aibom-inspector 0.1.0__tar.gz
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- aibom_inspector-0.1.0/LICENSE +201 -0
- aibom_inspector-0.1.0/PKG-INFO +396 -0
- aibom_inspector-0.1.0/README.md +357 -0
- aibom_inspector-0.1.0/pyproject.toml +78 -0
- aibom_inspector-0.1.0/setup.cfg +4 -0
- aibom_inspector-0.1.0/src/aibom_inspector/__init__.py +7 -0
- aibom_inspector-0.1.0/src/aibom_inspector/__main__.py +7 -0
- aibom_inspector-0.1.0/src/aibom_inspector/attestation.py +88 -0
- aibom_inspector-0.1.0/src/aibom_inspector/audit_log.py +124 -0
- aibom_inspector-0.1.0/src/aibom_inspector/bidi_guard.py +74 -0
- aibom_inspector-0.1.0/src/aibom_inspector/cli.py +7 -0
- aibom_inspector-0.1.0/src/aibom_inspector/cli_shim.py +1210 -0
- aibom_inspector-0.1.0/src/aibom_inspector/control_plane.py +90 -0
- aibom_inspector-0.1.0/src/aibom_inspector/data/__init__.py +1 -0
- aibom_inspector-0.1.0/src/aibom_inspector/data/ai_threat_taxonomy.json +55 -0
- aibom_inspector-0.1.0/src/aibom_inspector/data/license_risk_db.json +20 -0
- aibom_inspector-0.1.0/src/aibom_inspector/data/model_hash_reputation.json +5 -0
- aibom_inspector-0.1.0/src/aibom_inspector/data/model_vulnerability_db.json +5 -0
- aibom_inspector-0.1.0/src/aibom_inspector/data/training_source_fingerprints.json +29 -0
- aibom_inspector-0.1.0/src/aibom_inspector/data_loader.py +28 -0
- aibom_inspector-0.1.0/src/aibom_inspector/dependency_scanner.py +737 -0
- aibom_inspector-0.1.0/src/aibom_inspector/evidence_export.py +55 -0
- aibom_inspector-0.1.0/src/aibom_inspector/feedback.py +60 -0
- aibom_inspector-0.1.0/src/aibom_inspector/framework_mapping.py +214 -0
- aibom_inspector-0.1.0/src/aibom_inspector/integrity.py +98 -0
- aibom_inspector-0.1.0/src/aibom_inspector/ip_protection.py +108 -0
- aibom_inspector-0.1.0/src/aibom_inspector/model_inspector.py +626 -0
- aibom_inspector-0.1.0/src/aibom_inspector/model_risk_db.py +78 -0
- aibom_inspector-0.1.0/src/aibom_inspector/network.py +63 -0
- aibom_inspector-0.1.0/src/aibom_inspector/parsers.py +292 -0
- aibom_inspector-0.1.0/src/aibom_inspector/pickle_inspector.py +129 -0
- aibom_inspector-0.1.0/src/aibom_inspector/policy.py +410 -0
- aibom_inspector-0.1.0/src/aibom_inspector/policy_graph.py +171 -0
- aibom_inspector-0.1.0/src/aibom_inspector/renderers.py +82 -0
- aibom_inspector-0.1.0/src/aibom_inspector/report_enrichment.py +271 -0
- aibom_inspector-0.1.0/src/aibom_inspector/report_loader.py +142 -0
- aibom_inspector-0.1.0/src/aibom_inspector/reporting.py +877 -0
- aibom_inspector-0.1.0/src/aibom_inspector/risk_engine.py +590 -0
- aibom_inspector-0.1.0/src/aibom_inspector/runtime_trace.py +143 -0
- aibom_inspector-0.1.0/src/aibom_inspector/scoring_models.py +229 -0
- aibom_inspector-0.1.0/src/aibom_inspector/stack_discovery.py +398 -0
- aibom_inspector-0.1.0/src/aibom_inspector/tensor_fuzz.py +253 -0
- aibom_inspector-0.1.0/src/aibom_inspector/trust_enforcement.py +64 -0
- aibom_inspector-0.1.0/src/aibom_inspector/trust_root.py +109 -0
- aibom_inspector-0.1.0/src/aibom_inspector/types.py +37 -0
- aibom_inspector-0.1.0/src/aibom_inspector/types_dependencies.py +69 -0
- aibom_inspector-0.1.0/src/aibom_inspector/types_models.py +58 -0
- aibom_inspector-0.1.0/src/aibom_inspector/types_report.py +140 -0
- aibom_inspector-0.1.0/src/aibom_inspector/types_risk.py +143 -0
- aibom_inspector-0.1.0/src/aibom_inspector.egg-info/PKG-INFO +396 -0
- aibom_inspector-0.1.0/src/aibom_inspector.egg-info/SOURCES.txt +70 -0
- aibom_inspector-0.1.0/src/aibom_inspector.egg-info/dependency_links.txt +1 -0
- aibom_inspector-0.1.0/src/aibom_inspector.egg-info/entry_points.txt +2 -0
- aibom_inspector-0.1.0/src/aibom_inspector.egg-info/requires.txt +19 -0
- aibom_inspector-0.1.0/src/aibom_inspector.egg-info/top_level.txt +1 -0
- aibom_inspector-0.1.0/tests/test_bidi_guard.py +22 -0
- aibom_inspector-0.1.0/tests/test_cli.py +209 -0
- aibom_inspector-0.1.0/tests/test_dependency_scanner.py +201 -0
- aibom_inspector-0.1.0/tests/test_evidence_manifest.py +39 -0
- aibom_inspector-0.1.0/tests/test_evidence_signing.py +45 -0
- aibom_inspector-0.1.0/tests/test_model_inspector.py +48 -0
- aibom_inspector-0.1.0/tests/test_parsers.py +79 -0
- aibom_inspector-0.1.0/tests/test_pickle_inspector.py +30 -0
- aibom_inspector-0.1.0/tests/test_policy_enforcement_graph.py +21 -0
- aibom_inspector-0.1.0/tests/test_policy_graph.py +75 -0
- aibom_inspector-0.1.0/tests/test_policy_simulation.py +56 -0
- aibom_inspector-0.1.0/tests/test_policy_workflow.py +126 -0
- aibom_inspector-0.1.0/tests/test_reporting.py +64 -0
- aibom_inspector-0.1.0/tests/test_risk_engine.py +86 -0
- aibom_inspector-0.1.0/tests/test_scoring_models.py +47 -0
- aibom_inspector-0.1.0/tests/test_stack_discovery.py +36 -0
- aibom_inspector-0.1.0/tests/test_tensor_fuzz.py +120 -0
|
@@ -0,0 +1,201 @@
|
|
|
1
|
+
Apache License
|
|
2
|
+
Version 2.0, January 2004
|
|
3
|
+
http://www.apache.org/licenses/
|
|
4
|
+
|
|
5
|
+
TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
|
|
6
|
+
|
|
7
|
+
1. Definitions.
|
|
8
|
+
|
|
9
|
+
"License" shall mean the terms and conditions for use, reproduction,
|
|
10
|
+
and distribution as defined by Sections 1 through 9 of this document.
|
|
11
|
+
|
|
12
|
+
"Licensor" shall mean the copyright owner or entity authorized by
|
|
13
|
+
the copyright owner that is granting the License.
|
|
14
|
+
|
|
15
|
+
"Legal Entity" shall mean the union of the acting entity and all
|
|
16
|
+
other entities that control, are controlled by, or are under common
|
|
17
|
+
control with that entity. For the purposes of this definition,
|
|
18
|
+
"control" means (i) the power, direct or indirect, to cause the
|
|
19
|
+
direction or management of such entity, whether by contract or
|
|
20
|
+
otherwise, or (ii) ownership of fifty percent (50%) or more of the
|
|
21
|
+
outstanding shares, or (iii) beneficial ownership of such entity.
|
|
22
|
+
|
|
23
|
+
"You" (or "Your") shall mean an individual or Legal Entity
|
|
24
|
+
exercising permissions granted by this License.
|
|
25
|
+
|
|
26
|
+
"Source" form shall mean the preferred form for making modifications,
|
|
27
|
+
including but not limited to software source code, documentation
|
|
28
|
+
source, and configuration files.
|
|
29
|
+
|
|
30
|
+
"Object" form shall mean any form resulting from mechanical
|
|
31
|
+
transformation or translation of a Source form, including but
|
|
32
|
+
not limited to compiled object code, generated documentation,
|
|
33
|
+
and conversions to other media types.
|
|
34
|
+
|
|
35
|
+
"Work" shall mean the work of authorship, whether in Source or
|
|
36
|
+
Object form, made available under the License, as indicated by a
|
|
37
|
+
copyright notice that is included in or attached to the work
|
|
38
|
+
(an example is provided in the Appendix below).
|
|
39
|
+
|
|
40
|
+
"Derivative Works" shall mean any work, whether in Source or Object
|
|
41
|
+
form, that is based on (or derived from) the Work and for which the
|
|
42
|
+
editorial revisions, annotations, elaborations, or other modifications
|
|
43
|
+
represent, as a whole, an original work of authorship. For the purposes
|
|
44
|
+
of this License, Derivative Works shall not include works that remain
|
|
45
|
+
separable from, or merely link (or bind by name) to the interfaces of,
|
|
46
|
+
the Work and Derivative Works thereof.
|
|
47
|
+
|
|
48
|
+
"Contribution" shall mean any work of authorship, including
|
|
49
|
+
the original version of the Work and any modifications or additions
|
|
50
|
+
to that Work or Derivative Works thereof, that is intentionally
|
|
51
|
+
submitted to Licensor for inclusion in the Work by the copyright owner
|
|
52
|
+
or by an individual or Legal Entity authorized to submit on behalf of
|
|
53
|
+
the copyright owner. For the purposes of this definition, "submitted"
|
|
54
|
+
means any form of electronic, verbal, or written communication sent
|
|
55
|
+
to the Licensor or its representatives, including but not limited to
|
|
56
|
+
communication on electronic mailing lists, source code control systems,
|
|
57
|
+
and issue tracking systems that are managed by, or on behalf of, the
|
|
58
|
+
Licensor for the purpose of discussing and improving the Work, but
|
|
59
|
+
excluding communication that is conspicuously marked or otherwise
|
|
60
|
+
designated in writing by the copyright owner as "Not a Contribution."
|
|
61
|
+
|
|
62
|
+
"Contributor" shall mean Licensor and any individual or Legal Entity
|
|
63
|
+
on behalf of whom a Contribution has been received by Licensor and
|
|
64
|
+
subsequently incorporated within the Work.
|
|
65
|
+
|
|
66
|
+
2. Grant of Copyright License. Subject to the terms and conditions of
|
|
67
|
+
this License, each Contributor hereby grants to You a perpetual,
|
|
68
|
+
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
|
|
69
|
+
copyright license to reproduce, prepare Derivative Works of,
|
|
70
|
+
publicly display, publicly perform, sublicense, and distribute the
|
|
71
|
+
Work and such Derivative Works in Source or Object form.
|
|
72
|
+
|
|
73
|
+
3. Grant of Patent License. Subject to the terms and conditions of
|
|
74
|
+
this License, each Contributor hereby grants to You a perpetual,
|
|
75
|
+
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
|
|
76
|
+
(except as stated in this section) patent license to make, have made,
|
|
77
|
+
use, offer to sell, sell, import, and otherwise transfer the Work,
|
|
78
|
+
where such license applies only to those patent claims licensable
|
|
79
|
+
by such Contributor that are necessarily infringed by their
|
|
80
|
+
Contribution(s) alone or by combination of their Contribution(s)
|
|
81
|
+
with the Work to which such Contribution(s) was submitted. If You
|
|
82
|
+
institute patent litigation against any entity (including a
|
|
83
|
+
cross-claim or counterclaim in a lawsuit) alleging that the Work
|
|
84
|
+
or a Contribution incorporated within the Work constitutes direct
|
|
85
|
+
or contributory patent infringement, then any patent licenses
|
|
86
|
+
granted to You under this License for that Work shall terminate
|
|
87
|
+
as of the date such litigation is filed.
|
|
88
|
+
|
|
89
|
+
4. Redistribution. You may reproduce and distribute copies of the
|
|
90
|
+
Work or Derivative Works thereof in any medium, with or without
|
|
91
|
+
modifications, and in Source or Object form, provided that You
|
|
92
|
+
meet the following conditions:
|
|
93
|
+
|
|
94
|
+
(a) You must give any other recipients of the Work or
|
|
95
|
+
Derivative Works a copy of this License; and
|
|
96
|
+
|
|
97
|
+
(b) You must cause any modified files to carry prominent notices
|
|
98
|
+
stating that You changed the files; and
|
|
99
|
+
|
|
100
|
+
(c) You must retain, in the Source form of any Derivative Works
|
|
101
|
+
that You distribute, all copyright, patent, trademark, and
|
|
102
|
+
attribution notices from the Source form of the Work,
|
|
103
|
+
excluding those notices that do not pertain to any part of
|
|
104
|
+
the Derivative Works; and
|
|
105
|
+
|
|
106
|
+
(d) If the Work includes a "NOTICE" text file as part of its
|
|
107
|
+
distribution, then any Derivative Works that You distribute must
|
|
108
|
+
include a readable copy of the attribution notices contained
|
|
109
|
+
within such NOTICE file, excluding those notices that do not
|
|
110
|
+
pertain to any part of the Derivative Works, in at least one
|
|
111
|
+
of the following places: within a NOTICE text file distributed
|
|
112
|
+
as part of the Derivative Works; within the Source form or
|
|
113
|
+
documentation, if provided along with the Derivative Works; or,
|
|
114
|
+
within a display generated by the Derivative Works, if and
|
|
115
|
+
wherever such third-party notices normally appear. The contents
|
|
116
|
+
of the NOTICE file are for informational purposes only and
|
|
117
|
+
do not modify the License. You may add Your own attribution
|
|
118
|
+
notices within Derivative Works that You distribute, alongside
|
|
119
|
+
or as an addendum to the NOTICE text from the Work, provided
|
|
120
|
+
that such additional attribution notices cannot be construed
|
|
121
|
+
as modifying the License.
|
|
122
|
+
|
|
123
|
+
You may add Your own copyright statement to Your modifications and
|
|
124
|
+
may provide additional or different license terms and conditions
|
|
125
|
+
for use, reproduction, or distribution of Your modifications, or
|
|
126
|
+
for any such Derivative Works as a whole, provided Your use,
|
|
127
|
+
reproduction, and distribution of the Work otherwise complies with
|
|
128
|
+
the conditions stated in this License.
|
|
129
|
+
|
|
130
|
+
5. Submission of Contributions. Unless You explicitly state otherwise,
|
|
131
|
+
any Contribution intentionally submitted for inclusion in the Work
|
|
132
|
+
by You to the Licensor shall be under the terms and conditions of
|
|
133
|
+
this License, without any additional terms or conditions.
|
|
134
|
+
Notwithstanding the above, nothing herein shall supersede or modify
|
|
135
|
+
the terms of any separate license agreement you may have executed
|
|
136
|
+
with Licensor regarding such Contributions.
|
|
137
|
+
|
|
138
|
+
6. Trademarks. This License does not grant permission to use the trade
|
|
139
|
+
names, trademarks, service marks, or product names of the Licensor,
|
|
140
|
+
except as required for reasonable and customary use in describing the
|
|
141
|
+
origin of the Work and reproducing the content of the NOTICE file.
|
|
142
|
+
|
|
143
|
+
7. Disclaimer of Warranty. Unless required by applicable law or
|
|
144
|
+
agreed to in writing, Licensor provides the Work (and each
|
|
145
|
+
Contributor provides its Contributions) on an "AS IS" BASIS,
|
|
146
|
+
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
|
|
147
|
+
implied, including, without limitation, any warranties or conditions
|
|
148
|
+
of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
|
|
149
|
+
PARTICULAR PURPOSE. You are solely responsible for determining the
|
|
150
|
+
appropriateness of using or redistributing the Work and assume any
|
|
151
|
+
risks associated with Your exercise of permissions under this License.
|
|
152
|
+
|
|
153
|
+
8. Limitation of Liability. In no event and under no legal theory,
|
|
154
|
+
whether in tort (including negligence), contract, or otherwise,
|
|
155
|
+
unless required by applicable law (such as deliberate and grossly
|
|
156
|
+
negligent acts) or agreed to in writing, shall any Contributor be
|
|
157
|
+
liable to You for damages, including any direct, indirect, special,
|
|
158
|
+
incidental, or consequential damages of any character arising as a
|
|
159
|
+
result of this License or out of the use or inability to use the
|
|
160
|
+
Work (including but not limited to damages for loss of goodwill,
|
|
161
|
+
work stoppage, computer failure or malfunction, or any and all
|
|
162
|
+
other commercial damages or losses), even if such Contributor
|
|
163
|
+
has been advised of the possibility of such damages.
|
|
164
|
+
|
|
165
|
+
9. Accepting Warranty or Additional Liability. While redistributing
|
|
166
|
+
the Work or Derivative Works thereof, You may choose to offer,
|
|
167
|
+
and charge a fee for, acceptance of support, warranty, indemnity,
|
|
168
|
+
or other liability obligations and/or rights consistent with this
|
|
169
|
+
License. However, in accepting such obligations, You may act only
|
|
170
|
+
on Your own behalf and on Your sole responsibility, not on behalf
|
|
171
|
+
of any other Contributor, and only if You agree to indemnify,
|
|
172
|
+
defend, and hold each Contributor harmless for any liability
|
|
173
|
+
incurred by, or claims asserted against, such Contributor by reason
|
|
174
|
+
of your accepting any such warranty or additional liability.
|
|
175
|
+
|
|
176
|
+
END OF TERMS AND CONDITIONS
|
|
177
|
+
|
|
178
|
+
APPENDIX: How to apply the Apache License to your work.
|
|
179
|
+
|
|
180
|
+
To apply the Apache License to your work, attach the following
|
|
181
|
+
boilerplate notice, with the fields enclosed by brackets "[]"
|
|
182
|
+
replaced with your own identifying information. (Don't include
|
|
183
|
+
the brackets!) The text should be enclosed in the appropriate
|
|
184
|
+
comment syntax for the file format. We also recommend that a
|
|
185
|
+
file or class name and description of purpose be included on the
|
|
186
|
+
same "printed page" as the copyright notice for easier
|
|
187
|
+
identification within third-party archives.
|
|
188
|
+
|
|
189
|
+
Copyright [yyyy] [name of copyright owner]
|
|
190
|
+
|
|
191
|
+
Licensed under the Apache License, Version 2.0 (the "License");
|
|
192
|
+
you may not use this file except in compliance with the License.
|
|
193
|
+
You may obtain a copy of the License at
|
|
194
|
+
|
|
195
|
+
http://www.apache.org/licenses/LICENSE-2.0
|
|
196
|
+
|
|
197
|
+
Unless required by applicable law or agreed to in writing, software
|
|
198
|
+
distributed under the License is distributed on an "AS IS" BASIS,
|
|
199
|
+
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
200
|
+
See the License for the specific language governing permissions and
|
|
201
|
+
limitations under the License.
|
|
@@ -0,0 +1,396 @@
|
|
|
1
|
+
Metadata-Version: 2.4
|
|
2
|
+
Name: aibom-inspector
|
|
3
|
+
Version: 0.1.0
|
|
4
|
+
Summary: Security and risk analysis tool for AI projects (AI-BOM).
|
|
5
|
+
Author-email: Jordan Desjarlais <jordandesjarlais.2022@gmail.com>
|
|
6
|
+
Project-URL: Homepage, https://github.com/aibom-inspector/AI-BOM-Inspector
|
|
7
|
+
Project-URL: Repository, https://github.com/aibom-inspector/AI-BOM-Inspector
|
|
8
|
+
Project-URL: Bug Tracker, https://github.com/aibom-inspector/AI-BOM-Inspector/issues
|
|
9
|
+
Keywords: ai,security,supply-chain,bom,risk
|
|
10
|
+
Classifier: Development Status :: 5 - Production/Stable
|
|
11
|
+
Classifier: Intended Audience :: Developers
|
|
12
|
+
Classifier: License :: OSI Approved :: MIT License
|
|
13
|
+
Classifier: Programming Language :: Python
|
|
14
|
+
Classifier: Programming Language :: Python :: 3
|
|
15
|
+
Classifier: Programming Language :: Python :: 3.10
|
|
16
|
+
Classifier: Programming Language :: Python :: 3.11
|
|
17
|
+
Classifier: Programming Language :: Python :: 3.12
|
|
18
|
+
Classifier: Topic :: Security
|
|
19
|
+
Classifier: Topic :: Software Development :: Build Tools
|
|
20
|
+
Requires-Python: >=3.10
|
|
21
|
+
Description-Content-Type: text/markdown
|
|
22
|
+
License-File: LICENSE
|
|
23
|
+
Requires-Dist: click>=8.1.0
|
|
24
|
+
Requires-Dist: jinja2>=3.1.0
|
|
25
|
+
Requires-Dist: pydantic>=2.6.0
|
|
26
|
+
Requires-Dist: requests>=2.31.0
|
|
27
|
+
Requires-Dist: packaging>=23.0
|
|
28
|
+
Requires-Dist: PyYAML>=6.0.0
|
|
29
|
+
Requires-Dist: tomli>=2.0.1; python_version < "3.11"
|
|
30
|
+
Provides-Extra: huggingface
|
|
31
|
+
Requires-Dist: huggingface_hub>=0.26.0; extra == "huggingface"
|
|
32
|
+
Provides-Extra: dev
|
|
33
|
+
Requires-Dist: build>=1.2.1; extra == "dev"
|
|
34
|
+
Requires-Dist: pytest>=8.0.0; extra == "dev"
|
|
35
|
+
Requires-Dist: ruff>=0.6.0; extra == "dev"
|
|
36
|
+
Requires-Dist: mypy>=1.10.0; extra == "dev"
|
|
37
|
+
Requires-Dist: types-requests>=2.32.0.20240622; extra == "dev"
|
|
38
|
+
Dynamic: license-file
|
|
39
|
+
|
|
40
|
+
# AI-BOM Inspector
|
|
41
|
+
|
|
42
|
+

|
|
43
|
+
|
|
44
|
+
Offline-first SBOM + AI supply-chain risk and license scanner. Privacy posture: default is `--offline` (no network calls) unless you opt into `--online`. Local-first; optional enrichment (OSV/HF/Shadow-UEFI) can be enabled explicitly. Fully offline supported. The "AI" is transparent rules + heuristics with a deterministic executive summary that runs offline; teams can still layer in their own LLM if desired.
|
|
45
|
+
|
|
46
|
+
## Architecture at a glance
|
|
47
|
+
|
|
48
|
+
```mermaid
|
|
49
|
+
graph TD
|
|
50
|
+
A["CLI / API"] --> B["Manifest & SBOM parsers"]
|
|
51
|
+
A --> C["Model metadata loaders"]
|
|
52
|
+
B --> D["Risk engine"]
|
|
53
|
+
C --> D
|
|
54
|
+
D --> E["Report renderers<br/>(JSON, Markdown, HTML, CycloneDX, SPDX)"]
|
|
55
|
+
E --> F["CI gates<br/>(fail-on-score, diff)"]
|
|
56
|
+
```
|
|
57
|
+
|
|
58
|
+
The scanner defaults to local-only analysis: it ingests manifests/SBOMs, can layer in optional OSV/Hugging Face lookups, and emits reports that CI can enforce. Network enrichment (OSV, Hugging Face, Shadow-UEFI-Intel metadata) only occurs when you deliberately pass `--online` and enable the relevant feature flag.
|
|
59
|
+
|
|
60
|
+
## Repository layout
|
|
61
|
+
|
|
62
|
+
```
|
|
63
|
+
ai-bom-inspector/
|
|
64
|
+
crates/
|
|
65
|
+
core/ # parsing, normalization, scoring (Rust extension)
|
|
66
|
+
licenses/ # license rules, SPDX mapping
|
|
67
|
+
advisories/ # CVE ingestion adapters (OSV/NVD/etc)
|
|
68
|
+
report/ # JSON/MD/SARIF outputs + diff support
|
|
69
|
+
src/ # Python package (aibom_inspector)
|
|
70
|
+
policies/
|
|
71
|
+
examples/
|
|
72
|
+
default.yml
|
|
73
|
+
strict.yml
|
|
74
|
+
oss-friendly.yml
|
|
75
|
+
schemas/
|
|
76
|
+
policy.schema.json
|
|
77
|
+
report.schema.json
|
|
78
|
+
integrations/
|
|
79
|
+
github-action/ # composite action wrapper for CI
|
|
80
|
+
pre-commit/ # reusable hook definition
|
|
81
|
+
docs/
|
|
82
|
+
QUICKSTART.md
|
|
83
|
+
POLICY.md
|
|
84
|
+
SCORING.md
|
|
85
|
+
FAQ.md
|
|
86
|
+
.github/
|
|
87
|
+
workflows/
|
|
88
|
+
ci.yml
|
|
89
|
+
scan-pr.yml # runs on PR and posts summary
|
|
90
|
+
tests/
|
|
91
|
+
README.md
|
|
92
|
+
```
|
|
93
|
+
|
|
94
|
+
## What it does
|
|
95
|
+
- Parse dependency manifests across Python (`requirements.txt`, `pyproject.toml`), JavaScript (`package.json` / `package-lock.json`), Go (`go.mod`), and Java (`pom.xml`)
|
|
96
|
+
- Ingest existing SBOMs (`--sbom-file`) and export CycloneDX or SPDX alongside AI-BOM extensions
|
|
97
|
+
- Gather AI model metadata from JSON or explicit Hugging Face IDs and auto-discover model references (OpenAI/Anthropic calls, `from_pretrained` loads, pipeline configs) directly from your repo
|
|
98
|
+
- Apply heuristics for pins, stale models, license posture (permissive vs copyleft vs proprietary vs unknown), and optional CVE lookups via OSV
|
|
99
|
+
- Surface AI model lineage, training data provenance, license ambiguity, and model risk profiles so AI-BOM metadata is front-and-center for governance reviews
|
|
100
|
+
- Inspect model artifacts (safetensors/pickle checkpoints) for poisoned weights or unsafe globals and compute hashes for reputation checks
|
|
101
|
+
- Cross-check models against local vulnerability/advisory feeds, training source fingerprints, and map findings to STRIDE + MITRE ATLAS categories
|
|
102
|
+
- Emit JSON, Markdown, HTML, CycloneDX, or SPDX reports with risk breakdowns driven by explainable heuristics plus a deterministic, offline AI summary (optionally replaceable by your own LLM if desired)
|
|
103
|
+
- Optionally pull firmware research context from [Shadow-UEFI-Intel](https://github.com/MellyFinnese/Shadow-UEFI-Intel) when `--online --enable-shadow-uefi-intel` is used
|
|
104
|
+
- Maintain evidence chain-of-custody with attestations, audit logs, and integrity checks so governance teams can trace decisions end-to-end
|
|
105
|
+
- Provide score explainability artifacts (policy version, intel versions, weight breakdowns, temporal multipliers) to make risk outcomes audit-ready
|
|
106
|
+
- Require org context (asset criticality, data sensitivity, environment) so scores cannot be generated without enterprise context
|
|
107
|
+
|
|
108
|
+
The default reports only use deterministic heuristics; the "AI summary" field is generated offline from the scan findings so teams get an executive-ready summary without hosted inference.
|
|
109
|
+
|
|
110
|
+
## Network behavior
|
|
111
|
+
- Global posture: `--offline` is the default and hard-blocks every remote call. Expect `[OFFLINE_MODE]` / `[CVE_LOOKUP_SKIPPED]` annotations in reports when enrichment is skipped.
|
|
112
|
+
- Opt-in enrichment: add `--online` to allow outbound calls, then enable specific feeds (e.g., `--with-cves`, `--model-id`, `--enable-shadow-uefi-intel`) to choose what actually dials out.
|
|
113
|
+
- Local-only hardening: pass `--local-only` (or keep `--safe-mode` enabled) to enforce zero outbound fetches even if `--online` is set.
|
|
114
|
+
- Endpoints and payloads:
|
|
115
|
+
|
|
116
|
+
| Endpoint | When it fires | Data sent | How to disable |
|
|
117
|
+
| --- | --- | --- | --- |
|
|
118
|
+
| `https://api.osv.dev/v1/query` (or `OSV_API_URL`) | `--online` **and** `--with-cves` | JSON body containing `package.name`, `package.ecosystem`, and `version` for each dependency | Default offline; omit `--with-cves`; keep `--offline`; or point `OSV_API_URL` to an internal mirror |
|
|
119
|
+
| `https://huggingface.co/api/models/<id>` (or `huggingface_hub` SDK) | `--online` with `--model-id` or models whose `source` is `huggingface` | Model identifier only; response cached locally | Default offline; avoid `--online`; or provide a fully populated `models.json` |
|
|
120
|
+
| GitHub API for [Shadow-UEFI-Intel](https://github.com/MellyFinnese/Shadow-UEFI-Intel) | `--online` **and** `--enable-shadow-uefi-intel` | Repository metadata fetch; no project data sent | Default is disabled; leave `--enable-shadow-uefi-intel` off or keep `--offline` enabled |
|
|
121
|
+
| Local model advisory/hash databases (`model_vulnerability_db.json`, `model_hash_reputation.json`) | Always local unless you point to a custom URL | None (local JSON only) | Use defaults or pass `--model-advisory-db` / `--model-hash-db` |
|
|
122
|
+
| Future feeds | Any new integrations (documented as added) | Varies by feed | Default offline; disable the specific feature flag; or run with `--offline` |
|
|
123
|
+
|
|
124
|
+
Timeouts can be tuned via `--osv-timeout`, `--shadow-uefi-timeout`, or the `OSV_API_TIMEOUT` / `SHADOW_UEFI_INTEL_TIMEOUT` environment variables.
|
|
125
|
+
|
|
126
|
+
## Installation
|
|
127
|
+
- **Pinned release from GitHub (current canonical path):**
|
|
128
|
+
```bash
|
|
129
|
+
pip install "aibom-inspector @ git+https://github.com/aibom-inspector/AI-BOM-Inspector.git@main"
|
|
130
|
+
# Prefer a tagged release for CI:
|
|
131
|
+
pip install "aibom-inspector @ git+https://github.com/aibom-inspector/AI-BOM-Inspector.git@v0.1.0"
|
|
132
|
+
```
|
|
133
|
+
- **Editable dev install:**
|
|
134
|
+
```bash
|
|
135
|
+
pip install -e .[dev]
|
|
136
|
+
```
|
|
137
|
+
- **Wheels:** the Rust extension ships as a wheel when you build from source—`python -m build` will produce a `.whl` under `dist/` for airgapped installs.
|
|
138
|
+
- **PyPI readiness:** packaging metadata and wheels are production-ready for internal or public registries; use GitHub release pins above for stable CI installs or build a wheel locally for airgapped environments.
|
|
139
|
+
|
|
140
|
+
## Build + SBOM generation
|
|
141
|
+
- Build a wheel for offline installs:
|
|
142
|
+
```bash
|
|
143
|
+
python -m build
|
|
144
|
+
```
|
|
145
|
+
- Generate a CycloneDX SBOM for this tool:
|
|
146
|
+
```bash
|
|
147
|
+
pip install cyclonedx-bom
|
|
148
|
+
cyclonedx-py -o aibom-inspector-sbom.json
|
|
149
|
+
```
|
|
150
|
+
|
|
151
|
+
## Getting started
|
|
152
|
+
1. Create a `models.json` file if you want to include model metadata (auto-discovery will still pull model IDs out of your code/configs when this is omitted). A ready-to-use sample lives in `examples/models.sample.json`:
|
|
153
|
+
```json
|
|
154
|
+
[
|
|
155
|
+
{"id": "gpt2", "source": "huggingface", "license": "mit", "last_updated": "2024-01-01"},
|
|
156
|
+
{"id": "custom-embedder", "source": "private"}
|
|
157
|
+
]
|
|
158
|
+
```
|
|
159
|
+
2. Run the scanner (auto-detects dependency files when present):
|
|
160
|
+
```bash
|
|
161
|
+
aibom scan --models-file models.json --format html --output report.html
|
|
162
|
+
```
|
|
163
|
+
Run `aibom scan --help` for the full list of options and supported formats.
|
|
164
|
+
|
|
165
|
+
Network calls are off by default; add `--online` (plus flags like `--with-cves` or `--model-id`) if you want remote enrichment.
|
|
166
|
+
|
|
167
|
+
### Who is this for?
|
|
168
|
+
- AppSec and security engineers who want CI/CD-friendly AI-BOMs without shipping code to a third party
|
|
169
|
+
- MLOps/platform teams who need model metadata (license, freshness, advisories) next to dependencies
|
|
170
|
+
- Builders who want tweakable, explainable rules instead of black-box scanners
|
|
171
|
+
|
|
172
|
+
### Why this vs. Snyk & friends?
|
|
173
|
+
- **Small, OSS, local-first**: zero data leaves your laptop or CI box.
|
|
174
|
+
- **AI-stack aware**: treats models as first-class assets instead of opaque blobs.
|
|
175
|
+
- **Customizable rules**: heuristics are readable Python, not black-box policies.
|
|
176
|
+
- **Offline gates + allowlists + model-as-asset scoring**: enforce allowlisted model sources, run fully offline by default, and score models/dependencies together—capabilities that hosted scanners often treat as optional add-ons.
|
|
177
|
+
|
|
178
|
+
## Examples
|
|
179
|
+
- **End-to-end demo** (`examples/demo/`): tiny app with `requirements.txt`, `pyproject.toml`, `package-lock.json`, `go.mod`, `models.json`, and generated `aibom-report.json/md/html`.
|
|
180
|
+
- HTML report snapshot: open `examples/demo/aibom-report.html`
|
|
181
|
+
- Markdown rendering snapshot: see `examples/demo/aibom-report.md`
|
|
182
|
+
- Before/after hygiene comparison: `docs/screenshots/before-after.html`
|
|
183
|
+
|
|
184
|
+
Small JSON excerpt (full file in `examples/demo/aibom-report.json`):
|
|
185
|
+
```json
|
|
186
|
+
{
|
|
187
|
+
"stack_risk_score": 30,
|
|
188
|
+
"risk_breakdown": {"unpinned_deps": 3, "unverified_sources": 0, "unknown_licenses": 1, "stale_models": 1},
|
|
189
|
+
"dependencies": [{"name": "urllib3", "issues": ["[KNOWN_VULN] CVE-2019-11324: CRLF injection when retrieving HTTP headers"]}],
|
|
190
|
+
"models": [{"id": "gpt2", "issues": ["[STALE_MODEL] Model metadata is stale", "[MODEL_VULNERABILITY] Advisory feed match (model_vulnerability_db.json)"]}]
|
|
191
|
+
}
|
|
192
|
+
```
|
|
193
|
+
- **Screenshots:**
|
|
194
|
+
- HTML report: open `examples/demo/aibom-report.html`
|
|
195
|
+
- Markdown rendering: view `examples/demo/aibom-report.md`
|
|
196
|
+
- Before vs. after: open `docs/screenshots/before-after.html`
|
|
197
|
+
- **Sample models file:** `examples/models.sample.json`
|
|
198
|
+
- **Sample Markdown report:** `examples/report.sample.md`
|
|
199
|
+
- **Example commands:**
|
|
200
|
+
- Only dependency scan with autodetection: `aibom scan --format json`
|
|
201
|
+
- Include models from a file: `aibom scan --models-file examples/models.sample.json --format markdown --output report.md`
|
|
202
|
+
- Specify models inline: `aibom scan --online --model-id gpt2 --model-id meta-llama/Llama-3-8B --format html`
|
|
203
|
+
- Enrich CVEs during the scan: `aibom scan --online --with-cves --format json`
|
|
204
|
+
- Use local model advisory and hash feeds: `aibom scan --models-file models.json --model-advisory-db feeds/model_vulnerability_db.json --model-hash-db feeds/model_hash_reputation.json`
|
|
205
|
+
- Apply training source fingerprints: `aibom scan --models-file models.json --training-source-db feeds/training_source_fingerprints.json`
|
|
206
|
+
- Include non-Python manifests: `aibom scan --manifest package-lock.json --manifest go.mod --format json`
|
|
207
|
+
- Import an SBOM: `aibom scan --sbom-file path/to/cyclonedx.json --format html --output merged-report.html`
|
|
208
|
+
- Run fully offline (no OSV/HF calls): `aibom scan --format markdown`
|
|
209
|
+
- Require inputs or fail fast: `aibom scan --require-input`
|
|
210
|
+
- Export CycloneDX: `aibom scan --format cyclonedx --sbom-output aibom-cyclonedx.json`
|
|
211
|
+
- Fail CI if health score < 70: `aibom scan --fail-on-score 70 --format html`
|
|
212
|
+
- Inspect model weights directly (detect NaNs/LSB steganography): `aibom weights my_model.safetensors --json`
|
|
213
|
+
- Quick comparison of two runs: `aibom diff aibom-report-old.json aibom-report-new.json`
|
|
214
|
+
|
|
215
|
+
## Highest-impact capabilities
|
|
216
|
+
See [docs/HIGHEST_IMPACT_NEXT_MOVES.md](docs/HIGHEST_IMPACT_NEXT_MOVES.md) for the capabilities that enable the end-to-end `discover → enforce` loop, policy-as-code UX, and GitHub-native SARIF outputs.
|
|
217
|
+
|
|
218
|
+
## Enterprise trust baseline
|
|
219
|
+
See [docs/ENTERPRISE_TRUST_BASELINE.md](docs/ENTERPRISE_TRUST_BASELINE.md) for the deal-maker controls around provenance/signing, artifact integrity, and dependency trust enforcement that enterprises expect in CI/CD rollouts.
|
|
220
|
+
|
|
221
|
+
## Enterprise control plane
|
|
222
|
+
- [Enterprise Control Plane](docs/ENTERPRISE_CONTROL_PLANE.md): multi-tenant governance, evidence storage, and CI/CD enforcement.
|
|
223
|
+
- [Enterprise roadmap](docs/ENTERPRISE_ROADMAP.md): central policy server, org audit features, dashboards, and web UI milestones.
|
|
224
|
+
- [Open-core boundary](docs/OPEN_CORE_BOUNDARY.md): commercial vs OSS separation and packaging.
|
|
225
|
+
- [AI supply chain threat model](docs/AI_SUPPLY_CHAIN_THREAT_MODEL.md): sales-ready threat taxonomy and control mapping.
|
|
226
|
+
- [Deployment reference](docs/DEPLOYMENT_REFERENCE.md): SaaS/on-prem parity and isolation model.
|
|
227
|
+
- [Policy engine deep dive](docs/POLICY_ENGINE_DEEP_DIVE.md): deterministic enforcement and explainability.
|
|
228
|
+
|
|
229
|
+
### 30-second sample report (before vs. after)
|
|
230
|
+
- **Input SBOM**: lightweight CycloneDX with a few Python and npm components plus a Hugging Face model ID.
|
|
231
|
+
- **Before (messy state)**:
|
|
232
|
+
- Command: `aibom scan --sbom-file examples/demo/aibom-report.json --format markdown --output before.md --fail-on-score 70`
|
|
233
|
+
- Top findings: `MISSING_PIN` for multiple deps, `UNKNOWN_LICENSE` on the model, `STALE_MODEL`, demo `KNOWN_VULN` entry, and `UNVERIFIED_SOURCE`.
|
|
234
|
+
- Outcome: `stack_risk_score` ≈ 50 and exit code **1** because it failed the `--fail-on-score 70` gate.
|
|
235
|
+
- **After (hardened state)**:
|
|
236
|
+
- Command: `aibom scan --sbom-file examples/demo/aibom-report.json --models-file examples/models.sample.json --format markdown --output after.md --fail-on-score 70 --online --with-cves`
|
|
237
|
+
- Top findings: `CVE` hits (if any) plus minor governance nits; pins and licenses quiet down once manifests and model metadata are cleaned up.
|
|
238
|
+
- Outcome: `stack_risk_score` in the high 80s and exit code **0**, making it CI-safe.
|
|
239
|
+
|
|
240
|
+
### AI-BOM extensions
|
|
241
|
+
|
|
242
|
+
CycloneDX and SPDX exports include AI-BOM extension data (e.g., `aibom:source`, license category, risk score, and issues) alongside the standard SBOM fields. See `docs/ai-bom-extensions.md` for the JSON schema and how each extension maps into CycloneDX properties and SPDX summaries.
|
|
243
|
+
|
|
244
|
+
### Standards alignment
|
|
245
|
+
- **AI-BOM schema mapping**: `schemas/report.schema.json` tracks the AI-BOM JSON conventions and is structured to align with the TAIBOM-style trust/attestation fields emerging in the community (e.g., explicit model source, license, provenance, and risk signals).
|
|
246
|
+
- **CycloneDX/SPDX bridges**: the CycloneDX/SPDX exporters project `aibom:*` properties into vendor-neutral fields so the output can slot into existing SBOM pipelines without custom parsers.
|
|
247
|
+
- **Reference-first posture**: schema updates aim to follow the AI-BOM working drafts; additions are scoped so teams can diff their SBOMs against the schema and treat this project as a reference implementation rather than a one-off tool.
|
|
248
|
+
- **Credibility pack**: `docs/credibility-pack/` ships SBOM slices, a repo list, and a scoreboard you can rerun to validate detection heuristics and false-positive rates.
|
|
249
|
+
|
|
250
|
+
### Output formats at a glance
|
|
251
|
+
See `docs/OUTPUTS.md` for a side-by-side JSON, SARIF, and CycloneDX example plus guidance on when to use each.
|
|
252
|
+
|
|
253
|
+
### Adoption defaults
|
|
254
|
+
- **Gates to start with**: fail CI on `--fail-on-score 70`, require allowlisted model sources (`--require-input` plus allowlist rules in `policies/examples/*`), and keep `--offline` as the default posture.
|
|
255
|
+
- **CI vs. local**: run `aibom scan --format json --output aibom-report.json --fail-on-score 70` in CI, then publish CycloneDX/SPDX via `--format cyclonedx` or `--format spdx` for downstream compliance jobs. Locally, add `--format html` or `--format markdown` for readability and iterate with `--diff` against previous runs.
|
|
256
|
+
- **Policy cookbook**: see `docs/POLICY_COOKBOOK.md` for OSS-friendly, enterprise-strict, and regulated defaults that can be copied into your own policy file (HIPAA, SOC 2, ISO/IEC 42001 packs are in `policies/examples/`).
|
|
257
|
+
|
|
258
|
+
Configuration tips:
|
|
259
|
+
|
|
260
|
+
- OSV enrichment uses the public API by default; override with `--osv-url` or `OSV_API_URL` and adjust the HTTP timeout via `--osv-timeout` or `OSV_API_TIMEOUT`.
|
|
261
|
+
- Model risk databases can be swapped via `--model-advisory-db`, `--model-hash-db`, `--license-risk-db`, and `--training-source-db` when you want to point at internal mirrors or curated feeds.
|
|
262
|
+
|
|
263
|
+
## Heuristics & Risk Signals
|
|
264
|
+
AI-BOM Inspector ships with lightweight, explainable checks that map to common AI supply-chain issues:
|
|
265
|
+
|
|
266
|
+
| Code | What it means | Severity |
|
|
267
|
+
| --- | --- | --- |
|
|
268
|
+
| `MISSING_PIN` | Dependency version not pinned with `==`/`~=` | High |
|
|
269
|
+
| `LOOSE_PIN` | Dependency uses a range (`>=`, `<=`, etc.) | Medium |
|
|
270
|
+
| `UNSTABLE_VERSION` | Pre-1.0 releases that may churn | Medium |
|
|
271
|
+
| `KNOWN_VULN` / `CVE` | Known vulnerable versions (built-in heuristics + optional OSV lookup; recommends safer versions when known) | High |
|
|
272
|
+
| `LICENSE_RISK` | Copyleft / reciprocal terms detected for a model | Medium |
|
|
273
|
+
| `MODEL_LICENSE_RESTRICTED` | Restricted or custom model license detected (OpenRAIL, research-only, etc.) | Medium |
|
|
274
|
+
| `PROPRIETARY_AI_RISK` | Proprietary model license may limit auditability or reuse | Medium |
|
|
275
|
+
| `UNKNOWN_LICENSE` | Model or SBOM component lacks license metadata | High |
|
|
276
|
+
| `STALE_MODEL` | Model metadata older than ~9 months | Medium |
|
|
277
|
+
| `UNVERIFIED_SOURCE` | Non-standard model source value | Medium |
|
|
278
|
+
| `MODEL_VULNERABILITY` | Model flagged by a vulnerability/advisory feed | High |
|
|
279
|
+
| `MODEL_HASH_MALICIOUS` | Model hash matches a malicious fingerprint | High |
|
|
280
|
+
| `MODEL_WEIGHT_ANOMALY` | Safetensors inspection detected poisoned/steganographic weights | High |
|
|
281
|
+
| `PICKLE_DANGEROUS_GLOBALS` | Pickle checkpoint references dangerous globals | High |
|
|
282
|
+
| `MODEL_LINEAGE_RISK` | Base model lineage contains license or vulnerability risk | Medium |
|
|
283
|
+
| `MODEL_LINEAGE_UNKNOWN` | Base model lineage not present in scan context | Medium |
|
|
284
|
+
| `FINE_TUNE_INHERITANCE_RISK` | Fine-tune inherits high-risk findings from base model | High |
|
|
285
|
+
| `DATASET_CONTAMINATION_RISK` | Training sources suggest contamination or policy exposure | High |
|
|
286
|
+
| `TRAINING_SOURCE_RISK` | Training source requires additional governance review | Medium |
|
|
287
|
+
| `SUPPLY_CHAIN_ANOMALY` | Model hash mismatch or artifact integrity anomaly detected | High |
|
|
288
|
+
| `MODEL_HASH_INVALID` | Declared model hash is not a valid SHA256 fingerprint | Medium |
|
|
289
|
+
| `MODEL_HASH_MISSING` | Model artifacts present without declared hashes | Medium |
|
|
290
|
+
| `OFFLINE_MODE` / `CVE_LOOKUP_SKIPPED` | Scan ran offline or without network dependencies; no remote enrichment performed | Low |
|
|
291
|
+
| `METADATA_UNAVAILABLE` | Model registry/API could not be reached; metadata reused from cache with a warning | Low |
|
|
292
|
+
| `INVALID_SBOM` | SBOM could not be parsed; flagged as an issue instead of crashing the scan | Medium |
|
|
293
|
+
|
|
294
|
+
The report shows a `stack_risk_score` (0–100, higher is healthier) and a `risk_breakdown` capturing unpinned deps, unverified sources, unknown licenses, stale models, and CVE hits. Tune the scoring with `--risk-max-score`, per-severity `--risk-penalty-*` flags, and governance/CVE penalties so teams can calibrate what “red” means for them. Conceptually, this is a health score: penalties are subtracted from the maximum, so `--fail-on-score 70` means “fail if health drops below 70/100.”
|
|
295
|
+
|
|
296
|
+
### How the risk score is computed
|
|
297
|
+
- Start from `risk_settings.max_score` (default 100) and subtract penalties instead of adding danger points.
|
|
298
|
+
- Every dependency/model issue subtracts `risk_settings.penalty_for(severity)` (default high=8, medium=4, low=2).
|
|
299
|
+
- Governance penalties subtract an extra `governance_penalty` for each unpinned dependency and unverified model source; CVE hits subtract `cve_penalty` to emphasize known exploit paths.
|
|
300
|
+
- Active exploitation flags override baseline scoring with `active_exploitation_penalty`, ensuring live exploitation signals dominate baseline severity math.
|
|
301
|
+
- The resulting value is clamped between 0–`max_score`, giving you a “health score” you can fail CI on via `--fail-on-score`.
|
|
302
|
+
|
|
303
|
+
### Recommended scoring policy
|
|
304
|
+
- **Start conservative**: gate on `--fail-on-score 70` while teams pilot the tool; after triage, ratchet up to **80** once noisy signals are addressed.
|
|
305
|
+
- **Respond by signal type**:
|
|
306
|
+
- `MISSING_PIN` / `LOOSE_PIN`: add explicit `==` pins (or `~=` if you must) and commit lockfiles.
|
|
307
|
+
- `UNKNOWN_LICENSE` / `LICENSE_RISK`: annotate licenses in `models.json` and prefer permissive alternatives when available.
|
|
308
|
+
- `STALE_MODEL`: update to a fresher model release or document a waiver in `models.json`.
|
|
309
|
+
- `KNOWN_VULN` / `CVE`: upgrade to the suggested safe version; if blocked, add a comment in your SBOM or pin to a patched fork.
|
|
310
|
+
- `UNVERIFIED_SOURCE`: source models from trusted registries (Hugging Face, internal artifactory) and record provenance.
|
|
311
|
+
- `OFFLINE_MODE` / `CVE_LOOKUP_SKIPPED`: rerun with network access before shipping to ensure enrichment isn’t missing critical advisories.
|
|
312
|
+
|
|
313
|
+
### Assumptions and known limitations
|
|
314
|
+
- **Offline mode trades fidelity for privacy:** metadata/CVE lookups are skipped; issues are marked with `OFFLINE_MODE` / `CVE_LOOKUP_SKIPPED` so reviewers know enrichment was suppressed.
|
|
315
|
+
- **SBOM trust but verify:** malformed SBOMs are surfaced as `INVALID_SBOM` issues and ignored otherwise; well-formed CycloneDX/SPDX inputs are merged into the dependency set.
|
|
316
|
+
- **Model metadata freshness depends on registries:** network failures are tolerated and recorded as `METADATA_UNAVAILABLE`, but license/freshness signals may be stale until the registry is reachable again.
|
|
317
|
+
- **Weight inspection is heuristic:** the safetensors scanner samples bits and looks for NaNs/Inf/LSB bias; unusual dtypes or truncated files raise clear errors instead of silently passing.
|
|
318
|
+
|
|
319
|
+
### Threat taxonomy + MITRE ATLAS mapping
|
|
320
|
+
AI-BOM Inspector attaches explicit AI threat categories and STRIDE classifications to model findings. Mappings are surfaced in the report framework section and can be tailored via a local taxonomy file:
|
|
321
|
+
- Default taxonomy: `src/aibom_inspector/data/ai_threat_taxonomy.json`
|
|
322
|
+
- Override: `aibom scan --threat-taxonomy-db path/to/ai_threat_taxonomy.json`
|
|
323
|
+
- MITRE ATLAS controls appear alongside NIST AI RMF, ISO/IEC 42001, OWASP LLM Top 10, SOC 2, and EU AI Act mappings.
|
|
324
|
+
See `docs/THREAT_TAXONOMY.md` for the default taxonomy and extension guidance.
|
|
325
|
+
|
|
326
|
+
### Model risk databases
|
|
327
|
+
Model risk intelligence is local-first. You can ship curated JSON feeds in-repo or pull them from internal mirrors:
|
|
328
|
+
- **Model vulnerability DB:** `model_vulnerability_db.json` (use `--model-advisory-db` to override)
|
|
329
|
+
- **Model hash reputation DB:** `model_hash_reputation.json` (use `--model-hash-db` to override)
|
|
330
|
+
- **License risk DB:** `license_risk_db.json` (use `--license-risk-db` to override)
|
|
331
|
+
- **Training source fingerprints:** `training_source_fingerprints.json` (use `--training-source-db` to override)
|
|
332
|
+
|
|
333
|
+
### Before vs. after hardening
|
|
334
|
+
|
|
335
|
+
| Scenario | Risk score | Signals |
|
|
336
|
+
| --- | --- | --- |
|
|
337
|
+
| **Messy AI stack** | 48/100 | Unpinned `package-lock.json`, unknown model license, stale model metadata |
|
|
338
|
+
| **Hardened AI stack** | 88/100 | All deps pinned, permissive licenses, fresh model metadata, no advisories |
|
|
339
|
+
|
|
340
|
+
### Example: scanning a real project
|
|
341
|
+
```bash
|
|
342
|
+
aibom scan --requirements requirements.txt --models-file models.json --with-cves --format html --output report.html \
|
|
343
|
+
--risk-penalty-high 10 --risk-penalty-medium 5 --risk-penalty-low 2
|
|
344
|
+
```
|
|
345
|
+
Pair it with `aibom diff report-old.json report-new.json` to highlight PR drift, or run in CI with `--fail-on-score 70`.
|
|
346
|
+
|
|
347
|
+
## Performance & scale signals
|
|
348
|
+
Baseline timings below were captured on the included demo project to give teams a starting point. Re-run in your own CI to capture local baselines:
|
|
349
|
+
|
|
350
|
+
| Scenario | Command | Result |
|
|
351
|
+
| --- | --- | --- |
|
|
352
|
+
| Demo project scan | `PYTHONPATH=src python -m aibom_inspector.cli scan --requirements examples/demo/requirements.txt --pyproject examples/demo/pyproject.toml --manifest examples/demo/package-lock.json --manifest examples/demo/go.mod --models-file examples/demo/models.json --format json --output /tmp/aibom-report.json` | 2.16s real (container, Python 3.10.19) |
|
|
353
|
+
|
|
354
|
+
Use `/usr/bin/time -p` or your CI timing metrics to capture project-specific numbers (dependency count, model count, and total runtime).
|
|
355
|
+
|
|
356
|
+
|
|
357
|
+
## Testing and CI
|
|
358
|
+
- Run unit tests: `pytest`
|
|
359
|
+
- GitHub Action: `.github/workflows/scan-pr.yml` uses the bundled composite action to scan PRs and post a risk comment.
|
|
360
|
+
- One-command SARIF + Markdown upload (offline by default; pair with `--online --with-cves` when you want CVEs):
|
|
361
|
+
```yaml
|
|
362
|
+
name: AI-BOM Inspector
|
|
363
|
+
on: [pull_request]
|
|
364
|
+
jobs:
|
|
365
|
+
scan:
|
|
366
|
+
runs-on: ubuntu-latest
|
|
367
|
+
steps:
|
|
368
|
+
- uses: actions/checkout@v4
|
|
369
|
+
- name: Install AI-BOM Inspector
|
|
370
|
+
run: pip install aibom-inspector
|
|
371
|
+
- name: Scan AI stack and emit SARIF + Markdown
|
|
372
|
+
run: >-
|
|
373
|
+
aibom scan --format sarif --output aibom-report.sarif --markdown-output aibom-report.md
|
|
374
|
+
--fail-on-score 75 --require-input
|
|
375
|
+
- name: Upload SARIF to GitHub Security
|
|
376
|
+
uses: github/codeql-action/upload-sarif@v3
|
|
377
|
+
with:
|
|
378
|
+
sarif_file: aibom-report.sarif
|
|
379
|
+
- name: Upload Markdown artifact
|
|
380
|
+
uses: actions/upload-artifact@v4
|
|
381
|
+
with:
|
|
382
|
+
name: aibom-report
|
|
383
|
+
path: aibom-report.md
|
|
384
|
+
```
|
|
385
|
+
- CI guardrails: keep `--offline` unless you need enrichments; when allowed, add `--online --with-cves` to the scan step and adjust allowlists accordingly.
|
|
386
|
+
|
|
387
|
+
## Releases and distribution
|
|
388
|
+
- **Tagged releases**: we cut signed Git tags for CLI milestones; package metadata lives in `pyproject.toml` and tracks the changelog.
|
|
389
|
+
- **PyPI**: publishing is planned under the `aibom-inspector` name; until then, install from source (`pip install -e .[dev]`) or lock to a tag tarball.
|
|
390
|
+
- **Versioning**: semantic-ish—patch releases for heuristics/docs, minor bumps when report schemas or exit codes change.
|
|
391
|
+
|
|
392
|
+
## Security, governance, and contributions
|
|
393
|
+
- See `SECURITY.md` for how to report vulnerabilities.
|
|
394
|
+
- See `CODE_OF_CONDUCT.md` for community standards.
|
|
395
|
+
- See `CONTRIBUTING.md` for development conventions and how to propose changes.
|
|
396
|
+
- `CHANGELOG.md` tracks notable updates.
|