Include source code for /explain_vulnerability AI slash command tool
What does this MR do and why?
Include vulnerable source code when invoking the /explain_vulnerability
slash command tool for Duo Chat.
The prompt was taken from the existing Vertex prompt here and can be iterated upon.
Issue: #464318 (closed)
Screenshots or screen recordings
How to set up and validate locally
- Enable the
explain_vulnerability_tool
feature flag:Feature.enable(:explain_vulnerability_tool)
- Setup Duo Chat
- Create a vulnerability in a project with a file in the console:
source = <<~SOURCE #include <stdio.h> int main(int argc, char *argv[]) { char buf[8]; memcpy(&buf, "123456789"); printf("hello, world!"); } SOURCE project = Project.find(<my-project-id>) project.repository.create_file(User.find(<my-user-id>), 'src/main.c', source, message: 'Vulnerable file', branch_name: 'main') finding = FactoryBot.create(:vulnerabilities_finding, :sast, project: project, location: { 'file' => 'src/main.c', 'start_line' => 5, 'end_line' => 6 }) FactoryBot.create(:vulnerability, findings: [finding], project: project)
- Execute the following GraphQL query:
mutation explainVulnerability($agentVersionId: AiAgentVersionID, $clientSubscriptionId: String) { aiAction( input: { chat: { resourceId: "gid://gitlab/Vulnerability/<my-vulnerability-id>", content: "/explain_vulnerability", agentVersionId: $agentVersionId, }, clientSubscriptionId: $clientSubscriptionId } ) { requestId errors __typename } }
http://localhost:3000/<my-group>/<my-project>/-/security/vulnerability_report
, click theGitLab Duo Chat
button and enter `/explain_vulnerability``
Edited by Alex Buijs