama-3.1-70b-instruct} + temperature: 0.0 + 
max_tokens: 2000 + top_p: 0.01 + generate_cvss_llm: + _type: ${LLM_TYPE_GENERATE_CVSS:-nim} + api_key: ${LLM_API_KEY_GENERATE_CVSS:-"EMPTY"} + base_url: ${GENERATE_CVSS_LLM_API_BASE:-https://integrate.api.nvidia.com/v1} + model_name: ${GENERATE_CVSS_MODEL_NAME:-meta/llama-3.1-70b-instruct} + temperature: 0.0 + max_tokens: 1024 + top_p: 0.01 + summarize_llm: + _type: ${LLM_TYPE_SUMMARIZE:-nim} + api_key: ${LLM_API_KEY_SUMMARIZE:-"EMPTY"} + base_url: ${SUMMARIZE_LLM_API_BASE:-https://integrate.api.nvidia.com/v1} + model_name: ${SUMMARIZE_MODEL_NAME:-meta/llama-3.1-70b-instruct} + temperature: 0.0 + max_tokens: 1024 + top_p: 0.01 + justify_llm: + _type: ${LLM_TYPE_JUSTIFY:-nim} + api_key: ${LLM_API_KEY_JUSTIFY:-"EMPTY"} + base_url: ${JUSTIFY_LLM_API_BASE:-https://integrate.api.nvidia.com/v1} + model_name: ${JUSTIFY_MODEL_NAME:-meta/llama-3.1-70b-instruct} + temperature: 0.0 + max_tokens: 1024 + top_p: 0.01 + + intel_source_score_llm: + _type: ${LLM_TYPE_INTEL_SOURCE_SCORE:-nim} + api_key: ${LLM_API_KEY_INTEL_SOURCE_SCORE:-"EMPTY"} + base_url: ${INTEL_SOURCE_SCORE_LLM_API_BASE:-https://integrate.api.nvidia.com/v1} + model_name: ${INTEL_SOURCE_SCORE_MODEL_NAME:-meta/llama-3.1-70b-instruct} + temperature: 0.0 + max_tokens: 1024 + top_p: 0.01 + +embedders: + nim_embedder: + _type: nim + base_url: ${NIM_EMBED_BASE_URL:-https://integrate.api.nvidia.com/v1} + model_name: ${EMBEDDER_MODEL_NAME:-nvidia/nv-embedqa-e5-v5} + truncate: END + max_batch_size: 128 + +workflow: + _type: cve_agent + cve_generate_vdbs_name: cve_generate_vdbs + cve_fetch_intel_name: cve_fetch_intel + cve_calculate_intel_score_name: cve_calculate_intel_score + cve_process_sbom_name: cve_process_sbom + cve_check_vuln_deps_name: cve_check_vuln_deps + cve_checklist_name: cve_checklist + cve_agent_executor_name: cve_agent_executor + cve_generate_cvss_name: cve_generate_cvss + cve_generate_vex_name: cve_generate_vex + cve_summarize_name: cve_summarize + cve_justify_name: cve_justify + cve_output_config_name: 
cve_http_output + cve_source_acquisition_name: cve_source_acquisition + cve_checker_segmentation_name: cve_checker_segmentation + cve_package_code_agent_name: cve_package_code_agent + cve_checker_report_name: cve_checker_report + cve_build_agent_name: cve_build_agent + +eval: + general: + output_dir: ./.tmp/eval/cve_agent + dataset: + _type: json + file_path: data/eval_datasets/eval_dataset.json + + profiler: + token_uniqueness_forecast: true + workflow_runtime_forecast: true + compute_llm_metrics: true + csv_exclude_io_text: true + prompt_caching_prefixes: + enable: true + min_frequency: 0.1 + bottleneck_analysis: + # Can also be simple_stack + enable_nested_stack: true + concurrency_spike_analysis: + enable: true + spike_threshold: 7 diff --git a/kustomize/base/exploit_iq_client.yaml b/kustomize/base/exploit_iq_client.yaml index b4cd58564..d9a582bdd 100644 --- a/kustomize/base/exploit_iq_client.yaml +++ b/kustomize/base/exploit_iq_client.yaml @@ -26,8 +26,8 @@ spec: args: - ./application - -Dquarkus.http.host=0.0.0.0 - - -Dquarkus.log.category."com.redhat.ecosystemappeng.exploitintelligence".level=DEBUG - image: quay.io/ecosystem-appeng/exploit-intelligence-client:latest + - -Dquarkus.log.category."com.redhat.ecosystemappeng.exploitiq".level=DEBUG + image: quay.io/ecosystem-appeng/agent-morpheus-client:latest imagePullPolicy: Always ports: - name: http From 1df818d27059d089f0048700309b435fa26e8b1f Mon Sep 17 00:00:00 2001 From: Tamar Weisskopf Date: Wed, 24 Jun 2026 16:15:58 +0300 Subject: [PATCH 8/8] Remove unrelated changes --- kustomize/base/exploit-iq-config.yml.bak | 314 ----------------------- 1 file changed, 314 deletions(-) delete mode 100644 kustomize/base/exploit-iq-config.yml.bak diff --git a/kustomize/base/exploit-iq-config.yml.bak b/kustomize/base/exploit-iq-config.yml.bak deleted file mode 100644 index abfa7d15b..000000000 --- a/kustomize/base/exploit-iq-config.yml.bak +++ /dev/null 
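Review bot: `kustomize/base/exploit-iq-config.yml.bak` is a backup copy that enters history in a commit titled "Remove unrelated changes" and is deleted again by PATCH 8/8; squashing the two commits keeps the 314-line copy out of the history. The copy shown holds only placeholders and environment-variable references (`CALLBACK_URL_PLACEHOLDER`, `${LLM_API_KEY_CHECKLIST:-"EMPTY"}`, token file paths), so nothing visible needs rotating, but a backup of a locally edited config is a common way for real keys to leak. An ignore rule such as `*.bak` in `.gitignore` would stop it recurring.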
@@ -1,314 +0,0 @@ -# SPDX-FileCopyrightText: Copyright (c) 2025, NVIDIA CORPORATION & AFFILIATES. All rights reserved. -# SPDX-License-Identifier: Apache-2.0 -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -general: - front_end: - _type: fastapi - endpoints: - - path: /health - method: GET - description: Perform a health check. - function_name: health_check - use_uvloop: true - telemetry: - tracing: - phoenix: - _type: phoenix - endpoint: ${OTEL_TRACES_ENDPOINT:-http://localhost:6006/v1/traces} - project: cve_agent - -functions: - cve_generate_vdbs: - _type: cve_generate_vdbs - agent_name: cve_agent_executor # Used to determine which tools are enabled - embedder_name: nim_embedder - base_git_dir: ${EXPLOIT_IQ_DATA_DIR:-/exploit-iq-data/}git - base_vdb_dir: ${EXPLOIT_IQ_DATA_DIR:-/exploit-iq-data/}vdb - base_code_index_dir: ${EXPLOIT_IQ_DATA_DIR:-/exploit-iq-data/}code_index - base_pickle_dir: ${EXPLOIT_IQ_DATA_DIR:-/exploit-iq-data/}pickle - base_rpm_dir: ${EXPLOIT_IQ_DATA_DIR:-/exploit-iq-data/}rpms - ignore_code_embedding: true - cve_fetch_intel: - _type: cve_fetch_intel - retry_on_client_errors: false - intel_plugin_config: - plugin_name: vuln_analysis.data_models.plugins.intel_plugin.SimpleHttpIntelPlugin - plugin_config: - source: Product Security research - endpoint: CALLBACK_URL_PLACEHOLDER/api/v1/vulnerabilities/{vuln_id}/comments - token_path: /var/run/secrets/kubernetes.io/serviceaccount/token - verify_path: /app/certs/service-ca.crt - - cve_process_sbom: - 
_type: cve_process_sbom - cve_check_vuln_deps : - _type: cve_check_vuln_deps - skip: true - cve_checklist: - _type: cve_checklist - llm_name: checklist_llm - Call Chain Analyzer: - _type: transitive_code_search - enable_transitive_search: true - Function Caller Finder: - _type: calling_function_name_extractor - enable_functions_usage_search: true - Function Locator: - _type: package_and_function_locator - Function Library Version Finder: - _type: calling_function_library_version_finder - Code Semantic Search: - _type: local_vdb_retriever - embedder_name: nim_embedder - llm_name: code_vdb_retriever_llm - vdb_type: code - return_source_documents: false - Docs Semantic Search: - _type: local_vdb_retriever - embedder_name: nim_embedder - llm_name: doc_vdb_retriever_llm - vdb_type: doc - return_source_documents: false - Code Keyword Search: - _type: lexical_code_search - top_k: 5 - Source Grep: - _type: source_grep - base_checker_dir: ${EXPLOIT_IQ_DATA_DIR:-/exploit-iq-data/}checker - max_results: 50 - context_lines: 2 - CVE Web Search: - _type: serp_wrapper - max_retries: 5 - Container Analysis Data: - _type: container_image_analysis_data - cve_agent_executor: - _type: cve_agent_executor - llm_name: cve_agent_executor_llm - tool_names: - - Code Semantic Search - - Docs Semantic Search - - Code Keyword Search - - CVE Web Search - - Call Chain Analyzer - - Function Caller Finder - - Function Locator - - Function Library Version Finder - max_concurrency: null - max_iterations: 10 - prompt_examples: false - replace_exceptions: true - replace_exceptions_value: "I do not have a definitive answer for this checklist item." 
- return_intermediate_steps: false -# transitive_search_tool_enabled: false - cve_web_search_enabled: true - verbose: false - cve_generate_cvss: - _type: cve_generate_cvss - skip: true - llm_name: generate_cvss_llm - tool_names: - - Code Semantic Search - - Docs Semantic Search - - Code Keyword Search - - Container Analysis Data - max_concurrency: null - max_iterations: 10 - prompt_examples: true - replace_exceptions: false - replace_exceptions_value: "Failed to generate CVSS for this analysis." - return_intermediate_steps: false - verbose: false - cve_summarize: - _type: cve_summarize - llm_name: summarize_llm - cve_justify: - _type: cve_justify - llm_name: justify_llm - cve_generate_vex: - _type: cve_generate_vex - skip: false - # vex_format: csaf - cve_http_output: - _type: cve_http_output - url: CALLBACK_URL_PLACEHOLDER - endpoint: /api/v1/reports - auth_type: bearer - token_path: /var/run/secrets/kubernetes.io/serviceaccount/token - verify_path: /app/certs/service-ca.crt - enable_mlops: ${ENABLE_MLOPS:-false} - mlops_config: - mlops_url: http://localhost:8080 - auth_type: "bearer" - token_path: "/var/run/secrets/kubernetes.io/serviceaccount/token" - verify_path: "/app/certs/service-ca.crt" - enable_verify: true - cve_calculate_intel_score: - _type: cve_calculate_intel_score - llm_name: intel_source_score_llm - generate_intel_score: true - intel_low_score: 51 - insist_analysis: false - cve_source_acquisition: - _type: cve_source_acquisition - base_git_dir: ${EXPLOIT_IQ_DATA_DIR:-/exploit-iq-data/}git - base_pickle_dir: ${EXPLOIT_IQ_DATA_DIR:-/exploit-iq-data/}pickle - base_rpm_dir: ${EXPLOIT_IQ_DATA_DIR:-/exploit-iq-data/}rpms - base_checker_dir: ${EXPLOIT_IQ_DATA_DIR:-/exploit-iq-data/}checker - rpm_user_type: ${RPM_USER_TYPE:-internal} - cve_checker_segmentation: - _type: cve_checker_segmentation - base_checker_dir: ${EXPLOIT_IQ_DATA_DIR:-/exploit-iq-data/}checker - base_code_index_dir: ${EXPLOIT_IQ_DATA_DIR:-/exploit-iq-data/}code_index - 
cve_package_code_agent: - _type: cve_package_code_agent - llm_name: cve_agent_executor_llm - base_checker_dir: ${EXPLOIT_IQ_DATA_DIR:-/exploit-iq-data/}checker - base_code_index_dir: ${EXPLOIT_IQ_DATA_DIR:-/exploit-iq-data/}code_index - rpm_user_type: ${RPM_USER_TYPE:-internal} - tool_names: - - Source Grep - - Code Keyword Search - cve_checker_report: - _type: cve_checker_report - llm_name: cve_agent_executor_llm - base_checker_dir: ${EXPLOIT_IQ_DATA_DIR:-/exploit-iq-data/}checker - cve_build_agent: - _type: cve_build_agent - llm_name: cve_agent_executor_llm - base_checker_dir: ${EXPLOIT_IQ_DATA_DIR:-/exploit-iq-data/}checker - max_iterations: 10 - tool_names: - - Source Grep - - Code Keyword Search - health_check: - _type: health_check - -llms: - checklist_llm: - _type: ${LLM_TYPE_CHECKLIST:-nim} - api_key: ${LLM_API_KEY_CHECKLIST:-"EMPTY"} - base_url: ${CHECKLIST_LLM_API_BASE:-https://integrate.api.nvidia.com/v1} - model_name: ${CHECKLIST_MODEL_NAME:-meta/llama-3.1-70b-instruct} - temperature: 0.0 - max_tokens: 2000 - top_p: 0.01 - code_vdb_retriever_llm: - _type: ${LLM_TYPE_VDB_CODE_RETRIEVER:-nim} - api_key: ${LLM_API_KEY_CODE_VDB_RETRIEVER:-"EMPTY"} - base_url: ${CODE_VDB_RETRIEVER_API_BASE:-https://integrate.api.nvidia.com/v1} - model_name: ${CODE_VDB_RETRIEVER_MODEL_NAME:-meta/llama-3.1-70b-instruct} - temperature: 0.0 - max_tokens: 2000 - top_p: 0.01 - doc_vdb_retriever_llm: - _type: ${LLM_TYPE_VDB_DOC_RETRIEVER:-nim} - api_key: ${LLM_API_KEY_DOC_VDB_RETRIEVER:-"EMPTY"} - base_url: ${DOC_VDB_RETRIEVER_API_BASE:-https://integrate.api.nvidia.com/v1} - model_name: ${DOC_VDB_RETRIEVER_MODEL_NAME:-meta/llama-3.1-70b-instruct} - temperature: 0.0 - max_tokens: 2000 - top_p: 0.01 - cve_agent_executor_llm: - _type: ${LLM_TYPE_AGENT_EXECUTOR:-nim} - api_key: ${LLM_API_KEY_AGENT_EXECUTOR:-"EMPTY"} - base_url: ${AGENT_EXECUTOR_LLM_API_BASE:-https://integrate.api.nvidia.com/v1} - model_name: ${AGENT_EXECUTOR_MODEL_NAME:-meta/llama-3.1-70b-instruct} - temperature: 0.0 - 
max_tokens: 2000 - top_p: 0.01 - generate_cvss_llm: - _type: ${LLM_TYPE_GENERATE_CVSS:-nim} - api_key: ${LLM_API_KEY_GENERATE_CVSS:-"EMPTY"} - base_url: ${GENERATE_CVSS_LLM_API_BASE:-https://integrate.api.nvidia.com/v1} - model_name: ${GENERATE_CVSS_MODEL_NAME:-meta/llama-3.1-70b-instruct} - temperature: 0.0 - max_tokens: 1024 - top_p: 0.01 - summarize_llm: - _type: ${LLM_TYPE_SUMMARIZE:-nim} - api_key: ${LLM_API_KEY_SUMMARIZE:-"EMPTY"} - base_url: ${SUMMARIZE_LLM_API_BASE:-https://integrate.api.nvidia.com/v1} - model_name: ${SUMMARIZE_MODEL_NAME:-meta/llama-3.1-70b-instruct} - temperature: 0.0 - max_tokens: 1024 - top_p: 0.01 - justify_llm: - _type: ${LLM_TYPE_JUSTIFY:-nim} - api_key: ${LLM_API_KEY_JUSTIFY:-"EMPTY"} - base_url: ${JUSTIFY_LLM_API_BASE:-https://integrate.api.nvidia.com/v1} - model_name: ${JUSTIFY_MODEL_NAME:-meta/llama-3.1-70b-instruct} - temperature: 0.0 - max_tokens: 1024 - top_p: 0.01 - - intel_source_score_llm: - _type: ${LLM_TYPE_INTEL_SOURCE_SCORE:-nim} - api_key: ${LLM_API_KEY_INTEL_SOURCE_SCORE:-"EMPTY"} - base_url: ${INTEL_SOURCE_SCORE_LLM_API_BASE:-https://integrate.api.nvidia.com/v1} - model_name: ${INTEL_SOURCE_SCORE_MODEL_NAME:-meta/llama-3.1-70b-instruct} - temperature: 0.0 - max_tokens: 1024 - top_p: 0.01 - -embedders: - nim_embedder: - _type: nim - base_url: ${NIM_EMBED_BASE_URL:-https://integrate.api.nvidia.com/v1} - model_name: ${EMBEDDER_MODEL_NAME:-nvidia/nv-embedqa-e5-v5} - truncate: END - max_batch_size: 128 - -workflow: - _type: cve_agent - cve_generate_vdbs_name: cve_generate_vdbs - cve_fetch_intel_name: cve_fetch_intel - cve_calculate_intel_score_name: cve_calculate_intel_score - cve_process_sbom_name: cve_process_sbom - cve_check_vuln_deps_name: cve_check_vuln_deps - cve_checklist_name: cve_checklist - cve_agent_executor_name: cve_agent_executor - cve_generate_cvss_name: cve_generate_cvss - cve_generate_vex_name: cve_generate_vex - cve_summarize_name: cve_summarize - cve_justify_name: cve_justify - cve_output_config_name: 
cve_http_output - cve_source_acquisition_name: cve_source_acquisition - cve_checker_segmentation_name: cve_checker_segmentation - cve_package_code_agent_name: cve_package_code_agent - cve_checker_report_name: cve_checker_report - cve_build_agent_name: cve_build_agent - -eval: - general: - output_dir: ./.tmp/eval/cve_agent - dataset: - _type: json - file_path: data/eval_datasets/eval_dataset.json - - profiler: - token_uniqueness_forecast: true - workflow_runtime_forecast: true - compute_llm_metrics: true - csv_exclude_io_text: true - prompt_caching_prefixes: - enable: true - min_frequency: 0.1 - bottleneck_analysis: - # Can also be simple_stack - enable_nested_stack: true - concurrency_spike_analysis: - enable: true - spike_threshold: 7