Skip to content

APPENG-3801-B - Agent performance fixes - all agent stages #134

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 49 commits into from
Nov 18, 2025
Merged

APPENG-3801-B - Agent performance fixes - all agent stages #134

merged 49 commits into from
Nov 18, 2025

Conversation

@etsien
Copy link
Collaborator

@etsien etsien commented Oct 20, 2025
edited
Loading

Comprehensive Prompting Improvements Across Vulnerability Analysis Pipeline

This PR implements systematic improvements to all prompting stages of the vulnerability analysis pipeline, focusing on consistency, clarity, reduced verbosity, and reduced LLM hallucinations. Also incorporates tool improvements from prior PR (APPENG-3801-A).

Edit:
Also rebased to incorporate the latest PRs that were merged upstream to branch rh-aiq-main.

Summary of Changes

All 7 stages of the vulnerability analysis pipeline have been improved with:

  • Consistent XML-style section markers (<TASK>, <INSTRUCTIONS>, <EXAMPLES>, etc.)
  • Reduced verbosity while maintaining technical precision
  • Dynamic tool awareness to prevent instructing agents to use disabled tools
  • Separated LLM responsibilities from deterministic code operations
  • Improved example quality and diversity

Files Modified

Core Prompting and Utilities

  1. src/vuln_analysis/utils/prompting.py - Major restructuring

    • Added build_tool_descriptions() consolidated base function
    • Updated 6 prompt constants with structured sections
    • Simplified get_agent_prompt() and get_cvss_prompt() functions

  2. src/vuln_analysis/utils/intel_source_score.py

    • Separated LLM scoring from arithmetic calculation
    • LLM now provides only individual criterion scores
    • Code calculates total with validation

  3. src/vuln_analysis/utils/checklist_prompt_generator.py

    • Added tool_names parameter to generate_checklist()
    • Dynamic tool descriptions formatted for Jinja2 rendering
    • Structured requirements section

  4. src/vuln_analysis/utils/justification_parser.py

    • Restructured JUSTIFICATION_PROMPT with clear sections
    • Added exploitation conditions definition
    • Explicit logical precedence order for 12 categories

Function Implementations

  1. src/vuln_analysis/functions/cve_agent.py

    • Updated _create_agent() to use build_tool_descriptions()
    • Strategic tool guidance formatted locally
    • Uses partial_variables for tool_selection_strategy

  2. src/vuln_analysis/functions/cve_checklist.py

    • Added agent_name field to CVEChecklistToolConfig
    • Retrieves agent tool configuration
    • Passes agent tool names to checklist generation

  3. src/vuln_analysis/functions/cve_generate_cvss.py

    • Simplified _create_agent() function
    • Removed conditional example insertion

Tests

  1. tests/test_base_tool_descriptions.py - New test suite
    • Tests consolidated build_tool_descriptions() function
    • Validates tool description generation
    • Verifies MOD_FEW_SHOT structure

etsien added 18 commits October 2, 2025 16:13
@etsien
bugfix in the testing env
a1834bd
@etsien
update tool descriptions for clarity
1d79035
@etsien
refactor tool names to be class constants instead of disparate strings
6864fa7
@etsien
add initial unit tests
e05ea7a
@etsien
rename tool names to be more consistent and distinct
8893f5c
@etsien
update unit tests with tool names and tool constants
dd18463
@etsien
cleanup startup guide notebook
4efffcd
@etsien
rework intel source score section
8f3182e
@etsien
update agent execution stage prompts and make tool descriptions dynamic
dd215cf
@etsien
add tests for dynamic tool descriptions
35ee318
@etsien
revamp the tool description list, as well as the checklist prompt for…
0af8e7a 
… better clarity and quality
@etsien
revamp checklist prompt implementation, as well as add in dynamic too…
a882f88 
…l descriptions to both checklist and agent prompts
@etsien
update tests for tool descriptions
26f0d74
@etsien
add more detailed agent examples with more useful MRKL-formatted steps
186350d
@etsien
update for summary prompt
f71e9f8
@etsien
update justification prompt with more logic and explanations on how t…
9707671 
…o pick the class
@etsien
update CVSS prompts and cleanup examples and guidance
faeb811
@etsien
bugfix on intel source
dcf836f
@vbelouso
Copy link
Collaborator

vbelouso commented Oct 20, 2025

/ok-to-test

@zvigrinberg zvigrinberg mentioned this pull request Oct 21, 2025
Closed
@etsien
bug patch for vdb generation
efa84ad 
adding in constants during the vdb generation check
@etsien
Copy link
Collaborator Author

etsien commented Oct 21, 2025

bugfix pushed for the vdb tool issue

@zvigrinberg zvigrinberg self-requested a review October 22, 2025 11:02
zvigrinberg
zvigrinberg requested changes Oct 22, 2025
View reviewed changes
Copy link
Collaborator

@zvigrinberg zvigrinberg left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi @etsien
The agent is not being started with these changes.
Please see my comment for a quick fix and will continue from there...
anyway we fixed it manually and continued with the confusion matrix second batch run...

Thanks.

@zvigrinberg
Copy link
Collaborator

zvigrinberg commented Nov 5, 2025

/retest

@zvigrinberg
Copy link
Collaborator

zvigrinberg commented Nov 5, 2025

/retest vulnerability-analysis-on-pr

etsien added 15 commits November 5, 2025 11:59
@etsien
revamp the tool description list, as well as the checklist prompt for…
0df74b9 
… better clarity and quality
@etsien
revamp checklist prompt implementation, as well as add in dynamic too…
333c1eb 
…l descriptions to both checklist and agent prompts
@etsien
update tests for tool descriptions
29306b3
@etsien
add more detailed agent examples with more useful MRKL-formatted steps
a5368b6
@etsien
update for summary prompt
dbab156
@etsien
update justification prompt with more logic and explanations on how t…
f585abb 
…o pick the class
@etsien
update CVSS prompts and cleanup examples and guidance
b3b53e1
@etsien
bugfix on intel source
c26936e
@etsien
bug patch for vdb generation
ee0c6af 
adding in constants during the vdb generation check
@etsien
bugfix by Tamar
309a554
@etsien
update register_function() and transitive_search() descriptions
40de82e
@etsien
add function locator descriptions
7e0bddb
@etsien
add names to configs
eb09d06
@etsien
add local output for local testing
8754762
@etsien
Merge branch 'APPENG-3801-B-Agent-performance-fixes-checklist-and-exe…
3449499 
…cution-stages' of https://github.com/etsien/vulnerability-analysis into APPENG-3801-B-Agent-performance-fixes-checklist-and-execution-stages
@etsien
Copy link
Collaborator Author

etsien commented Nov 5, 2025

Just rebased to rh-aiq-main, incorporating discussed description changes to the tool prompting and configs

@etsien
Copy link
Collaborator Author

etsien commented Nov 5, 2025

/retest vulnerability-analysis-on-pr

@etsien etsien mentioned this pull request Nov 6, 2025
Open
@zvigrinberg
Copy link
Collaborator

zvigrinberg commented Nov 6, 2025

Hi @etsien ,
After you've resolved the conflicts, now the agent is crashing on startup
image
Can you please take a look and fix?

Thank you.

@etsien
Copy link
Collaborator Author

etsien commented Nov 6, 2025
edited
Loading

Hi @etsien , After you've resolved the conflicts, now the agent is crashing on startup image Can you please take a look and fix?

Thank you.

patched, forgot to bring over the bugfix from the other branch

@zvigrinberg
Copy link
Collaborator

zvigrinberg commented Nov 9, 2025

/retest vulnerability-analysis-on-pr

@zvigrinberg
Copy link
Collaborator

zvigrinberg commented Nov 10, 2025

@etsien Please rebase and resolve conflicts, and we'll merge it ( that one improved the consistency and the results significantly).

@etsien etsien requested a review from zvigrinberg November 10, 2025 15:41
@etsien
Copy link
Collaborator Author

etsien commented Nov 11, 2025

/retest vulnerability-analysis-on-pr

@zvigrinberg zvigrinberg merged commit 338adb7 into RHEcosystemAppEng:rh-aiq-main Nov 18, 2025
1 check passed
@zvigrinberg
Copy link
Collaborator

zvigrinberg commented Nov 18, 2025
edited
Loading

LGTM Approved.
remaining problems of Summarize stage and aligning Function Locator tool with the other agent tools will be done as part of #142 ( already branched out from this PR' head branch).

tmihalac pushed a commit to tmihalac/vulnerability-analysis that referenced this pull request Nov 19, 2025
@etsien
APPENG-3801-B - Agent performance fixes - all agent stages (RHEcosyst…
134dca9 
…emAppEng#134)

* bugfix in the testing env

* update tool descriptions for clarity

* refactor tool names to be class constants instead of disparate strings

* add initial unit tests

* rename tool names to be more consistent and distinct

* update unit tests with tool names and tool constants

* cleanup startup guide notebook

* rework intel source score section

* update agent execution stage prompts and make tool descriptions dynamic

* add tests for dynamic tool descriptions

* revamp the tool description list, as well as the checklist prompt for better clarity and quality

* revamp checklist prompt implementation, as well as add in dynamic tool descriptions to both checklist and agent prompts

* update tests for tool descriptions

* add more detailed agent examples with more useful MRKL-formatted steps

* update for summary prompt

* update justification prompt with more logic and explanations on how to pick the class

* update CVSS prompts and cleanup examples and guidance

* bugfix on intel source

* bug patch for vdb generation

adding in constants during the vdb generation check

* bugfix by Tamar

* update register_function() and transitive_search() descriptions

* bugfix in the testing env

* update tool descriptions for clarity

* refactor tool names to be class constants instead of disparate strings

* add initial unit tests

* rename tool names to be more consistent and distinct

* update unit tests with tool names and tool constants

* cleanup startup guide notebook

* rework intel source score section

* update agent execution stage prompts and make tool descriptions dynamic

* add tests for dynamic tool descriptions

* revamp the tool description list, as well as the checklist prompt for better clarity and quality

* revamp checklist prompt implementation, as well as add in dynamic tool descriptions to both checklist and agent prompts

* update tests for tool descriptions

* add more detailed agent examples with more useful MRKL-formatted steps

* update for summary prompt

* update justification prompt with more logic and explanations on how to pick the class

* update CVSS prompts and cleanup examples and guidance

* bugfix on intel source

* bug patch for vdb generation

adding in constants during the vdb generation check

* bugfix by Tamar

* update register_function() and transitive_search() descriptions

* add function locator descriptions

* add names to configs

* add local output for local testing

* bugfix

* Update tool_names.py
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@zvigrinberg zvigrinberg Awaiting requested review from zvigrinberg

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@etsien @vbelouso @zvigrinberg