davidalami / vulnmapai Goto Github PK

Description:

When running pytest inside our Docker container using the GitHub Actions workflow, it's not detecting any tests, even though tests exist in our codebase. This causes the CI pipeline to fail with an exit code 5.

Steps to Reproduce:

1. Trigger the GitHub Actions workflow (e.g., by pushing a commit or creating a pull request).
2. Observe the step Run Tests in the workflow.

Expected Behavior:
Pytest should detect and run all the tests inside the Docker container.

Actual Behavior:
Pytest is not detecting any tests and exits with code 5.

Is your feature request related to a problem? Please describe.
Currently, our report template does not allow users to interactively ask follow-up questions to ChatGPT.

Describe the solution you'd like
Develop an endpoint in the Flask app (e.g., /ask-chatgpt) that:

1. Receives POST requests with user queries.
2. Fetches the ChatGPT API key from environment variables.
3. Uses the API key to interact with OpenAI and retrieve the response.
4. Returns the ChatGPT response to the client.

Describe alternatives you've considered
An alternative is to have the frontend directly communicate with the OpenAI API. However, for security reasons, it's better to keep API interactions at the backend.

Additional context
N/A

The HTML string in the prepare_report method can be improved by using a template engine or at least by organizing the HTML string more cleanly and making the resulting HTML report more user-friendly.

Describe the bug
I followed the instructions to try to test the project. Still, after running the container, I had an error ModuleNotFoundError in multiple ways with a different behavior but with the same error message with different modules (packages).

To Reproduce
Steps to reproduce the behavior:

1. Go to https://github.com/davidalami/VulnMapAI#for-developers and follow the instructions. So, I obtained the following result:

~/Projects/random/VulnMapAI$ docker run -it --entrypoint=/bin/bash -e "OPENAI_API_KEY=sk-..."  -p 1337:1337 vulnmapai
┌──(root㉿a61403c272a3)-[/app]
└─# python main.py 127.0.0.1 --top_ports 500
Traceback (most recent call last):
  File "main.py", line 4, in <module>
    from webapp.app import app
ModuleNotFoundError: No module named 'webapp'

2. Go to https://github.com/davidalami/VulnMapAI#for-hackers and follow the instructions. So, I obtained the following result:

~/Projects/random/VulnMapAI$ docker run -it \
    -e  OPENAI_API_KEY="sk-..." \
     -v $(pwd):/app \
    --sysctl net.ipv6.conf.all.disable_ipv6=0 \
    --cap-add NET_ADMIN \
    --cap-add SYS_MODULE \
    --device /dev/net/tun:/dev/net/tun \
    --entrypoint=/bin/bash -p 1337:1337 quantumcrack/vulnmapai-final:latest
Unable to find image 'quantumcrack/vulnmapai-final:latest' locally
latest: Pulling from quantumcrack/vulnmapai-final
3e359b41b521: Already exists 
2cf2f5b97457: Already exists 
37747e89ab88: Already exists 
c1c542d2f90a: Already exists 
abba38decc9b: Already exists 
50794d3b2d7d: Pull complete 
c42da0915d5a: Pull complete 
e2492b34a12e: Pull complete 
6dc55ac30eeb: Pull complete 
4c4ee7a2bd05: Pull complete 
3128b91b3dba: Pull complete 
e4284cca2e5f: Pull complete 
013d065c4a87: Pull complete 
08d38134aeaa: Pull complete 
c6970020f28e: Pull complete 
17bb70cd13b3: Pull complete 
045ed9306eb8: Pull complete 
Digest: sha256:56f41a1264b20db89a42ca3a45f4efbe6b24eb31f68137ba88f6526db8e201db
Status: Downloaded newer image for quantumcrack/vulnmapai-final:latest
┌──(root㉿df22aafac18c)-[/app]
└─# python main.py 127.0.0.1 --top_ports 500
Traceback (most recent call last):
  File "main.py", line 3, in <module>
    from orchestration.pentest import PenetrationTester
  File "/app/orchestration/pentest.py", line 3, in <module>
    from advising.llm import Advisor
  File "/app/advising/llm.py", line 4, in <module>
    from yaml import safe_load
ModuleNotFoundError: No module named 'yaml'

Expected behavior
I should see the project running well in my http://localhost:1337 and start test the project to discover possible vulnerabilities into my local network interfaces.

Screenshots

Desktop (please complete the following information):

• OS: Linux davtop 6.2.0-34-generic #34~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Thu Sep 7 13:12:03 UTC 2 x86_64 x86_64 x86_64 GNU/Linux
• Docker version 24.0.6, build ed223bc
• I used the code until the last commit

Additional context
Nothing

Is blocked by: #11

Is your feature request related to a problem? Please describe.
For more contextual responses, ChatGPT should be aware of the content of the report when answering.

Describe the solution you'd like
Before querying ChatGPT:

1. Extract relevant data from the template (discoveries, advises, etc.).
2. Combine this context with the user's question.
3. Update the backend to forward both the question and context to OpenAI.

Describe alternatives you've considered
N/A

Additional context
N/A

Refactor the code to handle the absence of the OPENAI_API_KEY environment variable more gracefully in the Advisor class, maybe by adding a proper error message or by asking the user to input it manually if it's not set.

Currently, the prompts for OpenAI API are hardcoded within the Advisor class. These can be refactored out into a separate file, making the codebase cleaner and the prompts easier to manage and update.

Is blocked by: #10 and #9

Is your feature request related to a problem? Please describe.
Users should be able to send their questions and receive responses without refreshing the page.

Describe the solution you'd like
Implement JS frontend functionality in the template to:

1. Listen for button clicks.
2. On button click, send an POST request with the user's question to /ask-chatgpt.
3. Update the UI with ChatGPT's response in the dedicated section.

Describe alternatives you've considered
A full-page reload could be considered but would degrade the user experience.

Additional context
N/A

Is your feature request related to a problem? Please describe.
After viewing the report, users might have questions and need a way to interact with ChatGPT directly from the report.

Describe the solution you'd like
Modify the HTML template to:

1. Incorporate an input field for user questions after the "Full Discovery Result" section.
2. Add a button for submitting the question.
3. Create a section/div to showcase ChatGPT's responses.

Describe alternatives you've considered
Another approach could be to redirect users to a separate page for Q&A, but an integrated context window provides a seamless experience.

Additional context
N/A

Is your feature request related to a problem? Please describe.
I'm always frustrated when constants are scattered across multiple modules and files, leading to potential redundancy and lack of clarity.

Describe the solution you'd like
Creating container classes in a dedicated file, where all constants related to the functionality will be housed.

Describe alternatives you've considered
Storing constants in a standalone constants.py file without a container class, but this could lead to potential naming clashes and lacks contextual grouping.

The current prompts can be made more concise, clear, and informative to possibly receive better and more accurate responses from the OpenAI. The task is to review and improve the wording and structure of the existing prompts.
While the current prompts provide some clarity on the desired outcome, refining their structure and wording can help achieve better and more accurate responses from the OpenAI API.