starsofchance/Mistral-Unsloth-QLoRA-adapter

UltiVal: Ministral-8B QLoRA Adapter for Vulnerability Detection

This is a QLoRA adapter fine-tuned from Ministral-8B-Instruct-2410 for detecting security vulnerabilities in source code as part of the UltiVal project.

🚨 Important Note

This is a LoRA adapter, not a standalone model. You must load it together with the base model mistralai/Ministral-8B-Instruct-2410.

📋 Model Details

• Base Model: mistralai/Ministral-8B-Instruct-2410
• Adapter Type: QLoRA (4-bit Low-Rank Adaptation)
• Training Framework: Unsloth
• Task: Security vulnerability detection in source code
• Model Size: ~334MB (adapter only)
• Context Length: 2048 tokens
• Languages: Multi-language code analysis (Python, JavaScript, Java, C/C++, etc.)

🎯 Training Configuration

Parameter	Value
Training Steps	6,000 (best checkpoint)
Total Steps	6,184
Validation Loss	0.5840 (lowest achieved at step 6000)
Final Training Loss	0.4081
Epochs	2
Learning Rate	2e-4 → 1.76e-7 (cosine schedule)
Batch Size	8 (2 × 4 gradient accumulation)
Sequence Length	2048 tokens
LoRA Rank	32
LoRA Alpha	32
LoRA Dropout	0.0
Weight Decay	0.01
Warmup Steps	~5% of total steps

Target Modules

q_proj, k_proj, v_proj, o_proj, gate_proj, up_proj, down_proj

🔧 Usage

Option 1: Using Unsloth (Recommended)

from unsloth import FastLanguageModel
import torch

# Load base model
model, tokenizer = FastLanguageModel.from_pretrained(
    model_name="mistralai/Ministral-8B-Instruct-2410",
    max_seq_length=2048,
    dtype=None,
    load_in_4bit=True,
)

# Add LoRA configuration
model = FastLanguageModel.get_peft_model(
    model,
    r=32,
    target_modules=["q_proj", "k_proj", "v_proj", "o_proj", 
                   "gate_proj", "up_proj", "down_proj"],
    lora_alpha=32,
    lora_dropout=0,
    bias="none",
    use_gradient_checkpointing="unsloth",
    random_state=3407,
)

# Load the trained adapter
model.load_adapter("starsofchance/Mistral-Unsloth-QLoRA-adapter")

# Enable inference mode
FastLanguageModel.for_inference(model)

Option 2: Using Transformers + PEFT

from transformers import AutoTokenizer, AutoModelForCausalLM
from peft import PeftModel
import torch

# Load base model
base_model = AutoModelForCausalLM.from_pretrained(
    "mistralai/Ministral-8B-Instruct-2410",
    torch_dtype=torch.float16,
    device_map="auto",
    load_in_4bit=True
)

tokenizer = AutoTokenizer.from_pretrained("mistralai/Ministral-8B-Instruct-2410")

# Load LoRA adapter
model = PeftModel.from_pretrained(base_model, "starsofchance/Mistral-Unsloth-QLoRA-adapter")

💻 Inference Example

# Example: SQL Injection Detection
code_snippet = '''
def authenticate_user(username, password):
    query = "SELECT * FROM users WHERE username='" + username + "' AND password='" + password + "'"
    cursor.execute(query)
    return cursor.fetchone()
'''

messages = [
    {"role": "user", "content": f"Analyze this code for security vulnerabilities:\n\n{code_snippet}"}
]

# Tokenize and generate
input_ids = tokenizer.apply_chat_template(
    messages, 
    add_generation_prompt=True, 
    return_tensors="pt"
).to(model.device)

outputs = model.generate(
    input_ids,
    max_new_tokens=512,
    do_sample=False,
    pad_token_id=tokenizer.eos_token_id,
    temperature=0.1
)

response = tokenizer.decode(outputs[0][len(input_ids[0]):], skip_special_tokens=True)
print(response)

Expected Output

This code contains a critical SQL injection vulnerability. The user input (username and password) 
is directly concatenated into the SQL query without any sanitization or parameterization.

**Vulnerability Type**: SQL Injection (CWE-89)
**Severity**: High
**Location**: Line 2, query construction

**How to exploit**: An attacker could input malicious SQL code like:
- Username: `admin' --`
- Password: `anything`

**Secure fix**: Use parameterized queries:
```python
def authenticate_user(username, password):
    query = "SELECT * FROM users WHERE username=? AND password=?"
    cursor.execute(query, (username, password))
    return cursor.fetchone()

## 🛡️ Supported Vulnerability Types

The model is trained to detect various security vulnerabilities including:

| Category | Examples |
|----------|----------|
| **Injection** | SQL Injection, Command Injection, LDAP Injection |
| **XSS** | Reflected XSS, Stored XSS, DOM-based XSS |
| **Authentication** | Weak passwords, Authentication bypass, Session management |
| **Authorization** | Privilege escalation, Access control issues |
| **Cryptography** | Weak encryption, Hardcoded keys, Improper random generation |
| **File Operations** | Path traversal, File inclusion, Unsafe deserialization |
| **Memory Safety** | Buffer overflow, Use after free, Memory leaks |
| **Web Security** | CSRF, SSRF, Insecure redirects |

## 📊 Performance Metrics

### Training Progress
- **Initial Loss**: 1.5544
- **Final Loss**: 0.4081
- **Best Validation Loss**: 0.5840 (step 6000)
- **Training Duration**: ~15 hours
- **Convergence**: Stable convergence with cosine learning rate schedule

### Hardware Requirements
- **Training**: NVIDIA GPU with 4-bit quantization
- **Inference**: Can run on CPU or GPU (GPU recommended for speed)
- **Memory**: ~6GB GPU memory for inference with 4-bit quantization

## 📁 Repository Structure

starsofchance/Mistral-Unsloth-QLoRA-adapter/ ├── adapter_config.json # LoRA configuration ├── adapter_model.safetensors # Trained adapter weights (~334MB) ├── tokenizer.json # Tokenizer configuration ├── tokenizer_config.json # Tokenizer settings ├── special_tokens_map.json # Special tokens mapping └── README.md # This file

## ⚠️ Limitations

1. **Adapter Dependency**: Requires the base model to function
2. **Context Window**: Limited to 2048 tokens
3. **Language Coverage**: Primarily trained on common programming languages
4. **False Positives**: May flag secure code patterns as potentially vulnerable
5. **Novel Vulnerabilities**: May not detect cutting-edge or highly obfuscated attacks
6. **Code Context**: Performance depends on having sufficient code context

## 🔄 Integration Tips

### Batch Processing
```python
def analyze_multiple_files(code_files):
    results = []
    for file_path, code_content in code_files:
        # Analyze each file
        messages = [{"role": "user", "content": f"Analyze for vulnerabilities:\n\n{code_content}"}]
        # ... generate response
        results.append({"file": file_path, "analysis": response})
    return results

Custom Prompting

# For specific vulnerability types
prompt = f"""
Focus on SQL injection vulnerabilities in this code:
{code_snippet}

Provide:
1. Vulnerability assessment (Yes/No)
2. Risk level (Low/Medium/High/Critical)  
3. Specific location
4. Remediation steps
"""

📚 Training Data

The model was fine-tuned on a curated dataset featuring:

• Real-world vulnerabilities from CVE databases
• Secure code patterns for contrast learning
• Multi-language examples across different frameworks
• Detailed explanations with remediation guidance
• Context-rich examples showing vulnerability in realistic scenarios

🎓 Model Lineage

Ministral-8B-Instruct-2410 (Mistral AI)
    ↓
QLoRA Fine-tuning (Unsloth)
    ↓  
UltiVal Vulnerability Detection Adapter

📄 Citation

If you use this model in your research or applications, please cite:

@misc{ultival_mistral_lora_2025,
  title={UltiVal: Ministral-8B QLoRA Adapter for Vulnerability Detection},
  author={StarsOfChance},
  year={2025},
  publisher={Hugging Face},
  url={https://huggingface.co/starsofchance/Mistral-Unsloth-QLoRA-adapter}
}

⚖️ License

This adapter inherits the license from the base model mistralai/Ministral-8B-Instruct-2410. Please refer to the base model's license for specific terms and conditions.

🙏 Acknowledgments

• Unsloth Team: For the efficient LoRA fine-tuning framework
• Mistral AI: For the powerful Ministral-8B-Instruct-2410 base model
• Hugging Face: For the model hosting and PEFT library
• UltiVal Project: Part of ongoing research in automated vulnerability detection

📞 Contact & Support

• Issues: Report bugs or issues in the model repository
• Updates: Follow for model updates and improvements
• Community: Join discussions about vulnerability detection and code security

---

🔒 Security Note: This model is designed to assist in security analysis but should not be the sole method for vulnerability assessment. Always conduct comprehensive security reviews with multiple tools and expert analysis.