add full model card with metadata & usage details
Browse files
README.md
ADDED
|
@@ -0,0 +1,78 @@
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 1 |
+
---
|
| 2 |
+
license: apache-2.0
|
| 3 |
+
library_name: transformers
|
| 4 |
+
base_model: unsloth/Qwen2.5-Coder-7B-Instruct
|
| 5 |
+
pipeline_tag: text-generation
|
| 6 |
+
tags:
|
| 7 |
+
- vulnzap
|
| 8 |
+
- security
|
| 9 |
+
- code-fix
|
| 10 |
+
- gguf
|
| 11 |
+
datasets:
|
| 12 |
+
- custom
|
| 13 |
+
model_type: gguf
|
| 14 |
+
quantized_by: unsloth
|
| 15 |
+
---
|
| 16 |
+
# VulnZap Faraday Mini 1
|
| 17 |
+
|
| 18 |
+
**VulnZap Faraday Mini 1** is a 4‑bit **GGUF** LoRA‑finetuned snapshot of
|
| 19 |
+
[`unsloth/Qwen2.5‑Coder‑7B‑Instruct`](https://huggingface.co/unsloth/Qwen2.5-Coder-7B-Instruct),
|
| 20 |
+
trained on ~363 security‑oriented code snippets and patches.
|
| 21 |
+
|
| 22 |
+
## intended use
|
| 23 |
+
|
| 24 |
+
* **Patch suggestion** – given a vulnerable code block, return a fixed version.
|
| 25 |
+
* **Risk explanation** – describe *why* the snippet is vulnerable and how the patch mitigates it.
|
| 26 |
+
* **CWE classification** – identify vulnerability class from raw code.
|
| 27 |
+
|
| 28 |
+
Not designed for general chat; it excels at short, code‑focused prompts.
|
| 29 |
+
|
| 30 |
+
## training details
|
| 31 |
+
|
| 32 |
+
* **Base model**: Qwen 2.5 Coder 7 B (instruction‑tuned)
|
| 33 |
+
* **Fine‑tuning**: LoRA (r = 64, α = 128) with
|
| 34 |
+
[Unsloth](https://github.com/unslothai/unsloth) on A100 40 GB
|
| 35 |
+
* **Sequence length**: 4 096 tokens
|
| 36 |
+
* **Epochs**: 3 (effective batch = 8)
|
| 37 |
+
* **Quantisation**: `Q4_K_M` via Unsloth’s GGUF exporter
|
| 38 |
+
* **Date**: 2025-07-19
|
| 39 |
+
|
| 40 |
+
## example
|
| 41 |
+
|
| 42 |
+
```text
|
| 43 |
+
### task: patch the vulnerability
|
| 44 |
+
### language: typescript
|
| 45 |
+
### cwe: CWE‑434 – unrestricted file upload
|
| 46 |
+
### code
|
| 47 |
+
import express from 'express';
|
| 48 |
+
import multer from 'multer';
|
| 49 |
+
const upload = multer();
|
| 50 |
+
app.post('/upload', upload.single('file'), (req, res) => {
|
| 51 |
+
/* vulnerable: accepts any file type without checks */
|
| 52 |
+
});
|
| 53 |
+
### response
|
| 54 |
+
<assistant outputs fixed code here>
|
| 55 |
+
````
|
| 56 |
+
|
| 57 |
+
## evaluation
|
| 58 |
+
|
| 59 |
+
* manual spot‑checks on 50 held‑out snippets show
|
| 60 |
+
|
| 61 |
+
* **100 %** patch compiles,
|
| 62 |
+
* **76 %** fully resolves the vulnerability.
|
| 63 |
+
|
| 64 |
+
(Automatic benchmarks will be added soon.)
|
| 65 |
+
|
| 66 |
+
## limitations & bias
|
| 67 |
+
|
| 68 |
+
* trained on open‑source repos → may under‑perform on exotic frameworks
|
| 69 |
+
* no guarantee the patch is production‑ready; always review before deploying
|
| 70 |
+
* doesn’t reason about business‑logic flaws beyond the CWE classes seen in fine‑tuning data
|
| 71 |
+
|
| 72 |
+
## license
|
| 73 |
+
|
| 74 |
+
Apache 2.0 for both the adapter and the exported GGUF.
|
| 75 |
+
|
| 76 |
+
---
|
| 77 |
+
|
| 78 |
+
*(c) 2025 PlawLabs – questions: yaz \[at] plawlabs.com*
|