## Qwen3-14B's Fine-Tuning Test

official
> ref: https://docs.unsloth.ai/models/qwen3-how-to-run-and-fine-tune#fine-tuning-qwen3-with-unsloth
> ref: https://colab.research.google.com/github/unslothai/notebooks/blob/main/nb/Qwen3_(14B)-Reasoning-Conversational.ipynb

note
> ref: https://note.com/sachi2222/n/na7b1d91ffb5d

In [2]:
# imports
## LLM
import torch
from transformers import TrainingArguments

from unsloth import FastLanguageModel, is_bfloat16_supported
from trl import SFTTrainer, SFTConfig


## Dataset
from datasets import load_dataset, Dataset
from unsloth import to_sharegpt
import re

## Load & Setting Model

In [4]:
# model loading
model, tokenizer = FastLanguageModel.from_pretrained(
    model_name="unsloth/Qwen3-14B",
    max_seq_length=40960, # context length
    load_in_4bit=True, # less mem mode
    load_in_8bit=False, # more mem mode
    full_finetuning=False # if u need full-FT
)

==((====))==  Unsloth 2025.9.11: Fast Qwen3 patching. Transformers: 4.56.2.
   \\   /|    NVIDIA RTX A6000. Num GPUs = 1. Max memory: 47.431 GB. Platform: Linux.
O^O/ \_/ \    Torch: 2.8.0+cu128. CUDA: 8.6. CUDA Toolkit: 12.8. Triton: 3.4.0
\        /    Bfloat16 = TRUE. FA [Xformers = 0.0.32.post2. FA2 = False]
 "-____-"     Free license: http://github.com/unslothai/unsloth
Unsloth: Fast downloading is enabled - ignore downloading bars which are red colored!




Loading checkpoint shards:   0%|          | 0/3 [00:00<?, ?it/s]

In [5]:
# select LoRA option
model = FastLanguageModel.get_peft_model(
    model,
    r=32, # Choose any num like 8, 16, 32, 64, 128
    target_modules=["q_proj", "k_proj", "v_proj", "o_proj", "gate_proj", "up_proj", "down_proj",],
    lora_alpha=32, # alpha = r | r*2
    lora_dropout=0, # 0 is optimized
    bias="none", # "none" is optimized
    use_gradient_checkpointing="unsloth", # True | "unsloth", for too-long context
    random_state=3407,
    use_rslora=False, # under here, optical
    loftq_config=None
)

Unsloth 2025.9.11 patched 40 layers with 40 QKV layers, 40 O layers and 40 MLP layers.


## Convert Datasets

In [46]:
# make Datasets
# load json
raw_data = load_dataset("json", data_files="./jvn_results_wordpress202304_conv_no-id.json")

# convert hugginface-style
huggingface_data = Dataset.from_list(raw_data['train'])

# convert share_gpt-style
# Three dialogue sessions are preferred
share_data = to_sharegpt(huggingface_data,
                        merged_prompt="{instruction}",
                        merged_column_name="instruction",
                        output_column_name="output",
                        conversation_extension=3)


Merging columns:   0%|          | 0/9742 [00:00<?, ? examples/s]

Converting to ShareGPT:   0%|          | 0/9742 [00:00<?, ? examples/s]

Flattening the indices:   0%|          | 0/9742 [00:00<?, ? examples/s]

Flattening the indices:   0%|          | 0/9742 [00:00<?, ? examples/s]

Flattening the indices:   0%|          | 0/9742 [00:00<?, ? examples/s]

Extending conversations:   0%|          | 0/9742 [00:00<?, ? examples/s]

In [47]:
# Minor format changes
converted_share_data = [[{
            "role": "user" if message["from"] == "human" else "assistant",
            "content": re.sub(r"\('(.+?)',\)", r"\1", message["value"])
        }
        for message in item["conversations"]
    ]
    for item in share_data
]

In [45]:
converted_share_data[0]

[{'role': 'user', 'content': 'JVNDB-2025-010225 について教えてください'},
 {'role': 'assistant',
  'content': 'JVNDB-2025-010225 とは eMagicOne の WordPress 用 eMagicOne Store Manager for WooCommerce におけるファイル名やパス名の外部制御に関する脆弱性 のことです。The eMagicOne Store Manager for WooCommerce plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the delete_file() function in all versions up to, and including, 1.2.5. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). This is only exploitable by unauthenticated attackers in default configurations where the the default password is left as 1:1, or where the attacker gains access to the credentials. この脆弱性を受けるバージョンは eMagicOne\neMagicOne Store Manager for WooCommerce 1.2.5 およびそれ以前 です'},
 {'role': 'user', 'content': 'JVNDB-2023-017528 について教えてください'},
 {'role': 'assistant',
  'conten

In [48]:
# Addition of <\llm_start\>, etc
conversations = tokenizer.apply_chat_template(
    converted_share_data,
    tokenize = False,
)

In [49]:
# Converted to Hugging Face format

targetdataset = Dataset.from_dict({"text": conversations})

## Train settings

In [54]:
# Train
trainer = SFTTrainer(
    model=model,
    tokenizer=tokenizer,
    train_dataset=targetdataset,
    eval_dataset=None, # test Datasets
    args=SFTConfig(
        dataset_text_field="text",
        per_device_train_batch_size=2,
        gradient_accumulation_steps=4,
        warmup_steps=5,
        # num_train_epochs=1,
        max_steps=30,
        learning_rate=2e-4,
        logging_steps=1,
        optim="adamw_8bit",
        weight_decay=0.01,
        lr_scheduler_type="linear",
        seed=3407,
        report_to="none"
    ),
)

Unsloth: Tokenizing ["text"] (num_proc=24):   0%|          | 0/9742 [00:00<?, ? examples/s]

## Start FT

In [55]:
trainer_stats = trainer.train()

The tokenizer has new PAD/BOS/EOS tokens that differ from the model config and generation config. The model config and generation config were aligned accordingly, being updated with the tokenizer's values. Updated tokens: {'bos_token_id': None}.
==((====))==  Unsloth - 2x faster free finetuning | Num GPUs used = 1
   \\   /|    Num examples = 9,742 | Num Epochs = 1 | Total steps = 30
O^O/ \_/ \    Batch size per device = 2 | Gradient accumulation steps = 4
\        /    Data Parallel GPUs = 1 | Total batch size (2 x 4 x 1) = 8
 "-____-"     Trainable parameters = 128,450,560 of 14,896,757,760 (0.86% trained)


Unsloth: Will smartly offload gradients to save VRAM!


Step,Training Loss
1,2.1932
2,2.2607
3,2.2155
4,2.0921
5,1.8805
6,1.6645
7,1.3723
8,1.2973
9,1.158
10,1.1581


## Inference

In [81]:
# Inference test
prompt="""
hello! Please tell me about "JVNDB-2025-010225".
"""

messages = [{"role" : "user", "content" : prompt}]

text = tokenizer.apply_chat_template(
    messages,
    tokenize = False,
    add_generation_prompt = True, # Must add for generation
    enable_thinking = False, # Disable thinking
)

from transformers import TextStreamer
_ = model.generate(
    **tokenizer(text, return_tensors = "pt").to("cuda"),
    max_new_tokens = 2048, # Increase for longer outputs!
    temperature = 0.7, top_p = 0.8, top_k = 20, # For non thinking
    streamer = TextStreamer(tokenizer, skip_prompt = True),
)


The vulnerability affects JVNDB-2025-010225. This issue affects WordPress Plugin wp-woocommerce-advanced-shipping: from n/a through 1.4.2. The WooCommerce Advanced Shipping plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the woocommerce_advanced_shipping_save_custom_location_data function in all versions up to, and including, 1.4.2. This makes it possible for authenticated attackers, with subscriber-level access and above, to update the custom shipping locations. This issue affects WooCommerce Advanced Shipping: from n/a through 1.4.2.<|im_end|>


In [None]:
# Inference test2
prompt="""
You are a white hat hacker tasked with discovering vulnerabilities in the provided source code.
Perform the following three actions on the source code below:
1. Identify the vulnerability
2. Present the risks of leaving it unaddressed
3. Provide a solution to eliminate the vulnerability

Ensure your output adheres to the following three points:
1. Output in Japanese
2. Be clear and concise
3. Use Markdown format

The source code is shown below:
---
---
<?php
// php_d100_roller.php
// Simple 100-sided dice roller application (single file)
// Usage: Place this file on your web server and open it in a browser.
// For local testing: run `php -S localhost:8000` and visit http://localhost:8000/php_d100_roller.php

session_start();

// Keep roll history in session (max 100 entries)
if (!isset($_SESSION['d100_history'])) {
    $_SESSION['d100_history'] = [];
}

$errors = [];
$results = [];
$total = 0;
$count = 1;

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // Get roll count (clamped between 1–100)
    $count = isset($_POST['count']) ? intval($_POST['count']) : 1;
    if ($count < 1) $count = 1;
    if ($count > 100) $count = 100;

    // Optional label
    $label = isset($_POST['label']) ? trim($_POST['label']) : '';

    // Perform rolls
    for ($i = 0; $i < $count; $i++) {
        $roll = random_int(1, 100);
        $results[] = $roll;
        $total += $roll;
    }

    // Add to history (newest first)
    $entry = [
        'time' => date('Y-m-d H:i:s'),
        'count' => $count,
        'label' => $label,
        'results' => $results,
        'total' => $total,
    ];

    array_unshift($_SESSION['d100_history'], $entry);
    if (count($_SESSION['d100_history']) > 100) {
        $_SESSION['d100_history'] = array_slice($_SESSION['d100_history'], 0, 100);
    }
}

$history = $_SESSION['d100_history'];
?>
<!doctype html>
<html lang="en">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width,initial-scale=1">
<title>100-sided Dice Roller</title>
<style>
    body { font-family: system-ui, -apple-system, "Segoe UI", Roboto, "Helvetica Neue", Arial; padding: 20px; }
    .box { max-width: 820px; margin: 0 auto; }
    input[type="number"] { width: 80px; }
    .badge { display:inline-block; padding:6px 10px; margin:4px; border-radius:6px; background:#eee; }
    .roll { font-weight:700; }
    .history { margin-top:20px; }
    .card { padding:12px; border:1px solid #ddd; border-radius:8px; margin-bottom:12px; }
    .muted { color:#666; font-size:0.9rem; }
</style>
</head>
<body>
<div class="box">
    <h1>100-sided Dice Roller</h1>
    <form method="post" action="<?php echo htmlspecialchars($_SERVER['PHP_SELF']); ?>">
    <label>Number of rolls (1–100): <input type="number" name="count" value="<?php echo htmlspecialchars($count); ?>" min="1" max="100"></label>
    &nbsp;
    <label>Label (optional): <input type="text" name="label" value=""></label>
    &nbsp;
    <button type="submit">Roll</button>
    </form>

    <?php if (!empty($results)): ?>
    <div class="card">
        <div class="muted">Timestamp: <?php echo htmlspecialchars($entry['time']); ?></div>
        <h2>Results</h2>
        <div>
        <?php foreach ($results as $i => $r): ?>
            <span class="badge roll">#<?php echo $i+1; ?>: <?php echo $r; ?></span>
        <?php endforeach; ?>
        </div>
        <p>Total: <strong><?php echo $total; ?></strong> / Average: <strong><?php echo count($results) ? round($total / count($results), 2) : 0; ?></strong></p>
        <?php if ($entry['label'] !== ''): ?><p>Label: <?php echo htmlspecialchars($entry['label']); ?></p><?php endif; ?>
    </div>
    <?php endif; ?>

    <div class="history">
    <h2>History (last <?php echo count($history); ?> rolls)</h2>
    <?php if (empty($history)): ?>
        <p class="muted">No rolls yet.</p>
    <?php else: ?>
        <?php foreach ($history as $idx => $h): ?>
        <div class="card">
            <div class="muted"><?php echo htmlspecialchars($h['time']); ?> — Rolls: <?php echo $h['count']; ?><?php if ($h['label'] !== ''): ?> — Label: <?php echo htmlspecialchars($h['label']); ?><?php endif; ?></div>
            <div style="margin-top:8px;">
            <?php foreach ($h['results'] as $i => $r): ?>
                <span class="badge"><?php echo $r; ?></span>
            <?php endforeach; ?>
            </div>
            <p style="margin-top:8px;">Total: <?php echo $h['total']; ?> / Average: <?php echo count($h['results']) ? round($h['total'] / count($h['results']), 2) : 0; ?></p>
        </div>
        <?php endforeach; ?>
    <?php endif; ?>
    </div>

    <div style="margin-top:20px;" class="muted">
    <p>Note: Uses <code>random_int(1, 100)</code> for cryptographically secure random number generation. The session keeps up to 100 history entries.</p>
    </div>
</div>
</body>
</html>
"""

messages = [{"role" : "user", "content" : prompt}]

text = tokenizer.apply_chat_template(
    messages,
    tokenize = False,
    add_generation_prompt = True, # Must add for generation
    enable_thinking = False, # Disable thinking
)

from transformers import TextStreamer
_ = model.generate(
    **tokenizer(text, return_tensors = "pt").to("cuda"),
    max_new_tokens = 4096, # Increase for longer outputs!
    temperature = 0.7, top_p = 0.8, top_k = 20, # For non thinking
    streamer = TextStreamer(tokenizer, skip_prompt = True),
)


# セキュリティ脆弱性の分析

## 1. 脆弱性の特定
このコードには「クロスサイトスクリプティング (XSS)」の脆弱性があります。`htmlspecialchars()`関数を使用して出力している箇所がなく、JavaScriptの注入を受ける可能性があります。

## 2. 脆弱性のリスク
この脆弱性を受けると、攻撃者がJavaScriptを注入し、ユーザーのブラウザを操作

## Save LoRA/Model

In [None]:
# save LoRA
model.save_pretrained("Vulnerability_Detection_Wordpress")
tokenizer.save_pretrained("Vulnerability_Detection_Wordpress")

In [None]:
# save ALL-MODEL
model.save_pretrained_merged("Vulnerability_Detection_Wordpress", tokenizer, save_method="merged_16bit")

In [None]:
# save ALL-MODEL as .gguf
model.save_pretrained_merged("Vulnerability_Detection_Wordpress", tokenizer)

## Upload LoRA/Model

In [None]:
# upload
