In [1]:
import argparse
import os
from models.model_manager import ModelManager
from data.data_fetcher import DataFetcher
from analysis.cve_analyzer import CVEAnalyzer
from analysis.codebase_analyzer import CodebaseAnalyzer

  from .autonotebook import tqdm as notebook_tqdm


In [2]:
# Enumerate the configured providers/models, then prompt for a choice.
# select_model() returns a (name, provider) pair; the tuple itself is kept in
# `selected_model` because a later cell reuses it.
model_manager = ModelManager()
available_models = model_manager.get_available_models()
model_name, model_provider = selected_model = model_manager.select_model()



Available AI Models:
  - models/gemini-1.5-pro-latest (gemini)
  - models/gemini-1.5-pro-002 (gemini)
  - models/gemini-1.5-pro (gemini)
  - models/gemini-1.5-flash-latest (gemini)
  - models/gemini-1.5-flash (gemini)
  - models/gemini-1.5-flash-002 (gemini)
  - models/gemini-1.5-flash-8b (gemini)
  - models/gemini-1.5-flash-8b-001 (gemini)
  - models/gemini-1.5-flash-8b-latest (gemini)
  - models/gemini-2.5-pro-preview-03-25 (gemini)
  - models/gemini-2.5-flash-preview-05-20 (gemini)
  - models/gemini-2.5-flash (gemini)
  - models/gemini-2.5-flash-lite-preview-06-17 (gemini)
  - models/gemini-2.5-pro-preview-05-06 (gemini)
  - models/gemini-2.5-pro-preview-06-05 (gemini)
  - models/gemini-2.5-pro (gemini)
  - models/gemini-2.0-flash-exp (gemini)
  - models/gemini-2.0-flash (gemini)
  - models/gemini-2.0-flash-001 (gemini)
  - models/gemini-2.0-flash-lite-001 (gemini)
  - models/gemini-2.0-flash-lite (gemini)
  - models/gemini-2.0-flash-lite-preview-02-05 (gemini)
  - models/gemini-2.

In [3]:
# Build the chat model from the (name, provider) pair chosen above.
# 0.3 is the sampling temperature: kept low so repeated runs of the analysis
# stay close to deterministic.
llm = model_manager.initialize_model(*selected_model, 0.3)

In [4]:
# Show the configured client. The repr masks the API key (SecretStr), so this
# output is safe to keep in the saved notebook; the endpoint and model name are
# still visible and worth checking before sharing.
display(llm)

ChatMistralAI(client=<httpx.Client object at 0x12453d450>, async_client=<httpx.AsyncClient object at 0x12453ee90>, mistral_api_key=SecretStr('**********'), endpoint='https://api.mistral.ai/v1', model='mistral-small-latest', temperature=0.3, model_kwargs={})

In [5]:
# Data source for CVE lookups (no model involved).
data_fetcher = DataFetcher()

# Both analyzers are built around the single `llm` instance configured above,
# so whatever they are handed (CVE records, repository text) presumably goes to
# that model's provider.
cve_analyzer = CVEAnalyzer(llm)
codebase_analyzer = CodebaseAnalyzer(llm)

In [6]:
# Fetch CVE data
# CVE under review. It is a literal here; note that downstream cells embed it
# verbatim in output file names as well as in the analysis prompt.
cve = "CVE-2022-25858"

# Pull the CVE record plus any supplementary vulnerability data.
cve_data = data_fetcher.fetch_cve_data(cve)
additional_data = data_fetcher.fetch_additional_vulnerability_data(cve)

# Run the model-backed analysis. The result is a 4-tuple:
# (description, severity, affected products, free-text detailed analysis).
description, severity, affected_products, detailed_analysis = cve_analyzer.analyze_cve(cve, cve_data, additional_data)

In [7]:
# Save detailed analysis to a file
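# Save the CVE analysis as a markdown report under output_dir.
# NOTE: `cve` is embedded verbatim in the file name. It is a literal in the
# cell above; if it is ever taken from user input, validate it as a CVE id
# first so it cannot carry path separators into os.path.join.
output_dir = "analysis_results"
os.makedirs(output_dir, exist_ok=True)
output_filename = os.path.join(output_dir, f"{cve} - AI analysis.md")

# Assemble the report once, then write it in a single pass. The section text
# is byte-identical to the previous line-by-line writes.
report_sections = [
    f"# CVE: {cve}\n\n",
    f"## Description\n{description}\n\n",
    f"## Severity\n{severity}\n\n",
    "## Affected Products\n",
    *(f"  - {product}\n" for product in affected_products),
    f"\n## Detailed AI Analysis\n{detailed_analysis}\n",
]
# Explicit encoding: model output and product names may contain non-ASCII
# text, and the platform default encoding is not guaranteed to be UTF-8.
with open(output_filename, "w", encoding="utf-8") as f:
    f.writelines(report_sections)
print(f"\nDetailed analysis saved to {output_filename}")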


Detailed analysis saved to analysis_results/CVE-2022-25858 - AI analysis.md


In [8]:
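# Path of the repository to check against the CVE. Overridable through the
# CODEBASE_PATH environment variable so the notebook is not tied to one
# machine; the original hard-coded location is kept as the fallback.
# (`os` is already imported in the first cell.)
codebase = os.environ.get(
    "CODEBASE_PATH", "/Users/tuliotutui/Documents/GitHub/cliged-dash"
)

codebase_name = os.path.basename(codebase.rstrip(os.sep))
banner = "=" * 80
print(f"\n{banner}")
print(f"Codebase Analysis: {codebase_name} ({codebase})")
print(banner)

# Load codebase. Judging by the progress output, the loader walks the whole
# tree (node_modules included), so expect load errors on binary/vendored files.
documents = codebase_analyzer.load_codebase(codebase)
if not documents:
    # Stop here rather than continue: running the relevance analysis on an
    # empty document set would only produce a misleading report.
    raise RuntimeError(f"Failed to load codebase: {codebase}")

# Analyze codebase relevance. The analyzer wraps `llm`, so the loaded
# repository text presumably leaves the machine for the model provider's API;
# that text is untrusted input to the prompt, and the returned analysis is
# model-generated. Cross-check its claims (affected package, vulnerability
# class) against the fetched record in `cve_data` before acting on them.
relevance_analysis = codebase_analyzer.analyze_codebase_relevance(
    cve, description, affected_products, documents
)

print(relevance_analysis)

# One report per (codebase, CVE) pair. Written with "w", like the CVE report
# in the cell above, so re-running this cell replaces the file instead of
# appending a second copy of the same header and analysis.
output_filename = os.path.join(output_dir, f"{codebase_name} - {cve} - AI analysis.md")
with open(output_filename, "w", encoding="utf-8") as f:
    f.write(f"# Analysis of {codebase_name} for {cve}\n\n")
    f.write(f"\n## Codebase Relevance Analysis\n{relevance_analysis}\n")
print(f"\nCodebase analysis saved to {output_filename}")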


Codebase Analysis: cliged-dash (/Users/tuliotutui/Documents/GitHub/cliged-dash)


  4%|▎         | 2508/68058 [00:00<00:12, 5365.98it/s]Error loading file /Users/tuliotutui/Documents/GitHub/cliged-dash/node_modules/typescript/ThirdPartyNoticeText.txt: Error loading /Users/tuliotutui/Documents/GitHub/cliged-dash/node_modules/typescript/ThirdPartyNoticeText.txt
  9%|▉         | 6198/68058 [00:01<00:10, 6087.00it/s]Error loading file /Users/tuliotutui/Documents/GitHub/cliged-dash/node_modules/fsevents/fsevents.node: Error loading /Users/tuliotutui/Documents/GitHub/cliged-dash/node_modules/fsevents/fsevents.node
 15%|█▌        | 10433/68058 [00:01<00:12, 4612.84it/s]Error loading file /Users/tuliotutui/Documents/GitHub/cliged-dash/node_modules/source-map/lib/mappings.wasm: Error loading /Users/tuliotutui/Documents/GitHub/cliged-dash/node_modules/source-map/lib/mappings.wasm
 21%|██        | 14036/68058 [00:02<00:09, 5799.72it/s]Error loading file /Users/tuliotutui/Documents/GitHub/cliged-dash/node_modules/jsc-android/dist/org/webkit/android-jsc-cppruntime/r250231/androi

### **Final Analysis: CVE-2022-25858 Relevance to the Codebase**

#### **1. Does the Codebase Use Affected Dependencies?**
- **Yes**, the codebase includes **AWS SDK for JavaScript (v3.x)** packages (`@aws-sdk/client-personalize-events@3.6.1`, `@aws-sdk/client-pinpoint@3.6.1`).
- **CVE-2022-25858** affects **AWS SDK v3.x prior to 3.129.0**, making the codebase **vulnerable** due to its use of **v3.6.1**.
- The vulnerability is a **Server-Side Request Forgery (SSRF)** issue where the SDK fails to properly validate URLs in HTTP requests, allowing attackers to make unauthorized requests to internal systems.

#### **2. Are There Patterns Matching the Vulnerability?**
- The vulnerability arises when the AWS SDK processes **untrusted or user-controlled input** in HTTP requests.
- The codebase does not explicitly show vulnerable patterns, but if it:
  - Passes **user-supplied URLs** to AWS SDK methods (e.g., `client.send()`).
  - Uses dynamic input in AWS API calls (e.g., `PutEventsCommand` w

In [None]:
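# Re-initialise the model from the earlier selection. initialize_model takes
# (name, provider, temperature) — see the cell that produced the ChatMistralAI
# client above — so the (name, provider) tuple must be unpacked; passing the
# tuple as a single positional argument is an arity mismatch.
llm = model_manager.initialize_model(*selected_model, 0.3)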

In [11]:
# Raw description from the fetched CVE record. Useful as the ground truth to
# compare the model-generated analysis against.
display(cve_data["cve"]["descriptions"])

'The package terser before 4.8.1, from 5.0.0 and before 5.14.2 are vulnerable to Regular Expression Denial of Service (ReDoS) due to insecure usage of regular expressions.'

In [12]:
# Spot-check the fetcher against a well-known record (Log4Shell): the
# description field should come back populated.
display(data_fetcher.fetch_cve_data("CVE-2021-44228")["cve"]["descriptions"])

'Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.'