# SPDX-FileCopyrightText: Copyright (c) 2025, NVIDIA CORPORATION & AFFILIATES. All rights reserved.
# SPDX-License-Identifier: Apache-2.0
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# Runtime-wide settings: event loop choice and where traces are shipped.
general:
  use_uvloop: true
  telemetry:
    tracing:
      phoenix:
        _type: phoenix
        # Default is a local Phoenix collector over plain HTTP. If
        # OTEL_TRACES_ENDPOINT is pointed at a remote collector, use an
        # https URL: spans from this pipeline can carry prompts, retrieved
        # code/doc snippets and intel text for the software being analyzed.
        endpoint: ${OTEL_TRACES_ENDPOINT:-http://localhost:6006/v1/traces}
        project: cve_agent
# Pipeline steps and agent tools. Keys here are referenced by name from the
# `workflow` section and from each agent's `tool_names` list.
functions:
  cve_generate_vdbs:
    _type: cve_generate_vdbs
    agent_name: cve_agent_executor # Used to determine which tools are enabled
    embedder_name: nim_embedder
    # Cache directories are relative to the working directory the workflow
    # is launched from.
    # NOTE(review): base_git_dir presumably holds checked-out source of the
    # software under analysis. Treat that content as untrusted data to be
    # indexed, never executed — confirm against the cve_generate_vdbs
    # implementation.
    base_git_dir: .cache/am_cache/git
    base_vdb_dir: .cache/am_cache/vdb
    base_code_index_dir: .cache/am_cache/code_index
  cve_fetch_intel:
    _type: cve_fetch_intel
  cve_process_sbom:
    _type: cve_process_sbom
  cve_check_vuln_deps:
    _type: cve_check_vuln_deps
    skip: false
  cve_checklist:
    _type: cve_checklist
    llm_name: checklist_llm
  # Retrieval tools over the vector databases built by cve_generate_vdbs.
  # Source documents are not returned to the caller (return_source_documents: false).
  Code Semantic Search:
    _type: local_vdb_retriever
    embedder_name: nim_embedder
    llm_name: code_vdb_retriever_llm
    vdb_type: code
    return_source_documents: false
  Docs Semantic Search:
    _type: local_vdb_retriever
    embedder_name: nim_embedder
    llm_name: doc_vdb_retriever_llm
    vdb_type: doc
    return_source_documents: false
  Code Keyword Search:
    _type: lexical_code_search
    top_k: 5
  # Web search results are third-party text that, once this tool is listed in
  # an agent's tool_names, reaches the model's context. A crafted page can
  # steer the analysis (prompt injection); keep that in mind when reading
  # justifications, or disable the tool via cve_web_search_enabled below.
  CVE Web Search:
    _type: serp_wrapper
    max_retries: 5
  Container Analysis Data:
    _type: container_image_analysis_data
  cve_agent_executor:
    _type: cve_agent_executor
    llm_name: cve_agent_executor_llm
    tool_names:
      - Code Semantic Search
      - Docs Semantic Search
      # - Code Keyword Search # Uncomment to enable keyword search
      - CVE Web Search
    # NOTE(review): null presumably means "no explicit cap" — confirm in the
    # executor before running against a rate-limited endpoint.
    max_concurrency: null
    # Upper bound on agent tool-call iterations per checklist item.
    max_iterations: 10
    prompt_examples: false
    # With replace_exceptions enabled, a tool/LLM failure is reported as the
    # fallback text below rather than raised, so a failed analysis reads like
    # an inconclusive one. Keep the underlying error visible in logs (verbose
    # is off here) before trusting "no definitive answer" results.
    replace_exceptions: true
    replace_exceptions_value: "I do not have a definitive answer for this checklist item."
    return_intermediate_steps: false
    cve_web_search_enabled: true
    verbose: false
  cve_generate_cvss:
    _type: cve_generate_cvss
    # CVSS generation is disabled; the settings below only take effect once
    # skip is set to false.
    skip: true
    llm_name: generate_cvss_llm
    tool_names:
      - Code Semantic Search
      - Docs Semantic Search
      - Code Keyword Search # enabled here, unlike in cve_agent_executor
      - Container Analysis Data
    max_concurrency: null
    max_iterations: 10
    prompt_examples: true
    # Failures here are raised, not replaced; replace_exceptions_value is
    # unused while replace_exceptions is false.
    replace_exceptions: false
    replace_exceptions_value: "Failed to generate CVSS for this analysis."
    return_intermediate_steps: false
    verbose: false
  cve_summarize:
    _type: cve_summarize
    llm_name: summarize_llm
  cve_justify:
    _type: cve_justify
    llm_name: justify_llm
  cve_generate_vex:
    _type: cve_generate_vex
    skip: false
    vex_format: csaf
  cve_file_output:
    _type: cve_file_output
    # Outputs are written under .tmp/ relative to the working directory and
    # replaced on every run (overwrite: true) — copy results elsewhere if a
    # run's output must be retained.
    file_path: .tmp/output.json
    markdown_dir: .tmp/vulnerability_markdown_reports
    overwrite: true
  cve_calculate_intel_score:
    _type: cve_calculate_intel_score
    llm_name: intel_source_score_llm
    generate_intel_score: true
    # NOTE(review): the meaning of intel_low_score (threshold) and
    # insist_analysis is defined by the cve_calculate_intel_score function,
    # not visible here — check its documentation before tuning.
    intel_low_score: 51
    insist_analysis: false
# Chat models used by the pipeline steps above. Every entry defaults to
# NVIDIA's hosted API endpoint; prompts sent there include text this pipeline
# gathers about the software under analysis (retrieved code/doc snippets,
# intel). For proprietary code, point NVIDIA_API_BASE at a self-hosted NIM.
# No credentials are configured here — keep it that way (API keys belong in
# the environment or a secret store, not in this file).
# temperature 0.0 / top_p 0.01 request near-deterministic sampling; this
# does not make the analysis reproducible across model versions.
llms:
  checklist_llm:
    _type: nim
    base_url: ${NVIDIA_API_BASE:-https://integrate.api.nvidia.com/v1}
    model_name: ${CHECKLIST_MODEL_NAME:-meta/llama-3.1-70b-instruct}
    temperature: 0.0
    max_tokens: 2000
    top_p: 0.01
  code_vdb_retriever_llm:
    _type: nim
    base_url: ${NVIDIA_API_BASE:-https://integrate.api.nvidia.com/v1}
    model_name: ${CODE_VDB_RETRIEVER_MODEL_NAME:-meta/llama-3.1-70b-instruct}
    temperature: 0.0
    max_tokens: 2000
    top_p: 0.01
  doc_vdb_retriever_llm:
    _type: nim
    base_url: ${NVIDIA_API_BASE:-https://integrate.api.nvidia.com/v1}
    model_name: ${DOC_VDB_RETRIEVER_MODEL_NAME:-meta/llama-3.1-70b-instruct}
    temperature: 0.0
    max_tokens: 2000
    top_p: 0.01
  cve_agent_executor_llm:
    _type: nim
    base_url: ${NVIDIA_API_BASE:-https://integrate.api.nvidia.com/v1}
    model_name: ${CVE_AGENT_EXECUTOR_MODEL_NAME:-meta/llama-3.1-70b-instruct}
    temperature: 0.0
    max_tokens: 2000
    top_p: 0.01
  generate_cvss_llm:
    _type: nim
    base_url: ${NVIDIA_API_BASE:-https://integrate.api.nvidia.com/v1}
    model_name: ${GENERATE_CVSS_MODEL_NAME:-meta/llama-3.1-70b-instruct}
    temperature: 0.0
    max_tokens: 1024
    top_p: 0.01
  summarize_llm:
    _type: nim
    base_url: ${NVIDIA_API_BASE:-https://integrate.api.nvidia.com/v1}
    model_name: ${SUMMARIZE_MODEL_NAME:-meta/llama-3.1-70b-instruct}
    temperature: 0.0
    max_tokens: 1024
    top_p: 0.01
  justify_llm:
    _type: nim
    base_url: ${NVIDIA_API_BASE:-https://integrate.api.nvidia.com/v1}
    model_name: ${JUSTIFY_MODEL_NAME:-meta/llama-3.1-70b-instruct}
    temperature: 0.0
    max_tokens: 1024
    top_p: 0.01
  intel_source_score_llm:
    _type: nim
    base_url: ${NVIDIA_API_BASE:-https://integrate.api.nvidia.com/v1}
    # NOTE(review): this is the only entry whose model is not selected by its
    # own variable — it reuses JUSTIFY_MODEL_NAME, so overriding the justify
    # model also changes the intel-scoring model. Looks like a copy/paste
    # carry-over; confirm whether a dedicated variable was intended.
    model_name: ${JUSTIFY_MODEL_NAME:-meta/llama-3.1-70b-instruct}
    temperature: 0.0
    max_tokens: 1024
    top_p: 0.01
# Embedding model used to build and query the code/doc vector databases.
# The text being embedded (source and documentation of the analyzed
# software) is sent to base_url; the default is NVIDIA's hosted endpoint,
# so set NIM_EMBED_BASE_URL to a self-hosted NIM for proprietary code.
embedders:
  nim_embedder:
    _type: nim
    base_url: ${NIM_EMBED_BASE_URL:-https://integrate.api.nvidia.com/v1}
    model_name: ${EMBEDDER_MODEL_NAME:-nvidia/nv-embedqa-e5-v5}
    # Inputs longer than the model limit are cut at the end rather than rejected.
    truncate: END
    max_batch_size: 128
# Wires the cve_agent workflow to the steps defined under `functions`.
# Each value must match a key in that section.
workflow:
  _type: cve_agent
  cve_generate_vdbs_name: cve_generate_vdbs
  cve_fetch_intel_name: cve_fetch_intel
  cve_calculate_intel_score_name: cve_calculate_intel_score
  cve_process_sbom_name: cve_process_sbom
  cve_check_vuln_deps_name: cve_check_vuln_deps
  cve_checklist_name: cve_checklist
  cve_agent_executor_name: cve_agent_executor
  cve_generate_cvss_name: cve_generate_cvss
  cve_generate_vex_name: cve_generate_vex
  cve_summarize_name: cve_summarize
  cve_justify_name: cve_justify
  cve_output_config_name: cve_file_output
# Evaluation/profiling run settings; paths are relative to the working
# directory.
eval:
  general:
    output_dir: ./.tmp/eval/cve_agent
    dataset:
      _type: json
      file_path: data/eval_datasets/eval_dataset.json
    profiler:
      token_uniqueness_forecast: true
      workflow_runtime_forecast: true
      compute_llm_metrics: true
      # NOTE(review): presumably keeps prompt/response text out of the
      # profiler CSV — worth leaving on, since that text contains details of
      # the analyzed software; confirm against the profiler docs.
      csv_exclude_io_text: true
      prompt_caching_prefixes:
        enable: true
        min_frequency: 0.1
      bottleneck_analysis:
        # Can also be simple_stack
        enable_nested_stack: true
      concurrency_spike_analysis:
        enable: true
        spike_threshold: 7