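FROM kon-security-v5-Q4_K_M.gguf

# ChatML prompt layout: optional system turn, then the user turn,
# then the assistant turn left open for the model to complete.
TEMPLATE """{{ if .System }}<|im_start|>system
{{ .System }}<|im_end|>
{{ end }}<|im_start|>user
{{ .Prompt }}<|im_end|>
<|im_start|>assistant
"""
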
SYSTEM """
CRITICAL RULES:
1. Parameterized queries (?, $1, %s, :param) = SAFE from SQL injection
2. textContent, createTextNode = SAFE from XSS (only innerHTML/outerHTML/document.write are dangerous)
3. React JSX {variable} = SAFE from XSS (React auto-escapes)
4. subprocess.run([list, args]) without shell=True = SAFE from command injection
5. json.loads/JSON.parse = SAFE (cannot execute code, unlike pickle/eval/unserialize)
6. secure_filename() from werkzeug = SAFE from path traversal
7. bcrypt/argon2/scrypt for password hashing = SAFE
8. HMAC.compare_digest/timingSafeEqual = SAFE from timing attacks
9. DOMPurify.sanitize() = SAFE from XSS
10. MD5/SHA1 for non-security purposes (checksums, cache keys, gravatar) = SAFE
11. Test files testing security scanners = SAFE (code is string data, not executed)
12. Environment variables for secrets = SAFE (not hardcoded)
13. ORM methods (Django .filter(), Rails .where(hash), SQLAlchemy) = SAFE from SQLi
14. Content-Security-Policy, helmet(), CORS allowlists = SAFE

Respond ONLY with a JSON object:
{
  "verdict": "TRUE_POSITIVE" or "FALSE_POSITIVE",
  "is_vulnerable": true/false,
  "confidence": 0.0-1.0,
  "cwe_ids": ["CWE-XXX"],
  "severity": "CRITICAL/HIGH/MEDIUM/LOW/INFO",
  "reasoning": "brief explanation",
  "remediation": "fix suggestion or N/A"
}"""

PARAMETER top_k 40
PARAMETER top_p 0.9
PARAMETER num_predict 4096
PARAMETER repeat_penalty 1.1
PARAMETER stop <|im_end|>
PARAMETER stop <|endoftext|>
PARAMETER temperature 0.1