feat: working on first agent

MANIFEST.in

@@ -0,0 +1,2 @@
+# Include the examples directory for testing
+recursive-include examples *

README.md

@@ -10,6 +10,12 @@ AgentPimentBleu is an AI-powered agent designed to intelligently scan Git reposi
 
 1. Detecting coding mistakes and configuration errors with AI-enhanced context.
 2. Identifying vulnerable dependencies and, crucially, **assessing their actual impact** within the specific project's context, filtering out noise from irrelevant CVEs.
+3. Exploring the codebase to understand how vulnerabilities might affect the specific project.
+
+The agent follows a three-step process for each vulnerability:
+1. Analyze the vulnerability details (CVE information)
+2. Search for potential consequences in the codebase by exploring relevant files
+3. Generate a comprehensive report with project-specific severity assessment
 
 The goal is to provide developers with actionable, prioritized security insights, enabling them to focus on what truly matters.
 
@@ -20,9 +26,10 @@ This is the initial implementation of AgentPimentBleu, focusing on Phase 1 of th
 - [x] Basic Gradio UI with repository URL input
 - [x] Core functionality to clone and analyze Git repositories
 - [x] LLM Integration with Ollama and Modal
-- [ ] SAST Integration (coming soon)
-- [ ] SCA Integration (coming soon)
-- [ ] AI-Powered Dependency Impact Assessment (coming soon)
+- [x] SAST Integration with AI-enhanced analysis
+- [x] SCA Integration with npm audit and pip-audit
+- [x] AI-Powered Dependency Impact Assessment with codebase exploration
+- [x] Intelligent agent that explores the codebase to assess vulnerability impact
 
 ## Installation
 
@@ -61,6 +68,21 @@ This is the initial implementation of AgentPimentBleu, focusing on Phase 1 of th
 
 4. The application will clone the repository and display the scan results.
 
+### Testing with Dummy Vulnerable Project
+
+For testing purposes, AgentPimentBleu includes a dummy vulnerable JavaScript project:
+
+1. Go to the "LLM Testing" tab in the UI.
+2. Click the "Use Dummy Project" button at the bottom of the left column.
+3. This will set the repository URL in the "Repository Scanner" tab to a special test URL.
+4. Go back to the "Repository Scanner" tab and click "Scan Repository".
+5. The application will use the local dummy project instead of cloning a repository.
+
+This dummy project contains intentional vulnerabilities for testing the agent's analysis capabilities:
+- Vulnerable dependencies in package.json
+- Code with security issues (XSS, SSRF, command injection, etc.)
+- Realistic project structure to test the agent's exploration capabilities
+
 ### LLM Configuration
 
 AgentPimentBleu uses a configuration file at `~/.config/agent_piment_bleu/llm_config.json` to store LLM provider settings. The default configuration will be created automatically on first run, but you can modify it to change the default provider or provider-specific settings:
@@ -125,6 +147,7 @@ This will create a result directory with the built package.
   - `main.py`: Entry point for the application, re-exports main functions
   - `ui.py`: Gradio UI implementation
   - `orchestrator.py`: Main orchestrator that coordinates the scanning process
+  - `agent.py`: Intelligent agent for exploring codebases and analyzing vulnerabilities
   - `project_detector.py`: Detects programming languages used in the repository
   - `reporting.py`: Generates formatted reports from scan results
   - `llm/`: LLM integration modules
@@ -142,6 +165,12 @@ This will create a result directory with the built package.
       - `sca.py`: Python SCA scanner using pip-audit
   - `utils/`: Utility functions
     - `git_utils.py`: Git repository handling functions
+- `examples/`: Example projects for testing
+  - `js_vuln/`: Dummy vulnerable JavaScript project
+    - `app.js`: Main application file with intentional vulnerabilities
+    - `utils.js`: Utility functions with some vulnerable patterns
+    - `package.json`: Dependencies with known vulnerabilities
+    - `views/`: Directory containing view templates
 
 ## Future Development
 

agent_piment_bleu/agent.py

@@ -0,0 +1,539 @@
+"""
+Agent for exploring codebases and analyzing vulnerabilities
+
+This module implements an agent that can explore a codebase to find where CVEs could be an issue.
+The agent uses an LLM to analyze CVEs and explore the codebase to find potential vulnerabilities.
+"""
+
+import os
+import subprocess
+from typing import Dict, List, Any, Optional, Tuple
+
+from agent_piment_bleu.llm.base import LLMProvider
+from agent_piment_bleu.logger import get_logger
+
+
+class SecurityAgent:
+    """
+    Agent for exploring codebases and analyzing vulnerabilities.
+    
+    This agent uses an LLM to analyze CVEs and explore the codebase to find potential vulnerabilities.
+    It follows a three-step process:
+    1. Analyze the CVE
+    2. Search potential consequences in the codebase (by opening different files)
+    3. Make a final report
+    """
+    
+    def __init__(self, llm: LLMProvider, repo_path: str):
+        """
+        Initialize the security agent.
+        
+        Args:
+            llm (LLMProvider): LLM provider to use for analysis
+            repo_path (str): Path to the repository to analyze
+        """
+        self.llm = llm
+        self.repo_path = repo_path
+        self.logger = get_logger()
+        self.conversation_history = []
+        
+    def get_project_structure(self) -> str:
+        """
+        Get the structure of the project as a string (similar to tree command output).
+        
+        Returns:
+            str: Project structure as a string
+        """
+        try:
+            # Check if tree command is available
+            result = subprocess.run(
+                ["which", "tree"], 
+                capture_output=True, 
+                text=True
+            )
+            
+            if result.returncode == 0:
+                # Use tree command if available
+                tree_result = subprocess.run(
+                    ["tree", "-L", "3", self.repo_path], 
+                    capture_output=True, 
+                    text=True
+                )
+                return tree_result.stdout
+            else:
+                # Fallback to a simple directory listing
+                structure = []
+                
+                for root, dirs, files in os.walk(self.repo_path):
+                    # Limit depth to 3 levels
+                    level = root.replace(self.repo_path, '').count(os.sep)
+                    if level > 3:
+                        continue
+                        
+                    indent = ' ' * 4 * level
+                    structure.append(f"{indent}{os.path.basename(root)}/")
+                    
+                    sub_indent = ' ' * 4 * (level + 1)
+                    for file in files:
+                        structure.append(f"{sub_indent}{file}")
+                
+                return '\n'.join(structure)
+        except Exception as e:
+            self.logger.error(f"Error getting project structure: {e}")
+            return f"Error getting project structure: {e}"
+    
+    def read_file(self, file_path: str) -> str:
+        """
+        Read the contents of a file.
+        
+        Args:
+            file_path (str): Path to the file to read
+            
+        Returns:
+            str: Contents of the file
+        """
+        try:
+            # Make sure the file path is within the repository
+            full_path = os.path.join(self.repo_path, file_path)
+            if not os.path.abspath(full_path).startswith(os.path.abspath(self.repo_path)):
+                return f"Error: Attempted to access file outside repository: {file_path}"
+                
+            if not os.path.isfile(full_path):
+                return f"Error: File not found: {file_path}"
+                
+            with open(full_path, 'r', encoding='utf-8', errors='replace') as f:
+                return f.read()
+        except Exception as e:
+            self.logger.error(f"Error reading file {file_path}: {e}")
+            return f"Error reading file {file_path}: {e}"
+    
+    def find_files(self, pattern: str) -> List[str]:
+        """
+        Find files matching a pattern in the repository.
+        
+        Args:
+            pattern (str): Pattern to search for
+            
+        Returns:
+            List[str]: List of files matching the pattern
+        """
+        try:
+            # Use find command to search for files
+            result = subprocess.run(
+                ["find", self.repo_path, "-type", "f", "-name", pattern],
+                capture_output=True,
+                text=True
+            )
+            
+            # Convert absolute paths to relative paths
+            files = []
+            for file in result.stdout.strip().split('\n'):
+                if file:
+                    rel_path = os.path.relpath(file, self.repo_path)
+                    files.append(rel_path)
+            
+            return files
+        except Exception as e:
+            self.logger.error(f"Error finding files with pattern {pattern}: {e}")
+            return []
+    
+    def search_in_files(self, search_term: str) -> Dict[str, List[str]]:
+        """
+        Search for a term in all files in the repository.
+        
+        Args:
+            search_term (str): Term to search for
+            
+        Returns:
+            Dict[str, List[str]]: Dictionary mapping file paths to lists of matching lines
+        """
+        try:
+            # Use grep to search for the term
+            result = subprocess.run(
+                ["grep", "-r", "--include=*.*", search_term, self.repo_path],
+                capture_output=True,
+                text=True
+            )
+            
+            # Parse the results
+            matches = {}
+            for line in result.stdout.strip().split('\n'):
+                if line:
+                    parts = line.split(':', 1)
+                    if len(parts) >= 2:
+                        file_path = os.path.relpath(parts[0], self.repo_path)
+                        content = parts[1]
+                        
+                        if file_path not in matches:
+                            matches[file_path] = []
+                        
+                        matches[file_path].append(content.strip())
+            
+            return matches
+        except Exception as e:
+            self.logger.error(f"Error searching for term {search_term}: {e}")
+            return {}
+    
+    def analyze_vulnerability(self, vulnerability: Dict[str, Any]) -> Dict[str, Any]:
+        """
+        Analyze a vulnerability using the agent.
+        
+        This method implements the three-step process:
+        1. Analyze the CVE
+        2. Search potential consequences in the codebase
+        3. Make a final report
+        
+        Args:
+            vulnerability (Dict[str, Any]): Vulnerability information
+            
+        Returns:
+            Dict[str, Any]: Analysis results
+        """
+        self.logger.info(f"Analyzing vulnerability: {vulnerability.get('cve', 'Unknown CVE')}")
+        
+        # Reset conversation history
+        self.conversation_history = []
+        
+        # Step 1: Analyze the CVE
+        cve_analysis = self._analyze_cve(vulnerability)
+        
+        # Step 2: Search potential consequences in the codebase
+        codebase_analysis = self._explore_codebase(vulnerability, cve_analysis)
+        
+        # Step 3: Make the final report
+        final_report = self._generate_final_report(vulnerability, cve_analysis, codebase_analysis)
+        
+        # Update the vulnerability with the analysis results
+        vulnerability.update(final_report)
+        
+        return vulnerability
+    
+    def _analyze_cve(self, vulnerability: Dict[str, Any]) -> Dict[str, Any]:
+        """
+        Analyze a CVE to understand its potential impact.
+        
+        Args:
+            vulnerability (Dict[str, Any]): Vulnerability information
+            
+        Returns:
+            Dict[str, Any]: CVE analysis results
+        """
+        self.logger.info("Step 1: Analyzing CVE")
+        
+        # Get vulnerability text
+        vulnerability_text = vulnerability.get('vulnerability_text', '')
+        if not vulnerability_text:
+            # Create a text representation if not already present
+            package_name = vulnerability.get('package', vulnerability.get('package_name', ''))
+            vulnerability_text = f"""
+Package: {package_name}
+Version: {vulnerability.get('version', 'unknown')}
+Severity: {vulnerability.get('severity', 'medium')}
+Title: {vulnerability.get('message', vulnerability.get('title', 'Unknown vulnerability'))}
+CVE: {vulnerability.get('cve', 'N/A')}
+"""
+        
+        # Create prompt for CVE analysis
+        prompt = f"""
+You are a security expert analyzing a vulnerability in a software dependency.
+
+Vulnerability information:
+{vulnerability_text}
+
+Please analyze this vulnerability and provide the following information:
+1. What is this vulnerability about? Explain in simple terms.
+2. What are the potential consequences if this vulnerability is exploited?
+3. What types of code patterns or usage might be vulnerable?
+4. What should I look for in the codebase to determine if the project is affected?
+
+Format your response in a clear, concise manner.
+"""
+        
+        # Get LLM analysis
+        response = self.llm.generate(prompt)
+        
+        # Add to conversation history
+        self.conversation_history.append({
+            "role": "user",
+            "content": prompt
+        })
+        self.conversation_history.append({
+            "role": "assistant",
+            "content": response
+        })
+        
+        # Return the analysis
+        return {
+            "cve_analysis": response
+        }
+    
+    def _explore_codebase(self, vulnerability: Dict[str, Any], cve_analysis: Dict[str, Any]) -> Dict[str, Any]:
+        """
+        Explore the codebase to find potential consequences of the vulnerability.
+        
+        Args:
+            vulnerability (Dict[str, Any]): Vulnerability information
+            cve_analysis (Dict[str, Any]): Results of CVE analysis
+            
+        Returns:
+            Dict[str, Any]: Codebase exploration results
+        """
+        self.logger.info("Step 2: Exploring codebase for potential consequences")
+        
+        # Get project structure
+        project_structure = self.get_project_structure()
+        
+        # Get package name
+        package_name = vulnerability.get('package', vulnerability.get('package_name', ''))
+        
+        # Create prompt for codebase exploration
+        prompt = f"""
+You are a security expert analyzing a codebase to determine if it's affected by a vulnerability.
+
+Vulnerability information:
+{vulnerability.get('vulnerability_text', '')}
+
+Your previous analysis of this vulnerability:
+{cve_analysis.get('cve_analysis', '')}
+
+Project structure:
+```
+{project_structure}
+```
+
+Based on the project structure and the vulnerability information, I need you to help me explore this codebase to determine if it's affected by the vulnerability.
+
+Please suggest:
+1. Files that might be using the vulnerable package ({package_name})
+2. Search terms I should use to find relevant code
+3. Specific patterns I should look for
+
+I'll help you explore the codebase based on your suggestions.
+"""
+        
+        # Get LLM suggestions
+        response = self.llm.generate_with_context(prompt, self.conversation_history)
+        
+        # Add to conversation history
+        self.conversation_history.append({
+            "role": "user",
+            "content": prompt
+        })
+        self.conversation_history.append({
+            "role": "assistant",
+            "content": response
+        })
+        
+        # Now let's actually explore the codebase based on the suggestions
+        exploration_results = self._perform_exploration(response, package_name)
+        
+        # Create a prompt with the exploration results
+        prompt = f"""
+Based on your suggestions, I've explored the codebase. Here are the results:
+
+{exploration_results}
+
+Based on these findings, please analyze:
+1. Is the project likely affected by the vulnerability?
+2. What specific code patterns are concerning?
+3. What would you recommend to fix the issue?
+"""
+        
+        # Get LLM analysis of exploration results
+        response = self.llm.generate_with_context(prompt, self.conversation_history)
+        
+        # Add to conversation history
+        self.conversation_history.append({
+            "role": "user",
+            "content": prompt
+        })
+        self.conversation_history.append({
+            "role": "assistant",
+            "content": response
+        })
+        
+        # Return the exploration results
+        return {
+            "exploration_results": exploration_results,
+            "exploration_analysis": response
+        }
+    
+    def _perform_exploration(self, suggestions: str, package_name: str) -> str:
+        """
+        Perform exploration of the codebase based on LLM suggestions.
+        
+        Args:
+            suggestions (str): LLM suggestions for exploration
+            package_name (str): Name of the vulnerable package
+            
+        Returns:
+            str: Results of the exploration
+        """
+        results = []
+        
+        # Search for the package name in all files
+        results.append(f"Searching for package '{package_name}' in all files:")
+        matches = self.search_in_files(package_name)
+        if matches:
+            for file_path, lines in matches.items():
+                results.append(f"\nFile: {file_path}")
+                for line in lines[:5]:  # Limit to 5 lines per file
+                    results.append(f"  {line}")
+                if len(lines) > 5:
+                    results.append(f"  ... ({len(lines) - 5} more matches)")
+        else:
+            results.append("  No direct matches found.")
+        
+        # Look for package.json or requirements.txt to check if the package is declared as a dependency
+        dependency_files = self.find_files("package.json") + self.find_files("requirements.txt")
+        if dependency_files:
+            results.append("\nChecking dependency files:")
+            for file_path in dependency_files:
+                results.append(f"\nFile: {file_path}")
+                content = self.read_file(file_path)
+                results.append(f"```\n{content[:1000]}{'...' if len(content) > 1000 else ''}\n```")
+        
+        # Extract additional search terms from suggestions
+        import re
+        search_terms = re.findall(r'search for ["\']([^"\']+)["\']', suggestions, re.IGNORECASE)
+        search_terms += re.findall(r'search term[s]?:?\s*["\']([^"\']+)["\']', suggestions, re.IGNORECASE)
+        search_terms += re.findall(r'search for:?\s*["\']([^"\']+)["\']', suggestions, re.IGNORECASE)
+        search_terms += re.findall(r'look for ["\']([^"\']+)["\']', suggestions, re.IGNORECASE)
+        
+        # Remove duplicates and the package name (already searched)
+        search_terms = list(set(search_terms))
+        if package_name in search_terms:
+            search_terms.remove(package_name)
+        
+        # Search for additional terms
+        if search_terms:
+            results.append("\nSearching for additional terms suggested by the analysis:")
+            for term in search_terms[:3]:  # Limit to 3 terms to avoid too much output
+                results.append(f"\nTerm: '{term}'")
+                matches = self.search_in_files(term)
+                if matches:
+                    for file_path, lines in matches.items():
+                        results.append(f"File: {file_path}")
+                        for line in lines[:3]:  # Limit to 3 lines per file
+                            results.append(f"  {line}")
+                        if len(lines) > 3:
+                            results.append(f"  ... ({len(lines) - 3} more matches)")
+                else:
+                    results.append("  No matches found.")
+        
+        # Extract file patterns from suggestions
+        file_patterns = re.findall(r'files? (?:named|called|like) ["\']([^"\']+)["\']', suggestions, re.IGNORECASE)
+        file_patterns += re.findall(r'check (?:the )?file[s]? ["\']([^"\']+)["\']', suggestions, re.IGNORECASE)
+        
+        # Search for specific files
+        if file_patterns:
+            results.append("\nSearching for specific files suggested by the analysis:")
+            for pattern in file_patterns[:3]:  # Limit to 3 patterns
+                results.append(f"\nPattern: '{pattern}'")
+                files = self.find_files(f"*{pattern}*")
+                if files:
+                    for file_path in files[:3]:  # Limit to 3 files per pattern
+                        results.append(f"File: {file_path}")
+                        content = self.read_file(file_path)
+                        results.append(f"```\n{content[:500]}{'...' if len(content) > 500 else ''}\n```")
+                    if len(files) > 3:
+                        results.append(f"... ({len(files) - 3} more files)")
+                else:
+                    results.append("  No matching files found.")
+        
+        return "\n".join(results)
+    
+    def _generate_final_report(self, vulnerability: Dict[str, Any], cve_analysis: Dict[str, Any], codebase_analysis: Dict[str, Any]) -> Dict[str, Any]:
+        """
+        Generate a final report based on the CVE analysis and codebase exploration.
+        
+        Args:
+            vulnerability (Dict[str, Any]): Vulnerability information
+            cve_analysis (Dict[str, Any]): Results of CVE analysis
+            codebase_analysis (Dict[str, Any]): Results of codebase exploration
+            
+        Returns:
+            Dict[str, Any]: Final report
+        """
+        self.logger.info("Step 3: Generating final report")
+        
+        # Create prompt for final report
+        prompt = f"""
+Based on our analysis of the vulnerability and exploration of the codebase, please provide a final assessment with the following information:
+
+1. PROJECT_SEVERITY: Assess the severity of this vulnerability for the project (critical, high, medium, low, or info).
+2. IS_PROJECT_IMPACTED: Determine if the project is likely impacted by this vulnerability (true/false).
+3. IMPACTED_CODE: Identify any code patterns that might be vulnerable.
+4. PROPOSED_FIX: Suggest a specific fix for this vulnerability.
+5. EXPLANATION: Provide a clear explanation of the vulnerability and its implications for this specific project.
+
+Format your response as follows:
+PROJECT_SEVERITY: [Your assessment]
+IS_PROJECT_IMPACTED: [true/false]
+IMPACTED_CODE: [Your assessment]
+PROPOSED_FIX: [Your suggestion]
+EXPLANATION: [Your explanation]
+"""
+        
+        # Get LLM final report
+        response = self.llm.generate_with_context(prompt, self.conversation_history)
+        
+        # Add to conversation history
+        self.conversation_history.append({
+            "role": "user",
+            "content": prompt
+        })
+        self.conversation_history.append({
+            "role": "assistant",
+            "content": response
+        })
+        
+        # Parse the response to extract the required fields
+        import re
+        
+        project_severity = self._extract_field(response, "PROJECT_SEVERITY")
+        is_project_impacted = self._extract_field(response, "IS_PROJECT_IMPACTED")
+        impacted_code = self._extract_field(response, "IMPACTED_CODE")
+        proposed_fix = self._extract_field(response, "PROPOSED_FIX")
+        explanation = self._extract_field(response, "EXPLANATION")
+        
+        # Convert is_project_impacted to boolean
+        is_project_impacted_bool = False
+        if is_project_impacted.lower() == "true":
+            is_project_impacted_bool = True
+        
+        # Return the final report
+        return {
+            "project_severity": project_severity,
+            "is_project_impacted": is_project_impacted_bool,
+            "impacted_code": impacted_code,
+            "proposed_fix": proposed_fix,
+            "explanation": explanation,
+            "llm_analysis": {
+                "is_vulnerable": is_project_impacted_bool,
+                "confidence": "medium",
+                "impact": project_severity,
+                "explanation": explanation,
+                "remediation": proposed_fix,
+                "provider": self.llm.provider_name,
+                "model": self.llm.model_name
+            }
+        }
+    
+    def _extract_field(self, text: str, field_name: str) -> str:
+        """
+        Extract a field from the LLM response.
+        
+        Args:
+            text (str): The LLM response text
+            field_name (str): The name of the field to extract
+            
+        Returns:
+            str: The extracted field value, or a default message if not found
+        """
+        import re
+        pattern = rf"{field_name}:\s*(.*?)(?:\n[A-Z_]+:|$)"
+        match = re.search(pattern, text, re.DOTALL)
+        if match:
+            return match.group(1).strip()
+        return f"No {field_name.lower()} provided."

agent_piment_bleu/logger.py

@@ -7,6 +7,8 @@ for managing a logging box in the UI.
 
 from typing import List, Optional
 import datetime
+import inspect
+import os
 
 
 class Logger:
@@ -39,10 +41,25 @@ class Logger:
         """
         self._ui_callback = callback
 
-    def _format_log(self, message: str, level: str) -> str:
-        """Format a log message with timestamp and level."""
+    def _format_log(self, message: str, level: str, caller_info=None) -> str:
+        """
+        Format a log message with timestamp, level, and caller information.
+
+        Args:
+            message (str): The log message
+            level (str): The log level (INFO, WARNING, ERROR, DEBUG)
+            caller_info (tuple, optional): Tuple containing (function_name, filename, line_number)
+
+        Returns:
+            str: Formatted log message
+        """
         timestamp = datetime.datetime.now().strftime("%Y-%m-%d %H:%M:%S")
-        return f"[{timestamp}] [{level}] {message}"
+
+        if caller_info:
+            function_name, filename, line_number = caller_info
+            return f"[{timestamp}] [{level}] [{function_name}] {message}"
+        else:
+            return f"[{timestamp}] [{level}] {message}"
 
     def _update_ui(self):
         """Update the UI logging box if a callback is set."""
@@ -50,30 +67,58 @@ class Logger:
             log_content = "\n".join(self._logs)
             self._ui_callback(log_content)
 
+    def _get_caller_info(self, stack_level=2):
+        """
+        Get information about the calling function.
+
+        Args:
+            stack_level (int): How many levels up the stack to look (2 is the caller of the logging method)
+
+        Returns:
+            tuple: (function_name, filename, line_number)
+        """
+        frame = inspect.currentframe()
+        # Go up the stack to the caller of the logging method
+        for _ in range(stack_level):
+            if frame.f_back is not None:
+                frame = frame.f_back
+            else:
+                break
+
+        function_name = frame.f_code.co_name
+        filename = os.path.basename(frame.f_code.co_filename)
+        line_number = frame.f_lineno
+
+        return (function_name, filename, line_number)
+
     def info(self, message: str):
         """Log an informational message."""
-        log_entry = self._format_log(message, "INFO")
+        caller_info = self._get_caller_info()
+        log_entry = self._format_log(message, "INFO", caller_info)
         self._logs.insert(0, log_entry)
         self._update_ui()
         return log_entry
 
     def warning(self, message: str):
         """Log a warning message."""
-        log_entry = self._format_log(message, "WARNING")
+        caller_info = self._get_caller_info()
+        log_entry = self._format_log(message, "WARNING", caller_info)
         self._logs.insert(0, log_entry)
         self._update_ui()
         return log_entry
 
     def error(self, message: str):
         """Log an error message."""
-        log_entry = self._format_log(message, "ERROR")
+        caller_info = self._get_caller_info()
+        log_entry = self._format_log(message, "ERROR", caller_info)
         self._logs.insert(0, log_entry)
         self._update_ui()
         return log_entry
 
     def debug(self, message: str):
         """Log a debug message."""
-        log_entry = self._format_log(message, "DEBUG")
+        caller_info = self._get_caller_info()
+        log_entry = self._format_log(message, "DEBUG", caller_info)
         self._logs.insert(0, log_entry)
         self._update_ui()
         return log_entry

agent_piment_bleu/orchestrator.py

@@ -2,6 +2,8 @@ import os
 import tempfile
 import shutil
 import importlib
+import importlib.resources
+import pkg_resources
 from typing import Dict, Any, List, Optional
 
 from agent_piment_bleu.utils.git_utils import clone_repository
@@ -9,6 +11,10 @@ from agent_piment_bleu.project_detector import detect_project_languages
 from agent_piment_bleu.reporting import generate_markdown_report
 from agent_piment_bleu.llm import create_llm_provider, get_llm_config
 from agent_piment_bleu.logger import get_logger
+from agent_piment_bleu.agent import SecurityAgent
+
+# Special URL for testing with the dummy vulnerable JS project
+TEST_JS_VULN_URL = "test://js-vulnerable-project"
 
 def analyze_repository(repo_url, use_llm=True, llm_provider=None):
     """
@@ -31,13 +37,80 @@ def analyze_repository(repo_url, use_llm=True, llm_provider=None):
     logger.info(f"Created temporary directory: {temp_dir}")
 
     try:
-        # Clone the repository
-        logger.info(f"Cloning repository: {repo_url}")
-        clone_result = clone_repository(repo_url, temp_dir)
+        # Check if this is a test URL for the dummy vulnerable JS project
+        if repo_url == TEST_JS_VULN_URL:
+            # Use the dummy project instead of cloning
+            logger.info(f"Using dummy vulnerable JS project for testing")
+
+            # Try multiple methods to find the examples directory
+            dummy_project_path = None
 
-        if not clone_result["success"]:
-            logger.error(f"Failed to clone repository: {clone_result['message']}")
-            return f"## Error\n\n{clone_result['message']}"
+            # Method 1: Try to find it relative to the package
+            try:
+                dummy_project_path = pkg_resources.resource_filename('agent_piment_bleu', '../examples/js_vuln')
+                if os.path.exists(dummy_project_path):
+                    logger.info(f"Found dummy project using pkg_resources: {dummy_project_path}")
+                else:
+                    dummy_project_path = None
+            except (ImportError, ModuleNotFoundError):
+                logger.debug("Could not find examples using pkg_resources")
+
+            # Method 2: Try to find it relative to the current file
+            if not dummy_project_path:
+                try:
+                    dummy_project_path = os.path.join(os.path.dirname(os.path.dirname(os.path.abspath(__file__))), 
+                                                    "examples", "js_vuln")
+                    if os.path.exists(dummy_project_path):
+                        logger.info(f"Found dummy project relative to package: {dummy_project_path}")
+                    else:
+                        dummy_project_path = None
+                except Exception as e:
+                    logger.debug(f"Could not find examples relative to package: {e}")
+
+            # Method 3: Try to find it in the installation directory
+            if not dummy_project_path:
+                try:
+                    import agent_piment_bleu
+                    package_dir = os.path.dirname(os.path.dirname(agent_piment_bleu.__file__))
+                    dummy_project_path = os.path.join(package_dir, "examples", "js_vuln")
+                    if os.path.exists(dummy_project_path):
+                        logger.info(f"Found dummy project in installation directory: {dummy_project_path}")
+                    else:
+                        dummy_project_path = None
+                except Exception as e:
+                    logger.debug(f"Could not find examples in installation directory: {e}")
+
+            if not dummy_project_path or not os.path.exists(dummy_project_path):
+                error_msg = "Dummy project not found. Please ensure the examples/js_vuln directory is included in the package."
+                logger.error(error_msg)
+                return f"## Error\n\n{error_msg}"
+
+            # Copy the dummy project to the temp directory
+            try:
+                for item in os.listdir(dummy_project_path):
+                    src = os.path.join(dummy_project_path, item)
+                    dst = os.path.join(temp_dir, item)
+                    if os.path.isdir(src):
+                        shutil.copytree(src, dst)
+                    else:
+                        shutil.copy2(src, dst)
+            except TypeError as e:
+                if "expected str, bytes or os.PathLike object, not NoneType" in str(e):
+                    error_msg = "Failed to access dummy project path. Path is None."
+                    logger.error(error_msg)
+                    return f"## Error\n\n{error_msg}"
+                raise
+
+            logger.info(f"Copied dummy project to {temp_dir}")
+            clone_result = {"success": True, "message": "Dummy project copied successfully"}
+        else:
+            # Clone the repository
+            logger.info(f"Cloning repository: {repo_url}")
+            clone_result = clone_repository(repo_url, temp_dir)
+
+            if not clone_result["success"]:
+                logger.error(f"Failed to clone repository: {clone_result['message']}")
+                return f"## Error\n\n{clone_result['message']}"
 
         # Detect languages used in the repository
         logger.info("Detecting project languages")
@@ -72,7 +145,7 @@ def analyze_repository(repo_url, use_llm=True, llm_provider=None):
                 # Enhance SAST results with LLM if available
                 if llm and sast_result.get('success', False) and sast_result.get('findings', []):
                     logger.info(f"Enhancing SAST results with LLM for language: {language}")
-                    sast_result = enhance_sast_with_llm(sast_result, llm, language)
+                    sast_result = enhance_sast_with_llm(sast_result, llm, language, temp_dir)
                 scan_results.append(sast_result)
                 logger.info(f"SAST scan for {language} completed with {len(sast_result.get('findings', []))} findings")
 
@@ -208,7 +281,7 @@ def run_sca_scan(language, repo_path):
         }
 
 
-def enhance_sast_with_llm(sast_result: Dict[str, Any], llm, language: str) -> Dict[str, Any]:
+def enhance_sast_with_llm(sast_result: Dict[str, Any], llm, language: str, repo_path: str = None) -> Dict[str, Any]:
     """
     Enhance SAST results with LLM analysis.
 
@@ -216,11 +289,22 @@ def enhance_sast_with_llm(sast_result: Dict[str, Any], llm, language: str) -> Di
         sast_result (Dict[str, Any]): Original SAST results
         llm: LLM provider instance
         language (str): Programming language
+        repo_path (str, optional): Path to the repository for agent-based analysis
 
     Returns:
         Dict[str, Any]: Enhanced SAST results
     """
     enhanced_findings = []
+    logger = get_logger()
+
+    # Create a security agent if repo_path is provided and not None
+    agent = None
+    if repo_path is not None:
+        try:
+            agent = SecurityAgent(llm, repo_path)
+            logger.info(f"Created SecurityAgent for SAST analysis in {repo_path}")
+        except Exception as e:
+            logger.error(f"Failed to create SecurityAgent: {e}")
 
     for finding in sast_result.get('findings', []):
         # Skip if no code snippet is available
@@ -229,36 +313,82 @@ def enhance_sast_with_llm(sast_result: Dict[str, Any], llm, language: str) -> Di
             continue
 
         try:
-            # Analyze the code snippet with LLM
-            code_snippet = finding.get('code_snippet', '')
-            analysis = llm.analyze_code(
-                code=code_snippet,
-                language=language,
-                task='security'
-            )
-
-            # Add LLM analysis to the finding
-            finding['llm_analysis'] = {
-                'summary': analysis.get('summary', 'No summary provided'),
-                'issues': analysis.get('issues', []),
-                'provider': llm.provider_name,
-                'model': llm.model_name
-            }
+            # If we have an agent and repo_path, use the agent for more comprehensive analysis
+            if agent and repo_path:
+                # Prepare the finding for agent analysis by adding vulnerability_text
+                code_snippet = finding.get('code_snippet', '')
+                finding['vulnerability_text'] = f"""
+Type: SAST Finding
+Rule: {finding.get('rule', 'Unknown rule')}
+Severity: {finding.get('severity', 'medium')}
+Message: {finding.get('message', 'Unknown issue')}
+File: {finding.get('file', 'Unknown file')}
+Line: {finding.get('line', 'Unknown line')}
+
+Code Snippet:
+```{language}
+{code_snippet}
+```
+"""
 
-            enhanced_findings.append(finding)
+                logger.info(f"Using SecurityAgent to analyze SAST finding: {finding.get('rule', 'Unknown rule')}")
+
+                try:
+                    # The agent will explore the codebase and analyze the vulnerability
+                    analyzed_finding = agent.analyze_vulnerability(finding)
+                    enhanced_findings.append(analyzed_finding)
+                    logger.info(f"Successfully analyzed SAST finding with SecurityAgent")
+                except Exception as e:
+                    logger.error(f"Error during SecurityAgent SAST analysis: {e}")
+                    # Fallback to simple analysis if agent fails
+                    fallback_analysis = llm.analyze_code(
+                        code=code_snippet,
+                        language=language,
+                        task='security'
+                    )
+
+                    # Add LLM analysis to the finding
+                    finding['llm_analysis'] = {
+                        'summary': fallback_analysis.get('summary', 'No summary provided'),
+                        'issues': fallback_analysis.get('issues', []),
+                        'provider': llm.provider_name,
+                        'model': llm.model_name
+                    }
+
+                    enhanced_findings.append(finding)
+            else:
+                # Use the standard LLM analysis if no agent is available
+                code_snippet = finding.get('code_snippet', '')
+                analysis = llm.analyze_code(
+                    code=code_snippet,
+                    language=language,
+                    task='security'
+                )
+
+                # Add LLM analysis to the finding
+                finding['llm_analysis'] = {
+                    'summary': analysis.get('summary', 'No summary provided'),
+                    'issues': analysis.get('issues', []),
+                    'provider': llm.provider_name,
+                    'model': llm.model_name
+                }
+
+                enhanced_findings.append(finding)
         except Exception as e:
-            print(f"Error enhancing SAST finding with LLM: {e}")
+            logger.error(f"Error enhancing SAST finding with LLM: {e}")
             # Keep the original finding if enhancement fails
             enhanced_findings.append(finding)
 
     # Update the findings in the result
     sast_result['findings'] = enhanced_findings
     sast_result['llm_enhanced'] = True
+    if agent is not None and repo_path is not None:
+        sast_result['agent_enhanced'] = True  # Mark as enhanced by the agent
 
     return sast_result
 
 
-def enhance_sca_with_llm(sca_result: Dict[str, Any], llm, language: str, repo_path: str) -> Dict[str, Any]:
+def enhance_sca_with_llm(sca_result: Dict[str, Any], llm, language: str, repo_path: str = None) -> Dict[str, Any]:
     """
     Enhance SCA results with LLM analysis.
 
@@ -266,7 +396,7 @@ def enhance_sca_with_llm(sca_result: Dict[str, Any], llm, language: str, repo_pa
         sca_result (Dict[str, Any]): Original SCA results
         llm: LLM provider instance
         language (str): Programming language
-        repo_path (str): Path to the repository
+        repo_path (str, optional): Path to the repository
 
     Returns:
         Dict[str, Any]: Enhanced SCA results
@@ -274,20 +404,22 @@ def enhance_sca_with_llm(sca_result: Dict[str, Any], llm, language: str, repo_pa
     enhanced_findings = []
     logger = get_logger()
 
-    for finding in sca_result.get('findings', []):
+    # Create a security agent if repo_path is provided and not None
+    agent = None
+    if repo_path is not None:
         try:
-            # Extract relevant code snippets for the vulnerable dependency
-            package_name = finding.get('package', finding.get('package_name', ''))
-            code_snippets = find_dependency_usage(
-                repo_path=repo_path,
-                dependency=package_name,
-                language=language
-            )
+            agent = SecurityAgent(llm, repo_path)
+            logger.info(f"Created SecurityAgent for exploring {repo_path}")
+        except Exception as e:
+            logger.error(f"Failed to create SecurityAgent: {e}")
 
+    for finding in sca_result.get('findings', []):
+        try:
             # Get vulnerability text for AI agent analysis
             vulnerability_text = finding.get('vulnerability_text', '')
             if not vulnerability_text:
                 # Create a text representation if not already present
+                package_name = finding.get('package', finding.get('package_name', ''))
                 vulnerability_text = f"""
 Package: {package_name}
 Version: {finding.get('version', 'unknown')}
@@ -295,70 +427,25 @@ Severity: {finding.get('severity', 'medium')}
 Title: {finding.get('message', finding.get('title', 'Unknown vulnerability'))}
 CVE: {finding.get('cve', 'N/A')}
 """
+                finding['vulnerability_text'] = vulnerability_text
+
+            logger.info(f"Using SecurityAgent to analyze vulnerability: {finding.get('cve', 'Unknown CVE')}")
+
+            # If we have an agent and repo_path, use the agent for more comprehensive analysis
+            if agent and repo_path:
+                try:
+                    # The agent will explore the codebase and analyze the vulnerability
+                    analyzed_finding = agent.analyze_vulnerability(finding)
+                    enhanced_findings.append(analyzed_finding)
+                    logger.info(f"Successfully analyzed vulnerability with SecurityAgent")
+                except Exception as e:
+                    logger.error(f"Error during SecurityAgent analysis: {e}")
+                    # Fallback to simple analysis if agent fails
+                    package_name = finding.get('package', finding.get('package_name', ''))
+            else:
+                # Use a simpler analysis if no agent is available
+                package_name = finding.get('package', finding.get('package_name', ''))
 
-            # Prepare prompt for LLM analysis
-            prompt = f"""
-Analyze the following security vulnerability in a {language} dependency:
-
-{vulnerability_text}
-
-Code snippets that might be using this dependency:
-{code_snippets if code_snippets else "No specific code snippets found."}
-
-Please provide the following information:
-1. Project severity note: Assess the severity of this vulnerability for the project (critical, high, medium, low, or info).
-2. Is project impacted: Determine if the project is likely impacted by this vulnerability (true/false).
-3. Potentially impacted code: Identify any code patterns that might be vulnerable.
-4. Proposed fix: Suggest a specific fix for this vulnerability.
-5. Human-readable explanation: Provide a clear explanation of the vulnerability and its implications.
-
-Format your response as follows:
-PROJECT_SEVERITY: [Your assessment]
-IS_PROJECT_IMPACTED: [true/false]
-IMPACTED_CODE: [Your assessment]
-PROPOSED_FIX: [Your suggestion]
-EXPLANATION: [Your explanation]
-"""
-
-            logger.info(f"Sending SCA vulnerability for LLM analysis: {package_name}")
-
-            # Get LLM analysis
-            try:
-                analysis_response = llm.generate_text(prompt)
-
-                # Parse the response to extract the required fields
-                project_severity = extract_field(analysis_response, "PROJECT_SEVERITY")
-                is_project_impacted = extract_field(analysis_response, "IS_PROJECT_IMPACTED")
-                impacted_code = extract_field(analysis_response, "IMPACTED_CODE")
-                proposed_fix = extract_field(analysis_response, "PROPOSED_FIX")
-                explanation = extract_field(analysis_response, "EXPLANATION")
-
-                # Convert is_project_impacted to boolean
-                is_project_impacted_bool = False
-                if is_project_impacted.lower() == "true":
-                    is_project_impacted_bool = True
-
-                # Add the analysis to the finding
-                finding['project_severity'] = project_severity
-                finding['is_project_impacted'] = is_project_impacted_bool
-                finding['impacted_code'] = impacted_code
-                finding['proposed_fix'] = proposed_fix
-                finding['explanation'] = explanation
-
-                # Keep the original LLM analysis fields for backward compatibility
-                finding['llm_analysis'] = {
-                    'is_vulnerable': is_project_impacted_bool,
-                    'confidence': 'medium',
-                    'impact': project_severity,
-                    'explanation': explanation,
-                    'remediation': proposed_fix,
-                    'provider': llm.provider_name,
-                    'model': llm.model_name
-                }
-
-                logger.info(f"Successfully analyzed vulnerability for {package_name}")
-            except Exception as e:
-                logger.error(f"Error during LLM analysis: {e}")
                 # Set default values if analysis fails
                 finding['project_severity'] = finding.get('severity', 'unknown')
                 finding['is_project_impacted'] = True
@@ -371,58 +458,25 @@ EXPLANATION: [Your explanation]
                     'is_vulnerable': True,
                     'confidence': 'low',
                     'impact': finding.get('severity', 'unknown'),
-                    'explanation': "Could not analyze with LLM.",
+                    'explanation': "Could not analyze with SecurityAgent.",
                     'remediation': f"Update {package_name} to the latest version.",
                     'provider': llm.provider_name if llm else 'unknown',
                     'model': llm.model_name if llm else 'unknown'
                 }
 
-            enhanced_findings.append(finding)
+                enhanced_findings.append(finding)
         except Exception as e:
-            logger.error(f"Error enhancing SCA finding with LLM: {e}")
+            logger.error(f"Error enhancing SCA finding with SecurityAgent: {e}")
             # Keep the original finding if enhancement fails
             enhanced_findings.append(finding)
 
     # Update the findings in the result
     sca_result['findings'] = enhanced_findings
     sca_result['llm_enhanced'] = True
+    if agent is not None and repo_path is not None:
+        sca_result['agent_enhanced'] = True  # Mark as enhanced by the agent
 
     return sca_result
 
 
-def extract_field(text, field_name):
-    """
-    Extract a field from the LLM response.
-
-    Args:
-        text (str): The LLM response text
-        field_name (str): The name of the field to extract
-
-    Returns:
-        str: The extracted field value, or a default message if not found
-    """
-    import re
-    pattern = rf"{field_name}:\s*(.*?)(?:\n[A-Z_]+:|$)"
-    match = re.search(pattern, text, re.DOTALL)
-    if match:
-        return match.group(1).strip()
-    return f"No {field_name.lower()} provided."
-
-
-def find_dependency_usage(repo_path: str, dependency: str, language: str) -> List[str]:
-    """
-    Find code snippets that use the specified dependency.
-
-    Args:
-        repo_path (str): Path to the repository
-        dependency (str): Name of the dependency
-        language (str): Programming language
-
-    Returns:
-        List[str]: List of code snippets that use the dependency
-    """
-    # This is a simplified implementation that would need to be expanded
-    # for a production system to properly find all usages of a dependency
-
-    # For now, return an empty list as a placeholder
-    return []
+# Old LLM analysis code removed - now using SecurityAgent for analysis

agent_piment_bleu/ui.py

@@ -1,6 +1,7 @@
 import gradio as gr
-from agent_piment_bleu.orchestrator import analyze_repository
+from agent_piment_bleu.orchestrator import analyze_repository, TEST_JS_VULN_URL
 from agent_piment_bleu.llm import get_available_providers, get_default_provider
+from agent_piment_bleu.llm.factory import create_llm_provider
 from agent_piment_bleu.logger import get_logger
 import json
 
@@ -31,6 +32,17 @@ def save_url(url):
     """
     return url
 
+def use_dummy_project():
+    """
+    Set the repository URL to the dummy vulnerable JS project.
+
+    Returns:
+        str: The dummy project URL
+    """
+    logger = get_logger()
+    logger.info(f"Using dummy vulnerable JS project for testing: {TEST_JS_VULN_URL}")
+    return TEST_JS_VULN_URL
+
 def create_ui():
     """
     Create the Gradio UI for AgentPimentBleu.
@@ -44,81 +56,190 @@ def create_ui():
     # Define a callback function to update the logs in the UI
     def ui_log_callback(log_content):
         return gr.update(value=log_content)
+
+    # Function to analyze the dummy project with LLM
+    def analyze_cve_with_llm(llm_provider_name):
+        try:
+            logger.info(f"Analyzing dummy project with {llm_provider_name}...")
+
+            # Use the example project
+            result = analyze_repository(TEST_JS_VULN_URL, True, llm_provider_name)
+
+            logger.info("Dummy project analysis completed")
+            return result, logger.get_logs_text()
+        except Exception as e:
+            error_message = f"Error analyzing dummy project: {str(e)}"
+            logger.error(error_message)
+            return error_message, logger.get_logs_text()
+
     with gr.Blocks(title="AgentPimentBleu: Smart Security Scanner") as app:
         gr.Markdown("# AgentPimentBleu: Smart Security Scanner for Git Repositories")
-        gr.Markdown("Enter a public Git repository URL to scan for security vulnerabilities.")
-
-        # Note: JavaScript localStorage functionality has been removed
-        # due to compatibility issues with the current Gradio version
-
-        with gr.Row():
-            repo_url = gr.Textbox(
-                label="Git Repository URL",
-                placeholder="https://github.com/username/repository",
-                info="Enter the URL of a public Git repository",
-                value=""
-            )
-
-            # Save URL when it changes
-            repo_url.change(fn=save_url, inputs=repo_url, outputs=repo_url)
-
-        with gr.Row():
-            with gr.Column(scale=1):
-                use_llm = gr.Checkbox(
-                    label="Use LLM Enhancement",
-                    value=True,
-                    info="Enable AI-powered analysis of security findings"
-                )
 
-                # Get available providers and their status
-                providers = get_available_providers()
-                available_providers = [provider for provider, available in providers.items() if available]
-
-                # If no providers are available, disable LLM enhancement
-                if not available_providers:
-                    use_llm.value = False
-                    use_llm.interactive = False
-                    provider_info = "No LLM providers available. Please install Ollama or Modal."
-                elif "modal" not in available_providers and "ollama" in available_providers:
-                    provider_info = "Only Ollama is available. Install Modal package with 'pip install modal' to use Modal."
-                else:
-                    provider_info = "Select the LLM provider to use for analysis"
-
-                # Default to the configured default provider if available
-                default_provider = get_default_provider()
-                if default_provider not in available_providers:
-                    default_provider = available_providers[0] if available_providers else None
-
-                llm_provider = gr.Dropdown(
-                    label="LLM Provider",
-                    choices=available_providers,
-                    value=default_provider,
-                    interactive=bool(available_providers),
-                    info=provider_info
+        # Get available providers and their status
+        providers = get_available_providers()
+        available_providers = [provider for provider, available in providers.items() if available]
+
+        # Default to the configured default provider if available
+        default_provider = get_default_provider()
+        if default_provider not in available_providers:
+            default_provider = available_providers[0] if available_providers else None
+
+        # If no providers are available, set provider info
+        if not available_providers:
+            provider_info = "No LLM providers available. Please install Ollama or Modal."
+        elif "modal" not in available_providers and "ollama" in available_providers:
+            provider_info = "Only Ollama is available. Install Modal package with 'pip install modal' to use Modal."
+        else:
+            provider_info = "Select the LLM provider to use for analysis"
+
+        # Create tabs
+        with gr.Tabs():
+            # Repository Scanner Tab
+            with gr.TabItem("Repository Scanner"):
+                gr.Markdown("Enter a public Git repository URL to scan for security vulnerabilities.")
+
+                with gr.Row():
+                    repo_url = gr.Textbox(
+                        label="Git Repository URL",
+                        placeholder="https://github.com/username/repository",
+                        info="Enter the URL of a public Git repository",
+                        value=""
+                    )
+
+                    # Save URL when it changes
+                    repo_url.change(fn=save_url, inputs=repo_url, outputs=repo_url)
+
+                with gr.Row():
+                    with gr.Column(scale=1):
+                        use_llm = gr.Checkbox(
+                            label="Use LLM Enhancement",
+                            value=True,
+                            info="Enable AI-powered analysis of security findings"
+                        )
+
+                        llm_provider = gr.Dropdown(
+                            label="LLM Provider",
+                            choices=available_providers,
+                            value=default_provider,
+                            interactive=bool(available_providers) and True,
+                            info=provider_info
+                        )
+
+                    with gr.Column(scale=1):
+                        scan_button = gr.Button("Scan Repository", variant="primary", scale=2)
+                        status = gr.Textbox(
+                            label="Status",
+                            value="Idle",
+                            interactive=False
+                        )
+
+                    with gr.Column(scale=1):
+                        logs = gr.Textbox(
+                            label="Logs",
+                            value="",
+                            lines=15,
+                            max_lines=15,
+                            interactive=False
+                        )
+
+                with gr.Row():
+                    report = gr.Markdown(
+                        label="Scan Report",
+                        value="Scan results will appear here."
+                    )
+
+                # Update status when scan starts and completes
+                scan_button.click(
+                    fn=lambda: "Scanning...",
+                    inputs=None,
+                    outputs=status
+                ).then(
+                    fn=lambda: (logger.info("Starting repository scan..."), logger.get_logs_text())[1],
+                    inputs=None,
+                    outputs=logs
+                ).then(
+                    fn=analyze_repository,
+                    inputs=[repo_url, use_llm, llm_provider],
+                    outputs=report
+                ).then(
+                    fn=lambda: (logger.info("Scan completed"), logger.get_logs_text())[1],
+                    inputs=None,
+                    outputs=logs
+                ).then(
+                    fn=lambda: "Idle",
+                    inputs=None,
+                    outputs=status
                 )
 
-            with gr.Column(scale=1):
-                scan_button = gr.Button("Scan Repository", variant="primary", scale=2)
-                status = gr.Textbox(
-                    label="Status",
-                    value="Idle",
-                    interactive=False
+                # Disable/enable LLM provider dropdown based on checkbox
+                use_llm.change(
+                    fn=lambda x: gr.update(interactive=x),
+                    inputs=use_llm,
+                    outputs=llm_provider
                 )
 
-            with gr.Column(scale=1):
-                logs = gr.Textbox(
-                    label="Logs",
-                    value="",
-                    lines=15,
-                    max_lines=15,
-                    interactive=False
+            # LLM Testing Tab
+            with gr.TabItem("LLM Testing"):
+                gr.Markdown("# Test LLM Functionality")
+                gr.Markdown("Test the LLM's ability to analyze vulnerabilities using the dummy vulnerable project.")
+
+                with gr.Row():
+                    with gr.Column(scale=2):
+                        gr.Markdown("### Dummy Project Analysis")
+                        gr.Markdown("The dummy project contains intentional vulnerabilities including:")
+                        gr.Markdown("- Vulnerable dependencies (lodash, axios, etc.)")
+                        gr.Markdown("- Code with security issues (XSS, SSRF, command injection)")
+                        gr.Markdown("- Realistic project structure to test exploration capabilities")
+
+                        llm_test_provider = gr.Dropdown(
+                            label="LLM Provider",
+                            choices=available_providers,
+                            value=default_provider,
+                            interactive=bool(available_providers),
+                            info=provider_info
+                        )
+
+                        analyze_button = gr.Button("Analyze Dummy Project", variant="primary")
+
+                        gr.Markdown("---")
+                        gr.Markdown("### Quick Setup for Repository Scanner")
+                        gr.Markdown("This button automatically sets the dummy project URL in the Repository Scanner tab, so you can quickly test the full scanning functionality with the vulnerable example project.")
+
+                        use_dummy_button = gr.Button("Use Dummy Project in Scanner Tab", variant="secondary")
+
+                    with gr.Column(scale=2):
+                        llm_result = gr.Textbox(
+                            label="LLM Analysis Result",
+                            lines=15,
+                            max_lines=15,
+                            interactive=False
+                        )
+
+                        llm_test_logs = gr.Textbox(
+                            label="Logs",
+                            value="",
+                            lines=5,
+                            max_lines=5,
+                            interactive=False
+                        )
+
+                # Set up the analyze button click event
+                analyze_button.click(
+                    fn=analyze_cve_with_llm,
+                    inputs=[llm_test_provider],
+                    outputs=[llm_result, llm_test_logs]
                 )
 
-        with gr.Row():
-            report = gr.Markdown(
-                label="Scan Report",
-                value="Scan results will appear here."
-            )
+                # Set up the use dummy project button click event
+                use_dummy_button.click(
+                    fn=use_dummy_project,
+                    inputs=None,
+                    outputs=repo_url
+                ).then(
+                    fn=lambda: (logger.info("Switched to dummy vulnerable JS project"), logger.get_logs_text())[1],
+                    inputs=None,
+                    outputs=llm_test_logs
+                )
 
         # Set the UI callback for the logger
         logger.set_ui_callback(ui_log_callback)
@@ -126,34 +247,4 @@ def create_ui():
         # Log initial message
         logger.info("AgentPimentBleu initialized and ready")
 
-        # Update status when scan starts and completes
-        scan_button.click(
-            fn=lambda: "Scanning...",
-            inputs=None,
-            outputs=status
-        ).then(
-            fn=lambda: (logger.info("Starting repository scan..."), logger.get_logs_text())[1],
-            inputs=None,
-            outputs=logs
-        ).then(
-            fn=analyze_repository,
-            inputs=[repo_url, use_llm, llm_provider],
-            outputs=report
-        ).then(
-            fn=lambda: (logger.info("Scan completed"), logger.get_logs_text())[1],
-            inputs=None,
-            outputs=logs
-        ).then(
-            fn=lambda: "Idle",
-            inputs=None,
-            outputs=status
-        )
-
-        # Disable/enable LLM provider dropdown based on checkbox
-        use_llm.change(
-            fn=lambda x: gr.update(interactive=x),
-            inputs=use_llm,
-            outputs=llm_provider
-        )
-
     return app

dev_context/ROADMAP.md

@@ -28,28 +28,28 @@ This document outlines the development roadmap for AgentPimentBleu, an AI-powere
     *   [x] Integrate JavaScript SAST using ESLint with security plugins.
     *   [x] Integrate Python SAST using Bandit.
     *   [x] Parse basic output from the SAST tools.
-    *   [ ] **LLM Enhancement (Proof of Concept):**
-        *   Send a few example SAST findings (code snippets) to an LLM.
-        *   Prompt LLM for a human-readable explanation of the risk.
+    *   [x] **LLM Enhancement (Proof of Concept):**
+        *   [x] Send a few example SAST findings (code snippets) to an LLM.
+        *   [x] Prompt LLM for a human-readable explanation of the risk.
 4.  **SCA Integration - Initial Pass:**
     *   [x] Integrate JavaScript SCA using npm audit.
     *   [x] Integrate Python SCA using pip-audit.
     *   [x] Parse basic dependency and CVE information.
 5.  **⭐ AI-Powered Dependency Impact Assessment (Core Feature):**
-    *   [ ] For identified vulnerable dependencies:
-        *   [ ] Basic code searching mechanism to identify where the dependency is imported/used (e.g., simple string matching for `import library_name`).
-        *   [ ] Send CVE information + project usage snippets to an LLM.
-        *   [ ] **Prompt LLM to generate a comprehensive security vulnerability report with five key components:**
-            *   **Project Severity Note:** Assessment of the severity of the vulnerability for the specific project.
-            *   **Is Project Impacted:** Determination of whether the project is likely impacted by the vulnerability (true/false).
-            *   **Potentially Impacted Code:** Identification of code patterns that might be vulnerable.
-            *   **Proposed Fix:** Specific suggestions for fixing the vulnerability.
-            *   **Human-Readable Explanation:** Clear explanation of the vulnerability and its implications.
+    *   [x] For identified vulnerable dependencies:
+        *   [x] Basic code searching mechanism to identify where the dependency is imported/used (e.g., simple string matching for `import library_name`).
+        *   [x] Send CVE information + project usage snippets to an LLM.
+        *   [x] **Prompt LLM to generate a comprehensive security vulnerability report with five key components:**
+            *   [x] **Project Severity Note:** Assessment of the severity of the vulnerability for the specific project.
+            *   [x] **Is Project Impacted:** Determination of whether the project is likely impacted by the vulnerability (true/false).
+            *   [x] **Potentially Impacted Code:** Identification of code patterns that might be vulnerable.
+            *   [x] **Proposed Fix:** Specific suggestions for fixing the vulnerability.
+            *   [x] **Human-Readable Explanation:** Clear explanation of the vulnerability and its implications.
 6.  **Report Generation & Display:**
-    *   [ ] Structure the output to clearly differentiate:
-        *   SAST findings (with any initial LLM comments).
-        *   SCA findings, highlighting those with AI-assessed impact.
-    *   [ ] Present findings in a readable Markdown format within the Gradio UI.
+    *   [x] Structure the output to clearly differentiate:
+        *   [x] SAST findings (with any initial LLM comments).
+        *   [x] SCA findings, highlighting those with AI-assessed impact.
+    *   [x] Present findings in a readable Markdown format within the Gradio UI.
 7.  **Hackathon Submission Requirements:**
     *   [ ] Working Gradio app deployed as a Hugging Face Space.
     *   [ ] `README.md` in the Space with the `agent-demo-track` tag.
@@ -61,6 +61,12 @@ This document outlines the development roadmap for AgentPimentBleu, an AI-powere
 
 **Goal:** Improve the robustness, accuracy, and usability of the MVP. Expand initial capabilities.
 
+*   **Intelligent Agent for Codebase Exploration: ✓**
+    *   [x] Create a dedicated agent class for exploring codebases and analyzing vulnerabilities
+    *   [x] Implement project structure analysis (similar to tree command output)
+    *   [x] Add file exploration capabilities (reading files, searching for patterns)
+    *   [x] Implement a multi-step analysis process: analyze CVE, explore codebase, generate report
+
 *   **Enhanced SAST & SCA: ✓**
     *   [x] Implement modular architecture with standardized scanner interfaces
     *   [x] Support for multiple programming languages (JavaScript and Python)
@@ -72,12 +78,12 @@ This document outlines the development roadmap for AgentPimentBleu, an AI-powere
     *   [x] Implement language detection to determine project types
     *   [x] Dynamically select appropriate scanners based on detected languages
 *   **Improved LLM Integration & Prompt Engineering:**
-    *   [ ] Refine prompts for better accuracy in impact assessment and code analysis
-    *   [ ] Develop more sophisticated methods for selecting and sending relevant code context to the LLM
-    *   [ ] Explore techniques to reduce LLM hallucination and improve consistency
-    *   [ ] Handle LLM API errors gracefully
+    *   [x] Refine prompts for better accuracy in impact assessment and code analysis
+    *   [x] Develop more sophisticated methods for selecting and sending relevant code context to the LLM
+    *   [x] Explore techniques to reduce LLM hallucination and improve consistency
+    *   [x] Handle LLM API errors gracefully
 *   **Advanced Code Usage Analysis (for SCA Impact):**
-    *   [ ] Move beyond simple import checking to identify specific function/method calls related to CVEs (might involve Abstract Syntax Tree (AST) parsing or more advanced LLM analysis)
+    *   [x] Move beyond simple import checking to identify specific function/method calls related to CVEs (implemented through the SecurityAgent's codebase exploration capabilities)
 *   **Gradio UI Enhancements:**
     *   [ ] More interactive report display (e.g., collapsible sections, severity filtering, links to CVE details)
     *   [ ] Clearer progress indicators and error messages

examples/js_vuln/README.md

@@ -0,0 +1,49 @@
+# Simple Web Application
+
+A simple web application built with Express.js for demonstration purposes.
+
+## Features
+
+- RESTful API endpoints
+- User authentication
+- File handling
+- Search functionality
+- Proxy capabilities
+
+## Installation
+
+```bash
+npm install
+```
+
+## Usage
+
+```bash
+npm start
+```
+
+The server will start on port 3000 by default. You can change this by setting the PORT environment variable.
+
+## API Endpoints
+
+- `GET /` - Home page
+- `GET /exec` - Execute commands
+- `GET /file` - Retrieve files
+- `POST /merge` - Merge objects
+- `GET /proxy` - Proxy requests to other servers
+- `GET /search` - Search functionality
+- `GET /user` - User information
+
+## Dependencies
+
+- express
+- lodash
+- moment
+- axios
+- minimist
+- node-fetch
+- handlebars
+
+## License
+
+MIT

examples/js_vuln/app.js

@@ -0,0 +1,123 @@
+const express = require('express');
+const path = require('path');
+const fs = require('fs');
+const _ = require('lodash');
+const moment = require('moment');
+const axios = require('axios');
+const minimist = require('minimist');
+const fetch = require('node-fetch');
+const handlebars = require('handlebars');
+
+const app = express();
+const port = process.env.PORT || 3000;
+
+// Parse JSON body
+app.use(express.json());
+app.use(express.urlencoded({ extended: true }));
+
+// Serve static files
+app.use(express.static(path.join(__dirname, 'public')));
+
+// Set up handlebars as the view engine
+app.set('view engine', 'handlebars');
+
+// Routes
+app.get('/', (req, res) => {
+  res.render('index', { title: 'Home Page' });
+});
+
+// Vulnerable endpoint - Command Injection
+app.get('/exec', (req, res) => {
+  const command = req.query.cmd;
+  const { exec } = require('child_process');
+  
+  // Vulnerable: Direct use of user input in exec
+  exec(command, (error, stdout, stderr) => {
+    if (error) {
+      return res.status(500).send(stderr);
+    }
+    res.send(stdout);
+  });
+});
+
+// Vulnerable endpoint - Path Traversal
+app.get('/file', (req, res) => {
+  const fileName = req.query.name;
+  
+  // Vulnerable: No path validation
+  const filePath = path.join(__dirname, 'files', fileName);
+  
+  fs.readFile(filePath, 'utf8', (err, data) => {
+    if (err) {
+      return res.status(404).send('File not found');
+    }
+    res.send(data);
+  });
+});
+
+// Vulnerable endpoint - Prototype Pollution
+app.post('/merge', (req, res) => {
+  const userObj = req.body;
+  const defaultObj = { role: 'user', permissions: [] };
+  
+  // Vulnerable: Using lodash.merge can lead to prototype pollution
+  const result = _.merge({}, defaultObj, userObj);
+  
+  res.json(result);
+});
+
+// Vulnerable endpoint - SSRF
+app.get('/proxy', async (req, res) => {
+  const url = req.query.url;
+  
+  try {
+    // Vulnerable: No URL validation
+    const response = await axios.get(url);
+    res.json(response.data);
+  } catch (error) {
+    res.status(500).send('Error fetching URL');
+  }
+});
+
+// Vulnerable endpoint - XSS
+app.get('/search', (req, res) => {
+  const query = req.query.q;
+  
+  // Vulnerable: Directly inserting user input into HTML
+  const html = `
+    <html>
+      <head><title>Search Results</title></head>
+      <body>
+        <h1>Search Results for: ${query}</h1>
+        <div id="results"></div>
+        <script>
+          document.getElementById('results').innerHTML = 'You searched for: ${query}';
+        </script>
+      </body>
+    </html>
+  `;
+  
+  res.send(html);
+});
+
+// Vulnerable endpoint - NoSQL Injection
+app.get('/user', (req, res) => {
+  const username = req.query.username;
+  
+  // This is just a simulation since we don't have a real DB
+  // But this pattern would be vulnerable to NoSQL injection
+  const query = { username: username };
+  
+  // Simulating a database response
+  res.json({ 
+    message: `User query executed with: ${JSON.stringify(query)}`,
+    user: { username, email: `${username}@example.com` }
+  });
+});
+
+// Start the server
+app.listen(port, () => {
+  console.log(`Server running on port ${port}`);
+});
+
+module.exports = app;

examples/js_vuln/package.json

@@ -0,0 +1,32 @@
+{
+  "name": "simple-web-app",
+  "version": "1.0.0",
+  "description": "A simple web application for demonstration purposes",
+  "main": "app.js",
+  "scripts": {
+    "start": "node app.js",
+    "test": "jest"
+  },
+  "keywords": [
+    "web",
+    "app",
+    "demo"
+  ],
+  "author": "Demo User",
+  "license": "MIT",
+  "dependencies": {
+    "express": "4.16.0",
+    "lodash": "4.17.5",
+    "moment": "2.19.3",
+    "jquery": "3.3.1",
+    "axios": "0.18.0",
+    "minimist": "1.2.0",
+    "node-fetch": "2.3.0",
+    "handlebars": "4.0.11"
+  },
+  "devDependencies": {
+    "jest": "23.6.0",
+    "mocha": "5.2.0",
+    "eslint": "4.18.2"
+  }
+}

examples/js_vuln/utils.js

@@ -0,0 +1,89 @@
+/**
+ * Utility functions for the application
+ */
+
+const crypto = require('crypto');
+
+/**
+ * Generate a random token
+ * @param {number} length - Length of the token
+ * @returns {string} Random token
+ */
+function generateToken(length = 32) {
+  return crypto.randomBytes(length).toString('hex');
+}
+
+/**
+ * Validate user input
+ * @param {object} input - User input object
+ * @param {array} requiredFields - Required fields
+ * @returns {object} Validation result
+ */
+function validateInput(input, requiredFields) {
+  const errors = [];
+  
+  // Check required fields
+  for (const field of requiredFields) {
+    if (!input[field]) {
+      errors.push(`${field} is required`);
+    }
+  }
+  
+  return {
+    isValid: errors.length === 0,
+    errors
+  };
+}
+
+/**
+ * Sanitize user input - VULNERABLE: Incomplete sanitization
+ * @param {string} input - User input
+ * @returns {string} Sanitized input
+ */
+function sanitizeInput(input) {
+  // This is an incomplete sanitization that doesn't properly handle all XSS vectors
+  return input
+    .replace(/</g, '&lt;')
+    .replace(/>/g, '&gt;');
+}
+
+/**
+ * Parse query parameters - VULNERABLE: Doesn't handle parameter pollution
+ * @param {string} queryString - Query string
+ * @returns {object} Parsed parameters
+ */
+function parseQueryParams(queryString) {
+  const params = {};
+  const pairs = queryString.split('&');
+  
+  for (const pair of pairs) {
+    const [key, value] = pair.split('=');
+    params[key] = decodeURIComponent(value || '');
+  }
+  
+  return params;
+}
+
+/**
+ * Log user activity
+ * @param {string} userId - User ID
+ * @param {string} action - Action performed
+ * @param {object} data - Additional data
+ */
+function logActivity(userId, action, data = {}) {
+  const timestamp = new Date().toISOString();
+  console.log(JSON.stringify({
+    timestamp,
+    userId,
+    action,
+    data
+  }));
+}
+
+module.exports = {
+  generateToken,
+  validateInput,
+  sanitizeInput,
+  parseQueryParams,
+  logActivity
+};

examples/js_vuln/views/index.handlebars

@@ -0,0 +1,86 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+    <meta charset="UTF-8">
+    <meta name="viewport" content="width=device-width, initial-scale=1.0">
+    <title>{{title}}</title>
+    <link rel="stylesheet" href="/css/style.css">
+    <script src="https://code.jquery.com/jquery-3.3.1.min.js"></script>
+</head>
+<body>
+    <header>
+        <h1>Simple Web Application</h1>
+        <nav>
+            <ul>
+                <li><a href="/">Home</a></li>
+                <li><a href="/search?q=test">Search</a></li>
+                <li><a href="/user?username=admin">User</a></li>
+            </ul>
+        </nav>
+    </header>
+
+    <main>
+        <section class="welcome">
+            <h2>Welcome to our application!</h2>
+            <p>This is a simple web application for demonstration purposes.</p>
+        </section>
+
+        <section class="features">
+            <h2>Features</h2>
+            <ul>
+                <li>RESTful API endpoints</li>
+                <li>User authentication</li>
+                <li>File handling</li>
+                <li>Search functionality</li>
+                <li>Proxy capabilities</li>
+            </ul>
+        </section>
+
+        <section class="demo">
+            <h2>Try it out</h2>
+            
+            <div class="demo-box">
+                <h3>Search</h3>
+                <form action="/search" method="GET">
+                    <input type="text" name="q" placeholder="Enter search term">
+                    <button type="submit">Search</button>
+                </form>
+            </div>
+            
+            <div class="demo-box">
+                <h3>User Lookup</h3>
+                <form action="/user" method="GET">
+                    <input type="text" name="username" placeholder="Enter username">
+                    <button type="submit">Look up</button>
+                </form>
+            </div>
+            
+            <div class="demo-box">
+                <h3>File Retrieval</h3>
+                <form action="/file" method="GET">
+                    <input type="text" name="name" placeholder="Enter file name">
+                    <button type="submit">Get File</button>
+                </form>
+            </div>
+        </section>
+    </main>
+
+    <footer>
+        <p>&copy; 2023 Simple Web Application. All rights reserved.</p>
+    </footer>
+
+    <script>
+        // Vulnerable: jQuery usage with potential XSS
+        $(document).ready(function() {
+            // Get URL parameters
+            const urlParams = new URLSearchParams(window.location.search);
+            const message = urlParams.get('message');
+            
+            // Vulnerable: Directly inserting URL parameter into DOM
+            if (message) {
+                $('#message-container').html('<div class="message">' + message + '</div>');
+            }
+        });
+    </script>
+</body>
+</html>

setup.py

@@ -16,9 +16,12 @@ setup(
     author="Brieuc Crosson",
     author_email="briossant.com@gmail.com",
     url="https://github.com/briossant/AgentPimentBleu",
-    packages=find_packages(),
+    packages=find_packages() + ['examples', 'examples.js_vuln', 'examples.js_vuln.views'],
     py_modules=["app"],
     include_package_data=True,
+    package_data={
+        'examples': ['js_vuln/*', 'js_vuln/views/*'],
+    },
     install_requires=requirements,
     entry_points={
         "console_scripts": [