mirror of
https://github.com/FuzzingLabs/fuzzforge_ai.git
synced 2026-07-06 17:37:49 +02:00
feat: Add LLM analysis workflow and ruff linter fixes
LLM Analysis Workflow: - Add llm_analyzer module for AI-powered code security analysis - Add llm_analysis workflow with SARIF output support - Mount AI module in Python worker for A2A wrapper access - Add a2a-sdk dependency to Python worker requirements - Fix workflow parameter ordering in Temporal manager Ruff Linter Fixes: - Fix bare except clauses (E722) across AI and CLI modules - Add noqa comments for intentional late imports (E402) - Replace undefined get_ai_status_async with TODO placeholder - Remove unused imports and variables - Remove container diagnostics display from exception handler MCP Configuration: - Reactivate FUZZFORGE_MCP_URL with default value - Set default MCP URL to http://localhost:8010/mcp in init
This commit is contained in:
@@ -181,15 +181,18 @@ class TemporalManager:
|
||||
# Prepare workflow input arguments
|
||||
workflow_params = workflow_params or {}
|
||||
|
||||
# Build args list: [target_id, ...workflow_params values]
|
||||
# Build args list: [target_id, ...workflow_params in schema order]
|
||||
# The workflow parameters are passed as individual positional args
|
||||
workflow_args = [target_id]
|
||||
|
||||
# Add parameters in order based on workflow signature
|
||||
# For security_assessment: scanner_config, analyzer_config, reporter_config
|
||||
# For atheris_fuzzing: target_file, max_iterations, timeout_seconds
|
||||
if workflow_params:
|
||||
workflow_args.extend(workflow_params.values())
|
||||
# Add parameters in order based on metadata schema
|
||||
# This ensures parameters match the workflow signature order
|
||||
if workflow_params and 'parameters' in workflow_info.metadata:
|
||||
param_schema = workflow_info.metadata['parameters'].get('properties', {})
|
||||
# Iterate parameters in schema order and add values
|
||||
for param_name in param_schema.keys():
|
||||
param_value = workflow_params.get(param_name)
|
||||
workflow_args.append(param_value)
|
||||
|
||||
# Determine task queue from workflow vertical
|
||||
vertical = workflow_info.metadata.get("vertical", "default")
|
||||
@@ -199,6 +202,8 @@ class TemporalManager:
|
||||
f"Starting workflow: {workflow_name} "
|
||||
f"(id={workflow_id}, queue={task_queue}, target={target_id})"
|
||||
)
|
||||
logger.info(f"DEBUG: workflow_args = {workflow_args}")
|
||||
logger.info(f"DEBUG: workflow_params received = {workflow_params}")
|
||||
|
||||
try:
|
||||
# Start workflow execution with positional arguments
|
||||
|
||||
@@ -0,0 +1,349 @@
|
||||
"""
|
||||
LLM Analyzer Module - Uses AI to analyze code for security issues
|
||||
"""
|
||||
|
||||
# Copyright (c) 2025 FuzzingLabs
|
||||
#
|
||||
# Licensed under the Business Source License 1.1 (BSL). See the LICENSE file
|
||||
# at the root of this repository for details.
|
||||
#
|
||||
# After the Change Date (four years from publication), this version of the
|
||||
# Licensed Work will be made available under the Apache License, Version 2.0.
|
||||
# See the LICENSE-APACHE file or http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Additional attribution and requirements are provided in the NOTICE file.
|
||||
|
||||
import logging
|
||||
from pathlib import Path
|
||||
from typing import Dict, Any, List
|
||||
|
||||
try:
|
||||
from toolbox.modules.base import BaseModule, ModuleMetadata, ModuleResult
|
||||
except ImportError:
|
||||
try:
|
||||
from modules.base import BaseModule, ModuleMetadata, ModuleResult
|
||||
except ImportError:
|
||||
from src.toolbox.modules.base import BaseModule, ModuleMetadata, ModuleResult
|
||||
|
||||
logger = logging.getLogger(__name__)
|
||||
|
||||
|
||||
class LLMAnalyzer(BaseModule):
|
||||
"""
|
||||
Uses an LLM to analyze code for potential security issues.
|
||||
|
||||
This module:
|
||||
- Sends code to an LLM agent via A2A protocol
|
||||
- Asks the LLM to identify security vulnerabilities
|
||||
- Collects findings and returns them in structured format
|
||||
"""
|
||||
|
||||
def get_metadata(self) -> ModuleMetadata:
|
||||
"""Get module metadata"""
|
||||
return ModuleMetadata(
|
||||
name="llm_analyzer",
|
||||
version="1.0.0",
|
||||
description="Uses AI to analyze code for security issues",
|
||||
author="FuzzForge Team",
|
||||
category="analyzer",
|
||||
tags=["llm", "ai", "security", "analysis"],
|
||||
input_schema={
|
||||
"agent_url": {
|
||||
"type": "string",
|
||||
"description": "A2A agent endpoint URL",
|
||||
"default": "http://fuzzforge-task-agent:8000/a2a/litellm_agent"
|
||||
},
|
||||
"llm_model": {
|
||||
"type": "string",
|
||||
"description": "LLM model to use",
|
||||
"default": "gpt-4o-mini"
|
||||
},
|
||||
"llm_provider": {
|
||||
"type": "string",
|
||||
"description": "LLM provider (openai, anthropic, etc.)",
|
||||
"default": "openai"
|
||||
},
|
||||
"file_patterns": {
|
||||
"type": "array",
|
||||
"items": {"type": "string"},
|
||||
"description": "File patterns to analyze",
|
||||
"default": ["*.py", "*.js", "*.ts", "*.java", "*.go"]
|
||||
},
|
||||
"max_files": {
|
||||
"type": "integer",
|
||||
"description": "Maximum number of files to analyze",
|
||||
"default": 5
|
||||
},
|
||||
"max_file_size": {
|
||||
"type": "integer",
|
||||
"description": "Maximum file size in bytes",
|
||||
"default": 50000 # 50KB
|
||||
},
|
||||
"timeout": {
|
||||
"type": "integer",
|
||||
"description": "Timeout per file in seconds",
|
||||
"default": 60
|
||||
}
|
||||
},
|
||||
output_schema={
|
||||
"findings": {
|
||||
"type": "array",
|
||||
"description": "Security issues identified by LLM"
|
||||
}
|
||||
},
|
||||
requires_workspace=True
|
||||
)
|
||||
|
||||
def validate_config(self, config: Dict[str, Any]) -> bool:
|
||||
"""Validate module configuration"""
|
||||
# Lazy import to avoid Temporal sandbox restrictions
|
||||
try:
|
||||
from fuzzforge_ai.a2a_wrapper import send_agent_task # noqa: F401
|
||||
except ImportError:
|
||||
raise RuntimeError(
|
||||
"A2A wrapper not available. Ensure fuzzforge_ai module is accessible."
|
||||
)
|
||||
|
||||
agent_url = config.get("agent_url")
|
||||
if not agent_url or not isinstance(agent_url, str):
|
||||
raise ValueError("agent_url must be a valid URL string")
|
||||
|
||||
max_files = config.get("max_files", 5)
|
||||
if not isinstance(max_files, int) or max_files <= 0:
|
||||
raise ValueError("max_files must be a positive integer")
|
||||
|
||||
return True
|
||||
|
||||
async def execute(self, config: Dict[str, Any], workspace: Path) -> ModuleResult:
|
||||
"""
|
||||
Execute the LLM analysis module.
|
||||
|
||||
Args:
|
||||
config: Module configuration
|
||||
workspace: Path to the workspace containing code to analyze
|
||||
|
||||
Returns:
|
||||
ModuleResult with findings from LLM analysis
|
||||
"""
|
||||
# Start execution timer
|
||||
self.start_timer()
|
||||
|
||||
logger.info(f"Starting LLM analysis in workspace: {workspace}")
|
||||
|
||||
# Extract configuration
|
||||
agent_url = config.get("agent_url", "http://fuzzforge-task-agent:8000/a2a/litellm_agent")
|
||||
llm_model = config.get("llm_model", "gpt-4o-mini")
|
||||
llm_provider = config.get("llm_provider", "openai")
|
||||
file_patterns = config.get("file_patterns", ["*.py", "*.js", "*.ts", "*.java", "*.go"])
|
||||
max_files = config.get("max_files", 5)
|
||||
max_file_size = config.get("max_file_size", 50000)
|
||||
timeout = config.get("timeout", 60)
|
||||
|
||||
# Find files to analyze
|
||||
files_to_analyze = []
|
||||
for pattern in file_patterns:
|
||||
for file_path in workspace.rglob(pattern):
|
||||
if file_path.is_file():
|
||||
try:
|
||||
# Check file size
|
||||
if file_path.stat().st_size > max_file_size:
|
||||
logger.debug(f"Skipping {file_path} (too large)")
|
||||
continue
|
||||
|
||||
files_to_analyze.append(file_path)
|
||||
|
||||
if len(files_to_analyze) >= max_files:
|
||||
break
|
||||
except Exception as e:
|
||||
logger.warning(f"Error checking file {file_path}: {e}")
|
||||
continue
|
||||
|
||||
if len(files_to_analyze) >= max_files:
|
||||
break
|
||||
|
||||
logger.info(f"Found {len(files_to_analyze)} files to analyze")
|
||||
|
||||
# Analyze each file
|
||||
all_findings = []
|
||||
for file_path in files_to_analyze:
|
||||
logger.info(f"Analyzing: {file_path.relative_to(workspace)}")
|
||||
|
||||
try:
|
||||
findings = await self._analyze_file(
|
||||
file_path=file_path,
|
||||
workspace=workspace,
|
||||
agent_url=agent_url,
|
||||
llm_model=llm_model,
|
||||
llm_provider=llm_provider,
|
||||
timeout=timeout
|
||||
)
|
||||
all_findings.extend(findings)
|
||||
|
||||
except Exception as e:
|
||||
logger.error(f"Error analyzing {file_path}: {e}")
|
||||
# Continue with next file
|
||||
continue
|
||||
|
||||
logger.info(f"LLM analysis complete. Found {len(all_findings)} issues.")
|
||||
|
||||
# Create result using base module helper
|
||||
return self.create_result(
|
||||
findings=all_findings,
|
||||
status="success",
|
||||
summary={
|
||||
"files_analyzed": len(files_to_analyze),
|
||||
"total_findings": len(all_findings),
|
||||
"agent_url": agent_url,
|
||||
"model": f"{llm_provider}/{llm_model}"
|
||||
}
|
||||
)
|
||||
|
||||
async def _analyze_file(
|
||||
self,
|
||||
file_path: Path,
|
||||
workspace: Path,
|
||||
agent_url: str,
|
||||
llm_model: str,
|
||||
llm_provider: str,
|
||||
timeout: int
|
||||
) -> List[Dict[str, Any]]:
|
||||
"""Analyze a single file with LLM"""
|
||||
|
||||
# Read file content
|
||||
try:
|
||||
with open(file_path, 'r', encoding='utf-8') as f:
|
||||
code_content = f.read()
|
||||
except Exception as e:
|
||||
logger.error(f"Failed to read {file_path}: {e}")
|
||||
return []
|
||||
|
||||
# Determine language from extension
|
||||
extension = file_path.suffix.lower()
|
||||
language_map = {
|
||||
".py": "python",
|
||||
".js": "javascript",
|
||||
".ts": "typescript",
|
||||
".java": "java",
|
||||
".go": "go",
|
||||
".rs": "rust",
|
||||
".c": "c",
|
||||
".cpp": "cpp",
|
||||
}
|
||||
language = language_map.get(extension, "code")
|
||||
|
||||
# Build prompt for LLM
|
||||
system_prompt = (
|
||||
"You are a security code analyzer. Analyze the provided code and identify "
|
||||
"potential security vulnerabilities, bugs, and code quality issues. "
|
||||
"For each issue found, respond in this exact format:\n"
|
||||
"ISSUE: [short title]\n"
|
||||
"SEVERITY: [error/warning/note]\n"
|
||||
"LINE: [line number or 'unknown']\n"
|
||||
"DESCRIPTION: [detailed explanation]\n\n"
|
||||
"If no issues are found, respond with 'NO_ISSUES_FOUND'."
|
||||
)
|
||||
|
||||
user_message = (
|
||||
f"Analyze this {language} code for security vulnerabilities:\n\n"
|
||||
f"File: {file_path.relative_to(workspace)}\n\n"
|
||||
f"```{language}\n{code_content}\n```"
|
||||
)
|
||||
|
||||
# Call LLM via A2A wrapper (lazy import to avoid Temporal sandbox restrictions)
|
||||
try:
|
||||
from fuzzforge_ai.a2a_wrapper import send_agent_task
|
||||
|
||||
result = await send_agent_task(
|
||||
url=agent_url,
|
||||
model=llm_model,
|
||||
provider=llm_provider,
|
||||
prompt=system_prompt,
|
||||
message=user_message,
|
||||
context=f"llm_analysis_{file_path.stem}",
|
||||
timeout=float(timeout)
|
||||
)
|
||||
|
||||
llm_response = result.text
|
||||
|
||||
except Exception as e:
|
||||
logger.error(f"A2A call failed for {file_path}: {e}")
|
||||
return []
|
||||
|
||||
# Parse LLM response into findings
|
||||
findings = self._parse_llm_response(
|
||||
llm_response=llm_response,
|
||||
file_path=file_path,
|
||||
workspace=workspace
|
||||
)
|
||||
|
||||
return findings
|
||||
|
||||
def _parse_llm_response(
|
||||
self,
|
||||
llm_response: str,
|
||||
file_path: Path,
|
||||
workspace: Path
|
||||
) -> List:
|
||||
"""Parse LLM response into structured findings"""
|
||||
|
||||
if "NO_ISSUES_FOUND" in llm_response:
|
||||
return []
|
||||
|
||||
findings = []
|
||||
relative_path = str(file_path.relative_to(workspace))
|
||||
|
||||
# Simple parser for the expected format
|
||||
lines = llm_response.split('\n')
|
||||
current_issue = {}
|
||||
|
||||
for line in lines:
|
||||
line = line.strip()
|
||||
|
||||
if line.startswith("ISSUE:"):
|
||||
# Save previous issue if exists
|
||||
if current_issue:
|
||||
findings.append(self._create_module_finding(current_issue, relative_path))
|
||||
current_issue = {"title": line.replace("ISSUE:", "").strip()}
|
||||
|
||||
elif line.startswith("SEVERITY:"):
|
||||
current_issue["severity"] = line.replace("SEVERITY:", "").strip().lower()
|
||||
|
||||
elif line.startswith("LINE:"):
|
||||
line_num = line.replace("LINE:", "").strip()
|
||||
try:
|
||||
current_issue["line"] = int(line_num)
|
||||
except ValueError:
|
||||
current_issue["line"] = None
|
||||
|
||||
elif line.startswith("DESCRIPTION:"):
|
||||
current_issue["description"] = line.replace("DESCRIPTION:", "").strip()
|
||||
|
||||
# Save last issue
|
||||
if current_issue:
|
||||
findings.append(self._create_module_finding(current_issue, relative_path))
|
||||
|
||||
return findings
|
||||
|
||||
def _create_module_finding(self, issue: Dict[str, Any], file_path: str):
|
||||
"""Create a ModuleFinding from parsed issue"""
|
||||
|
||||
severity_map = {
|
||||
"error": "critical",
|
||||
"warning": "medium",
|
||||
"note": "low",
|
||||
"info": "low"
|
||||
}
|
||||
|
||||
# Use base class helper to create proper ModuleFinding
|
||||
return self.create_finding(
|
||||
title=issue.get("title", "Security issue detected"),
|
||||
description=issue.get("description", ""),
|
||||
severity=severity_map.get(issue.get("severity", "warning"), "medium"),
|
||||
category="security",
|
||||
file_path=file_path,
|
||||
line_start=issue.get("line"),
|
||||
metadata={
|
||||
"tool": "llm-analyzer",
|
||||
"type": "llm-security-analysis"
|
||||
}
|
||||
)
|
||||
@@ -0,0 +1,19 @@
|
||||
"""
|
||||
LLM Analysis Workflow
|
||||
"""
|
||||
|
||||
# Copyright (c) 2025 FuzzingLabs
|
||||
#
|
||||
# Licensed under the Business Source License 1.1 (BSL). See the LICENSE file
|
||||
# at the root of this repository for details.
|
||||
#
|
||||
# After the Change Date (four years from publication), this version of the
|
||||
# Licensed Work will be made available under the Apache License, Version 2.0.
|
||||
# See the LICENSE-APACHE file or http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Additional attribution and requirements are provided in the NOTICE file.
|
||||
|
||||
from .workflow import LlmAnalysisWorkflow
|
||||
from .activities import analyze_with_llm
|
||||
|
||||
__all__ = ["LlmAnalysisWorkflow", "analyze_with_llm"]
|
||||
@@ -0,0 +1,162 @@
|
||||
"""
|
||||
LLM Analysis Workflow Activities
|
||||
"""
|
||||
|
||||
# Copyright (c) 2025 FuzzingLabs
|
||||
#
|
||||
# Licensed under the Business Source License 1.1 (BSL). See the LICENSE file
|
||||
# at the root of this repository for details.
|
||||
#
|
||||
# After the Change Date (four years from publication), this version of the
|
||||
# Licensed Work will be made available under the Apache License, Version 2.0.
|
||||
# See the LICENSE-APACHE file or http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Additional attribution and requirements are provided in the NOTICE file.
|
||||
|
||||
import logging
|
||||
from pathlib import Path
|
||||
from typing import Dict, Any
|
||||
|
||||
from temporalio import activity
|
||||
|
||||
try:
|
||||
from toolbox.modules.analyzer.llm_analyzer import LLMAnalyzer
|
||||
except ImportError:
|
||||
try:
|
||||
from modules.analyzer.llm_analyzer import LLMAnalyzer
|
||||
except ImportError:
|
||||
from src.toolbox.modules.analyzer.llm_analyzer import LLMAnalyzer
|
||||
|
||||
logger = logging.getLogger(__name__)
|
||||
|
||||
|
||||
@activity.defn(name="llm_generate_sarif")
|
||||
async def llm_generate_sarif(findings: list, metadata: Dict[str, Any]) -> Dict[str, Any]:
|
||||
"""
|
||||
Generate SARIF report from LLM findings.
|
||||
|
||||
Args:
|
||||
findings: List of finding dictionaries
|
||||
metadata: Metadata including tool_name, tool_version, run_id
|
||||
|
||||
Returns:
|
||||
SARIF report dictionary
|
||||
"""
|
||||
activity.logger.info(f"Generating SARIF report from {len(findings)} findings")
|
||||
|
||||
# Basic SARIF 2.1.0 structure
|
||||
sarif_report = {
|
||||
"version": "2.1.0",
|
||||
"$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json",
|
||||
"runs": [
|
||||
{
|
||||
"tool": {
|
||||
"driver": {
|
||||
"name": metadata.get("tool_name", "llm-analyzer"),
|
||||
"version": metadata.get("tool_version", "1.0.0"),
|
||||
"informationUri": "https://github.com/FuzzingLabs/fuzzforge_ai"
|
||||
}
|
||||
},
|
||||
"results": []
|
||||
}
|
||||
]
|
||||
}
|
||||
|
||||
# Convert findings to SARIF results
|
||||
for finding in findings:
|
||||
sarif_result = {
|
||||
"ruleId": finding.get("id", "unknown"),
|
||||
"level": _severity_to_sarif_level(finding.get("severity", "warning")),
|
||||
"message": {
|
||||
"text": finding.get("title", "Security issue detected")
|
||||
},
|
||||
"locations": []
|
||||
}
|
||||
|
||||
# Add description if present
|
||||
if finding.get("description"):
|
||||
sarif_result["message"]["markdown"] = finding["description"]
|
||||
|
||||
# Add location if file path is present
|
||||
if finding.get("file_path"):
|
||||
location = {
|
||||
"physicalLocation": {
|
||||
"artifactLocation": {
|
||||
"uri": finding["file_path"]
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
# Add region if line number is present
|
||||
if finding.get("line_start"):
|
||||
location["physicalLocation"]["region"] = {
|
||||
"startLine": finding["line_start"]
|
||||
}
|
||||
if finding.get("line_end"):
|
||||
location["physicalLocation"]["region"]["endLine"] = finding["line_end"]
|
||||
|
||||
sarif_result["locations"].append(location)
|
||||
|
||||
sarif_report["runs"][0]["results"].append(sarif_result)
|
||||
|
||||
activity.logger.info(f"Generated SARIF report with {len(sarif_report['runs'][0]['results'])} results")
|
||||
|
||||
return sarif_report
|
||||
|
||||
|
||||
def _severity_to_sarif_level(severity: str) -> str:
|
||||
"""Convert severity to SARIF level"""
|
||||
severity_map = {
|
||||
"critical": "error",
|
||||
"high": "error",
|
||||
"medium": "warning",
|
||||
"low": "note",
|
||||
"info": "note"
|
||||
}
|
||||
return severity_map.get(severity.lower(), "warning")
|
||||
|
||||
|
||||
@activity.defn(name="analyze_with_llm")
|
||||
async def analyze_with_llm(target_path: str, config: Dict[str, Any]) -> Dict[str, Any]:
|
||||
"""
|
||||
Analyze code using LLM.
|
||||
|
||||
Args:
|
||||
target_path: Path to the workspace containing code
|
||||
config: LLM analyzer configuration
|
||||
|
||||
Returns:
|
||||
Dictionary containing findings and summary
|
||||
"""
|
||||
activity.logger.info(f"Starting LLM analysis: {target_path}")
|
||||
activity.logger.info(f"Config: {config}")
|
||||
|
||||
workspace = Path(target_path)
|
||||
|
||||
if not workspace.exists():
|
||||
raise FileNotFoundError(f"Workspace not found: {target_path}")
|
||||
|
||||
# Create and execute LLM analyzer
|
||||
analyzer = LLMAnalyzer()
|
||||
|
||||
# Validate configuration
|
||||
analyzer.validate_config(config)
|
||||
|
||||
# Execute analysis
|
||||
result = await analyzer.execute(config, workspace)
|
||||
|
||||
if result.status == "failed":
|
||||
raise RuntimeError(f"LLM analysis failed: {result.error or 'Unknown error'}")
|
||||
|
||||
activity.logger.info(
|
||||
f"LLM analysis completed: {len(result.findings)} findings from "
|
||||
f"{result.summary.get('files_analyzed', 0)} files"
|
||||
)
|
||||
|
||||
# Convert ModuleFinding objects to dicts for serialization
|
||||
findings_dicts = [finding.model_dump() for finding in result.findings]
|
||||
|
||||
return {
|
||||
"findings": findings_dicts,
|
||||
"summary": result.summary
|
||||
}
|
||||
@@ -0,0 +1,64 @@
|
||||
name: llm_analysis
|
||||
version: "1.0.0"
|
||||
vertical: python
|
||||
description: "Uses AI/LLM to analyze code for security vulnerabilities and code quality issues"
|
||||
author: "FuzzForge Team"
|
||||
tags:
|
||||
- "llm"
|
||||
- "ai"
|
||||
- "security"
|
||||
- "static-analysis"
|
||||
- "code-quality"
|
||||
|
||||
# Workspace isolation mode
|
||||
workspace_isolation: "shared"
|
||||
|
||||
default_parameters:
|
||||
agent_url: "http://fuzzforge-task-agent:8000/a2a/litellm_agent"
|
||||
llm_model: "gpt-4o-mini"
|
||||
llm_provider: "openai"
|
||||
max_files: 5
|
||||
|
||||
parameters:
|
||||
type: object
|
||||
properties:
|
||||
agent_url:
|
||||
type: string
|
||||
description: "A2A agent endpoint URL"
|
||||
llm_model:
|
||||
type: string
|
||||
description: "LLM model to use (e.g., gpt-4o-mini, claude-3-5-sonnet)"
|
||||
llm_provider:
|
||||
type: string
|
||||
description: "LLM provider (openai, anthropic, etc.)"
|
||||
file_patterns:
|
||||
type: array
|
||||
items:
|
||||
type: string
|
||||
description: "File patterns to analyze (e.g., ['*.py', '*.js'])"
|
||||
max_files:
|
||||
type: integer
|
||||
description: "Maximum number of files to analyze"
|
||||
max_file_size:
|
||||
type: integer
|
||||
description: "Maximum file size in bytes"
|
||||
timeout:
|
||||
type: integer
|
||||
description: "Timeout per file in seconds"
|
||||
|
||||
output_schema:
|
||||
type: object
|
||||
properties:
|
||||
sarif:
|
||||
type: object
|
||||
description: "SARIF-formatted security findings from LLM"
|
||||
summary:
|
||||
type: object
|
||||
description: "Analysis summary"
|
||||
properties:
|
||||
files_analyzed:
|
||||
type: integer
|
||||
total_findings:
|
||||
type: integer
|
||||
model_used:
|
||||
type: string
|
||||
@@ -0,0 +1,236 @@
|
||||
"""
|
||||
LLM Analysis Workflow - Temporal Version
|
||||
|
||||
Uses AI/LLM to analyze code for security issues.
|
||||
"""
|
||||
|
||||
# Copyright (c) 2025 FuzzingLabs
|
||||
#
|
||||
# Licensed under the Business Source License 1.1 (BSL). See the LICENSE file
|
||||
# at the root of this repository for details.
|
||||
#
|
||||
# After the Change Date (four years from publication), this version of the
|
||||
# Licensed Work will be made available under the Apache License, Version 2.0.
|
||||
# See the LICENSE-APACHE file or http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Additional attribution and requirements are provided in the NOTICE file.
|
||||
|
||||
from datetime import timedelta
|
||||
from typing import Dict, Any, Optional
|
||||
|
||||
from temporalio import workflow
|
||||
from temporalio.common import RetryPolicy
|
||||
|
||||
# Import for type hints (will be executed by worker)
|
||||
with workflow.unsafe.imports_passed_through():
|
||||
import logging
|
||||
|
||||
logger = logging.getLogger(__name__)
|
||||
|
||||
|
||||
@workflow.defn
|
||||
class LlmAnalysisWorkflow:
|
||||
"""
|
||||
Analyze code using AI/LLM for security vulnerabilities.
|
||||
|
||||
User workflow:
|
||||
1. User runs: ff workflow run llm_analysis .
|
||||
2. CLI uploads project to MinIO
|
||||
3. Worker downloads project
|
||||
4. Worker calls LLM analyzer module
|
||||
5. LLM analyzes code files and reports findings
|
||||
6. Results returned in SARIF format
|
||||
"""
|
||||
|
||||
@workflow.run
|
||||
async def run(
|
||||
self,
|
||||
target_id: str, # MinIO UUID of uploaded user code
|
||||
agent_url: Optional[str] = None,
|
||||
llm_model: Optional[str] = None,
|
||||
llm_provider: Optional[str] = None,
|
||||
file_patterns: Optional[list] = None,
|
||||
max_files: Optional[int] = None,
|
||||
max_file_size: Optional[int] = None,
|
||||
timeout: Optional[int] = None
|
||||
) -> Dict[str, Any]:
|
||||
"""
|
||||
Main workflow execution.
|
||||
|
||||
Args:
|
||||
target_id: UUID of the uploaded target in MinIO
|
||||
agent_url: A2A agent endpoint URL
|
||||
llm_model: LLM model to use
|
||||
llm_provider: LLM provider
|
||||
file_patterns: File patterns to analyze
|
||||
max_files: Maximum number of files to analyze
|
||||
max_file_size: Maximum file size in bytes
|
||||
timeout: Timeout per file in seconds
|
||||
|
||||
Returns:
|
||||
Dictionary containing findings and summary
|
||||
"""
|
||||
workflow_id = workflow.info().workflow_id
|
||||
|
||||
workflow.logger.info(
|
||||
f"Starting LLMAnalysisWorkflow "
|
||||
f"(workflow_id={workflow_id}, target_id={target_id}, model={llm_model})"
|
||||
)
|
||||
|
||||
results = {
|
||||
"workflow_id": workflow_id,
|
||||
"target_id": target_id,
|
||||
"status": "running",
|
||||
"steps": [],
|
||||
"findings": []
|
||||
}
|
||||
|
||||
try:
|
||||
# Get run ID for workspace isolation
|
||||
run_id = workflow.info().run_id
|
||||
|
||||
# Step 1: Download user's project from MinIO
|
||||
workflow.logger.info("Step 1: Downloading user code from MinIO")
|
||||
target_path = await workflow.execute_activity(
|
||||
"get_target",
|
||||
args=[target_id, run_id, "shared"],
|
||||
start_to_close_timeout=timedelta(minutes=5),
|
||||
retry_policy=RetryPolicy(
|
||||
initial_interval=timedelta(seconds=1),
|
||||
maximum_interval=timedelta(seconds=30),
|
||||
maximum_attempts=3
|
||||
)
|
||||
)
|
||||
results["steps"].append({
|
||||
"step": "download",
|
||||
"status": "success",
|
||||
"target_path": target_path
|
||||
})
|
||||
workflow.logger.info(f"✓ Target downloaded to: {target_path}")
|
||||
|
||||
# Step 2: Run LLM analysis
|
||||
workflow.logger.info("Step 2: Analyzing code with LLM")
|
||||
|
||||
# Build analyzer config
|
||||
analyzer_config = {}
|
||||
if agent_url:
|
||||
analyzer_config["agent_url"] = agent_url
|
||||
if llm_model:
|
||||
analyzer_config["llm_model"] = llm_model
|
||||
if llm_provider:
|
||||
analyzer_config["llm_provider"] = llm_provider
|
||||
if file_patterns:
|
||||
analyzer_config["file_patterns"] = file_patterns
|
||||
if max_files is not None:
|
||||
analyzer_config["max_files"] = max_files
|
||||
if max_file_size is not None:
|
||||
analyzer_config["max_file_size"] = max_file_size
|
||||
if timeout is not None:
|
||||
analyzer_config["timeout"] = timeout
|
||||
|
||||
analysis_results = await workflow.execute_activity(
|
||||
"analyze_with_llm",
|
||||
args=[target_path, analyzer_config],
|
||||
start_to_close_timeout=timedelta(minutes=30), # LLM calls can be slow
|
||||
retry_policy=RetryPolicy(
|
||||
initial_interval=timedelta(seconds=5),
|
||||
maximum_interval=timedelta(minutes=1),
|
||||
maximum_attempts=2
|
||||
)
|
||||
)
|
||||
|
||||
findings = analysis_results.get("findings", [])
|
||||
summary = analysis_results.get("summary", {})
|
||||
|
||||
results["steps"].append({
|
||||
"step": "llm_analysis",
|
||||
"status": "success",
|
||||
"files_analyzed": summary.get("files_analyzed", 0),
|
||||
"findings_count": len(findings)
|
||||
})
|
||||
|
||||
workflow.logger.info(
|
||||
f"✓ LLM analysis completed: "
|
||||
f"{summary.get('files_analyzed', 0)} files, "
|
||||
f"{len(findings)} findings"
|
||||
)
|
||||
|
||||
# Step 3: Generate SARIF report
|
||||
workflow.logger.info("Step 3: Generating SARIF report")
|
||||
|
||||
sarif_report = await workflow.execute_activity(
|
||||
"llm_generate_sarif",
|
||||
args=[findings, {
|
||||
"tool_name": "llm-analyzer",
|
||||
"tool_version": "1.0.0",
|
||||
"run_id": run_id
|
||||
}],
|
||||
start_to_close_timeout=timedelta(minutes=5),
|
||||
retry_policy=RetryPolicy(
|
||||
initial_interval=timedelta(seconds=1),
|
||||
maximum_interval=timedelta(seconds=30),
|
||||
maximum_attempts=3
|
||||
)
|
||||
)
|
||||
|
||||
results["steps"].append({
|
||||
"step": "sarif_generation",
|
||||
"status": "success",
|
||||
"results_count": len(sarif_report.get("runs", [{}])[0].get("results", []))
|
||||
})
|
||||
|
||||
workflow.logger.info(
|
||||
f"✓ SARIF report generated: "
|
||||
f"{len(sarif_report.get('runs', [{}])[0].get('results', []))} results"
|
||||
)
|
||||
|
||||
# Step 4: Upload results to MinIO
|
||||
workflow.logger.info("Step 4: Uploading results to MinIO")
|
||||
|
||||
# Upload SARIF report
|
||||
if sarif_report:
|
||||
results_url = await workflow.execute_activity(
|
||||
"upload_results",
|
||||
args=[run_id, sarif_report],
|
||||
start_to_close_timeout=timedelta(minutes=5),
|
||||
retry_policy=RetryPolicy(
|
||||
initial_interval=timedelta(seconds=1),
|
||||
maximum_interval=timedelta(seconds=30),
|
||||
maximum_attempts=3
|
||||
)
|
||||
)
|
||||
results["results_url"] = results_url
|
||||
workflow.logger.info(f"✓ Results uploaded to: {results_url}")
|
||||
|
||||
# Step 5: Cleanup cache
|
||||
workflow.logger.info("Step 5: Cleaning up cache")
|
||||
await workflow.execute_activity(
|
||||
"cleanup_cache",
|
||||
args=[target_id],
|
||||
start_to_close_timeout=timedelta(minutes=2),
|
||||
retry_policy=RetryPolicy(
|
||||
initial_interval=timedelta(seconds=1),
|
||||
maximum_interval=timedelta(seconds=10),
|
||||
maximum_attempts=2
|
||||
)
|
||||
)
|
||||
workflow.logger.info("✓ Cache cleaned up")
|
||||
|
||||
# Mark workflow as successful
|
||||
results["status"] = "success"
|
||||
results["sarif"] = sarif_report
|
||||
results["summary"] = summary
|
||||
results["findings"] = findings
|
||||
|
||||
workflow.logger.info(
|
||||
f"✅ LLMAnalysisWorkflow completed successfully: "
|
||||
f"{len(findings)} findings"
|
||||
)
|
||||
|
||||
except Exception as e:
|
||||
workflow.logger.error(f"❌ Workflow failed: {e}")
|
||||
results["status"] = "failed"
|
||||
results["error"] = str(e)
|
||||
raise
|
||||
|
||||
return results
|
||||
Reference in New Issue
Block a user