Add initial support for the VulnerableCode agent

[ziadhany]

The VulnerableCode agent currently focuses on one main task: extracting the correct version range from the vulnerability summary.

[ziadhany]

@pombredanne, this is an initial base for the AI summary improver:

Right now, we have two prompts—one to extract the purl and another to get the affected_versions and fixed_versions—without using RAG.

I think I should also feed the model with agent/purl_db/PURL.rst so it can generate more accurate results. I have already implemented the basics of this step.

However, I encountered a small issue related to testing and evaluating our improver because the model sometimes returns a different output each time.

How should we approach testing it?

There’s just a little work left, and I think this improver will be ready soon.

Input
Summary:

Off-by-one error in the apr_brigade_vprintf function in Apache APR-util before 1.3.5
              on big-endian platforms allows remote attackers to obtain sensitive information or cause a
              denial of service (application crash) via crafted input.

Output:

purl: pkg:apache/apr-util@<1.3.5
{
    "affected_versions": ["< 1.3.5"],
    "fixed_versions": [">= 1.3.5"]
}

[ziadhany]

@pombredanne This is a small document for the budget you requested. I used some sources like https://llm-stats.com/, and I think the best option is to avoid running the model locally or in the cloud and instead use an API.

Please let me know if you have any comments on this.
https://docs.google.com/document/d/1JZ49FqjessEyMhdKlp1HmfheITr3qKA8xMbNZIZW7UA/edit?usp=sharing

[keshav-space]

Thanks @ziadhany, This is experimental, let's use https://github.com/aboutcode-org/vulnerablecode-ai-experiments for VulnerableCode agent.