Merge pull request #151 from zvigrinberg/fix-checklist-problems

zvigrinberg · web-flow · commit daf988c4d290 · 2025-11-26T22:15:41.000+02:00
fix: regressive bugs of agent
diff --git a/kustomize/base/exploit-iq-config.yml b/kustomize/base/exploit-iq-config.yml
@@ -103,7 +103,7 @@ functions:
     verbose: false
   cve_generate_cvss:
     _type: cve_generate_cvss
-    skip: false
+    skip: true
     llm_name: generate_cvss_llm
     tool_names:
       - Code Semantic Search
diff --git a/src/vuln_analysis/configs/config-http-openai.yml b/src/vuln_analysis/configs/config-http-openai.yml
@@ -97,7 +97,7 @@ functions:
     verbose: false
   cve_generate_cvss:
     _type: cve_generate_cvss
-    skip: false
+    skip: true
     llm_name: generate_cvss_llm
     tool_names:
       - Code Semantic Search
diff --git a/src/vuln_analysis/configs/config-tracing.yml b/src/vuln_analysis/configs/config-tracing.yml
@@ -100,7 +100,7 @@ functions:
     verbose: false
   cve_generate_cvss:
     _type: cve_generate_cvss
-    skip: false
+    skip: true
     llm_name: generate_cvss_llm
     tool_names:
       - Code Semantic Search
diff --git a/src/vuln_analysis/configs/config.yml b/src/vuln_analysis/configs/config.yml
@@ -77,7 +77,7 @@ functions:
     verbose: false
   cve_generate_cvss:
     _type: cve_generate_cvss
-    skip: false
+    skip: true
     llm_name: generate_cvss_llm
     tool_names:
       - Code Semantic Search
diff --git a/src/vuln_analysis/utils/prompting.py b/src/vuln_analysis/utils/prompting.py
@@ -570,11 +570,12 @@ def build_prompt(self) -> str:
    - Include relevant context from the CVE
 
 2. CONTENT PRIORITIES:
-   - If the CVE mentions a specific vulnerable function or method, the FIRST 
-     checklist item must verify whether that function is called or imported 
-     in the codebase
+   - If the CVE mentions a specific vulnerable function or method in a given package or library, the FIRST
+     checklist item must verify whether that function in that package or library is called or imported
+     in the codebase - function should be specified together with the package name,
+     for example : 'Is the function1 function from the package1 package called in the codebase?'
    - Focus on exploitability factors (version presence is already confirmed)
-   - Include specific technical names from the CVE (functions, libraries, 
+   - Include specific technical names from the CVE (functions, libraries,
      configurations, cipher modes, etc.)
    - Consider the attack vector (network exposure, user input, file processing, etc.)
    - Address relevant security controls or mitigations
