Skip to content

feat(tools): CVE variant cluster analysis — cluster_cve_variants + manus-use cluster-variants CLI#67

Open
manus-use wants to merge 1 commit into
mainfrom
feat/variant-cluster-analysis
Open

feat(tools): CVE variant cluster analysis — cluster_cve_variants + manus-use cluster-variants CLI#67
manus-use wants to merge 1 commit into
mainfrom
feat/variant-cluster-analysis

Conversation

@manus-use

Copy link
Copy Markdown
Owner

Summary

Given a seed CVE, this PR adds a tool and CLI subcommand that discovers related CVEs grouped into three labelled clusters, helping analysts understand the full vulnerability family around a CVE.

What was built

cluster_cve_variants Strands tool (src/manus_use/tools/cluster_cve_variants.py)

Clusters related CVEs into:

  • same_component — CVEs affecting the same vendor/product (CPE-derived)
  • same_cwe — CVEs sharing at least one CWE weakness class
  • same_researcher — CVEs citing the same disclosure domain (huntr.dev, zerodayinitiative.com, talosintelligence.com, etc.)

Each cluster reports count, avg/max CVSS, and top CWE distribution. The text renderer fires actionable warnings when a cluster is dense (≥5 same-component, ≥3 same-CWE, or ≥3 same-researcher CVEs).

manus-use cluster-variants CLI subcommand

manus-use cluster-variants CVE-2021-44228
manus-use cluster-variants CVE-2021-44228 --max-results 100 --output json

Design

  • NVD REST API v2 only — no auth required, no paid endpoints used
  • Two parallel NVD requests per invocation (product keyword + CWE fallback)
  • Graceful degradation on network failure (returns empty clusters, not exceptions)
  • Registered in VulnerabilityIntelligenceAgent tool list
  • Step 8b added to vi_agent system prompt (optional, skipped on NVD unavailability)

Tests

46 new unit/integration tests — all fully mocked, zero real HTTP calls.

Metric Before After
Tests passing 771 817
Failures 0 0

Checklist

  • ruff check . --fix → clean
  • ruff format src/ tests/
  • ruff check . → All checks passed
  • python3 -m pytest tests/ -q → 817 passed, 0 failures
  • No real HTTP calls in tests
  • No VULNCHECK or paid APIs used

manus-use pushed a commit that referenced this pull request Jun 29, 2026
…n PRs roadmap, and changelog section

- poc-search subcommand (PR #62): multi-source PoC aggregator (trickest, VulnCheck KEV, Exploit-DB, GitHub, NVD)
- changelog subcommand (PR #66): conventional-commit release automation
- VulnCheck enrichment section: VULNCHECK_API_KEY optional, vulncheck-kev + nist-nvd2 indexes
- Updated 8-step VI pipeline description to include VulnCheck KEV in step 2, patch diff/exploit complexity/version range in step 6
- Coming Soon table: 9 open PRs (#51 silent-patches, #53 cve-timeline, #54 version-range, #58 vendor-response, #60 poc-freshness, #63 blast-radius, #64 sbom-scan, #65 temporal-priority, #67 cluster-variants)
- Updated built-in tools list to mention VulnCheck KEV and new VI tools
- Added Changelog section linking to CHANGELOG.md
- Updated Table of Contents with Changelog entry
- Expanded Security examples to include poc-search and changelog
…nt patch-status CLI

Adds `get_patch_status(cve_id)` Strands tool and `manus-agent patch-status CVE-ID`
CLI subcommand to answer "has a patch been released for this CVE across my
distribution stack, and how quickly?".

## What it checks

Queries four free, unauthenticated sources in parallel (degrades gracefully
if any source is down):

1. **Ubuntu Security API** — ubuntu.com/security/cves/{CVE}.json
   Package-level fix versions + USN advisory IDs per release codename
2. **Debian Security Tracker** — security-tracker.debian.org per-CVE JSON
   Status (open/resolved) + fixed versions per suite (bookworm, bullseye, sid…)
3. **Red Hat CVE DB** — access.redhat.com/labs/securitydataapi/cve/{CVE}.json
   RHSA errata IDs, affected RHEL/OCP products, still-vulnerable package states
4. **OSV.dev** — api.osv.dev/v1/query
   Fix version ranges across PyPI, npm, Maven, Go, crates.io, RubyGems, etc.
   Patch date inferred from vuln `modified` timestamp.

## Output

Per-vendor result: `vendor`, `status` (fixed/vulnerable/not_affected/unknown),
`fixed_version`, `advisory_ids`, `patch_date`, `days_to_patch`, `affected_packages`.

Top-level summary: `overall_status` (fully_patched / partially_patched /
unpatched / unknown), `vendors_fixed`, `vendors_vulnerable`, `fastest_patch_vendor`,
`fastest_patch_days`, `all_advisory_ids`.

## CLI

```
manus-agent patch-status CVE-2024-3094
manus-agent patch-status CVE-2021-44228 --output json
```

## VI agent integration

`get_patch_status` added to VulnerabilityIntelligenceAgent tool list (Step 6d
in system prompt). The agent now reports patch availability alongside exploit
complexity and blast-radius in every analysis.

## Tests

83 new unit tests (100% mocked — no real HTTP calls).
Total suite: 985 passing (was 902), 0 failures.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant