Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

LLM Integration #5861

Open
wants to merge 10 commits into
base: main
Choose a base branch
from
Open

LLM Integration #5861

wants to merge 10 commits into from

Conversation

TmmmmmR
Copy link

@TmmmmmR TmmmmmR commented Oct 30, 2024
edited
Loading

Overview

This extension integrates LLM with ZAP and includes two main features:

  • API Sequencing: Import Swagger/OpenAPI definitions to generate sequences of HTTP calls for subsequent scanning operations.
  • Alert Review: Examine an alert and determine the confidence level based on evidence from ZAP, complete with an explanation for the updated confidence level.

Related Issues

Specify any related issues or pull requests by linking to them.

Checklist

  • Update help
  • Update changelog
  • Run ./gradlew spotlessApply for code formatting
  • Write tests
  • Check code coverage
  • Sign-off commits
  • Squash commits
  • Use a descriptive title

For more details, please refer to the developer rules and guidelines.

@github-actions GitHub Actions
Copy link


Thank you for your submission, we really appreciate it. Like many open-source projects, we ask that you all sign our Contributor License Agreement before we can accept your contribution. You can sign the CLA by just posting a Pull Request Comment same as the below format.

I have read the CLA Document and I hereby sign the CLA

0 out of 2 committers have signed the CLA.
@Temmar
@TmmmmmR
temmar seems not to be a GitHub user. You need a GitHub account to be able to sign the CLA. If you have already a GitHub account, please add the email address used for this commit to your account.
Posted by the CLA Assistant Lite bot.

kingthorin
kingthorin reviewed Oct 30, 2024
View reviewed changes
Copy link
Member

@kingthorin kingthorin left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'll have to finish the rest of my review in a bit, but here's some starting bits.

README.md Outdated Show resolved Hide resolved
addOns/llm/gradle.properties Outdated Show resolved Hide resolved
addOns/llm/src/main/java/org/zaproxy/addon/llm/ExtensionLlm.java Outdated Show resolved Hide resolved
addOns/llm/src/main/java/org/zaproxy/addon/llm/ExtensionLlm.java Outdated Show resolved Hide resolved
addOns/llm/src/main/java/org/zaproxy/addon/llm/ExtensionLlm.java Outdated Show resolved Hide resolved
addOns/llm/src/main/java/org/zaproxy/addon/llm/services/LlmCommunicationService.java Outdated Show resolved Hide resolved
addOns/llm/src/main/java/org/zaproxy/addon/llm/services/LlmCommunicationService.java Outdated Show resolved Hide resolved
addOns/llm/src/main/java/org/zaproxy/addon/llm/services/LlmCommunicationService.java Outdated Show resolved Hide resolved
addOns/llm/src/main/java/org/zaproxy/addon/llm/services/LlmCommunicationService.java Outdated Show resolved Hide resolved
addOns/llm/src/main/java/org/zaproxy/addon/llm/services/LlmCommunicationService.java Outdated Show resolved Hide resolved
@TmmmmmR
update PR
d7cdcbb
@TmmmmmR
cancel update for README.md
0252e5b 
Signed-off-by: Abdessamad TEMMAR <[email protected]>
@TmmmmmR
Fix minor prompt typo
9a86edc 
Signed-off-by: Abdessamad TEMMAR <[email protected]>
@TmmmmmR
Fix minor typo in variable name
73820ab 
Signed-off-by: Abdessamad TEMMAR <[email protected]>
kingthorin
kingthorin reviewed Oct 31, 2024
View reviewed changes
addOns/llm/src/main/java/org/zaproxy/addon/llm/services/LlmCommunicationService.java Outdated
Comment on lines 167 to 174
getExtAlert().updateAlert(updatedAlert);
getExtAlert().updateAlertInTree(originalAlert, updatedAlert);
if (alert.getHistoryRef() != null) {
alert.getHistoryRef().updateAlert(updated_alert);
alert.getHistoryRef().updateAlert(updatedAlert);
if (alert.getHistoryRef().getSiteNode() != null) {
// Needed if the same alert was raised on another href for the same
// SiteNode
alert.getHistoryRef().getSiteNode().updateAlert(updated_alert);
alert.getHistoryRef().getSiteNode().updateAlert(updatedAlert);
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm confused about these conditionals and doing the same action over and over, shouldn't the call hat 167 have done it regardless of the conditions?

Copy link
Author

@TmmmmmR TmmmmmR Oct 31, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't know why, but without this I get this exception when I do alert review for a node of alerts :

Index -1 out of bounds for length 10
java.lang.ArrayIndexOutOfBoundsException: Index -1 out of bounds for length 10

I used the same code from this extension : https://github.com/zaproxy/zap-extensions/blob/main/addOns/alertFilters/src/main/java/org/zaproxy/zap/extension/alertFilters/ExtensionAlertFilters.java#L459

@TmmmmmR
Read LLM endpoint from settings
75ebe35 
Signed-off-by: Abdessamad TEMMAR <[email protected]>
kingthorin
kingthorin reviewed Oct 31, 2024
View reviewed changes
Copy link
Member

@kingthorin kingthorin left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should only have the base help and messages.

@kingthorin
Copy link
Member

There's likely a bunch of places swagger should be replaced with openapi.

https://swagger.io/blog/api-strategy/difference-between-swagger-and-openapi/

@yns000
Copy link

yns000 commented Nov 8, 2024

Hi TmmmmmR,

I started my review on this, but ended up having a few questions, can I propose we setup a meeting between yourself and the 2 reviewers so that to see a demo of the addon?

Thank you,
Yiannis

@TmmmmmR
Copy link
Author

TmmmmmR commented Nov 11, 2024
edited
Loading

Hello @yns000, yes of course ! I'm available on slack under the dev-llm channel, my username is temmar.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@kingthorin kingthorin kingthorin left review comments

At least 2 approving reviews are required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@TmmmmmR @kingthorin @yns000