This repository contains a collection of tools for automated vulnerability research, dependency management, and security testing. The primary focus is on identifying vulnerable dependency versions and testing exploit scenarios.
An automatic dependency installation tool that monitors program execution and automatically installs missing dependencies when they are detected during runtime. This tool helps streamline the development and testing process by eliminating manual dependency management.
Key Features:
- Runtime dependency detection
- Automatic installation of missing packages
- Reduces manual configuration overhead
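A sketch of the runtime detection loop described above, written as an added example and not taken from this repository's code. The allowlist contents, function names and the injectable `runner` parameter are assumptions made for illustration; the allowlist exists because import names differ from distribution names and installing whatever a traceback names invites typosquatted packages.

```python
import re
import subprocess
import sys

# Constructed allowlist (assumption): import name -> pinned requirement.
# Only names listed here are ever passed to pip.
ALLOWED = {
    "yaml": "PyYAML==6.0.1",
    "flask": "Flask==2.0.1",
}

MISSING_RE = re.compile(
    r"^(?:ModuleNotFoundError|ImportError): No module named '([\w.]+)'", re.M
)


def missing_module(stderr):
    """Return the top-level module named in the last import failure, or None."""
    hits = MISSING_RE.findall(stderr)
    return hits[-1].split(".")[0] if hits else None


def resolve(module, allowed=ALLOWED):
    """Map an import name to a pinned requirement; None means refuse."""
    return allowed.get(module)


def run_with_autoinstall(argv, allowed=ALLOWED, max_rounds=5, runner=subprocess.run):
    """Run argv, installing allowlisted missing modules between attempts.

    Returns (succeeded, installed_requirements).
    """
    installed = []
    for _ in range(max_rounds):
        proc = runner(argv, capture_output=True, text=True)
        if proc.returncode == 0:
            return True, installed
        module = missing_module(proc.stderr)
        req = resolve(module, allowed) if module else None
        if req is None or req in installed:
            # Unrelated failure, unmapped name, or the install did not help.
            return False, installed
        runner([sys.executable, "-m", "pip", "install", req],
               capture_output=True, text=True, check=True)
        installed.append(req)
    return False, installed
```

Calling `run_with_autoinstall([sys.executable, "app.py"])` retries the program after each allowlisted install and stops at the first failure it cannot map to a pinned requirement.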
A baseline tool built on Claude Code that uses a trial-and-error approach to infer all possible version numbers that can trigger vulnerabilities. This tool serves as a comparison benchmark for our LLM-based mock tools.
Key Features:
- Iterative version testing approach
- Comprehensive vulnerability version discovery
- Benchmark for comparison with LLM-based approaches
An LLM-based tool that mocks APIs and infers package versions based on API features. This is the primary research tool that uses machine learning to intelligently predict vulnerable dependency combinations.
Key Features:
- LLM-powered API mocking
- Feature-based version inference
- Intelligent vulnerability prediction
See MockVenv/README.md for detailed documentation.
Test examples containing vulnerability scenarios for testing and validation purposes. Each test example includes:
- project/: Source code of the vulnerable application
- requirements.txt: A specific combination of dependency versions that can trigger vulnerabilities
- start_server.sh: Script to start the application server
- run_exploit.sh: Script to trigger and demonstrate the vulnerability
These examples serve as test cases for validating the effectiveness of the vulnerability detection and version inference tools.
- Navigate to a test example directory:
  cd test_example1
- Start the vulnerable server:
  ./start_server.sh
- In another terminal, run the exploit:
  ./run_exploit.sh
Please refer to the MockVenv documentation for detailed usage instructions.
This project aims to:
- Automate the discovery of vulnerable dependency versions
- Compare traditional trial-and-error approaches with LLM-based inference
- Provide tools for security researchers to identify and test vulnerability scenarios
- Streamline the dependency management process during security testing