CVE Backport Model (Phase 3)
Fine-tuned Qwen2.5-Coder-32B-Instruct for backporting upstream CVE security patches to older SUSE/openSUSE package versions.
Given an upstream patch, the CVE details, and optionally source code from the target version, the model generates an adapted backport patch as a unified diff in quilt format with the `Index:` file headers used in SUSE packaging.
Quick start
```bash
# Install ollama
curl -fsSL https://ollama.com/install.sh | sh

# Download the GGUF (~33 GB)
pip install huggingface-hub
huggingface-cli download anicka/cve-backport-qwen32b-phase3 \
  cve-backport-phase3-q8_0.gguf --local-dir .

# Create Modelfile (stop tokens are Qwen's ChatML end markers)
cat > Modelfile << 'MODELFILE'
FROM ./cve-backport-phase3-q8_0.gguf
PARAMETER temperature 0.3
PARAMETER top_p 0.9
PARAMETER num_ctx 16384
PARAMETER stop "<|im_end|>"
PARAMETER stop "<|endoftext|>"
SYSTEM """You are a security patch backporting assistant for SUSE/openSUSE.
Given a CVE description and an upstream fix, adapt the patch to work with
the target SUSE package version. Output the backported patch in unified
diff format. If the upstream fix applies directly, output it unchanged."""
MODELFILE

# Import and run
ollama create cve-backport-phase3:q8_0 -f Modelfile
ollama run cve-backport-phase3:q8_0
```
For a ready-to-use CLI tool, see cve-backport-tool.
Model details
| Property | Value |
|---|---|
| Base model | Qwen2.5-Coder-32B-Instruct |
| Fine-tuning | QLoRA (4-bit NF4, r=16, alpha=32, 3 epochs, lr=1e-4) |
| Training data | 1,883 train + 148 eval examples |
| Source context | 42% of examples include target source code |
| Max sequence length | 12,288 tokens (training), 16,384 tokens (inference) |
| Hardware | A100-SXM4-80GB (vast.ai) |
| GGUF quantization | Q8_0 (~33 GB) |
Training phases
- Phase 1 — Reasoning-only (440 examples). Learned format but not patch logic.
- Phase 2 — Pure transformation: upstream patch in, SUSE backport out (959 examples, then enriched to 1,883).
- Phase 3 (this model) — Source-context-aware: adds relevant functions from the target source tree to the prompt (1,883 examples, 42% with source context).
Evaluation
Blind evaluation on 7 CVEs never seen during training:
| CVE | Package | Patch size | Result |
|---|---|---|---|
| CVE-2022-29824 | libxml2 (buf.c, tree.c) | 338 lines | Excellent |
| CVE-2021-3518 | libxml2 (xinclude.c) | 35 lines | Excellent |
| CVE-2022-23308 | libxml2 (valid.c) | 194 lines | Excellent |
| CVE-2024-25062 | libxml2 (xmlreader.c) | 26 lines | Fail |
| CVE-2023-46218 | curl (cookie.c) | 48 lines | Partial |
| CVE-2022-40303 | libxml2 (parser.c) | 615 lines | Partial |
| CVE-2022-0318 | vim (ops.c) | 76 lines | Fail |
3 excellent, 2 partial, 2 fail. The model is strongest on packages that are well represented in the training data (libxml2, openssl) with medium-sized patches (35-350 lines).
Limitations
- Very small patches (1-2 hunks) tend to trigger over-generation: the model keeps emitting hunks beyond the fix
- Large API differences between versions (curl 7.x vs 8.x) produce context lines that do not exist in the target source, so the patch does not apply
- Very large patches (600+ lines) hit the output token limit and come back truncated
- Best on C userspace packages; limited coverage outside the training distribution
- Always review output before applying; at minimum, dry-run the patch against the target source tree
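The following script is an added example, not the project's CLI tool and not code from this model card. It drives the model from the Quick start through Ollama's HTTP API and then dry-runs every hunk of the returned patch against the target source, which catches the two failure modes listed above that a reviewer can check mechanically: context lines that do not exist in the target version, and hunks whose line numbers are off. The prompt layout, the `check_patch` helper, the sample C source and the sample patches are constructed assumptions; the endpoint and model name are the Ollama defaults from the Quick start.

```python
"""Query the cve-backport model via Ollama and dry-run-check the returned patch.

Constructed example. The prompt layout, check_patch() and the sample
source/patch text are assumptions, not the project's own tooling.
"""
import json
import re
import urllib.request

OLLAMA_URL = "http://localhost:11434/api/generate"  # Ollama default endpoint
MODEL = "cve-backport-phase3:q8_0"                   # name given to `ollama create`

def build_prompt(cve_id: str, description: str, upstream_patch: str,
                 target_source: str = "") -> str:
    """Assemble the user prompt (section layout is an assumption).
    The system prompt lives in the Modelfile, so it is not repeated here."""
    parts = [f"CVE: {cve_id}", f"Description: {description}",
             "Upstream patch:", upstream_patch.rstrip()]
    if target_source:
        parts += ["Target source (relevant functions):", target_source.rstrip()]
    parts.append("Backported patch:")
    return "\n\n".join(parts)

def generate(prompt: str, url: str = OLLAMA_URL, model: str = MODEL) -> str:
    """Non-streaming call to Ollama's /api/generate. Needs a running ollama."""
    body = json.dumps({"model": model, "prompt": prompt, "stream": False}).encode()
    req = urllib.request.Request(url, data=body,
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=600) as resp:
        return json.load(resp)["response"]

HUNK_RE = re.compile(r"^@@ -(\d+)(?:,(\d+))? \+(\d+)(?:,(\d+))? @@")

def _find_block(haystack: list, needle: list) -> int:
    """Index of `needle` as a contiguous run inside `haystack`, or -1."""
    n = len(needle)
    for j in range(len(haystack) - n + 1):
        if haystack[j:j + n] == needle:
            return j
    return -1

def check_patch(patch: str, target: str) -> list:
    """Dry-run a single-file unified diff against the target file text.
    Returns a list of problems; [] means every hunk's old side (context and
    '-' lines) is present at the stated position, so `patch` would apply."""
    target_lines = target.split("\n")
    lines = patch.split("\n")
    problems, hunks, i = [], 0, 0
    while i < len(lines):
        m = HUNK_RE.match(lines[i])
        i += 1
        if not m:
            continue
        hunks += 1
        old_start, old_len = int(m.group(1)), int(m.group(2) or 1)
        expected = []  # old-side lines the hunk claims exist in the target
        while (i < len(lines) and len(expected) < old_len
               and lines[i][:1] in (" ", "-", "+", "\\")):
            if lines[i][0] in " -":
                expected.append(lines[i][1:])
            i += 1
        tag = f"hunk @@ -{old_start},{old_len}"
        if len(expected) < old_len:  # truncated output (token limit, etc.)
            problems.append(f"{tag}: truncated, {len(expected)} of {old_len} old lines")
            continue
        at = old_start - 1
        if target_lines[at:at + old_len] == expected:
            continue
        j = _find_block(target_lines, expected)
        if j >= 0:  # content is right, line numbers are stale
            problems.append(f"{tag}: applies with offset {j - at:+d} lines")
            continue
        missing = [e for e in expected if e not in target_lines]
        detail = (f"no such line in target: {missing[0]!r}" if missing
                  else "context lines present but not contiguous")
        problems.append(f"{tag}: context mismatch, {detail}")
    if hunks == 0:
        problems.append("no @@ hunks found in model output")
    return problems

# Constructed target-version source (10 lines) and two candidate patches.
TARGET_SRC = """\
#include <string.h>

/* constructed target-version function */
int copy_name(char *dst, const char *src, size_t dstlen)
{
    size_t n = strlen(src);
    memcpy(dst, src, n);
    dst[n] = '\\0';
    return 0;
}
"""
GOOD_PATCH = """\
Index: foo/name.c
===================================================================
--- foo.orig/name.c
+++ foo/name.c
@@ -5,6 +5,8 @@ int copy_name(char *dst, const char *src, size_t dstlen)
 {
     size_t n = strlen(src);
+    if (n >= dstlen)
+        return -1;
     memcpy(dst, src, n);
     dst[n] = '\\0';
     return 0;
 }
"""
# Same fix, but one context line copied from a newer upstream version.
STALE_PATCH = GOOD_PATCH.replace("     memcpy(dst, src, n);", "     memcpy(dst, src, n + 1);")

if __name__ == "__main__":
    print("good:", check_patch(GOOD_PATCH, TARGET_SRC))
    print("stale:", check_patch(STALE_PATCH, TARGET_SRC))
```

To use it against a live model, call `generate(build_prompt(cve_id, description, upstream_patch, target_source))`, then run `check_patch` on the response with the target file's text before handing the patch to `quilt` or `patch`. The checker deliberately applies no fuzz: an offset is reported but a context mismatch is a hard failure, which is the conservative choice for a security patch produced by a model.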
VRAM requirements
| Format | Size | Minimum GPU |
|---|---|---|
| Q8_0 (recommended) | ~33 GB | L40 48GB (with CPU offload) |
| Q4_K_M | ~20 GB | RTX 3090/4090 24GB |
| bf16 (native) | ~65 GB | A100 80GB |
Links
- CLI tool — ready-to-use inference tool with setup script
- Training data — 2,031 examples with per-example licenses
- openSUSE Build Service — source of training patches
License
Model weights are derived from Qwen2.5-Coder-32B-Instruct (Apache 2.0). Training data is from publicly available openSUSE maintenance patches under various open source licenses (see dataset card).