Testing 0.2.1

[andresghelarducci]

Hi ,
I tested trivy 0.69.1 with vens 0.2.1 with a report.json with 99 vulnerabilties with llama3.2 .I had to rebuild from sources because IN RHEL/Alma 8 glibc is 2.28 while standard vens binary searches for 2.32 and 2.34 ( maybe you can build including needed glibc?).
As you can see from below logs first results came after 3 minutes then after 1.5 hours command finished with an error that I attached at the bottom
Looks like the second prompt generated for the second group of 10 vulns contained more than 400 CVE generating a huge prompt

trivy vens generate --config-file context.yml --llm ollama report.json output.vex.json
time=2026-02-22T12:51:47.341+01:00 level=INFO msg="Config loaded" project=prescreening exposure=internet data_sensitivity=medium business_criticality=high
time=2026-02-22T12:51:47.351+01:00 level=INFO msg="Processing vulnerabilities" count=99
time=2026-02-22T12:54:47.447+01:00 level=INFO msg=vuln_risk_score vuln=CVE-2025-68973 threat_agent=8 vulnerability=7 technical_impact=8 business_impact=9 likelihood=7.50 impact=8.50 score=63.75 severity=critical vector=SL:8/M:8/O:8/S:8/ED:7/EE:7/A:7/ID:2/LC:8/LI:8/LAV:8/LAC:8/FD:9/RD:9/NC:9/PV:9
time=2026-02-22T12:54:47.447+01:00 level=INFO msg=vuln_risk_score vuln=CVE-2025-68972 threat_agent=3 vulnerability=4 technical_impact=4 business_impact=6 likelihood=3.50 impact=5.00 score=17.50 severity=low vector=SL:3/M:3/O:3/S:3/ED:4/EE:4/A:4/ID:5/LC:4/LI:4/LAV:4/LAC:4/FD:6/RD:6/NC:6/PV:6
time=2026-02-22T12:54:47.447+01:00 level=INFO msg=vuln_risk_score vuln=CVE-2025-68973 threat_agent=8 vulnerability=7 technical_impact=8 business_impact=9 likelihood=7.50 impact=8.50 score=63.75 severity=critical vector=SL:8/M:8/O:8/S:8/ED:7/EE:7/A:7/ID:2/LC:8/LI:8/LAV:8/LAC:8/FD:9/RD:9/NC:9/PV:9
time=2026-02-22T12:54:47.447+01:00 level=INFO msg=vuln_risk_score vuln=CVE-2025-68972 threat_agent=3 vulnerability=4 technical_impact=4 business_impact=6 likelihood=3.50 impact=5.00 score=17.50 severity=low vector=SL:3/M:3/O:3/S:3/ED:4/EE:4/A:4/ID:5/LC:4/LI:4/LAV:4/LAC:4/FD:6/RD:6/NC:6/PV:6
time=2026-02-22T12:54:47.447+01:00 level=INFO msg=vuln_risk_score vuln=CVE-2025-68973 threat_agent=8 vulnerability=7 technical_impact=8 business_impact=9 likelihood=7.50 impact=8.50 score=63.75 severity=critical vector=SL:8/M:8/O:8/S:8/ED:7/EE:7/A:7/ID:2/LC:8/LI:8/LAV:8/LAC:8/FD:9/RD:9/NC:9/PV:9
time=2026-02-22T12:54:47.447+01:00 level=INFO msg=vuln_risk_score vuln=CVE-2025-68972 threat_agent=3 vulnerability=4 technical_impact=4 business_impact=6 likelihood=3.50 impact=5.00 score=17.50 severity=low vector=SL:3/M:3/O:3/S:3/ED:4/EE:4/A:4/ID:5/LC:4/LI:4/LAV:4/LAC:4/FD:6/RD:6/NC:6/PV:6
time=2026-02-22T12:54:47.447+01:00 level=INFO msg=vuln_risk_score vuln=CVE-2025-68973 threat_agent=8 vulnerability=7 technical_impact=8 business_impact=9 likelihood=7.50 impact=8.50 score=63.75 severity=critical vector=SL:8/M:8/O:8/S:8/ED:7/EE:7/A:7/ID:2/LC:8/LI:8/LAV:8/LAC:8/FD:9/RD:9/NC:9/PV:9
time=2026-02-22T12:54:47.447+01:00 level=INFO msg=vuln_risk_score vuln=CVE-2025-68972 threat_agent=3 vulnerability=4 technical_impact=4 business_impact=6 likelihood=3.50 impact=5.00 score=17.50 severity=low vector=SL:3/M:3/O:3/S:3/ED:4/EE:4/A:4/ID:5/LC:4/LI:4/LAV:4/LAC:4/FD:6/RD:6/NC:6/PV:6
time=2026-02-22T12:55:51.925+01:00 level=INFO msg=vuln_risk_score vuln=CVE-2025-68973 threat_agent=8 vulnerability=7 technical_impact=8 business_impact=9 likelihood=7.50 impact=8.50 score=63.75 severity=critical vector=SL:8/M:8/O:8/S:8/ED:7/EE:7/A:7/ID:2/LC:8/LI:8/LAV:8/LAC:8/FD:9/RD:9/NC:9/PV:9
time=2026-02-22T12:55:51.925+01:00 level=INFO msg=vuln_risk_score vuln=CVE-2025-68972 threat_agent=3 vulnerability=4 technical_impact=4 business_impact=6 likelihood=3.50 impact=5.00 score=17.50 severity=low vector=SL:3/M:3/O:3/S:3/ED:4/EE:4/A:4/ID:5/LC:4/LI:4/LAV:4/LAC:4/FD:6/RD:6/NC:6/PV:6

last_log_row.txt

[fahedouch]

Hi @andresghelarducci,

I would like to see your last prompt, can you provide the --debug-dir data ?

For your information, the file last_log_row.txt shows a catastrophic failure from a previous run where the LLM entered an infinite loop, repeating the same CVE 429 times without any analysis.

I just tested Ollama with the model lama3.2, and it managed to generate OWASP scores for 75 CVEs in about 2 minutes and 40 seconds without any problem.

So I suspect there is an issue with your Ollama configuration or your local model.

Which model did you use to run Ollama? Are you running it on GPU or CPU?

[andresghelarducci]

Hi @fahedouch ,
I am using latest ollama container version running using llama3.2, it looks that is working ( see below image).
If you want I can share the trivy file I used as input ( I will clean some info)
I run a CPU only deployment in a machine with 32GB RAM
Attached you can find --debug-dir logs ( same error after 1.5 hour)

system.prompt.txt

human.prompt.txt

[fahedouch]

If you want I can share the trivy file I used as input ( I will clean some info)

Yes please.

Can you test with a GPU? It seems to be more powerful and efficient. I'm afraid that the time taken by Ollama on CPU could cause problems. I tested with CPU on my machine and just generating a VEX for 70 CVEs takes more than an hour.

[andresghelarducci]

Hi ,
here is the file I use for testing, for test with GPU it will take some days

report.json

[fahedouch]

Hi,

here is my configuration:

• macOS (36 Go and 14 CPU)
• tested using docker because I can't run on CPU on my host because my Mac will automatically fallback to Metal
• I allocated to docker 14 CPU et 16 Go of memory

on CPU:
I tested your report, and it's extremely slow. I'm stuck on the first API call (the Docker virtualization layer may be complicating things).

on GPU:
if is very fast ~5 minutes compared to CPU.

I don't know yet if the task performed by vens is too heavy for CPU usage, or if there's some configuration needed on the Ollama side to speed things up.