# SecuBox CVE Triage Agent

AI-powered CVE analysis and vulnerability management for SecuBox.

## Features

- **Automated CVE Scanning**: Monitors installed packages (opkg, LXC, Docker)
- **NVD Integration**: Fetches latest vulnerabilities from NIST NVD API
- **CrowdSec Correlation**: Matches CVE-related CrowdSec alerts
- **AI Analysis**: LocalAI-powered impact assessment and recommendations
- **Approval Workflow**: Queue-based patch approval for critical changes
- **Multi-Source Monitoring**: opkg packages, LXC containers, Docker images

## CLI Reference

```bash
# Status and monitoring
cve-triage status          # Agent status
cve-triage scan            # Scan installed packages
cve-triage fetch           # Fetch latest CVE data
cve-triage run             # Full triage cycle

# CVE analysis
cve-triage analyze CVE-2024-1234   # Analyze specific CVE

# Recommendation management
cve-triage list-pending    # List pending recommendations
cve-triage approve <id>    # Approve recommendation
cve-triage reject <id>     # Reject recommendation
cve-triage approve-all     # Approve all pending

# Alerts
cve-triage alerts          # Show active alerts

# Reports
cve-triage summary         # Security summary
cve-triage export          # Export full report (JSON)

# Daemon
cve-triage daemon          # Run as background daemon
```

## Configuration

Edit `/etc/config/cve-triage`:

```uci
config cve-triage 'main'
    option enabled '1'
    option interval '3600'           # Triage interval (seconds)
    option localai_url 'http://127.0.0.1:8081'
    option localai_model 'tinyllama-1.1b-chat-v1.0.Q4_K_M'
    option min_severity 'high'       # low/medium/high/critical
    option affected_only '1'         # Only CVEs affecting installed packages
    option auto_apply_patches '0'    # Queue patches for approval
    option min_confidence '80'       # AI confidence threshold
```

## Data Flow

```
1. COLLECT
   ├─ opkg list-installed
   ├─ LXC container packages (dpkg/apk)
   └─ Docker images

2. FETCH CVEs
   ├─ NVD API (last 7 days, high severity)
   └─ CrowdSec CVE alerts

3. MATCH
   └─ CVE descriptions ↔ package names

4. ANALYZE (LocalAI)
   ├─ Impact assessment
   ├─ OpenWrt relevance
   └─ Action recommendation

5. RECOMMEND
   ├─ patch: opkg upgrade <pkg>
   ├─ mitigate: manual steps
   └─ monitor: no action

6. APPROVE/APPLY
   ├─ Auto-apply (if enabled)
   └─ Queue for review
```

## LocalAI Integration

Requires LocalAI running at `http://127.0.0.1:8081`.

Without LocalAI, the agent uses basic CVSS-based analysis.

## Files

- `/etc/config/cve-triage` - Configuration
- `/var/lib/cve-triage/` - State and recommendations
- `/var/cache/cve-triage/` - CVE data cache
- `/var/lib/cve-triage/pending_actions.json` - Approval queue

## Part of SecuBox v0.19 AI Gateway