Add model card with eval results (exact 0.676 / micro 0.702 / macro 0.511)

README.md

@@ -0,0 +1,96 @@
+---
+license: apache-2.0
+base_model: Qwen/Qwen3-8B
+datasets:
+  - eiphuggincve/cve-cwe-consensus
+language:
+  - en
+tags:
+  - cybersecurity
+  - vulnerability
+  - cve
+  - cwe
+  - text-classification
+  - qlora
+  - unsloth
+pipeline_tag: text-generation
+library_name: transformers
+---
+
+# CVE → CWE Classifier (Qwen3-8B)
+
+A QLoRA fine-tune of **Qwen3-8B** that maps a free-text **CVE description** to the **CWE weakness
+ID(s)** it corresponds to. The LoRA adapter is merged into the base and released in 16-bit, so it
+loads directly with `transformers`.
+
+Trained only on labels where **NVD and the CNA agree** after roll-up to **CWE View-1003** — see the
+[`cve-cwe-consensus`](https://huggingface.co/datasets/eiphuggincve/cve-cwe-consensus) dataset.
+
+## Results (held-out test split, 6,802 rows)
+
+| Metric | This model | Prior baseline |
+|---|---|---|
+| Exact-match | **0.676** | 0.29 |
+| Micro-F1 | **0.702** | 0.32 |
+| Macro-F1 (125 CWEs) | **0.511** | 0.067 |
+
+By difficulty (does the description *name* the weakness, or must it be inferred?):
+
+| Stratum | n | Exact-match | Micro-F1 |
+|---|---|---|---|
+| Easy (weakness named) | 2,046 | 0.841 | 0.870 |
+| Hard (must infer) | 4,756 | 0.605 | 0.628 |
+
+The high macro-F1 reflects a dataset that caps majority CWEs (e.g. CWE-79) so rare weaknesses are
+actually learned rather than drowned out.
+
+## Usage
+
+```python
+import torch
+from transformers import AutoModelForCausalLM, AutoTokenizer
+
+mid = "eiphuggincve/cve-cwe-qwen3-8b"
+tok = AutoTokenizer.from_pretrained(mid)
+model = AutoModelForCausalLM.from_pretrained(mid, torch_dtype="auto", device_map="auto")
+
+messages = [
+    {"role": "system", "content": "You are a vulnerability analyst. Given a CVE description, "
+                                   "reply with only the CWE ID(s) it maps to, comma-separated."},
+    {"role": "user", "content": "A SQL injection vulnerability in the login endpoint allows an "
+                                "unauthenticated attacker to execute arbitrary SQL via the username parameter."},
+]
+inputs = tok.apply_chat_template(messages, add_generation_prompt=True, return_tensors="pt").to(model.device)
+out = model.generate(inputs, max_new_tokens=32, do_sample=False)
+print(tok.decode(out[0][inputs.shape[-1]:], skip_special_tokens=True))
+# -> CWE-89
+```
+
+## Training
+
+- **Base:** `Qwen/Qwen3-8B` (trained 4-bit via `unsloth/qwen3-8b-unsloth-bnb-4bit`)
+- **Method:** QLoRA (4-bit) with Unsloth, merged to 16-bit · released checkpoint: **checkpoint-960** (final; eval loss declined monotonically through training)
+- **Dataset:** [`eiphuggincve/cve-cwe-consensus`](https://huggingface.co/datasets/eiphuggincve/cve-cwe-consensus) — 69,386 rows (55,810 / 6,774 / 6,802), majority CWEs capped at 2,500
+- **Epochs:** 2 · **Context:** 512 · **LR:** 2e-4 · **Optimizer:** AdamW 8-bit · **Scheduler:** linear · **Batch:** 32 · **Weight decay:** 0.01 · **Seed:** 3407
+- **LoRA:** rank 16 / alpha 32 / dropout 0 · **Packing:** on · **Train-on-completions-only:** off
+
+## Prompt format
+
+ChatML (Qwen3 standard). System prompt fixed; the description is the only user input — never feed the
+label or CVE-ID.
+
+- **system:** `You are a vulnerability analyst. Given a CVE description, reply with only the CWE ID(s) it maps to, comma-separated.`
+- **user:** the CVE description
+- **assistant:** `CWE-79, CWE-80`
+
+## Limitations
+
+- CWEs below the dataset's 50-example floor are not in the label space and won't be predicted.
+- Outputs CWE IDs as text and can occasionally emit a malformed/non-existent ID — validate against
+  the official CWE list.
+- English-only; descriptions only (no code, CVSS, or references).
+- A triage/assist aid, not an authoritative CWE assignment — human-review before acting.
+
+## License
+
+Apache-2.0 (inherited from Qwen3-8B). Dataset derives from public upstreams (NVD, MITRE CVE/CWE).