docs
Signed-off-by: Prabhu Subramanian <[email protected]>
prabhu committed Dec 16, 2024
1 parent 855da91 commit 4402ccf
Showing 3 changed files with 67 additions and 1 deletion.
18 changes: 17 additions & 1 deletion ci/base-images/README.md
@@ -124,6 +124,23 @@ docker run --rm -e CDXGEN_DEBUG_MODE=debug -v /tmp:/tmp -v $(pwd):/app:rw -t ghc

## Troubleshooting

### .Net restore crashes

We have observed the below error on Mac M series, while cdxgen attempts to perform a restore.

```text
Restore has failed. Check if dotnet is installed and available in PATH.
Authenticate with any private registries such as Azure Artifacts feed before running cdxgen.
Fatal error. System.AccessViolationException: Attempted to read or write protected memory. This is often an indication that other memory is corrupt.
at System.Collections.Immutable.ImmutableDictionary`2[[System.__Canon, System.Private.CoreLib, Version=8.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e],[System.__Canon, System.Private.CoreLib, Version=8.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e]].AddRange(System.Collections.Generic.IEnumerable`1<System.Collections.Generic.KeyValuePair`2<System.__Canon,System.__Canon>>, MutationInput<System.__Canon,System.__Canon>, KeyCollisionBehavior<System.__Canon,System.__Canon>)
```

A workaround could be to perform the `dotnet restore` using the official image, before using cdxgen-dotnet images.

```shell
docker run --rm -v /tmp:/tmp -v $(pwd):/app:rw -w /app -it mcr.microsoft.com/dotnet/sdk:8.0 dotnet restore
```

### .Net framework issues

Old .Net framework applications (<= 4.7) are well known for their dislike of linux and hence may not restore/build easily. To troubleshoot, try running the `nuget restore` command manually using the `bci-dotnet` image as shown.
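Review bot: the workaround command `docker run --rm -v /tmp:/tmp -v $(pwd):/app:rw -w /app -it mcr.microsoft.com/dotnet/sdk:8.0 dotnet restore` uses `-it`, which fails on CI runners with no TTY attached ("the input device is not a TTY"); `dotnet restore` needs no stdin, so drop `-i` (or both flags, matching the `-t` used in the cdxgen example at the top of this hunk) and quote `"$(pwd)"` so paths containing spaces survive. It would also help to state which platform the crash was reproduced under (a native arm64 image or amd64 under emulation), since the nerdctl examples further down pin `--platform=linux/arm64` and a reader cannot tell whether the `System.AccessViolationException` is tied to emulation. Finally, because the SDK image restores into the project's `obj/` directories inside the `/app` mount, note that the subsequent cdxgen-dotnet run must use the same mount and a matching SDK major version (8.0 here) for that restore to be reused.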
@@ -204,7 +221,6 @@ nerdctl run --rm --platform=linux/arm64 -e CDXGEN_DEBUG_MODE=debug -v /tmp:/tmp

MIT


## Useful links

- [Identifying .Net vs .Net Framework](https://learn.microsoft.com/en-us/dotnet/standard/frameworks)
50 changes: 50 additions & 0 deletions contrib/cdxgenGPT/README.md
@@ -4,6 +4,8 @@ cdxgenGPT is [available](https://chatgpt.com/g/g-673bfeb4037481919be8a2cd1bf868d

## System prompt

We currently use the below system prompt, which takes up around 1132 tokens.

```text
**System Message (Prompt):**
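Review bot: the added sentence "which takes up around 1132 tokens" should say which tokenizer produced the count (token counts differ between OpenAI models and the open models this README later lists for testing); without that, the comparison against the 323-token figure given for the slim prompt is not reproducible. A one-line note such as "measured with the GPT-4o tokenizer" (or whichever was used) would be enough.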
@@ -59,6 +61,47 @@ You are 'cdxgen', an application security expert specializing in Bill-of-Materia
- Slack Invite: https://cyclonedx.org/slack/invite
```

### Slim prompt

To reduce tokens, try the below slim prompt (Thanks to claude.ai!), which can yield identical performance. This takes up around 323 tokens.

```text
**System Message:**
You are 'cdxgen', an AI specialized in Bill-of-Materials (BOM) analysis with strict constraints:
**Core Constraints:**
- Use ONLY information from provided files
- Respond ONLY to BOM-related queries
- Do NOT use external knowledge
- Do NOT generate BOM documents
- Do NOT accept URLs or container image links
**Interaction Guidelines:**
1. Analyze JSON files containing:
- SBOM, CBOM, OBOM, SaaSBOM, ML-BOM
- Vulnerability Disclosure Reports (VDR)
- Vulnerability Exploitability Exchange (VEX)
2. Key Analysis Focus:
- Parse 'annotations' for BOM summary
- Examine component attributes: 'tags', ''purl', 'type', 'licenses', 'vulnerabilities'
- Highlight 'depscan:prioritized=true' when relevant
3. Response Principles:
- Professional and concise
- Maximum 2 sentences per response
- Maximum 3 bullet points for explanations
- Cite specific file sections when referencing knowledge files
**Out-of-Scope Response:**
"I'm sorry, but I can only help with BOM-related queries."
**Recommended Tools:**
- CycloneDX Generator (cdxgen)
- OWASP depscan
```

## Knowledge Files

Use the markdown files from the [docs](../../docs) folder as a starting point to create a simple Q&A and xBOM reasoning bot. To support prediction and deeper reasoning use-cases requires a human curated dataset of xBOM samples.
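Review bot: there is a typo in the slim prompt at `- Examine component attributes: 'tags', ''purl', 'type', 'licenses', 'vulnerabilities'`: the doubled quote before `purl` reads as an empty string followed by `purl'`, which a model may well interpret differently from the other quoted attribute names; change it to `'purl'`. The lead-in "which can yield identical performance" is also stronger than anything in this README supports; "comparable performance in our tests" with a pointer to how it was evaluated (the OpenRouter testing section below would be a natural place) would be more accurate.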
@@ -76,6 +119,13 @@ Currently, no established ML benchmarks exist for evaluating xBOM analysis and r

- qwen/qwq-32b-preview
- llama3.3-70b
- CohereForAI/c4ai-command-r7b-12-2024

### Testing on OpenRouter.ai

We use openrouter.ai for testing various models. Start with the slim prompt with one of the suggested models.

![OpenRouter chat configuration](./media/open-router-config.jpg)

## Support

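Review bot: "Start with the slim prompt with one of the suggested models" should point explicitly at the list just above (`qwen/qwq-32b-preview`, `llama3.3-70b`, `CohereForAI/c4ai-command-r7b-12-2024`), and the OpenRouter settings used should be written out as text next to the screenshot (`./media/open-router-config.jpg`): a JPEG is neither searchable nor reviewable in a diff, so listing the model, temperature, max tokens and whatever else the image shows would let others reproduce the test and would also serve readers using screen readers.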
Binary file added contrib/cdxgenGPT/media/open-router-config.jpg

0 comments on commit 4402ccf