Cursor/advance pentagi with ai composer 1 969f#194
Co-authored-by: shivakumaar.umasudan <shivakumaar.umasudan@devopsai.co>
9 issues found across 11 files
Prompt for AI agents (all 9 issues)
Check if these issues are valid — if so, understand the root cause of each and fix them.
<file name="PENTAGI_IMPROVEMENTS_SUMMARY.md">
<violation number="1" location="PENTAGI_IMPROVEMENTS_SUMMARY.md:100">
P2: The risk scoring formula has incorrect operator precedence. Due to `*` binding tighter than `+`, only `business_impact * 0.2` is multiplied by 10. The formula should wrap the entire weighted sum in parentheses before multiplying by 10 to achieve the documented 0.0-10.0 range.</violation>
</file>
<file name="fixops-enterprise/src/api/v1/pentagi.py">
<violation number="1" location="fixops-enterprise/src/api/v1/pentagi.py:5">
P3: Unused imports: `Query` and `Mapping` are imported but never used. Remove them to keep the imports clean.</violation>
<violation number="2" location="fixops-enterprise/src/api/v1/pentagi.py:44">
P2: Potential mutation of input data: `payload.get("metadata", {})` returns the original dict reference if "metadata" exists in payload. Subsequent assignments mutate the original payload. Use `.copy()` or create a new dict to avoid side effects.</violation>
</file>
<file name="frontend/src/pages/RiskGraph.jsx">
<violation number="1" location="frontend/src/pages/RiskGraph.jsx:316">
P1: Memory leak: The polling interval created in `handleRunMicroPentest` is not cleaned up on component unmount. If the component unmounts while polling is active, `setInterval` and `setTimeout` continue running, potentially calling `setState` on an unmounted component. Consider storing the interval ID in a ref and clearing it in the cleanup effect.</violation>
<violation number="2" location="frontend/src/pages/RiskGraph.jsx:573">
P2: Context menu positioning bug: Using `position: 'absolute'` with `clientX`/`clientY` viewport coordinates will position the menu incorrectly relative to the positioned parent container. Use `position: 'fixed'` instead to correctly position at viewport coordinates.</violation>
</file>
<file name="QUICK_START.md">
<violation number="1" location="QUICK_START.md:146">
P2: Broken documentation links: `pentagi/INTEGRATION.md` and `pentagi/ADVANCED_FEATURES.md` do not exist. The `pentagi/` directory is empty. Either create these files or update the links to point to existing documentation.</violation>
</file>
<file name="fixops-enterprise/src/api/v1/micro_pentest.py">
<violation number="1" location="fixops-enterprise/src/api/v1/micro_pentest.py:34">
P3: Redundant authentication dependency. `authenticated_payload` already includes `Depends(authenticate)` internally, so the explicit `_: None = Depends(authenticate)` is unnecessary and causes authentication to run twice.</violation>
<violation number="2" location="fixops-enterprise/src/api/v1/micro_pentest.py:99">
P2: Information leakage risk: exposing raw internal service error responses to clients could reveal sensitive implementation details or stack traces. Consider logging the full error server-side and returning a generic error message to clients.</violation>
<violation number="3" location="fixops-enterprise/src/api/v1/micro_pentest.py:191">
P1: Direct function call bypasses FastAPI dependency injection. The `authenticated_payload` dependency includes payload size validation and content-type checks that are skipped when calling `run_micro_pentest` directly. Consider extracting the core logic into a shared helper function that both endpoints can use, or use proper HTTP client calls.</violation>
</file>
P2: The risk scoring formula has incorrect operator precedence. Due to * binding tighter than +, only business_impact * 0.2 is multiplied by 10. The formula should wrap the entire weighted sum in parentheses before multiplying by 10 to achieve the documented 0.0-10.0 range.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At PENTAGI_IMPROVEMENTS_SUMMARY.md, line 100:
<comment>The risk scoring formula has incorrect operator precedence. Due to `*` binding tighter than `+`, only `business_impact * 0.2` is multiplied by 10. The formula should wrap the entire weighted sum in parentheses before multiplying by 10 to achieve the documented 0.0-10.0 range.</comment>
<file context>
@@ -0,0 +1,259 @@
+- Exploitability factor (0.0 - 1.0)
+- Impact factor (0.0 - 1.0)
+- Business impact factor (0.0 - 1.0)
+- Final score: (exploitability * 0.4) + (impact * 0.4) + (business_impact * 0.2) * 10
+
+## Integration Points
</file context>
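As an added illustration (not code from the PR), both readings of the summary's formula evaluated on the corners of the factor ranges; the function names are hypothetical.

```python
# Added example (not code from the PR): the formula as written in
# PENTAGI_IMPROVEMENTS_SUMMARY.md next to the parenthesised version, checked
# on every combination of 0.0 and 1.0 for the three factors.
from itertools import product
from typing import Callable, Tuple


def score_as_written(exploitability: float, impact: float, business_impact: float) -> float:
    """Formula exactly as the summary states it: only the last term is scaled by 10."""
    return (exploitability * 0.4) + (impact * 0.4) + (business_impact * 0.2) * 10


def score_intended(exploitability: float, impact: float, business_impact: float) -> float:
    """Whole weighted sum in parentheses, then scaled to the documented 0.0-10.0 range."""
    return ((exploitability * 0.4) + (impact * 0.4) + (business_impact * 0.2)) * 10


def score_range(fn: Callable[[float, float, float], float]) -> Tuple[float, float]:
    """Min and max of fn over the corners of the input cube.

    Both formulas are linear in each factor, so their extremes over
    [0, 1]^3 are attained at these corners.
    """
    values = [fn(e, i, b) for e, i, b in product((0.0, 1.0), repeat=3)]
    return min(values), max(values)


if __name__ == "__main__":
    # A fully exploitable, high-impact finding on a critical asset should be a 10;
    # the formula as written tops out at 2.8.
    print("as written:", score_range(score_as_written))
    print("intended:  ", score_range(score_intended))
```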
P3: Unused imports: Query and Mapping are imported but never used. Remove them to keep the imports clean.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At fixops-enterprise/src/api/v1/pentagi.py, line 5:
<comment>Unused imports: `Query` and `Mapping` are imported but never used. Remove them to keep the imports clean.</comment>
<file context>
@@ -0,0 +1,135 @@
+
+from __future__ import annotations
+
+from typing import Any, Dict, Mapping, MutableMapping
+
+from fastapi import APIRouter, Depends, HTTPException, Query, status
</file context>
P2: Potential mutation of input data: payload.get("metadata", {}) returns the original dict reference if "metadata" exists in payload. Subsequent assignments mutate the original payload. Use .copy() or create a new dict to avoid side effects.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At fixops-enterprise/src/api/v1/pentagi.py, line 44:
<comment>Potential mutation of input data: `payload.get("metadata", {})` returns the original dict reference if "metadata" exists in payload. Subsequent assignments mutate the original payload. Use `.copy()` or create a new dict to avoid side effects.</comment>
<file context>
@@ -0,0 +1,135 @@
+
+ # Prepare context and metadata
+ context = payload.get("context", {})
+ metadata = payload.get("metadata", {})
+ metadata["source"] = "pentagi"
+ metadata["integration_type"] = "penetration_test"
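Review bot: besides the aliasing, neither context nor metadata is checked to be a dict before keys are assigned. The default in `.get("metadata", {})` only applies when the key is absent, so a client sending `"metadata": null` gets None back and `"metadata": "x"` gets a str; `metadata["source"] = "pentagi"` then raises TypeError and the request fails as a 500 rather than a validation error. Fall back to {} on None, reject non-mapping values with a 4xx, and build the annotated dict from a copy.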
</file context>
Suggested change:
- metadata = payload.get("metadata", {})
+ metadata = {**payload.get("metadata", {})}
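An added example (not the PR's code) that reproduces the aliasing cubic describes and shows a copying helper that also handles a null or non-object metadata field; the function names are hypothetical.

```python
# Added example (not code from the PR): why payload.get("metadata", {}) aliases
# the caller's dict, and a helper that annotates a copy instead.
from typing import Any, Callable, Dict, Mapping


def prepare_metadata_aliased(payload: Dict[str, Any]) -> Dict[str, Any]:
    """Mirrors the reviewed pattern: the dict returned IS payload["metadata"] when present."""
    metadata = payload.get("metadata", {})
    metadata["source"] = "pentagi"
    metadata["integration_type"] = "penetration_test"
    return metadata


def prepare_metadata(payload: Mapping[str, Any]) -> Dict[str, Any]:
    """Copy first, then annotate.

    Also tolerates "metadata": null (JSON clients send it, and .get() returns
    None rather than the default when the key is present) and rejects values
    that are not JSON objects instead of failing on key assignment.
    """
    original = payload.get("metadata")
    if original is None:
        original = {}
    if not isinstance(original, Mapping):
        raise TypeError("metadata must be a JSON object")
    metadata: Dict[str, Any] = dict(original)  # shallow copy breaks the alias
    metadata["source"] = "pentagi"
    metadata["integration_type"] = "penetration_test"
    return metadata


def caller_payload_unchanged(prepare: Callable[[Dict[str, Any]], Dict[str, Any]]) -> bool:
    """True if a caller's payload still looks the same after prepare() ran on it."""
    payload = {"metadata": {"ticket": "SEC-123"}}  # constructed sample input
    before = dict(payload["metadata"])
    prepare(payload)
    return payload["metadata"] == before


if __name__ == "__main__":
    print("aliased helper leaves payload untouched:", caller_payload_unchanged(prepare_metadata_aliased))
    print("copying helper leaves payload untouched:", caller_payload_unchanged(prepare_metadata))
```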
P2: Context menu positioning bug: Using position: 'absolute' with clientX/clientY viewport coordinates will position the menu incorrectly relative to the positioned parent container. Use position: 'fixed' instead to correctly position at viewport coordinates.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At frontend/src/pages/RiskGraph.jsx, line 573:
<comment>Context menu positioning bug: Using `position: 'absolute'` with `clientX`/`clientY` viewport coordinates will position the menu incorrectly relative to the positioned parent container. Use `position: 'fixed'` instead to correctly position at viewport coordinates.</comment>
<file context>
@@ -409,9 +557,111 @@ const RiskGraph = () => {
+ <div
+ ref={contextMenuRef}
+ style={{
+ position: 'absolute',
+ left: `${contextMenu.x}px`,
+ top: `${contextMenu.y}px`,
</file context>
Suggested change:
- position: 'absolute',
+ position: 'fixed',
P1: Memory leak: The polling interval created in handleRunMicroPentest is not cleaned up on component unmount. If the component unmounts while polling is active, setInterval and setTimeout continue running, potentially calling setState on an unmounted component. Consider storing the interval ID in a ref and clearing it in the cleanup effect.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At frontend/src/pages/RiskGraph.jsx, line 316:
<comment>Memory leak: The polling interval created in `handleRunMicroPentest` is not cleaned up on component unmount. If the component unmounts while polling is active, `setInterval` and `setTimeout` continue running, potentially calling `setState` on an unmounted component. Consider storing the interval ID in a ref and clearing it in the cleanup effect.</comment>
<file context>
@@ -214,29 +220,171 @@ const RiskGraph = () => {
+ })
+
+ // Poll for status updates
+ const pollInterval = setInterval(async () => {
+ try {
+ const statusResponse = await api.get(`/micro-pentest/status/${response.data.flow_id}`)
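Review bot: the callback handed to setInterval is async and awaits api.get, so when a status request takes longer than the interval the next tick fires before the previous one resolves and requests overlap. Scheduling the next poll with setTimeout only after the await completes (and clearing that timer on unmount, per the point above) avoids both the overlap and the leak. Also response.data.flow_id is interpolated straight into the URL path; wrap it in encodeURIComponent so an unexpected id cannot alter the route.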
</file context>
P2: Broken documentation links: pentagi/INTEGRATION.md and pentagi/ADVANCED_FEATURES.md do not exist. The pentagi/ directory is empty. Either create these files or update the links to point to existing documentation.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At QUICK_START.md, line 146:
<comment>Broken documentation links: `pentagi/INTEGRATION.md` and `pentagi/ADVANCED_FEATURES.md` do not exist. The `pentagi/` directory is empty. Either create these files or update the links to point to existing documentation.</comment>
<file context>
@@ -0,0 +1,148 @@
+
+## Next Steps
+
+- Read [INTEGRATION.md](pentagi/INTEGRATION.md) for detailed integration guide
+- Read [ADVANCED_FEATURES.md](pentagi/ADVANCED_FEATURES.md) for feature documentation
+- Review [PENTAGI_IMPROVEMENTS_SUMMARY.md](PENTAGI_IMPROVEMENTS_SUMMARY.md) for complete overview
</file context>
P3: Redundant authentication dependency. authenticated_payload already includes Depends(authenticate) internally, so the explicit _: None = Depends(authenticate) is unnecessary and causes authentication to run twice.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At fixops-enterprise/src/api/v1/micro_pentest.py, line 34:
<comment>Redundant authentication dependency. `authenticated_payload` already includes `Depends(authenticate)` internally, so the explicit `_: None = Depends(authenticate)` is unnecessary and causes authentication to run twice.</comment>
<file context>
@@ -0,0 +1,216 @@
+@router.post("/run", response_model=dict)
+async def run_micro_pentest(
+ payload: Dict[str, Any] = Depends(authenticated_payload),
+ _: None = Depends(authenticate),
+) -> MutableMapping[str, Any]:
+ """Run micro penetration tests for selected CVEs using PentAGI."""
</file context>
P2: Information leakage risk: exposing raw internal service error responses to clients could reveal sensitive implementation details or stack traces. Consider logging the full error server-side and returning a generic error message to clients.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At fixops-enterprise/src/api/v1/micro_pentest.py, line 99:
<comment>Information leakage risk: exposing raw internal service error responses to clients could reveal sensitive implementation details or stack traces. Consider logging the full error server-side and returning a generic error message to clients.</comment>
<file context>
@@ -0,0 +1,216 @@
+ )
+ raise HTTPException(
+ status_code=status.HTTP_502_BAD_GATEWAY,
+ detail=f"PentAGI API error: {response.text}",
+ )
+
</file context>
P1: Direct function call bypasses FastAPI dependency injection. The authenticated_payload dependency includes payload size validation and content-type checks that are skipped when calling run_micro_pentest directly. Consider extracting the core logic into a shared helper function that both endpoints can use, or use proper HTTP client calls.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At fixops-enterprise/src/api/v1/micro_pentest.py, line 191:
<comment>Direct function call bypasses FastAPI dependency injection. The `authenticated_payload` dependency includes payload size validation and content-type checks that are skipped when calling `run_micro_pentest` directly. Consider extracting the core logic into a shared helper function that both endpoints can use, or use proper HTTP client calls.</comment>
<file context>
@@ -0,0 +1,216 @@
+ "target_urls": config.get("target_urls", []),
+ "context": config.get("context", {}),
+ }
+ tasks.append(run_micro_pentest(task_payload, None))
+
+ results = await asyncio.gather(*tasks, return_exceptions=True)
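Review bot: with return_exceptions=True, results holds exception instances alongside normal return values, so whatever consumes results after this line must check each item with isinstance(r, BaseException); otherwise a failed task is either serialized into the response or raises AttributeError later. Sort results into successes and failures explicitly, log the exception server-side, and report only the task index and a generic message to the client.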
</file context>
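An added sketch (not the PR's code) of the shape cubic suggests: the per-task logic in a helper that both the single and the batch entry points call, so the validation that would otherwise live only in the HTTP dependency runs on every path, and the gather results checked for exceptions before being returned. The PentAGI call is replaced by a hypothetical echo and the size limit is a constructed stand-in.

```python
# Added example (not code from the PR): shared core helper plus explicit
# handling of asyncio.gather(return_exceptions=True) results.
import asyncio
from typing import Any, Dict, List, Mapping, MutableMapping

MAX_PAYLOAD_BYTES = 64 * 1024  # constructed limit standing in for the request-path size check


def validate_task_payload(payload: Mapping[str, Any]) -> None:
    """Checks a direct function call would skip; kept here so both entry points share them."""
    if not isinstance(payload.get("target_urls"), list):
        raise ValueError("target_urls must be a list")
    if len(repr(payload)) > MAX_PAYLOAD_BYTES:
        raise ValueError("payload too large")


async def run_micro_pentest_core(payload: Mapping[str, Any]) -> MutableMapping[str, Any]:
    """Shared core. Hypothetical stand-in for the PentAGI call: it only echoes the task."""
    validate_task_payload(payload)
    await asyncio.sleep(0)  # yield to the loop, as the real upstream call would
    return {"status": "submitted", "target_urls": list(payload["target_urls"])}


async def run_batch(configs: List[Mapping[str, Any]]) -> Dict[str, Any]:
    """Batch entry point: one core task per config, failures reported per index."""
    tasks = [
        run_micro_pentest_core(
            {"target_urls": c.get("target_urls", []), "context": c.get("context", {})}
        )
        for c in configs
    ]
    results = await asyncio.gather(*tasks, return_exceptions=True)
    submitted: List[MutableMapping[str, Any]] = []
    failed: List[Dict[str, Any]] = []
    for idx, result in enumerate(results):
        if isinstance(result, BaseException):
            # Full exception belongs in the server log; the client gets the index and type only.
            failed.append({"index": idx, "error": type(result).__name__})
        else:
            submitted.append(result)
    return {"submitted": submitted, "failed": failed}


def run_batch_sync(configs: List[Mapping[str, Any]]) -> Dict[str, Any]:
    """Convenience wrapper for scripts and tests."""
    return asyncio.run(run_batch(configs))
```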
Summary by cubic
Adds micro penetration testing from the Risk Graph using PentAGI. Users can multi-select CVEs, run tests, and monitor status; FixOps now ingests PentAGI findings and reports.
Written for commit 381acea.