This repo is superseded by anicka/cve-backport-codegen-qwen25-32b which has the latest v3 model. This repo is kept for legacy access to v1/v2 GGUFs and the merged safetensors.
CVE Backport Code Generation — Qwen2.5-Coder-32B (legacy)
Fine-tuned Qwen2.5-Coder-32B-Instruct for security patch backporting via per-hunk code generation.
Instead of generating unified diffs directly, this model takes a vulnerable code region and a fix description, and outputs the fixed version of the code. A programmatic diff then produces the final patch. This plays to LLM strengths in code completion and avoids format-sensitivity issues.
Quick Start
The easiest way to use this model is with the cve-backport-tool CLI, which handles the full pipeline: parse upstream patch, extract per-hunk regions, call the model, and reconstruct a unified diff.
# Download and serve the model
./setup.sh
# Generate a backport patch
python3 cve-backport.py \
--cve CVE-2024-2398 \
--package curl-7.66.0 \
--patch upstream.patch \
--source-dir /path/to/curl-7.66.0/ \
--backend openai --port 8403
GGUF Downloads
| File | Quant | Size | Notes |
|---|---|---|---|
cve-backport-codegen-v3-q8_0.gguf |
Q8_0 | 33 GB | Recommended (v3, 35K dataset, 98% precision) |
cve-backport-codegen-v2-q8_0.gguf |
Q8_0 | 33 GB | v2 (24K dataset) |
cve-backport-codegen-v1-q8_0.gguf |
Q8_0 | 33 GB | v1 (17K dataset) |
Evaluation
Per-hunk evaluation on held-out test cases the model never saw during training:
| Metric | v1 | v2 | v3 |
|---|---|---|---|
| Average recall | 91% | 94% | 94% |
| Average precision | — | 93% | 98% |
| Exact match | — | 15/20 | 16/20 |
| Perfect hunks (>=95%) | 16/18 | 17/20 | 17/20 |
| Fail (<10%) | 1/18 | 0/20 | 0/20 |
v3 was trained on 35,667 cleaned examples with LR=1e-4 (lowered from 2e-4 for stability with larger dataset). Same recall as v2, but significantly higher precision (98% vs 93%) — the model makes fewer spurious changes.
By tier:
- Identical (upstream patch applies directly): 95% recall, 98% precision
- Adapted (line numbers/context differ): 89% recall, 97% precision
Prompt Format
ChatML format. Each prompt covers one hunk region with 15 lines of context padding:
System:
You are a security patch backporting assistant.
Given vulnerable source code and a description of the upstream fix, output the FIXED version of the code.
Rules:
- Output ONLY the fixed code, nothing else — no explanations, no markdown fences
- Preserve exact formatting, indentation, and style of the original
- Make ONLY the changes described in the fix — do not modify anything else
- Do not add comments about what you changed
User:
## File: lib/ftp.c
## Lines: 2836-2912
```c
{vulnerable code region with 15-line padding}
```
## Fix
CVE-2017-8817: FTP wildcard matching — zero terminate the entry path
```diff
{upstream patch}
```
Assistant: The fixed code (same region with the security fix applied).
Training
| Base model | Qwen2.5-Coder-32B-Instruct |
| Method | QLoRA (4-bit NF4, r=64, alpha=128) |
| Epochs | 2 |
| Learning rate | 2e-4 |
| Max sequence length | 4,096 tokens |
| Batch size | 1 (gradient accumulation 8) |
| Training examples | 14,458 train + 2,549 eval |
| Training time | 13.2 hours |
| Hardware | NVIDIA H100 NVL 94GB |
| Final train loss | 0.0137 |
| Final eval loss | 0.00699 |
Files
| File | Size | Description |
|---|---|---|
model-*.safetensors |
62 GB total | Full merged model (BF16) |
cve-backport-codegen-v1-q8_0.gguf |
33 GB | Q8_0 quantized GGUF for llama.cpp/ollama |
The Q8_0 GGUF fits on a single L40 48GB or A100 80GB GPU with 8k context.
Usage
With the CLI tool (recommended)
The cve-backport-tool automates the full pipeline:
git clone https://github.com/anicka-net/cve-backport-tool.git
cd cve-backport-tool
./setup.sh # downloads GGUF, registers with ollama
python3 cve-backport.py \
--cve CVE-2024-1234 \
--package openssl-1.1.1d \
--patch upstream.patch \
--source-dir /path/to/openssl-1.1.1d/
With llama-server
llama-server --model cve-backport-codegen-v1-q8_0.gguf \
--port 8403 --n-gpu-layers 99 --ctx-size 8192
With transformers
from transformers import AutoModelForCausalLM, AutoTokenizer
import torch
model = AutoModelForCausalLM.from_pretrained(
"anicka/cve-backport-codegen-qwen25-32b-v1",
torch_dtype=torch.bfloat16, device_map="auto"
)
tokenizer = AutoTokenizer.from_pretrained(
"anicka/cve-backport-codegen-qwen25-32b-v1"
)
messages = [
{"role": "system", "content": "You are a security patch backporting assistant..."},
{"role": "user", "content": "## File: lib/url.c\n## Lines: 100-130\n\n```c\n...\n```\n\n## Fix\nCVE-2024-1234: ..."},
]
text = tokenizer.apply_chat_template(messages, tokenize=False, add_generation_prompt=True)
inputs = tokenizer(text, return_tensors="pt").to(model.device)
outputs = model.generate(**inputs, max_new_tokens=2048, temperature=0.0, do_sample=False)
print(tokenizer.decode(outputs[0][inputs["input_ids"].shape[1]:], skip_special_tokens=True))
Training Data
anicka/cve-backport-codegen-dataset — 35,667 per-hunk examples from openSUSE maintenance patches, covering 90+ packages and 2,300+ CVEs.
Intended Use
This model assists with security patch backporting in Linux distribution maintenance. It is a research tool — all generated patches must be reviewed by a maintainer before application.
License
Apache-2.0 (inherited from Qwen2.5-Coder-32B-Instruct).
- Downloads last month
- 46
Model tree for anicka/cve-backport-codegen-qwen25-32b-v1
Base model
Qwen/Qwen2.5-32B