
Week 6: Building the Reproduction Tool (CVE Detector)

You build the defensible reproduction tool: a Python detector that scans a target environment, identifies whether the installed LangChain version is in the affected range, and emits a structured report (JSON or YAML) per the Seitz-and-Arnold instrumentation discipline.


Reading

  • Seitz and Arnold, Black Hat Python, Chapter 10 (structured-output instrumentation). Critical reading.
  • PEP 440 (Python version specifiers) for the affected-version range comparison.
  • The academy CVE-detector tool template (cohort archive).

Lecture

Roughly three hours across two sessions. Key arc:

  • The CVE-detector tool template from the academy scaffolding.
  • Detecting installed versions: pip list, pip show, importlib.metadata.version.
  • The affected-version range comparison. Why semver matters.
  • The structured-output discipline. JSON or YAML, named fields, one-line remediation pointer.
  • Skipping patched installs without false positives. The detector's quality bar.
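
An added sketch of the arc above, not the academy CVE-detector tool template: it reads the installed version with importlib.metadata.version, compares it numerically against an affected range, and emits a JSON report with a one-line remediation pointer. The CVE id and range bounds are constructed placeholders (this page does not state them), and version_key, assess and scan are hypothetical helpers; version_key covers only a subset of PEP 440, and anything outside it is reported as "unknown" rather than guessed.

```python
import json
import re
from importlib import metadata

# Constructed placeholders: this page does not state the CVE id or the range.
CVE_ID = "CVE-XXXX-XXXXX"
FIRST_AFFECTED = "0.1.0"   # assumed inclusive lower bound
FIRST_PATCHED = "0.3.10"   # assumed exclusive upper bound
_PRE_RANK = {"a": 0, "b": 1, "rc": 2}
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:(a|b|rc)(\d+))?$")

def version_key(text):
    """Sort key for a PEP 440 subset: N(.N)* with an optional aN/bN/rcN."""
    m = _VERSION_RE.match(text.strip().lower())
    if m is None:
        raise ValueError(f"unsupported version string: {text!r}")
    release = [int(p) for p in m.group(1).split(".")]
    while len(release) > 1 and release[-1] == 0:  # 1.0 and 1.0.0 are equal
        release.pop()
    pre = (_PRE_RANK[m.group(2)], int(m.group(3))) if m.group(2) else (3, 0)
    return (tuple(release), pre)  # pre-releases sort before the final release

def assess(installed):
    """Classify one version string; None means the package is absent."""
    report = {"cve": CVE_ID, "package": "langchain", "installed": installed,
              "affected_range": f">={FIRST_AFFECTED},<{FIRST_PATCHED}"}
    if installed is None:
        report.update(status="not_installed", remediation=None)
        return report
    try:
        key = version_key(installed)
    except ValueError:
        report.update(status="unknown", remediation="Verify the version manually.")
        return report
    hit = version_key(FIRST_AFFECTED) <= key < version_key(FIRST_PATCHED)
    report.update(status="affected" if hit else "not_affected",
                  remediation=f"Upgrade langchain to >={FIRST_PATCHED}." if hit else None)
    return report

def scan():
    """Read the installed version from package metadata and assess it."""
    try:
        installed = metadata.version("langchain")
    except metadata.PackageNotFoundError:
        installed = None
    return assess(installed)

if __name__ == "__main__":
    print(json.dumps(scan(), indent=2))
```

With these placeholder bounds, a plain string comparison would place "0.10.0" inside the range; the numeric key does not, which is the false-positive case the quality bar is about.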

Lab pack

Lab Pack 6 builds the CVE detector tool. See Lab Pack 6.

Tools you will use

  • A clean Python virtualenv for tool development, separate from your Module-4 vulnerable virtualenv.
  • Your favourite Python testing framework (pytest is the academy default).
  • Optional: the academy pcap analyzer for inspecting the detector tool's reach-out behavior in a network test.

OWASP LLM and ASI anchor

The detector tool is the practitioner's instantiation of the OWASP-recommended SBOM (Software Bill of Materials) vulnerability scan pattern, scoped to a single CVE for pedagogical clarity. The capstone report's tool section cites the academy CVE-detector tool template.

Reflection prompts

  1. What is the smallest reliable signal that a target has the vulnerable LangChain installed?
  2. What false-positive cases does your tool need to handle?
  3. If a target has the vulnerable version installed but never invokes the Jinja2 path, is the install vulnerable? Defend your answer.

What is next

Module 7 generalises the bug class across languages. You reproduce CVE-2025-9556 in Gonja (the Go templating library) and pair it with your Python target.