Production-ready agentic system for CVE analysis using NVD, OpenSearch, and LLM reasoning
VersionGuard is designed as a production-ready system with:
- scalable OpenSearch indexing
- real-time NVD fallback
- rate limiting and API security
- CI/CD integration capability
- agentic reasoning with deterministic validation
Modern software depends heavily on third-party libraries.
However, engineers often struggle with security jargon and complex CVE descriptions.
Answering a simple question like "Is OpenSSL 3.0.1 vulnerable?" requires:
- Searching NVD manually
- Understanding security terminology
- Parsing CPE version ranges
- Comparing versions correctly
❌ This is slow, error-prone, and difficult to interpret.
VersionGuard addresses this by:
- Translating CVEs into simple, plain English
- Accurately checking version applicability
- Providing clear upgrade guidance
VersionGuard is a production-grade Agentic RAG system for vulnerability analysis.
- User input is parsed into package and version.
- CVEs are retrieved from OpenSearch or directly from the NVD API.
- NVD data is sourced from https://nvd.nist.gov/ using an optional NVD API key.
- CVE configurations are parsed, including nested AND/OR CPE logic.
- A deterministic version-matching engine evaluates applicability.
- Only explicitly vulnerable versions are flagged as vulnerable.
- LangGraph orchestrates tool-based reasoning across the workflow.
- Ollama LLM generates simplified explanations from CVE data.
- Results are returned in structured JSON for UI and API use.
- The system supports both real-time queries and indexed search.
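The deterministic matching step described above (nested AND/OR configurations, version ranges taken from CPE match entries, and only entries marked vulnerable flagging a version), shown as an added illustration written for this README, not VersionGuard's own engine. It assumes the NVD 2.0 JSON shape (configurations -> nodes -> cpeMatch) and uses a constructed sample record, not a real advisory.

```python
import re
def parse_version(v):
    """'3.0.1' -> (3, 0, 1); trailing zeros dropped so '3.0' == '3.0.0'."""
    parts = [int(p) for p in re.findall(r"\d+", v)]
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)

def match_applies(m, product, version):
    """True if one cpeMatch entry flagged vulnerable covers (product, version)."""
    if not m.get("vulnerable"):
        return False  # vulnerable=False entries are context only; they never flag
    fields = m["criteria"].split(":")  # cpe:2.3:part:vendor:product:version:...
    if fields[4] != product:
        return False
    if fields[5] not in ("*", "-"):
        return parse_version(fields[5]) == version  # exact-version CPE, no range
    bounds = {  # NVD range keys -> predicate on the parsed bound
        "versionStartIncluding": lambda b: version >= b,
        "versionStartExcluding": lambda b: version > b,
        "versionEndIncluding": lambda b: version <= b,
        "versionEndExcluding": lambda b: version < b,
    }
    return all(chk(parse_version(m[k])) for k, chk in bounds.items() if k in m)

def node_applies(node, product, version):
    return any(match_applies(m, product, version) for m in node.get("cpeMatch", []))

def is_vulnerable(cve, product, version_str):
    """Evaluate every configuration; the CVE applies if any configuration does."""
    version = parse_version(version_str)
    for cfg in cve.get("configurations", []):
        nodes = cfg.get("nodes", [])
        if cfg.get("operator") == "AND":
            # Nodes with only vulnerable=False entries are platform preconditions (not testable here)
            testable = [n for n in nodes if any(m.get("vulnerable") for m in n.get("cpeMatch", []))]
            if testable and all(node_applies(n, product, version) for n in testable):
                return True
        elif any(node_applies(n, product, version) for n in nodes):
            return True
    return False

SAMPLE_CVE = {  # constructed record in the NVD 2.0 shape; not a real advisory
    "configurations": [{"nodes": [{"operator": "OR", "cpeMatch": [
        {"vulnerable": True, "criteria": "cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*",
         "versionStartIncluding": "3.0.0", "versionEndExcluding": "3.0.2"},
        {"vulnerable": False, "criteria": "cpe:2.3:a:openssl:openssl:3.0.2:*:*:*:*:*:*:*"},
    ]}]}],
}
```

With this record, `is_vulnerable(SAMPLE_CVE, "openssl", "3.0.1")` is True and `"3.0.2"` is False, because the fixed version appears only as a vulnerable=False entry.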
Built with:
- FastAPI
- LangGraph
- Ollama (LLM)
- OpenSearch
- NVD API
- Airflow
- React + Vite + Tailwind
- Redis (Upstash)
- Langfuse
Quick start (PowerShell):

```powershell
powershell -ExecutionPolicy Bypass -File .\setup-versionguard.ps1
powershell -ExecutionPolicy Bypass -File .\start-versionguard.ps1
```

Example query once the app is running:

```
openssl 3.0.1
```

Optional, but recommended, run the ingest script:

```powershell
powershell -ExecutionPolicy Bypass -File .\ingest-versionguard.ps1
```

The steps, in order:
- setup
- start
- ingest (optional, but recommended)