Skip to content

[Phase 1] Stage 4: Exploit enrichment (KEV, Exploit-DB, GitHub, ExploitResearchAgent) #7

Description

@varun-polpakkara

Summary

For each CRITICAL or HIGH finding with reachability_status == REACHABLE, determines whether a known working exploit exists in the wild.

Lookup order (stops at first match)

  1. KEV table — CVE in CISA's catalog -> WEAPONIZED (strongest signal)
  2. Exploit-DB table — verified entry -> WEAPONIZED; unverified -> POC_EXISTS
  3. GitHub Search API — Metasploit module found -> WEAPONIZED; public repos with >5 stars -> POC_EXISTS
  4. ExploitResearchAgent — Tavily web search + URL fetch. Called only when 1-3 return nothing.

Result

Sets Finding.exploit_availability (WEAPONIZED / POC_EXISTS / NO_KNOWN_EXPLOIT / UNKNOWN) and Finding.exploit_details. Sets SBOMSnapshot.status = "EXPLOIT_DONE".

Critical constraint

Only HIGH + CRITICAL findings with REACHABLE status are processed. A not-reachable finding's exploit status is irrelevant to prioritisation.

Verify

  • Log4Shell (CVE-2021-44228) -> WEAPONIZED via KEV/Exploit-DB lookup, no LLM call made
  • Finding with no known exploit -> NO_KNOWN_EXPLOIT
  • NOT_REACHABLE findings are skipped entirely

Metadata

Metadata

Labels

Fields

No fields configured for Feature.

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions