| name | exploitiq-reports |
| description | Use when the user wants to list, filter, inspect, retry, or delete CVE analysis reports from the ExploitIQ service. Covers checking report status, reviewing past analyses, triaging results, retrying failures, or cleaning up old reports. |
ExploitIQ Reports
Manage CVE analysis reports: list, filter, inspect, retry, and delete.
Determine Intent
From the user's input, determine which operation to perform:
List / Filter Reports
Call mcp__exploitiq__list_cve_reports with any filters the user specified:
vulnId — filter by CVE ID
imageName — filter by image/repo name
imageTag — filter by image tag / commit
status — filter by status: completed, sent, failed, queued, expired, pending
exploitIqStatus — filter by verdict: TRUE, FALSE, UNKNOWN
productId — filter by product ID
inputType — filter by report type: repository (source code analysis) or rpm (RPM package checker)
rpmPackage — filter by RPM package name-version-release substring (case-insensitive)
page — page number (0-based)
pageSize — items per page
sortBy — array of "field:direction" strings
Response: Array<Report>
Each item in the array has these fields:
id — MongoDB ObjectId (hex string), use for retry/delete operations
scanId — Scan ID, use for get_cve_report_by_scan_id
startedAt — ISO timestamp
completedAt — ISO timestamp
imageName — Image/repo name
imageTag — Image tag or commit hash
state — Analysis state
vulns[] — Array of VulnResult:
.vulnId — CVE ID
.justification.status — "true", "false", or "unknown"
.justification.label — Justification label
metadata — User-provided metadata (Record<string, string>)
gitRepo — (optional) Git repository URL
ref — (optional) Git reference
submittedAt — (optional) Submission timestamp
Present results as a table, mapping fields to columns:
| Scan ID | CVE | Repo | Status | Verdict | Date |
|---|---|---|---|---|---|
| scanId | vulns[0].vulnId | imageName | state | vulns[0].justification.status | startedAt |
If there are multiple pages, note the total count and current page.
If results are returned, ask: "Want to inspect any of these reports in detail?"
Get Specific Report
Call mcp__exploitiq__get_cve_report_by_scan_id with the scan ID the user provided.
Response: ReportWithStatus
{
"report": { <FullReport document> },
"status": "completed"
}
The report field is a raw MongoDB document. Key fields to extract for display:
Input data:
report.input.scan.id — Scan ID
report.input.scan.vulns[].vuln_id — CVE ID
report.input.scan.vulns[].package_name — Package name
report.input.scan.vulns[].package_version — Package version
report.input.scan.vulns[].severity — CRITICAL, HIGH, MEDIUM, LOW
report.input.image.ecosystem — Ecosystem (nodejs, java, etc.)
report.input.image.name — Image/repo name
report.input.image.source_info[].git_repo — Repository URL
Analysis results (one per vulnerability in report.output.analysis[]):
report.output.analysis[i].vuln_id — CVE ID
report.output.analysis[i].justification — Verdict:
.status — "TRUE" (vulnerable), "FALSE" (not vulnerable), "UNKNOWN"
.label — "vulnerable", "not_vulnerable", "uncertain"
.reason — Explanation (markdown)
report.output.analysis[i].summary — Analysis summary/conclusion (markdown)
report.output.analysis[i].checklist[] — Checklist items:
.input — Question text
.response — Answer/finding text
.intermediate_steps — Investigation steps (string or null)
report.output.analysis[i].cvss — CVSS info (may be null):
.score — Score as string (e.g., "8.7")
.vector_string — CVSS vector string
report.output.analysis[i].intel_score — Intel score (number or null)
Error data (when status is failed):
report.error.message — Error message
report.error.type — Error type
Present the report in this format:
Analysis Result
CVE: report.input.scan.vulns[0].vuln_id
Package: report.input.scan.vulns[0].package_name vreport.input.scan.vulns[0].package_version
Ecosystem: report.input.image.ecosystem
CVSS Score: analysis[i].cvss.score (analysis[i].cvss.vector_string)
Verdict: analysis[i].justification.status — Vulnerable (TRUE) / Not Vulnerable (FALSE) / Uncertain (UNKNOWN)
Justification
analysis[i].justification.reason
Summary
analysis[i].summary
Checklist
| # | Question | Answer |
|---|---|---|
| 1 | checklist[0].input | checklist[0].response |
If intermediate_steps is present and non-null for any item, show it below the table under "Investigation Details".
If any field is missing or empty, note it as "Not available".
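One way to build this display from a ReportWithStatus object, as an added example (not part of the ExploitIQ skill or service code). The function names are hypothetical; it covers the null `cvss` case, missing fields, and checklist text that would otherwise break the table.

```javascript
// Added example: function names are hypothetical; field paths follow the lists above.
const NA = "Not available";
const VERDICTS = new Map([["TRUE", "Vulnerable"], ["FALSE", "Not Vulnerable"], ["UNKNOWN", "Uncertain"]]);

// Missing or empty fields are shown as "Not available".
const show = (v) => (v === undefined || v === null || v === "" ? NA : String(v));

// Report text is data, not markup: keep it from breaking a table row.
const cell = (v) => show(v).replace(/\|/g, "\\|").replace(/\r?\n/g, " ");

function renderAnalysis(reportWithStatus, i = 0) {
  const report = reportWithStatus?.report ?? {};
  const a = report.output?.analysis?.[i] ?? {};
  const vulns = report.input?.scan?.vulns ?? [];
  // Pair the analysis entry with its input vuln; fall back to the first one.
  const vuln = vulns.find((v) => v.vuln_id === a.vuln_id) ?? vulns[0] ?? {};
  const verdict = a.justification?.status;
  const version = vuln.package_version ? `v${vuln.package_version}` : NA;
  const checklist = a.checklist ?? [];
  const lines = [
    "Analysis Result",
    `CVE: ${show(vuln.vuln_id)}`,
    `Package: ${show(vuln.package_name)} ${version}`,
    `Ecosystem: ${show(report.input?.image?.ecosystem)}`,
    // cvss may be null as a whole, not only its members
    `CVSS Score: ${a.cvss ? `${show(a.cvss.score)} (${show(a.cvss.vector_string)})` : NA}`,
    `Verdict: ${VERDICTS.has(verdict) ? `${VERDICTS.get(verdict)} (${verdict})` : NA}`,
    "Justification", show(a.justification?.reason),
    "Summary", show(a.summary),
    "Checklist",
    "| # | Question | Answer |",
    "|---|---|---|",
    ...checklist.map((c, n) => `| ${n + 1} | ${cell(c.input)} | ${cell(c.response)} |`),
  ];
  // intermediate_steps is a string or null; show only the items that have it.
  const steps = checklist
    .map((c, n) => ({ n: n + 1, text: c.intermediate_steps }))
    .filter((s) => s.text !== null && s.text !== undefined);
  if (steps.length > 0) {
    lines.push("Investigation Details", ...steps.map((s) => `${s.n}. ${s.text}`));
  }
  if (reportWithStatus?.status === "failed") {
    lines.push(`Error: ${show(report.error?.type)}: ${show(report.error?.message)}`);
  }
  return lines.join("\n");
}
```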
Retry a Failed/Expired Report
- Call mcp__exploitiq__retry_cve_analysis with the report's MongoDB ObjectId (id field from list, or _id from the full report document — a 24-character hex string). Do NOT use the scan ID.
- The response is a plain string (new report ID) or null.
- Tell the user the retry was submitted.
- Ask: "Want me to poll for updated results?"
- If yes, poll using mcp__exploitiq__get_cve_report_by_scan_id every 30 seconds (up to 60 minutes) until status is completed, failed, or expired.
Delete a Report
- Confirm with the user: "Are you sure you want to delete report ? This cannot be undone."
- If confirmed, call mcp__exploitiq__delete_cve_report with the report's MongoDB ObjectId (id field from list, or _id from the full report — 24-character hex string).
- Confirm deletion to the user.
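The ID rule shared by the retry and delete steps, together with the retry polling schedule, as an added example (not part of the ExploitIQ skill or service code). The helper names are hypothetical, and `getReport` and `sleep` are injected callbacks standing in for the MCP call and a timer.

```javascript
// Added example: helper names and the injected callbacks are hypothetical.
const OBJECT_ID_RE = /^[0-9a-f]{24}$/i;
const TERMINAL = new Set(["completed", "failed", "expired"]);
const POLL_INTERVAL_MS = 30 * 1000;      // every 30 seconds
const POLL_LIMIT_MS = 60 * 60 * 1000;    // up to 60 minutes

// Retry and delete take the MongoDB ObjectId, never the scan ID.
// Rejecting anything else up front keeps a scan ID from reaching
// a destructive call by mistake.
function assertObjectId(id) {
  if (typeof id !== "string" || !OBJECT_ID_RE.test(id)) {
    throw new TypeError("expected a 24-character hex ObjectId, not a scan ID");
  }
  return id;
}

// Decide what the poller does after seeing `status` at `elapsedMs`.
function nextPollStep(status, elapsedMs) {
  if (TERMINAL.has(status)) return "done";
  if (elapsedMs + POLL_INTERVAL_MS > POLL_LIMIT_MS) return "timeout";
  return "wait";
}

// getReport(scanId) stands in for mcp__exploitiq__get_cve_report_by_scan_id
// and must resolve to { report, status }; sleep(ms) resolves after ms.
async function pollReport(scanId, getReport, sleep) {
  let elapsedMs = 0;
  for (;;) {
    const { status } = await getReport(scanId);
    const step = nextPollStep(status, elapsedMs);
    if (step !== "wait") {
      return { status, elapsedMs, timedOut: step === "timeout" };
    }
    await sleep(POLL_INTERVAL_MS);
    elapsedMs += POLL_INTERVAL_MS;
  }
}
```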