Skip to content

Commit 8e4123c

Browse files
chg: [doc] Document the optional CWE knowledge base refresh before training
Clarify that vulntrain-train-cwe-classification works out of the box with the versioned mapping, and that refreshing the CWE knowledge base from the Vulnerability-Lookup API is an optional two-step pipeline (update_cwe_knowledge_base.py then build_child_to_ancestor.py) to run before training.
1 parent abc180d commit 8e4123c

2 files changed

Lines changed: 28 additions & 3 deletions

File tree

docs/index.md

Lines changed: 17 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -132,6 +132,23 @@ Predict CWE classifications from vulnerability descriptions and associated patch
132132
vulntrain-train-cwe-classification --base-model roberta-base --dataset-id CIRCL/vulnerability-cwe-patch --repo-id CIRCL/cwe-parent-vulnerability-classification-roberta-base
133133
```
134134

135+
The trainer maps each CWE of the dataset to an ancestor CWE via
136+
`vulntrain/data/deep_child_to_ancestor.json`, built so that every training
137+
label has an *Allowed* or *Allowed-with-Review* MITRE mapping usage: the model
138+
can never suggest a Discouraged or Prohibited CWE.
139+
140+
This mapping is versioned and shipped with VulnTrain, so no extra step is
141+
required before training. To optionally refresh it against the latest CWE
142+
data from [Vulnerability-Lookup](https://vulnerability.circl.lu), run the
143+
following commands before training and commit the regenerated files:
144+
145+
```bash
146+
python tools/cwe/update_cwe_knowledge_base.py # refresh the CWE knowledge base from the API
147+
python tools/cwe/build_child_to_ancestor.py # regenerate vulntrain/data/deep_child_to_ancestor.json
148+
```
149+
150+
See `tools/cwe/README.md` for details.
151+
135152

136153
### Text generation
137154

tools/cwe/README.md

Lines changed: 11 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -1,8 +1,16 @@
11
# CWE mapping generation tools
22

3-
One-off scripts used to build the CWE mapping files. They are not part of the
4-
installed `vulntrain` package and are only needed when the CWE data must be
5-
regenerated.
3+
Scripts used to build the CWE mapping consumed by
4+
`vulntrain-train-cwe-classification`. They are not part of the installed
5+
`vulntrain` package.
6+
7+
Running them is **optional**: the resulting
8+
`vulntrain/data/deep_child_to_ancestor.json` is versioned and shipped with
9+
VulnTrain, so training works out of the box. Run the pipeline below before
10+
training only when you want to pick up the latest CWE data (new CWEs, changed
11+
mapping usages) from Vulnerability-Lookup, and commit the regenerated files.
12+
Both steps are needed, in order: the first only refreshes the knowledge base,
13+
the second regenerates the mapping the trainer reads.
614

715
## Pipeline
816

0 commit comments

Comments
 (0)