Hugging Face's logo

Spaces:
martynattakit
/
CodeSentinel-CWE_Classification
Running

App Files Community
1
CodeSentinel-CWE_Classification
File size: 3,217 Bytes
81c4c9c
 
 
 
 
 
 
 
 
832fa51
81c4c9c
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
832fa51
 
3ba3938
832fa51
 
 
 
 
 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
---
title: CodeSentinel
emoji: 🛡️
colorFrom: green
colorTo: gray
sdk: docker
app_port: 7860
pinned: false
---

# CodeSentinel

Vulnerability classification tool combining fine-tuned ML models with MITRE framework coverage.

Paste a **code snippet**, **CVE description**, or **bug report** — CodeSentinel identifies the vulnerability type, severity, and (for AI/ML inputs) the relevant ATLAS attack technique.

## What it does

- **Code input** → Qwen2.5-Coder 7B analyzes the code → RoBERTa classifies the CWE
- **Text input** → RoBERTa classifies directly from the description
- **AI/ML input** → ATLAS pattern matcher identifies the relevant attack technique

## Models

| Model | Purpose | Accuracy |
|-------|---------|----------|
| [`martynattakit/vuln-classifier-roberta`](https://huggingface.co/martynattakit/vuln-classifier-roberta) | CWE classification from text | Macro F1: 0.850 |
| [`martynattakit/vuln-analyzer-qwen-lora`](https://huggingface.co/martynattakit/vuln-analyzer-qwen-lora) | Code → vulnerability description | Eval loss: — |

## Coverage

**CWE Top 25** (MITRE 2024):
CWE-787, CWE-79, CWE-89, CWE-416, CWE-78, CWE-20, CWE-125, CWE-22, CWE-352, CWE-434, CWE-862, CWE-476, CWE-287, CWE-190, CWE-502, CWE-77, CWE-119, CWE-798, CWE-918, CWE-306, CWE-362, CWE-269, CWE-94, CWE-863, CWE-276

**MITRE ATLAS** (25 techniques):
Prompt injection, data poisoning, model extraction, membership inference, adversarial examples, jailbreaking, and more.

## Known limitations

- **CWE-77**: 0 F1 — insufficient training samples. Predictions for this class are unreliable.
- **CWE-863**: F1 0.60 — semantic overlap with CWE-862 makes these hard to distinguish.
- **ATLAS matching** uses keyword signals + retrieval, not a fine-tuned classifier. Confidence scores reflect signal overlap, not ground-truth accuracy. No labeled ATLAS dataset exists yet.
- **Code analysis** training data is primarily C/C++ (BigVul). Python/JS/Go descriptions may be less precise.

## Stack

```
RoBERTa-base        fine-tuned on 165k CVE→CWE pairs (xamxte/cve-to-cwe)
Qwen2.5-Coder-7B    QLoRA fine-tuned on BigVul (1,596 samples)
ATLAS matcher       keyword RAG over 25 hand-crafted MITRE case studies
FastAPI             REST API backend
```

## Local development

```bash
pip install -r requirements.txt
python app.py
# → http://localhost:7860
```

## Project structure

```
pipeline/
    classifier.py      RoBERTa inference wrapper
    code_analyzer.py   Qwen inference wrapper  
    atlas_matcher.py   ATLAS pattern matcher
    router.py          Input routing + output card
api/
    main.py            FastAPI endpoints
frontend/
    index.html         Web UI
data/
    atlas_cases.json   25 MITRE ATLAS techniques (hand-crafted)
notebooks/
    01_roberta_finetune.ipynb
    02_qwen_qlora.ipynb
```

## Links
- [Try the application here!](https://huggingface.co/spaces/martynattakit/CodeSentinel-CWE_Classification)
- [Medium Blog](https://medium.com/@martyxc2018/codesentinel-ai-cwe-classification-a3ed88f2be28)

## Acknowledgements

- **My mentor and TA from AI Builders 2025**
  For making this project possible by giving me guidances, feedbacks throughout the development of this project.