Contribution · Application — Software

AI for Dependency Vulnerability Triage

Software composition analysis scanners produce thousands of CVE alerts, most of which don't matter — the vulnerable function is never called, the dependency is test-only, or a fix exists upstream. LLMs can read the CVE description, the call graph, and the package context to prioritize: 'exploitable, fix today' vs 'theoretical, upgrade next sprint'. That triage work used to be a senior engineer's morning; now it's an LLM's minute.

Application facts

Domain
Software
Subdomain
Security
Example stack
Claude Sonnet 4.7 or GPT-5 for triage reasoning · SCA scanner (Snyk, Trivy, GitHub Dependabot, Sonatype) · Static analysis for call-graph reachability (CodeQL, Semgrep) · GitHub / GitLab API for PR drafting · Security dashboard with audit log

Data & infrastructure needs

  • SBOM (SPDX, CycloneDX) of all services
  • CVE feed (NVD, GitHub Advisory, OSV)
  • Source code and call graphs
  • Internal risk scoring rubric

Risks & considerations

  • False reassurance — LLM marks exploitable CVEs as low-risk
  • Prompt injection via malicious CVE descriptions
  • Over-automation of fix PRs breaking production
  • Compliance — SBOM and supply chain attestations (SSDF, EU CRA)
  • Stale data — CVE database lags real exploits

Frequently asked questions

Is AI for vulnerability triage safe?

As a triage copilot, yes — it separates signal from noise and saves AppSec engineers hours. Never let it auto-merge fixes; every security PR gets human review. And monitor for drift — CVE scoring changes, exploits emerge.

What LLM is best for vulnerability triage?

Claude Sonnet 4.7 is cost-effective at volume. For reasoning about complex call graphs, Opus 4.7 or GPT-5. Pair with traditional SAST and SCA tools — LLMs complement, don't replace, deterministic analysis.

Regulatory concerns?

US: NIST SSDF, Executive Order 14028, CISA SBOM guidance. EU: Cyber Resilience Act (CRA), NIS2. India: CERT-In directives, DPDPA for customer data affected by breaches. Supply-chain attestations are becoming table stakes for government contracts.

Sources

  1. NIST — Secure Software Development Framework — accessed 2026-04-20
  2. CERT-In — accessed 2026-04-20
  3. EU Cyber Resilience Act — accessed 2026-04-20

Related

  • AI for API Mock Generation — LLMs read OpenAPI specs and sample responses to generate realistic, stateful API mocks — unblocking front-end and integration teams before the real backend is ready.
  • AI for Legacy Code Modernization — LLMs accelerate COBOL-to-Java, VB6-to-C#, monolith-to-microservices migrations by reading old code, documenting intent, and drafting equivalent modern code with test harnesses.
  • AI for Observability and Root Cause Analysis — SRE teams use LLMs to summarize incidents, correlate logs/traces/metrics, and propose probable root causes — reducing MTTR and capturing tribal knowledge.
  • All Applications — Browse the complete applications library
  • VSET — Programmes offered — B.Tech programs (CSE, AI&ML, AI&DS, Electronics, IIoT)