feat: add CSAF VEX document generation

pyproject.toml

@@ -33,6 +33,8 @@ dependencies = [
   "tree-sitter-languages==1.10.2",
   "univers==30.12",
   "litellm<=1.75.8",
+  "csaf-tool==0.3.2",
+  "jsonschema>=4.0.0,<5.0.0",
 ]
 requires-python = ">=3.11,<3.13"
 description = "NVIDIA AI Blueprint: Vulnerability Analysis for Container Security"

src/exploit_iq_commons/utils/dep_tree.py

@@ -12,7 +12,6 @@
 from packaging.specifiers import SpecifierSet
 from tqdm import tqdm
 
-import logging
 import ast
 import json
 import zipfile
@@ -180,7 +179,7 @@ def find_all_files(self, root_dir):
                                 try:
                                     full_path.rename(new_path)
                                 except Exception as e:
-                                    logging.warning(
+                                    logger.warning(
                                         "Rename failed: %s → %s: %s",
                                         full_path, new_path, e
                                     )
@@ -815,7 +814,7 @@ def get_go_mod_graph_tree(manifest_path) -> str:
                 f"manifest wasn't found at {manifest_path}, error details => "
                 f"{repr(e)}"
             )
-            logging.error(error_message_exception)
+            logger.error(error_message_exception)
             raise e
         return process_object.stdout
 

src/exploit_iq_commons/utils/js_extended_parser.py

@@ -13,7 +13,6 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-import logging
 from typing import Any
 from typing import List
 from typing import Tuple

src/exploit_iq_commons/utils/source_code_git_loader.py

@@ -13,7 +13,6 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-import logging
 import os
 import typing
 from pathlib import Path

src/vuln_analysis/configs/config-http-nim.yml

@@ -118,6 +118,10 @@ functions:
   cve_justify:
     _type: cve_justify
     llm_name: justify_llm
+  cve_generate_vex:
+    _type: cve_generate_vex
+    skip: false
+    vex_format: csaf
   cve_http_output:
     _type: cve_http_output
     url: http://localhost:8080
@@ -213,6 +217,7 @@ workflow:
   cve_checklist_name: cve_checklist
   cve_agent_executor_name: cve_agent_executor
   cve_generate_cvss_name: cve_generate_cvss
+  cve_generate_vex_name: cve_generate_vex
   cve_summarize_name: cve_summarize
   cve_justify_name: cve_justify
   cve_output_config_name: cve_http_output

src/vuln_analysis/configs/config-http-openai.yml

@@ -125,6 +125,9 @@ functions:
   cve_justify:
     _type: cve_justify
     llm_name: justify_llm
+  cve_generate_vex:
+    _type: cve_generate_vex
+    skip: false
   cve_http_output:
     _type: cve_http_output
     url: http://localhost:8080
@@ -222,6 +225,7 @@ workflow:
   cve_checklist_name: cve_checklist
   cve_agent_executor_name: cve_agent_executor
   cve_generate_cvss_name: cve_generate_cvss
+  cve_generate_vex_name: cve_generate_vex
   cve_summarize_name: cve_summarize
   cve_justify_name: cve_justify
   cve_output_config_name: cve_http_output

src/vuln_analysis/configs/config-tracing.yml

@@ -128,6 +128,9 @@ functions:
   cve_justify:
     _type: cve_justify
     llm_name: justify_llm
+  cve_generate_vex:
+    _type: cve_generate_vex
+    skip: false
   cve_file_output:
     _type: cve_file_output
     file_path: .tmp/output.json
@@ -218,6 +221,7 @@ workflow:
   cve_checklist_name: cve_checklist
   cve_agent_executor_name: cve_agent_executor
   cve_generate_cvss_name: cve_generate_cvss
+  cve_generate_vex_name: cve_generate_vex
   cve_summarize_name: cve_summarize
   cve_justify_name: cve_justify
   cve_output_config_name: cve_file_output

src/vuln_analysis/configs/config.yml

@@ -98,6 +98,10 @@ functions:
   cve_justify:
     _type: cve_justify
     llm_name: justify_llm
+  cve_generate_vex:
+    _type: cve_generate_vex
+    skip: false
+    vex_format: csaf
   cve_file_output:
     _type: cve_file_output
     file_path: .tmp/output.json
@@ -186,6 +190,7 @@ workflow:
   cve_checklist_name: cve_checklist
   cve_agent_executor_name: cve_agent_executor
   cve_generate_cvss_name: cve_generate_cvss
+  cve_generate_vex_name: cve_generate_vex
   cve_summarize_name: cve_summarize
   cve_justify_name: cve_justify
   cve_output_config_name: cve_file_output

src/vuln_analysis/configs/openapi/openapi.json

@@ -944,17 +944,33 @@
                     },
                     "justification": {
                         "$ref": "#/components/schemas/JustificationOutput"
+                    },
+                    "intel_score": {
+                        "type": "integer",
+                        "title": "Intel Score"
+                    },
+                    "cvss": {
+                        "anyOf": [
+                            {
+                                "$ref": "#/components/schemas/CVSSOutput"
+                            },
+                            {
+                                "type": "null"
+                            }
+                        ]
                     }
                 },
                 "type": "object",
                 "required": [
                     "vuln_id",
                     "checklist",
                     "summary",
-                    "justification"
+                    "justification",
+                    "intel_score",
+                    "cvss"
                 ],
                 "title": "AgentMorpheusEngineOutput",
-                "description": "Contains all output generated by the main Agent Morpheus LLM Engine for a given vulnerability.\n\n- vuln_id: the ID of the vulnerability being processed by the LLM engine.\n- checklist: a list of ChecklistItemOutput objects, each containing an input and a response from the LLM agent.\n- summary: a short summary of the checklist inputs and responses, generated by an LLM.\n- justification: a JustificationOutput object containing details of the model's justification decision."
+                "description": "Contains all output generated by the main Agent Morpheus LLM Engine for a given vulnerability.\n\n- vuln_id: the ID of the vulnerability being processed by the LLM engine.\n- checklist: a list of ChecklistItemOutput objects, each containing an input and a response from the LLM agent.\n- summary: a short summary of the checklist inputs and responses, generated by an LLM.\n- justification: a JustificationOutput object containing details of the model's justification decision.\n- intel_score: the intelligence score for the vulnerability.\n- cvss: a CVSSOutput object containing the CVSS score and vector string for the vulnerability."
             },
             "AgentMorpheusInfo": {
                 "properties": {
@@ -1054,11 +1070,7 @@
                         "$ref": "#/components/schemas/AgentMorpheusInfo"
                     },
                     "output": {
-                        "items": {
-                            "$ref": "#/components/schemas/AgentMorpheusEngineOutput"
-                        },
-                        "type": "array",
-                        "title": "Output"
+                        "$ref": "#/components/schemas/OutputPayload"
                     }
                 },
                 "type": "object",
@@ -1218,6 +1230,25 @@
                 "type": "object",
                 "title": "CVSS3"
             },
+            "CVSSOutput": {
+                "properties": {
+                    "vector_string": {
+                        "type": "string",
+                        "title": "Vector String"
+                    },
+                    "score": {
+                        "type": "string",
+                        "title": "Score"
+                    }
+                },
+                "type": "object",
+                "required": [
+                    "vector_string",
+                    "score"
+                ],
+                "title": "CVSSOutput",
+                "description": "CVSS (Common Vulnerability Scoring System) representing the severity of a vulnerability in reference to an image.\n- vector_string: The CVSS vector string that encodes the metric values used to calculate the score.\n- score: The calculated CVSS base score representing the severity of the vulnerability in the given image."
+            },
             "CVSSV3": {
                 "properties": {
                     "attackComplexity": {
@@ -2492,6 +2523,35 @@
                 "type": "object",
                 "title": "Note"
             },
+            "OutputPayload": {
+                "properties": {
+                    "analysis": {
+                        "items": {
+                            "$ref": "#/components/schemas/AgentMorpheusEngineOutput"
+                        },
+                        "type": "array",
+                        "title": "Analysis"
+                    },
+                    "vex": {
+                        "anyOf": [
+                            {
+                                "type": "object"
+                            },
+                            {
+                                "type": "null"
+                            }
+                        ],
+                        "title": "Vex"
+                    }
+                },
+                "type": "object",
+                "required": [
+                    "analysis",
+                    "vex"
+                ],
+                "title": "OutputPayload",
+                "description": "Wrapper for final pipeline results.\n- analysis: per-vulnerability analysis results\n- vex: the vulnerability exploitability exchange document JSON"
+            },
             "PackageState": {
                 "properties": {
                     "product_name": {