In [1]:
# Reload edited modules automatically so changes to the snyk_ai package are
# picked up without restarting the kernel.
%load_ext autoreload
%autoreload 2

### Security Advisory Collection

In [8]:
from snyk_ai.advisories import Advisories
from snyk_ai import Models

# Load every advisory found under the data directory (path is relative to this notebook).
ADVISORIES = Advisories("../data/advisories")

print(f"Loaded {len(ADVISORIES)} advisories:\n")
for advisory in ADVISORIES:
    # One entry per advisory: filename, title, and its block/section counts,
    # followed by a blank separator line.
    entry = [
        f" * {advisory.filename}",
        f"   {advisory.title}",
        f"   {len(advisory.blocks)} blocks, {len(advisory.sections)} sections",
        "",
    ]
    print("\n".join(entry))

# LLM used for summarizing code blocks; the same model is handed to
# get_chunks() and init_vectordb() in the cells below.
MODEL = Models.Llama_3_2

Loaded 8 advisories:

 * advisory-001.md
   Cross-Site Scripting (XSS) in express-validator
   43 blocks, 13 sections

 * advisory-002.md
   SQL Injection in webapp-auth
   56 blocks, 15 sections

 * advisory-003.md
   Dependency Confusion in secure-config
   73 blocks, 15 sections

 * advisory-004.md
   Path Traversal in data-processor
   61 blocks, 15 sections

 * advisory-005.md
   Remote Code Execution in file-handler
   65 blocks, 15 sections

 * advisory-006.md
   Cross-Site Request Forgery (CSRF) in api-client
   57 blocks, 15 sections

 * advisory-007.md
   Server-Side Request Forgery (SSRF) in http-server
   67 blocks, 15 sections

 * advisory-008.md
   Insecure Deserialization in json-parser
   61 blocks, 15 sections



### A Security Advisory

In [10]:
# Select a single advisory by filename and show its title and executive summary.
adv = ADVISORIES["advisory-003.md"]

# Title, blank line, summary — same layout as three separate print calls.
print(adv.title, adv.executive_summary, sep="\n\n")

Dependency Confusion in secure-config

A dependency confusion vulnerability has been discovered in the `secure-config` package affecting versions 3.0.0 through 3.1.9. This vulnerability allows attackers to potentially inject malicious packages into the dependency resolution process by exploiting missing package integrity checks and scoped package naming conflicts.


In [27]:
# Print every block of the selected advisory as a fixed-width table: block index
# and type in the left column, the first PREVIEW_WIDTH characters of each line
# on the right, and a dashed rule after each block.
PREVIEW_WIDTH = 50
LABEL_WIDTH = 18  # width of the "  NN: type" label column (2 + 2 + 2 + 12)

for idx, block in enumerate(adv.blocks):
    label = f"  {idx:2}: {block.type.value:12}"
    # Blocks without explicit lines are shown as a single row of their content.
    rows = block.lines or [block.content]
    for row in rows:
        preview = row[:PREVIEW_WIDTH].replace("\n", " ")
        if len(row) > PREVIEW_WIDTH:
            preview += "..."
        print(f"{label} | {preview}")
        label = " " * LABEL_WIDTH  # only the first row carries the index/type
    print(f"{'-' * LABEL_WIDTH}-|-{'-' * (PREVIEW_WIDTH + 3)}")

   0: header       | Security Advisory: Dependency Confusion in secure-...
-------------------|------------------------------------------------------
   1: paragraph    | **CVE ID:** CVE-2024-1237  
                   | **Package:** secure-config  
                   | **Ecosystem:** npm  
                   | **Severity:** Medium  
                   | **CVSS Score:** 6.5  
                   | **Published:** February 10, 2024
-------------------|------------------------------------------------------
   2: header       | Executive Summary
-------------------|------------------------------------------------------
   3: paragraph    | A dependency confusion vulnerability has been disc...
-------------------|------------------------------------------------------
   4: header       | Vulnerability Details
-------------------|------------------------------------------------------
   5: header       | Description
-------------------|------------------------------------------------------
   

## Sections

A section is a header together with all the blocks that follow it up to the next header.

In [None]:
# Section breakdown: for each section print its header, the types of the
# markdown blocks it holds, and the chunks it yields for MODEL (chunk text is
# previewed at 70 characters).
print(f"Total sections: {len(adv.sections)}")

for number, section in enumerate(adv.sections, start=1):
    block_types = " ".join(b.type.value for b in section.blocks)
    print(f'\n---\n\n{number:2}. Section: "{section.header.content}"')
    print()
    print(f"    Markdown blocks ({len(section.blocks)}): {block_types}")
    print()

    chunks = section.get_chunks(model=MODEL)
    print(f"    Chunks ({len(chunks)}):")
    for chunk in chunks:
        preview = chunk.text
        if len(preview) > 70:
            preview = preview[:70] + "..."
        print(f"      [{chunk.source_type.value}] {preview}")


In [None]:
# Initialise the vector store for the loaded advisories using MODEL.
# NOTE(review): the search cell below presumably depends on this having run first — confirm.
ADVISORIES.init_vectordb(MODEL)

In [None]:
# Query the indexed advisories; the return value of search() is the cell output.
QUERY = "Explain how path traversal attacks work and show me a vulnerable code example."
ADVISORIES.search(QUERY)