FEAT: Add Insecure Code Scorer #523

Merged
merged 12 commits into from
Nov 12, 2024


KutalVolkan
Contributor

Overview

This PR introduces a basic implementation of an LLM-based scorer, InsecureCodeScorer, which uses a float_scale scoring system to evaluate potential security vulnerabilities in code snippets. The scorer leverages an LLM to analyze code for security issues and returns a normalized float score based on the severity of detected vulnerabilities.

Work Completed

  • pyrit/score/__init__.py:
    • Added InsecureCodeScorer to the module’s imports, enabling it to be used throughout the package.
  • assets/demo_scorer_definitions/insecure_code_scorer.yaml:
    • Created a YAML configuration file to store prompts and instructions for InsecureCodeScorer. This enables easy adjustments to LLM prompts and scoring instructions.
  • pyrit/score/insecure_code_scorer.py:
    • Implemented the core functionality of InsecureCodeScorer, leveraging _score_value_with_llm to retrieve scores from the LLM and normalize them on a float_scale.
  • doc/code/scoring/insecure_code_scorer.ipynb:
    • Created Jupyter Notebook documentation for InsecureCodeScorer, showcasing example usage, scoring results, and explanations of the scoring process.

Next Steps

  • Fix the KeyError in the Jupyter Notebook and optimize the insecure_code_scorer.yaml configuration file.

Related Issue

Issue #513
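
An added example, not code from this PR or from PyRIT: one way to validate a judge model's reply before it is accepted as a float_scale score, so that a missing field or an off-scale number fails with a clear error. The field names `score_value` and `rationale`, the [0.0, 1.0] range and every class and function name here are assumptions.

```python
import json
import math
from dataclasses import dataclass

# Assumed reply fields; not taken from the PR's YAML prompt.
REQUIRED_KEYS = ("score_value", "rationale")

class InvalidScorerResponse(ValueError):
    """The judge model's reply cannot be trusted as a score."""

@dataclass(frozen=True)
class FloatScaleScore:
    value: float  # assumed scale: 0.0 = nothing found, 1.0 = most severe
    rationale: str

def parse_float_scale_response(raw: str) -> FloatScaleScore:
    # Models often wrap JSON in prose; keep only the outermost object.
    start, end = raw.find("{"), raw.rfind("}")
    if start == -1 or end < start:
        raise InvalidScorerResponse("no JSON object in reply")
    try:
        data = json.loads(raw[start:end + 1])
    except json.JSONDecodeError as exc:
        raise InvalidScorerResponse(f"malformed JSON: {exc}") from exc
    missing = [k for k in REQUIRED_KEYS if k not in data]
    if missing:
        # Fail with a clear message instead of a KeyError in the caller.
        raise InvalidScorerResponse(f"missing keys: {missing}")
    score = data["score_value"]
    if isinstance(score, bool):  # bool is an int subclass; true is not a severity
        raise InvalidScorerResponse("score_value is a boolean")
    try:
        value = float(score)  # accepts 0.8 and "0.8"
    except (TypeError, ValueError, OverflowError) as exc:
        raise InvalidScorerResponse(f"non-numeric score: {score!r}") from exc
    if math.isnan(value) or not 0.0 <= value <= 1.0:
        raise InvalidScorerResponse(f"score {value!r} outside [0.0, 1.0]")
    return FloatScaleScore(value, str(data["rationale"]))

def is_valid(raw: str) -> bool:
    try:
        parse_float_scale_response(raw)
        return True
    except InvalidScorerResponse:
        return False

# Constructed sample replies (not real model output).
SAMPLE_OK = 'Assessment: {"score_value": "0.8", "rationale": "SQL built by concatenation"}'
SAMPLE_MISSING = '{"rationale": "looks fine"}'
SAMPLE_RANGE = '{"score_value": 7, "rationale": "used a 1-10 scale"}'
```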

@KutalVolkan
Contributor Author

KutalVolkan commented Nov 5, 2024

Hello @rdheekonda ,

Thank you so much for the feedback! I believe I’ve resolved all the issues and cleaned up the code. Could you please verify? Of course, feel free to add any further feedback, and I’ll address it.

I have one question, though—I think you may address this anyway: I'm not sure where exactly I should place the insecure_code_scorer.yaml file. Currently, it’s located at assets/demo_scorer_definitions/insecure_code_scorer.yaml.

Thank you!

@KutalVolkan KutalVolkan marked this pull request as ready for review November 5, 2024 18:30
@rdheekonda
Contributor

> Hello @rdheekonda ,
>
> Thank you so much for the feedback! I believe I’ve resolved all the issues and cleaned up the code. Could you please verify? Of course, feel free to add any further feedback, and I’ll address it.
>
> I have one question, though—I think you may address this anyway: I'm not sure where exactly I should place the insecure_code_scorer.yaml file. Currently, it’s located at assets/demo_scorer_definitions/insecure_code_scorer.yaml.
>
> Thank you!

Thank you for your contribution. We're organizing all scoring system prompts in this path https://github.com/Azure/PyRIT/tree/main/pyrit/datasets/score. Could you create a directory named insecure_code and place the file system_prompt.yaml inside it? Path could be something like pyrit/datasets/score/insecure_code/system_prompt.yaml

@KutalVolkan
Contributor Author

KutalVolkan commented Nov 6, 2024

> > Hello @rdheekonda ,
> > Thank you so much for the feedback! I believe I’ve resolved all the issues and cleaned up the code. Could you please verify? Of course, feel free to add any further feedback, and I’ll address it.
> > I have one question, though—I think you may address this anyway: I'm not sure where exactly I should place the insecure_code_scorer.yaml file. Currently, it’s located at assets/demo_scorer_definitions/insecure_code_scorer.yaml.
> > Thank you!
>
> Thank you for your contribution. We're organizing all scoring system prompts in this path https://github.com/Azure/PyRIT/tree/main/pyrit/datasets/score. Could you create a directory named insecure_code and place the file system_prompt.yaml inside it? Path could be something like pyrit/datasets/score/insecure_code/system_prompt.yaml

Hello @rdheekonda.

Thank you!

I made the changes. Feel free to review and let me know if any further adjustments are needed! 😃

@KutalVolkan
Contributor Author

KutalVolkan commented Nov 6, 2024

Hi Raja,

I encountered an issue when running pre-commit run --all. The mypy hook failed due to attribute errors in attack_manager.py, specifically with np.infty not being recognized.

Error Output:

pyrit/auxiliary_attacks/gcg/attack/base/attack_manager.py:1124: error: Module has no attribute "infty" [attr-defined]

Fix Applied: I replaced np.infty with np.inf to resolve these errors. If I made any errors, I can easily revert the changes.

238d923

@rdheekonda
Contributor

> Hi Raja,
>
> I encountered an issue when running pre-commit run --all. The mypy hook failed due to attribute errors in attack_manager.py, specifically with np.infty not being recognized.
>
> Error Output:
>
> pyrit/auxiliary_attacks/gcg/attack/base/attack_manager.py:1124: error: Module has no attribute "infty" [attr-defined]
>
> Fix Applied: I replaced np.infty with np.inf to resolve these errors. If I made any errors, I can easily revert the changes.
>
> 238d923

Sounds good. Thanks.

@KutalVolkan KutalVolkan changed the title from "[DRAFT] FEAT: Add Insecure Code Scorer" to "FEAT: Add Insecure Code Scorer" Nov 10, 2024
@rdheekonda rdheekonda merged commit 42a6c7a into Azure:main Nov 12, 2024
6 checks passed
@KutalVolkan KutalVolkan deleted the feat/insecure-code-scorer branch November 14, 2024 06:39