exploitiq-reports

ExploitIQ Reports

Manage CVE analysis reports: list, filter, inspect, retry, and delete.

Determine Intent

From the user's input, determine which operation to perform:

List / Filter Reports

Call mcp__exploitiq__list_cve_reports with any filters the user specified:

• vulnId — filter by CVE ID
• imageName — filter by image/repo name
• imageTag — filter by image tag / commit
• status — filter by status: completed, sent, failed, queued, expired, pending
• exploitIqStatus — filter by verdict: TRUE, FALSE, UNKNOWN
• productId — filter by product ID
• inputType — filter by report type: repository (source code analysis) or rpm (RPM package checker)
• rpmPackage — filter by RPM package name-version-release substring (case-insensitive)
• page — page number (0-based)
• pageSize — items per page
• sortBy — array of "field:direction" strings

Response: Array<Report>

Each item in the array has these fields:

id          — MongoDB ObjectId (hex string), use for retry/delete operations
scanId      — Scan ID, use for get_cve_report_by_scan_id
startedAt   — ISO timestamp
completedAt — ISO timestamp
imageName   — Image/repo name
imageTag    — Image tag or commit hash
state       — Analysis state
vulns[]     — Array of VulnResult:
  .vulnId                — CVE ID
  .justification.status  — "true", "false", or "unknown"
  .justification.label   — Justification label
metadata    — User-provided metadata (Record<string, string>)
gitRepo     — (optional) Git repository URL
ref         — (optional) Git reference
submittedAt — (optional) Submission timestamp

Present results as a table, mapping fields to columns:

Scan ID	CVE	Repo	Status	Verdict	Date
scanId	vulns[0].vulnId	imageName	state	vulns[0].justification.status	startedAt

If there are multiple pages, note the total count and current page.

If results are returned, ask: "Want to inspect any of these reports in detail?"

Get Specific Report

Call mcp__exploitiq__get_cve_report_by_scan_id with the scan ID the user provided.

Response: ReportWithStatus

{
  "report": { <FullReport document> },
  "status": "completed"  // completed, queued, sent, expired, failed, pending, unknown
}

The report field is a raw MongoDB document. Key fields to extract for display:

Input data:

report.input.scan.id                          — Scan ID
report.input.scan.vulns[].vuln_id             — CVE ID
report.input.scan.vulns[].package_name        — Package name
report.input.scan.vulns[].package_version     — Package version
report.input.scan.vulns[].severity            — CRITICAL, HIGH, MEDIUM, LOW
report.input.image.ecosystem                  — Ecosystem (nodejs, java, etc.)
report.input.image.name                       — Image/repo name
report.input.image.source_info[].git_repo     — Repository URL

Analysis results (one per vulnerability in report.output.analysis[]):

report.output.analysis[i].vuln_id             — CVE ID
report.output.analysis[i].justification       — Verdict:
  .status                                     — "TRUE" (vulnerable), "FALSE" (not vulnerable), "UNKNOWN"
  .label                                      — "vulnerable", "not_vulnerable", "uncertain"
  .reason                                     — Explanation (markdown)
report.output.analysis[i].summary             — Analysis summary/conclusion (markdown)
report.output.analysis[i].checklist[]         — Checklist items:
  .input                                      — Question text
  .response                                   — Answer/finding text
  .intermediate_steps                         — Investigation steps (string or null)
report.output.analysis[i].cvss                — CVSS info (may be null):
  .score                                      — Score as string (e.g., "8.7")
  .vector_string                              — CVSS vector string
report.output.analysis[i].intel_score         — Intel score (number or null)

Error data (when status is failed):

report.error.message                          — Error message
report.error.type                             — Error type

Present the report in this format:

Analysis Result

CVE: report.input.scan.vulns[0].vuln_id Package: report.input.scan.vulns[0].package_name vreport.input.scan.vulns[0].package_version Ecosystem: report.input.image.ecosystem CVSS Score: analysis[i].cvss.score (analysis[i].cvss.vector_string) Verdict: analysis[i].justification.status — Vulnerable (TRUE) / Not Vulnerable (FALSE) / Uncertain (UNKNOWN)

Justification

analysis[i].justification.reason

Summary

analysis[i].summary

Checklist

#	Question	Answer
1	checklist[0].input	checklist[0].response

If intermediate_steps is present and non-null for any item, show it below the table under "Investigation Details".

If any field is missing or empty, note it as "Not available".

Retry a Failed/Expired Report

1. Call mcp__exploitiq__retry_cve_analysis with the report's MongoDB ObjectId (id field from list, or _id from the full report document — a 24-character hex string). Do NOT use the scan ID.
2. The response is a plain string (new report ID) or null.
3. Tell the user the retry was submitted.
4. Ask: "Want me to poll for updated results?"
5. If yes, poll using mcp__exploitiq__get_cve_report_by_scan_id every 30 seconds (up to 60 minutes) until status is completed, failed, or expired.

Delete a Report

1. Confirm with the user: "Are you sure you want to delete report ? This cannot be undone."
2. If confirmed, call mcp__exploitiq__delete_cve_report with the report's MongoDB ObjectId (id field from list, or _id from the full report — 24-character hex string).
3. Confirm deletion to the user.