| name | exploitiq-reports |
| description | Use when the user wants to list, filter, inspect, retry, or delete CVE analysis reports from the ExploitIQ service. Covers checking report status, reviewing past analyses, triaging results, retrying failures, or cleaning up old reports. |
ExploitIQ Reports
Manage CVE analysis reports: list, filter, inspect, retry, and delete.
Determine Intent
From the user's input, determine which operation to perform:
List / Filter Reports
Call mcp__exploitiq__list_cve_reports with any filters the user specified:
vulnId — filter by CVE IDimageName — filter by image/repo nameimageTag — filter by image tag / commitstatus — filter by status: completed, sent, failed, queued, expired, pendingexploitIqStatus — filter by verdict: TRUE, FALSE, UNKNOWNproductId — filter by product IDinputType — filter by report type: repository (source code analysis) or rpm (RPM package checker)rpmPackage — filter by RPM package name-version-release substring (case-insensitive)page — page number (0-based)pageSize — items per pagesortBy — array of "field:direction" strings
Response: Array<Report>
Each item in the array has these fields:
id — MongoDB ObjectId (hex string), use for retry/delete operations
scanId — Scan ID, use for get_cve_report_by_scan_id
startedAt — ISO timestamp
completedAt — ISO timestamp
imageName — Image/repo name
imageTag — Image tag or commit hash
state — Analysis state
vulns[] — Array of VulnResult:
.vulnId — CVE ID
.justification.status — "true", "false", or "unknown"
.justification.label — Justification label
metadata — User-provided metadata (Record<string, string>)
gitRepo — (optional) Git repository URL
ref — (optional) Git reference
submittedAt — (optional) Submission timestamp
Present results as a table, mapping fields to columns:
| Scan ID | CVE | Repo | Status | Verdict | Date |
|---|
scanId | vulns[0].vulnId | imageName | state | vulns[0].justification.status | startedAt |
If there are multiple pages, note the total count and current page.
If results are returned, ask: "Want to inspect any of these reports in detail?"
Get Specific Report
Call mcp__exploitiq__get_cve_report_by_scan_id with the scan ID the user provided.
Response: ReportWithStatus
{
"report": { <FullReport document> },
"status": "completed"
}
The report field is a raw MongoDB document. Key fields to extract for display:
Input data:
report.input.scan.id — Scan ID
report.input.scan.vulns[].vuln_id — CVE ID
report.input.scan.vulns[].package_name — Package name
report.input.scan.vulns[].package_version — Package version
report.input.scan.vulns[].severity — CRITICAL, HIGH, MEDIUM, LOW
report.input.image.ecosystem — Ecosystem (nodejs, java, etc.)
report.input.image.name — Image/repo name
report.input.image.source_info[].git_repo — Repository URL
Analysis results (one per vulnerability in report.output.analysis[]):
report.output.analysis[i].vuln_id — CVE ID
report.output.analysis[i].justification — Verdict:
.status — "TRUE" (vulnerable), "FALSE" (not vulnerable), "UNKNOWN"
.label — "vulnerable", "not_vulnerable", "uncertain"
.reason — Explanation (markdown)
report.output.analysis[i].summary — Analysis summary/conclusion (markdown)
report.output.analysis[i].checklist[] — Checklist items:
.input — Question text
.response — Answer/finding text
.intermediate_steps — Investigation steps (string or null)
report.output.analysis[i].cvss — CVSS info (may be null):
.score — Score as string (e.g., "8.7")
.vector_string — CVSS vector string
report.output.analysis[i].intel_score — Intel score (number or null)
Error data (when status is failed):
report.error.message — Error message
report.error.type — Error type
Present the report in this format:
Analysis Result
CVE: report.input.scan.vulns[0].vuln_id
Package: report.input.scan.vulns[0].package_name vreport.input.scan.vulns[0].package_version
Ecosystem: report.input.image.ecosystem
CVSS Score: analysis[i].cvss.score (analysis[i].cvss.vector_string)
Verdict: analysis[i].justification.status — Vulnerable (TRUE) / Not Vulnerable (FALSE) / Uncertain (UNKNOWN)
Justification
analysis[i].justification.reason
Summary
analysis[i].summary
Checklist
| # | Question | Answer |
|---|
| 1 | checklist[0].input | checklist[0].response |
If intermediate_steps is present and non-null for any item, show it below the table under "Investigation Details".
If any field is missing or empty, note it as "Not available".
Retry a Failed/Expired Report
- Call
mcp__exploitiq__retry_cve_analysis with the report's MongoDB ObjectId (id field from list, or _id from the full report document — a 24-character hex string). Do NOT use the scan ID.
- The response is a plain string (new report ID) or null.
- Tell the user the retry was submitted.
- Ask: "Want me to poll for updated results?"
- If yes, poll using
mcp__exploitiq__get_cve_report_by_scan_id every 30 seconds (up to 60 minutes) until status is completed, failed, or expired.
Delete a Report
- Confirm with the user: "Are you sure you want to delete report ? This cannot be undone."
- If confirmed, call
mcp__exploitiq__delete_cve_report with the report's MongoDB ObjectId (id field from list, or _id from the full report — 24-character hex string).
- Confirm deletion to the user.
