gcve-eu/gcve-eu-ai-extension
# AI-Assisted Vulnerability Information Annotation
A small Python utility to fetch vulnerability information from `db.gcve.eu` by identifier, generate an analyst-oriented summary and recommendation using a configurable local Ollama model, and extend the returned vulnerability record with [GCVE AI provenance metadata](https://gcve.eu/bcp/extension/gcve-bcp-05-x-01/).
The generated enrichment is added under:
```text
x_gcve[].extensions["local-ai-vulnerability-enrichment"]
```
The AI provenance annotation follows the [GCVE BCP-05-X-01](https://gcve.eu/bcp/extension/gcve-bcp-05-x-01/) extension and is added under:
```text
x_gcve[].extensions["bcp-05-x-01"].ai_annotations[]
```
## Features
- Fetches vulnerability records from `https://db.gcve.eu`
- Accepts either CVE IDs or GCVE IDs
- Uses a configurable Ollama endpoint and model
- Generates:
  - a concise vulnerability summary
  - a practical recommendation
  - confidence level
  - caveats
- Adds AI provenance information using the [GCVE BCP-05-X-01](https://gcve.eu/bcp/extension/gcve-bcp-05-x-01/) extension
- Outputs enriched JSON suitable for further processing with tools such as `jq`
## Requirements
- Python 3.10+
- A running Ollama instance
- A local Ollama model suitable for summarization
- `requests`
- Optional: `jq` for pretty-printing output
Install Python dependencies:
```bash
pip install requests
```
Install and run Ollama separately, then pull a model, for example:
```bash
ollama pull qwen3.6:35b
```
You can use another model if preferred.
## Basic usage
```bash
python3 summarize.py CVE-2026-0300
```
Pretty-print the result with `jq`:
```bash
python3 summarize.py --ollama-think=true CVE-2026-0300 | jq .
```
Fetch by GCVE ID:
```bash
python3 summarize.py --ollama-think=true GCVE-1-2026-0001 | jq .
```
## Configuration
The script can be configured through command-line options or environment variables.
Typical command-line options:
```bash
python3 summarize.py \
  --base-url https://db.gcve.eu \
  --ollama-url http://localhost:11434 \
  --model qwen3.6:35b \
  --gna-source 65535 \
  --ollama-think=true \
  CVE-2026-0300
```
Typical environment variables:
```bash
export GCVE_BASE_URL="https://db.gcve.eu"
export OLLAMA_URL="http://localhost:11434"
export OLLAMA_MODEL="qwen3.6:35b"
python3 summarize.py CVE-2026-0300 | jq .
```
## Ollama thinking mode
```text
--ollama-think=true
```
Example:
```bash
python3 summarize.py --ollama-think=true CVE-2026-0300 | jq .
python3 summarize.py --ollama-think=false CVE-2026-0300 | jq .
```
## Example enriched output
The script preserves the original vulnerability record and appends an `x_gcve` extension block similar to the following (extension [GCVE-BCP-05-x-01](https://gcve.eu/bcp/extension/gcve-bcp-05-x-01/)):
```json
{
  "x_gcve": [
    {
      "extensions": {
        "bcp-05-x-01": {
          "ai_annotations": [
            {
              "ai_level": "generated",
              "description": "A locally configured Ollama LLM generated an analyst-oriented summary and recommendation from the fetched vulnerability record. The script does not independently verify the generated content.",
              "field_name": "x_gcve.extensions.local-ai-vulnerability-enrichment",
              "models": [
                {
                  "identifier": "qwen3.6:35b",
                  "name": "qwen3.6:35b",
                  "provider": "local",
                  "gna_source": 65535
                }
              ],
              "review_status": "none",
              "scope": "field",
              "tags": [
                "ai-computer-assisted:assistance-level=\"ai-generated\"",
                "ai-computer-assisted:review-level=\"unreviewed\""
              ]
            }
          ]
        },
        "local-ai-vulnerability-enrichment": {
          "caveats": [
            "The specific vulnerability type and CVSS score are not stated in the source record.",
            "The inclusion of Siemens RUGGEDCOM APE1808 alongside Palo Alto Networks products requires verification of scope."
          ],
          "confidence": "high",
          "generated_at": "2026-05-17T13:26:12+00:00",
          "recommendation": "Upgrade PAN-OS to 12.1.7, 11.2.12, 11.1.15, or 10.2.18-h6, or the latest corresponding hotfixes. Disable the User-ID Authentication Portal or remove response pages from external-facing interface management profiles if not required. Apply patches immediately given active exploitation.",
          "summary": "CVE-2026-0300 affects Palo Alto Networks PAN-OS on PA-Series and VM-Series firewalls configured with the User-ID Authentication Portal enabled and an external-facing interface management profile with response pages. It is actively exploited and has a total technical impact. Affected versions include PAN-OS 12.1.0–12.1.4-h4, 11.2.0–11.2.10-h5, 11.1.0–11.1.13-h4, and 10.2.0–10.2.17, plus specific hotfix branches. Supplier data also lists Siemens RUGGEDCOM APE1808 as affected.",
          "vulnerability_id": "CVE-2026-0300"
        }
      }
    }
  ]
}
```
## Output fields
### `local-ai-vulnerability-enrichment`
This extension contains the generated content:
| Field | Description |
| --- | --- |
| `vulnerability_id` | The CVE or GCVE ID requested by the user |
| `summary` | LLM-generated vulnerability summary |
| `recommendation` | LLM-generated remediation or mitigation recommendation |
| `confidence` | Confidence estimate returned by the model |
| `caveats` | Known limitations or uncertainty in the generated output |
| `generated_at` | UTC timestamp when the enrichment was generated |
### `bcp-05-x-01`
This extension contains AI provenance metadata:
| Field | Description |
| --- | --- |
| `ai_level` | Level of AI involvement, for example `generated` |
| `description` | Human-readable description of the AI-generated enrichment |
| `field_name` | Field or extension that was generated with AI assistance |
| `models` | Ollama model metadata |
| `review_status` | Human review state, for example `none` |
| `scope` | Scope of the annotation, for example `field` |
| `tags` | Machine-readable AI assistance and review tags |
## Recommended workflow
Generate the enriched record:
```bash
python3 summarize.py --ollama-think=true CVE-2026-0300 > enriched.json
```
Inspect the AI-generated fields:
```bash
jq '.x_gcve[]?.extensions["local-ai-vulnerability-enrichment"]' enriched.json
```
Inspect the BCP-05-X-01 AI annotation:
```bash
jq '.x_gcve[]?.extensions["bcp-05-x-01"].ai_annotations[]' enriched.json
```
## Important note
The generated summary and recommendation are produced by a locally configured LLM. They should be considered analyst assistance, not authoritative vulnerability intelligence.
Always review the original vulnerability record and upstream vendor advisories before using the generated recommendation operationally.
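A downstream consumer can enforce that review step by reading the provenance annotation before it uses the enrichment. The following is an added example, not part of this repository's scripts: `triage` and the accepted status value `"reviewed"` are hypothetical (the page only shows `review_status: "none"`), and the sample record is constructed from the example output above.

```python
import json

ENRICHMENT = "local-ai-vulnerability-enrichment"
FIELD_NAME = f"x_gcve.extensions.{ENRICHMENT}"

# Constructed sample, trimmed from the example output above.
SAMPLE = json.loads("""
{"x_gcve": [{"extensions": {
  "bcp-05-x-01": {"ai_annotations": [{
    "ai_level": "generated",
    "field_name": "x_gcve.extensions.local-ai-vulnerability-enrichment",
    "review_status": "none",
    "scope": "field"}]},
  "local-ai-vulnerability-enrichment": {
    "vulnerability_id": "CVE-2026-0300",
    "recommendation": "constructed placeholder text"}}}]}
""")


def triage(record, accepted_statuses):
    """Split AI enrichments into (usable, held); fail closed on missing provenance."""
    usable, held = [], []
    for entry in record.get("x_gcve", []):
        ext = entry.get("extensions", {})
        enrichment = ext.get(ENRICHMENT)
        if enrichment is None:
            continue
        # Annotations that describe this specific extension field.
        notes = [a for a in ext.get("bcp-05-x-01", {}).get("ai_annotations", [])
                 if a.get("field_name") == FIELD_NAME]
        if not notes:
            held.append((enrichment, "no provenance annotation"))
        elif all(a.get("review_status") in accepted_statuses for a in notes):
            usable.append(enrichment)
        else:
            held.append((enrichment, "not reviewed"))
    return usable, held


if __name__ == "__main__":
    # "reviewed" is a hypothetical status value; the page only shows "none".
    usable, held = triage(SAMPLE, accepted_statuses={"reviewed"})
    for enrichment, reason in held:
        print(f"HOLD {enrichment['vulnerability_id']}: {reason}")
    print(f"{len(usable)} enrichment(s) cleared for operational use")
```

An enrichment with no matching `bcp-05-x-01` annotation is held as well, so AI-generated text that has lost its provenance is not treated as reviewed.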
## VLAI severity enrichment script
A second script is available at `bin/vlai_severity.py` to enrich a vulnerability record with severity inferred by the Vulnerability-Lookup VLAI API (`/api/vlai/severity-classification`) and attach a `bcp-05-x-01` AI annotation.
Example:
```bash
python3 bin/vlai_severity.py CVE-2026-0300 | jq .
# Optional: override the standard gna_source value in BCP metadata
python3 bin/vlai_severity.py --gna-source 1234 CVE-2026-0300 | jq .
```
This writes an extension block under:
- `x_gcve[].extensions["vlai-severity-enrichment"]`
- `x_gcve[].extensions["bcp-05-x-01"].ai_annotations[]`
## VLAI severity enrichment for full cvelistV5 dumps
Use `bin/vlai_severity_dump.py` to process the full `cvelistv5.ndjson` dump and emit enriched JSON files using the same directory layout as `CVEProject/cvelistV5`:
- `/cves///CVE-YYYY-NNNN.json`
- bucket format is `xxx` (for example, `CVE-2026-12345` -> `cves/2026/12xxx/CVE-2026-12345.json`)
Example:
```bash
python3 bin/vlai_severity_dump.py --output-dir /tmp/cvelistv5-ai --continue-on-error
```
Useful options:
- `--limit N` process only the first N records (good for testing)
- `--dump-url` override source dump URL
- `--dump-file /path/to/cvelistv5.ndjson` read the source dump from a local file instead of downloading
- `--vlai-base-url` override VLAI API base URL