feat(tools): CVE variant cluster analysis — cluster_cve_variants + manus-use cluster-variants CLI#67
Open
manus-use wants to merge 1 commit into
Open
feat(tools): CVE variant cluster analysis — cluster_cve_variants + manus-use cluster-variants CLI#67manus-use wants to merge 1 commit into
manus-use wants to merge 1 commit into
Conversation
manus-use
pushed a commit
that referenced
this pull request
Jun 29, 2026
…n PRs roadmap, and changelog section - poc-search subcommand (PR #62): multi-source PoC aggregator (trickest, VulnCheck KEV, Exploit-DB, GitHub, NVD) - changelog subcommand (PR #66): conventional-commit release automation - VulnCheck enrichment section: VULNCHECK_API_KEY optional, vulncheck-kev + nist-nvd2 indexes - Updated 8-step VI pipeline description to include VulnCheck KEV in step 2, patch diff/exploit complexity/version range in step 6 - Coming Soon table: 9 open PRs (#51 silent-patches, #53 cve-timeline, #54 version-range, #58 vendor-response, #60 poc-freshness, #63 blast-radius, #64 sbom-scan, #65 temporal-priority, #67 cluster-variants) - Updated built-in tools list to mention VulnCheck KEV and new VI tools - Added Changelog section linking to CHANGELOG.md - Updated Table of Contents with Changelog entry - Expanded Security examples to include poc-search and changelog
…nt patch-status CLI
Adds `get_patch_status(cve_id)` Strands tool and `manus-agent patch-status CVE-ID`
CLI subcommand to answer "has a patch been released for this CVE across my
distribution stack, and how quickly?".
## What it checks
Queries four free, unauthenticated sources in parallel (degrades gracefully
if any source is down):
1. **Ubuntu Security API** — ubuntu.com/security/cves/{CVE}.json
Package-level fix versions + USN advisory IDs per release codename
2. **Debian Security Tracker** — security-tracker.debian.org per-CVE JSON
Status (open/resolved) + fixed versions per suite (bookworm, bullseye, sid…)
3. **Red Hat CVE DB** — access.redhat.com/labs/securitydataapi/cve/{CVE}.json
RHSA errata IDs, affected RHEL/OCP products, still-vulnerable package states
4. **OSV.dev** — api.osv.dev/v1/query
Fix version ranges across PyPI, npm, Maven, Go, crates.io, RubyGems, etc.
Patch date inferred from vuln `modified` timestamp.
## Output
Per-vendor result: `vendor`, `status` (fixed/vulnerable/not_affected/unknown),
`fixed_version`, `advisory_ids`, `patch_date`, `days_to_patch`, `affected_packages`.
Top-level summary: `overall_status` (fully_patched / partially_patched /
unpatched / unknown), `vendors_fixed`, `vendors_vulnerable`, `fastest_patch_vendor`,
`fastest_patch_days`, `all_advisory_ids`.
## CLI
```
manus-agent patch-status CVE-2024-3094
manus-agent patch-status CVE-2021-44228 --output json
```
## VI agent integration
`get_patch_status` added to VulnerabilityIntelligenceAgent tool list (Step 6d
in system prompt). The agent now reports patch availability alongside exploit
complexity and blast-radius in every analysis.
## Tests
83 new unit tests (100% mocked — no real HTTP calls).
Total suite: 985 passing (was 902), 0 failures.
a1b5f54 to
596cc90
Compare
This was referenced Jul 5, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Given a seed CVE, this PR adds a tool and CLI subcommand that discovers related CVEs grouped into three labelled clusters, helping analysts understand the full vulnerability family around a CVE.
What was built
cluster_cve_variantsStrands tool (src/manus_use/tools/cluster_cve_variants.py)Clusters related CVEs into:
Each cluster reports count, avg/max CVSS, and top CWE distribution. The text renderer fires actionable warnings when a cluster is dense (≥5 same-component, ≥3 same-CWE, or ≥3 same-researcher CVEs).
manus-use cluster-variantsCLI subcommandDesign
Tests
46 new unit/integration tests — all fully mocked, zero real HTTP calls.
Checklist
ruff check . --fix→ cleanruff format src/ tests/ruff check .→ All checks passedpython3 -m pytest tests/ -q→ 817 passed, 0 failures