VexLLM: silence negligible CVE alerts using LLM

VexLLM generates Vulnerability-Exploitability eXchange (VEX) information using LLM, so as to silence negligible CVE alerts that are produced by Trivy.

The following output formats are supported:

• .trivyignore
• OpenVEX

Installation

go install github.com/AkihiroSuda/vexllm/cmd/vexllm@latest

Example

# Set OpenAI API key
export OPENAI_API_KEY=...

# Generate a report using Trivy
trivy image python:3.12.4 --format=json --severity HIGH,CRITICAL >python.json

# Generate .trivyignore using VexLLM
vexllm generate python.json .trivyignore \
  --hint-not-server \
  --hint-compromise-on-availability \
  --hint-used-commands=python3 \
  --hint-unused-commands=git,wget,curl,apt,apt-get

# Print the report, using the generated .trivyignore
trivy convert --format=table python.json

The following hints are passed to the LLM:

• The image is not used as a server program
• Confidentiality and Integrity matter more than Availability for this non-server image
• python3 command is known to be used
• git, wget, curl, apt, apt-get commands are known to be unused

Output of .trivyignore:

# {"vulnerability":{"@id":"CVE-2024-32002","description":"Git is a revision cont
rol system. Prior to versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, an
d 2.39.4, repositories with submodules can be crafted in a way that exploits a b
ug in Git whereby it can be fooled into writing files not into the submodule's w
orktree but into a `.git/` directory. This allows writing a hook that will be ex
ecuted while the clone operation is still running, giving the user no opportunit
y to inspect the code that is being executed. The problem has been patched in ve
rsions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4. If symbolic l
ink support is disabled in Git (e.g. via `git config --global core.symlinks fals
e`), the described attack won't work. As always, it is best to avoid cloning rep
ositories from untrusted sources."},"products":[{"@id":"git-man@1:2.39.2-1.1"}],
"status":"not_affected","justification":"vulnerable_code_not_in_execute_path","i
mpact_statement":"{\"confidence\":0.6,\"reason\":\"This RCE vulnerability is spe
cific to recursive clones in Git, which is not a commonly used feature in the co
ntext of a Python container image.\"}"}
CVE-2024-3200

# [...]

# {"vulnerability":{"@id":"CVE-2023-45853","description":"MiniZip in zlib throug
h 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpe
nNewFileInZip4_64 via a long filename, comment, or extra field. NOTE: MiniZip is
 not a supported part of the zlib product. NOTE: pyminizip through 0.2.6 is also
 vulnerable because it bundles an affected zlib version, and exposes the applica
ble MiniZip code through its compress API."},"products":[{"@id":"zlib1g-dev@1:1.
2.13.dfsg-1"}],"status":"not_affected","justification":"vulnerable_code_not_in_e
xecute_path","impact_statement":"{\"confidence\":0.7,\"reason\":\"The zlib vulne
rability related to MiniZip is not a concern as the artifact does not involve us
ing MiniZip functionality.\"}"}
CVE-2023-45853

The confidence score and the reason string in the impact_statement property are generated by the LLM. Other properties are duplicated from the original input.

Configuration

LLM backends

VexLLM is tested with OpenAI GPT-3.5 Turbo and Anthropic Claude 3.5 Sonnet.

The following env vars are recognized:

• OpenAI
  • OPENAI_API_KEY (necessary)
  • OPENAI_MODEL
  • OPENAI_BASE_URL
  • OPENAI_API_BASE
  • OPENAI_ORGANIZATION
• Anthropic
  • ANTHROPIC_API_KEY (necessary)

VexLLM may also work with Google AI, and Ollama, but these backends are not tested. See pkg/llm/....

Command reference

vexllm generate

Generate Vulnerability-Exploitability eXchange (VEX) information using LLM, so as to silence negligible CVE alerts that are produced by Trivy.

Usage:
  vexllm generate INPUT OUTPUT

Examples:
  # Basic usage
  export OPENAI_API_KEY=...

  trivy image python:3.12.4 --format=json --severity HIGH,CRITICAL >python.json

  vexllm generate python.json .trivyignore \
    --hint-not-server \
    --hint-compromise-on-availability \
    --hint-used-commands=python3 \
    --hint-unused-commands=git,wget,curl,apt,apt-get

  trivy convert --format=table python.json


Flags:
  -h, --help                              help for generate
      --hint stringArray                  Hint, as an arbitrary text
      --hint-compromise-on-availability   Hint: focus on Confidentiality and Integrity rather than on Availability
      --hint-not-server                   Hint: not a server program
      --hint-unused-commands strings      Hint: list of unused shell commands
      --hint-used-commands strings        Hint: list of used shell commands
      --input-format string               Input format ([auto trivy]) (default "auto")
      --llm string                        LLM backend ([auto openai ollama anthropic googleai]) (default "auto")
      --llm-batch-size int                Number of vulnerabilities to be processed in a single LLM API call (default 10)
      --llm-temperature float             Temperature
      --output-format string              Output format ([auto trivyignore openvex]) (default "auto")

Global Flags:
      --debug   debug mode [$DEBUG]

vexllm completion bash

Generate the autocompletion script for the bash shell.

This script depends on the 'bash-completion' package.
If it is not installed already, you can install it via your OS's package manager.

To load completions in your current shell session:

	source <(vexllm completion bash)

To load completions for every new session, execute once:

#### Linux:

	vexllm completion bash > /etc/bash_completion.d/vexllm

#### macOS:

	vexllm completion bash > $(brew --prefix)/etc/bash_completion.d/vexllm

You will need to start a new shell for this setup to take effect.

Usage:
  vexllm completion bash

Flags:
  -h, --help              help for bash
      --no-descriptions   disable completion descriptions

Global Flags:
      --debug   debug mode [$DEBUG]