PyPI - modelaudit - Versions diffs - 0.2.30__tar.gz → 0.2.32__tar.gz - Mend

modelaudit 0.2.30tar.gz → 0.2.32tar.gz

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (601) hide show

{modelaudit-0.2.30 → modelaudit-0.2.32}/.github/workflows/README.md RENAMED Viewed

@@ -12,4 +12,4 @@
 PRs run a reduced test matrix (Python 3.10 + 3.13). Main branch runs the full matrix (3.10–3.13). Documentation-only changes skip the full test suite.
-The performance workflow posts a sticky benchmark summary comment on same-repo PRs and uploads raw benchmark JSON as workflow artifacts.
+The performance workflow posts a sticky benchmark summary comment on same-repo PRs, uploads benchmark JSON plus Markdown summaries as workflow artifacts, and reports regressions or missing benchmarks without blocking the PR.

{modelaudit-0.2.30 → modelaudit-0.2.32}/.github/workflows/perf.yml RENAMED Viewed

@@ -4,7 +4,10 @@ on:
   pull_request:
     paths:
       - "modelaudit/**"
-      - "tests/**"
+      - "tests/benchmarks/**"
+      - "tests/helpers/**"
+      - "tests/conftest.py"
+      - "tests/test_benchmark_report.py"
       - "scripts/benchmark_report.py"
       - "pyproject.toml"
       - "uv.lock"
@@ -12,6 +15,16 @@ on:
   push:
     branches:
       - main
+    paths:
+      - "modelaudit/**"
+      - "tests/benchmarks/**"
+      - "tests/helpers/**"
+      - "tests/conftest.py"
+      - "tests/test_benchmark_report.py"
+      - "scripts/benchmark_report.py"
+      - "pyproject.toml"
+      - "uv.lock"
+      - ".github/workflows/perf.yml"
   workflow_dispatch:
 permissions:
@@ -42,19 +55,32 @@ jobs:
         run: |
           uv python pin 3.11
+      - name: Prepare benchmark temp directories
+        id: paths
+        run: |
+          artifact_dir="$RUNNER_TEMP/modelaudit-benchmarks"
+          base_worktree="$RUNNER_TEMP/modelaudit-base"
+          echo "BENCHMARK_ARTIFACT_DIR=$artifact_dir" >> "$GITHUB_ENV"
+          echo "BENCHMARK_BASE_WORKTREE=$base_worktree" >> "$GITHUB_ENV"
+          echo "artifact_dir=$artifact_dir" >> "$GITHUB_OUTPUT"
+          echo "base_worktree=$base_worktree" >> "$GITHUB_OUTPUT"
+          rm -rf "$artifact_dir" "$base_worktree"
+          mkdir -p "$artifact_dir"
       - name: Benchmark base commit
         if: github.event_name == 'pull_request'
+        env:
+          BASE_SHA: ${{ github.event.pull_request.base.sha }}
         run: |
-          git worktree add /tmp/modelaudit-base "${{ github.event.pull_request.base.sha }}"
-          cd /tmp/modelaudit-base
-          if [ ! -f tests/benchmarks/test_scan_benchmarks.py ]; then
+          set -euo pipefail
+          git worktree add --detach "$BENCHMARK_BASE_WORKTREE" "$BASE_SHA"
+          if [ ! -f "$BENCHMARK_BASE_WORKTREE/tests/benchmarks/test_scan_benchmarks.py" ]; then
             echo "Base branch does not include the benchmark suite yet; skipping baseline run."
             exit 0
           fi
-          uv python pin 3.11
-          uv run --locked --with pytest-benchmark pytest \
+          uv run --directory "$BENCHMARK_BASE_WORKTREE" --python 3.11 --locked --with pytest-benchmark pytest \
             tests/benchmarks/test_scan_benchmarks.py \
-            --benchmark-json=/tmp/benchmark-base.json \
+            --benchmark-json="$BENCHMARK_ARTIFACT_DIR/benchmark-base.json" \
             -q
       - name: Benchmark current commit
@@ -62,43 +88,51 @@ jobs:
           # Keep this lane single-process; pytest-benchmark disables itself under xdist.
           uv run --locked --with pytest-benchmark pytest \
             tests/benchmarks/test_scan_benchmarks.py \
-            --benchmark-json=/tmp/benchmark-head.json \
+            --benchmark-json="$BENCHMARK_ARTIFACT_DIR/benchmark-head.json" \
             -q
       - name: Compare against base
         id: compare
         if: github.event_name == 'pull_request'
-        continue-on-error: true
         run: |
-          if [ -f /tmp/benchmark-base.json ]; then
-            set +e
+          {
+            echo "[Workflow run and artifacts](${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}/actions/runs/${GITHUB_RUN_ID})"
+            echo
+          } > "$BENCHMARK_ARTIFACT_DIR/benchmark-comment.md"
+          if [ -f "$BENCHMARK_ARTIFACT_DIR/benchmark-base.json" ]; then
             uv run --locked python scripts/benchmark_report.py \
-              --current /tmp/benchmark-head.json \
-              --baseline /tmp/benchmark-base.json \
+              --current "$BENCHMARK_ARTIFACT_DIR/benchmark-head.json" \
+              --baseline "$BENCHMARK_ARTIFACT_DIR/benchmark-base.json" \
               --threshold 0.15 \
-              --summary-file /tmp/benchmark-comment.md
-            compare_exit=$?
-            set -e
+              --summary-file "$BENCHMARK_ARTIFACT_DIR/benchmark-compare.md"
           else
             {
               echo "Base branch does not include the benchmark suite yet; showing current results only."
               echo
-            } > /tmp/benchmark-comment.md
+            } > "$BENCHMARK_ARTIFACT_DIR/benchmark-current.md"
             uv run --locked python scripts/benchmark_report.py \
-              --current /tmp/benchmark-head.json \
-              --summary-file /tmp/benchmark-current.md
-            cat /tmp/benchmark-current.md >> /tmp/benchmark-comment.md
-            compare_exit=0
+              --current "$BENCHMARK_ARTIFACT_DIR/benchmark-head.json" \
+              --summary-file "$BENCHMARK_ARTIFACT_DIR/benchmark-current-report.md"
+            cat "$BENCHMARK_ARTIFACT_DIR/benchmark-current.md" >> "$BENCHMARK_ARTIFACT_DIR/benchmark-comment.md"
+            cat "$BENCHMARK_ARTIFACT_DIR/benchmark-current-report.md" >> "$BENCHMARK_ARTIFACT_DIR/benchmark-comment.md"
+          fi
+          if [ -f "$BENCHMARK_ARTIFACT_DIR/benchmark-compare.md" ]; then
+            cat "$BENCHMARK_ARTIFACT_DIR/benchmark-compare.md" >> "$BENCHMARK_ARTIFACT_DIR/benchmark-comment.md"
           fi
-          cat /tmp/benchmark-comment.md >> "$GITHUB_STEP_SUMMARY"
-          exit "$compare_exit"
+          cat "$BENCHMARK_ARTIFACT_DIR/benchmark-comment.md" >> "$GITHUB_STEP_SUMMARY"
       - name: Summarize current results
         if: github.event_name != 'pull_request'
         run: |
+          {
+            echo "[Workflow run and artifacts](${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}/actions/runs/${GITHUB_RUN_ID})"
+            echo
+          } > "$BENCHMARK_ARTIFACT_DIR/benchmark-summary.md"
           uv run --locked python scripts/benchmark_report.py \
-            --current /tmp/benchmark-head.json \
-            --summary-file "$GITHUB_STEP_SUMMARY"
+            --current "$BENCHMARK_ARTIFACT_DIR/benchmark-head.json" \
+            --summary-file "$BENCHMARK_ARTIFACT_DIR/benchmark-current.md"
+          cat "$BENCHMARK_ARTIFACT_DIR/benchmark-current.md" >> "$BENCHMARK_ARTIFACT_DIR/benchmark-summary.md"
+          cat "$BENCHMARK_ARTIFACT_DIR/benchmark-summary.md" >> "$GITHUB_STEP_SUMMARY"
       - name: Comment benchmark summary on PR
         if: >
@@ -107,7 +141,7 @@ jobs:
           github.event.pull_request.head.repo.full_name == github.repository
         uses: actions/github-script@v8
         env:
-          COMMENT_BODY_PATH: /tmp/benchmark-comment.md
+          COMMENT_BODY_PATH: ${{ steps.paths.outputs.artifact_dir }}/benchmark-comment.md
         with:
           script: |
             const fs = require("fs")
@@ -149,15 +183,14 @@ jobs:
       - name: Upload benchmark artifacts
         if: always()
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v7
         with:
           name: benchmark-results-python-3.11
-          path: |
-            /tmp/benchmark-head.json
-            /tmp/benchmark-base.json
+          path: ${{ steps.paths.outputs.artifact_dir }}
           if-no-files-found: error
           retention-days: 14
-      - name: Fail on benchmark regression
-        if: github.event_name == 'pull_request' && steps.compare.outcome == 'failure'
-        run: exit 1
+      - name: Cleanup benchmark base worktree
+        if: always() && github.event_name == 'pull_request'
+        run: |
+          git worktree remove --force "$BENCHMARK_BASE_WORKTREE" || true

modelaudit-0.2.32/.release-please-manifest.json ADDED Viewed

@@ -0,0 +1,3 @@
+{
+  ".": "0.2.32"
+}

{modelaudit-0.2.30 → modelaudit-0.2.32}/AGENTS.md RENAMED Viewed

@@ -55,9 +55,7 @@ git checkout -b feat/your-feature-name  # or fix/, chore/, test/
 # Commit (conventional)
 git commit -m "feat: add scanner for XYZ format
-Description here.
-Co-Authored-By: Claude <noreply@anthropic.com>"
+Description here."
 # PR (after validation) - ALL changes go through PRs
 git push -u origin feat/your-feature-name
@@ -130,7 +128,7 @@ When adding CVE detections to existing scanners, follow these rules distilled fr
 - **Doc/comment guards:** Use majority-line analysis (>50% doc lines via `_is_primarily_documentation()`), not substring checks — `"#" in content` is trivially bypassable by embedding a comment token in a payload.
 - **`STACK_GLOBAL` handling:** These opcodes have `arg=None` in pickletools; reconstruct `module.class` by walking backwards to find preceding `SHORT_BINUNICODE`/`BINUNICODE` ops.
 - **Dict short-circuit scope:** Track which op produces the `SETITEM` target — an unrelated `EMPTY_DICT` in the lookback window must not suppress detection of a `SETITEM` targeting a `REDUCE`/`NEWOBJ` result.
-- **Version comparison:** Handle PEP 440 prerelease tags (`a`, `b`, `rc`, `dev`) — `2.10.0a0` is still vulnerable, not the fix.
+- **Version comparison:** Handle PEP 440 prerelease tags (`a`, `b`, `rc`, `dev`) — for a framework/library version gate, a prerelease like `2.10.0a0` is still vulnerable, not the fix.
 - **Bounded reads:** Cap archive member reads for metadata validation (10 MB) to prevent memory spikes on large pickles.
 - **Pattern registration:** New CVE pattern lists must be added to `validate_patterns()` in `suspicious_symbols.py`.

{modelaudit-0.2.30 → modelaudit-0.2.32}/CHANGELOG.md RENAMED Viewed

@@ -5,6 +5,64 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+## [0.2.32](https://github.com/promptfoo/modelaudit/compare/v0.2.31...v0.2.32) (2026-04-05)
+### Bug Fixes
+- detect punctuated TensorRT tmp paths ([#867](https://github.com/promptfoo/modelaudit/issues/867)) ([9607530](https://github.com/promptfoo/modelaudit/commit/96075302de2d71b228be97e49698d6a1ad6b35bf))
+- fail closed on OpenVINO DOCTYPE parse errors ([#864](https://github.com/promptfoo/modelaudit/issues/864)) ([f5b19c4](https://github.com/promptfoo/modelaudit/commit/f5b19c48c7eab876e29f1f474c555b902fa9b6ce))
+- ignore OCI metadata URLs during layer discovery ([#866](https://github.com/promptfoo/modelaudit/issues/866)) ([0b24e3f](https://github.com/promptfoo/modelaudit/commit/0b24e3f7a0e013541bce100b64f1d69558bd807d))
+- reduce PMML subprocess extension false positives ([#869](https://github.com/promptfoo/modelaudit/issues/869)) ([5e6f79d](https://github.com/promptfoo/modelaudit/commit/5e6f79dc134267202b5a4b841a8946af865ebd15))
+- tolerate bounded CoreML custom block truncation ([#868](https://github.com/promptfoo/modelaudit/issues/868)) ([34df06d](https://github.com/promptfoo/modelaudit/commit/34df06dd2c12b69815a2a15f1273085856bebf64))
+## [Unreleased]
+### Bug Fixes
+- avoid CoreML nested parse failures on bounded-read truncation
+- detect punctuation-delimited TensorRT `/tmp` plugin paths
+- avoid PMML `<Extension>` false positives for benign `subprocess` prose while preserving `subprocess.getoutput()`, `subprocess.getstatusoutput()`, and `importlib.import_module("subprocess")` detections
+## [0.2.31](https://github.com/promptfoo/modelaudit/compare/v0.2.30...v0.2.31) (2026-04-04)
+### Bug Fixes
+- clean up CodeQL quality findings ([#862](https://github.com/promptfoo/modelaudit/issues/862)) ([5fbcb10](https://github.com/promptfoo/modelaudit/commit/5fbcb101322791831fbf6159bab454231a7f01f0))
+- detect long-gap protocol-0 pickle tails ([#844](https://github.com/promptfoo/modelaudit/issues/844)) ([cbc24b2](https://github.com/promptfoo/modelaudit/commit/cbc24b2af187055622b3776b3e49cca0c43ce9b7))
+- detect protocol 0/1 pickles with trailing junk ([#827](https://github.com/promptfoo/modelaudit/issues/827)) ([d07869d](https://github.com/promptfoo/modelaudit/commit/d07869dadc80de567db894dd8ceda9de53038a71))
+- fail closed on conflicting Keras ZIP config aliases ([#847](https://github.com/promptfoo/modelaudit/issues/847)) ([ab426b8](https://github.com/promptfoo/modelaudit/commit/ab426b8230b1766b4a7678803c90c45256bcdf54))
+- harden content-routed .keras ZIP recursive scans ([#828](https://github.com/promptfoo/modelaudit/issues/828)) ([a607df7](https://github.com/promptfoo/modelaudit/commit/a607df7e8f94623c7802ef3af90896e1b4c564cc))
+- harden CoreML scanner ([#859](https://github.com/promptfoo/modelaudit/issues/859)) ([50da953](https://github.com/promptfoo/modelaudit/commit/50da95393c6b0be318cb33535e12d16a361663ac))
+- harden Flax msgpack stream scanning ([#842](https://github.com/promptfoo/modelaudit/issues/842)) ([34e4595](https://github.com/promptfoo/modelaudit/commit/34e4595b2017f272c951a45c6f89a0fa8997f8d5))
+- harden JAX checkpoint scanner heuristics ([#837](https://github.com/promptfoo/modelaudit/issues/837)) ([1042c20](https://github.com/promptfoo/modelaudit/commit/1042c20c48ce09613125967623c715babc7b9da8))
+- harden Joblib raw/compressed pickle analysis ([#841](https://github.com/promptfoo/modelaudit/issues/841)) ([9d16470](https://github.com/promptfoo/modelaudit/commit/9d164701345aebef8ad03421ac66cbcca6c61aed))
+- harden Keras H5 scanner ([#848](https://github.com/promptfoo/modelaudit/issues/848)) ([aa0ef28](https://github.com/promptfoo/modelaudit/commit/aa0ef2878593e639a5b868a4be2d5de7a6c9c23b))
+- harden MAR duplicate-member analysis ([#830](https://github.com/promptfoo/modelaudit/issues/830)) ([8d4e056](https://github.com/promptfoo/modelaudit/commit/8d4e0567f1df15405f429cefe3cd894aada3b712))
+- harden NeMo target checks and YAML bounds ([#839](https://github.com/promptfoo/modelaudit/issues/839)) ([63ff67d](https://github.com/promptfoo/modelaudit/commit/63ff67d45aa7d454e63781c71039839c35e74892))
+- harden OCI layer scanner ([#856](https://github.com/promptfoo/modelaudit/issues/856)) ([637a4da](https://github.com/promptfoo/modelaudit/commit/637a4daa72047c15598660320f2f12de6a43e627))
+- harden ONNX scanner ([#857](https://github.com/promptfoo/modelaudit/issues/857)) ([de304a7](https://github.com/promptfoo/modelaudit/commit/de304a77513abf551e96a1828f57fdfdd11150c2))
+- harden OpenVINO scanner ([#852](https://github.com/promptfoo/modelaudit/issues/852)) ([a97b76e](https://github.com/promptfoo/modelaudit/commit/a97b76efc44940d70b6cc0f485485d5c5ff7b550))
+- harden PMML scanner ([#860](https://github.com/promptfoo/modelaudit/issues/860)) ([cbcd88a](https://github.com/promptfoo/modelaudit/commit/cbcd88a91cc8b3f9986554b255be366fcae672a8))
+- harden post-budget pickle tail scan bounds ([16d6db3](https://github.com/promptfoo/modelaudit/commit/16d6db39a6263bc923415d34f7501765550e3564))
+- harden PyTorch binary chunk scanning ([#846](https://github.com/promptfoo/modelaudit/issues/846)) ([930c0bf](https://github.com/promptfoo/modelaudit/commit/930c0bf32b53fbc32252c1b2d98aa1f30716eece))
+- harden SevenZip scanner ([#855](https://github.com/promptfoo/modelaudit/issues/855)) ([8d0c362](https://github.com/promptfoo/modelaudit/commit/8d0c362770f4261eefd7461309e7de09b923587d))
+- harden skops archive routing, recursion, and scanner reporting ([#829](https://github.com/promptfoo/modelaudit/issues/829)) ([fb13f68](https://github.com/promptfoo/modelaudit/commit/fb13f6880fdf80e2e78f5f3f30d9b31c2cff17a3))
+- harden Skops CVE status and card fallback detection ([#843](https://github.com/promptfoo/modelaudit/issues/843)) ([9dd964f](https://github.com/promptfoo/modelaudit/commit/9dd964f0aff86092178578f5b952418a6ec52200))
+- harden TAR scanner ([#854](https://github.com/promptfoo/modelaudit/issues/854)) ([219ce54](https://github.com/promptfoo/modelaudit/commit/219ce54446385e87739beacb2b9a8629cde31abb))
+- harden TensorFlow MetaGraph scanner ([#850](https://github.com/promptfoo/modelaudit/issues/850)) ([2dacc9d](https://github.com/promptfoo/modelaudit/commit/2dacc9dcf844ff8ecd335ad1604519b07fc95432))
+- harden TensorFlow SavedModel scanner ([#849](https://github.com/promptfoo/modelaudit/issues/849)) ([f42b7f2](https://github.com/promptfoo/modelaudit/commit/f42b7f2aa560ff72f495a330870478f9028d4fc3))
+- harden TensorRT scanner ([#858](https://github.com/promptfoo/modelaudit/issues/858)) ([c923b55](https://github.com/promptfoo/modelaudit/commit/c923b55df6e8101f40728cbad254d708eea515c5))
+- harden TFLite scanner ([#851](https://github.com/promptfoo/modelaudit/issues/851)) ([b1b1060](https://github.com/promptfoo/modelaudit/commit/b1b1060ae746047becec36356c6a3d3c8227c723))
+- harden TorchServe MAR handler and manifest analysis ([#840](https://github.com/promptfoo/modelaudit/issues/840)) ([6fc0437](https://github.com/promptfoo/modelaudit/commit/6fc04375fd4709869766418e1873231623458e59))
+- harden ZIP scanner ([#853](https://github.com/promptfoo/modelaudit/issues/853)) ([4ccec1a](https://github.com/promptfoo/modelaudit/commit/4ccec1afcd66b2bac3c75f6bd635f34b446090ea))
+- reject raw trailers in zlib wrappers ([#838](https://github.com/promptfoo/modelaudit/issues/838)) ([3b15e2e](https://github.com/promptfoo/modelaudit/commit/3b15e2e1d148d1c700c6d5300655b5e4bb388d70))
+- scan duplicate PyTorch ZIP members ([#845](https://github.com/promptfoo/modelaudit/issues/845)) ([4f63b22](https://github.com/promptfoo/modelaudit/commit/4f63b2277b8d843411d833d00bcf33615b8fb17b))
+### Documentation
+- remove Claude-specific commit trailer ([#834](https://github.com/promptfoo/modelaudit/issues/834)) ([d891025](https://github.com/promptfoo/modelaudit/commit/d891025791128245f293057f4849b481806292c7))
+- simplify CLAUDE shim ([#835](https://github.com/promptfoo/modelaudit/issues/835)) ([616ee31](https://github.com/promptfoo/modelaudit/commit/616ee318019e188f90ee1d41b2a2aaaee9c9444e))
 ## [0.2.30](https://github.com/promptfoo/modelaudit/compare/v0.2.29...v0.2.30) (2026-03-30)
 ### Bug Fixes
@@ -107,10 +165,41 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ### Fixed
+- **security:** route renamed TFLite FlatBuffers by magic bytes, enforce scanner file-size limits before model reads, and fail closed instead of propagating malformed structure traversal exceptions
+- **onnx:** fail closed on CRITICAL findings, detect `PyFunc` operators and Windows absolute external-data paths, validate external tensor slices with the current ONNX dtype API, and avoid Python-op substring false positives
+- **tensorrt:** route `.trt` engines, detect case-variant and UTF-16 suspicious strings, and avoid substring false positives in benign engine metadata
+- **coreml:** detect Python 3 command metadata, Windows and bundle-macro linked-model escapes, malformed custom-code protobuf blocks, and custom layers nested under pipeline wrappers while preserving safe-key metadata URL inspection
+- **pmml:** enforce max-file-size limits, inspect namespaced Extension/script tags, ignore DOCTYPE/ENTITY text inside XML comments/CDATA, avoid recursive text-walk crashes on deeply nested Extension trees, and fail closed when CRITICAL PMML findings are present
+- **gguf:** fall back to the GGUF spec default tensor-data alignment after rejecting invalid `general.alignment` metadata values
+- **security:** detect protocol 0/1 pickle streams hidden behind long separator gaps after an initial safe pickle stream
+- **security:** preserve failed status for malicious Skops CVE detections and avoid CVE-2025-54886 false positives on benign README/model-card text such as "download"
+- **security:** enforce Flax msgpack scanner file-size limits before full reads, scan trailing msgpack stream objects with a bounded object-count cap, downgrade benign container-like trailing-object findings to INFO, and preserve failed status when CRITICAL findings are reported
+- **security:** route `.joblib` files through the Joblib scanner, scan raw protocol-0/1 payloads directly, support gzip/bzip2/lzma/zlib wrappers with bounded output and trailing-data checks, preserve embedded Pickle finding locations, and fail closed on undecodable/trailing-wrapper errors
+- **security:** detect direct `getattr(module, "dangerous")` handler calls in TorchServe MAR archives, parse conflicting duplicate manifests without silently downgrading hidden handlers, and suppress collision warnings for byte-identical duplicate manifests
+- **security:** reduce NeMo Hydra `_target_` false positives by matching suspicious identifiers on token boundaries, preserve CVE-2025-23304 details on suspicious-target findings, and reject oversized YAML members before parsing
+- **security:** detect protocol 0/1 pickle streams with trivial opcode prefixes even when `STOP` is followed by trailing junk, while preserving plain-text near-match rejection
+- **security:** detect protocol 0/1 pickle streams whose dangerous opcode appears after large trivial padding or after a non-trivial probe-boundary prelude, reject all-trivial no-`STOP` probe prefixes, and preserve rule codes across cached scan-result round trips
+- **license:** bound binary header scans and reuse compiled patterns to avoid full-file regex passes on large model archives
 - **security:** stop iterating malformed TFLite models after excessive subgraph counts are detected
+- **openvino:** route forbidden-DOCTYPE IR XML into the OpenVINO scanner, fail closed on XML parse errors, and suppress warning-level format-validation noise for benign `.xml` models with no distinctive magic bytes
+- **security:** fail closed on conflicting duplicate or alias Keras root members so benign trailing `config.json` entries cannot hide malicious earlier configs, while accepting byte-identical duplicates without warning noise
+- **security:** detect PyTorch binary code and blacklist patterns that straddle chunk boundaries, avoid duplicate overlap reports, and return `success=False` when CRITICAL findings are present
+- **security:** scan every duplicate PyTorch ZIP member by physical archive entry and report conflicting duplicate names at INFO severity so benign trailing `data.pkl` entries cannot shadow malicious earlier payloads without making benign-but-conflicting duplicates warning-fail by themselves
+- **security:** route misnamed Skops ZIPs by bounded schema sniffing, treat encrypted Skops-like schema members as non-matches instead of crashing routing, recurse into embedded members while preserving Skops-specific CVE checks, avoid tiny nested `.bin` false positives on clean archive members, preserve nested-member byte accounting, and preserve CLI `scanner_names` in aggregated JSON output
+- **pickle:** bound post-budget global fallback state, retained findings, and deadline checks to prevent crafted pickle tails from exhausting scanner memory or flooding logs
 - **pickle:** mark timeout-, budget-, recursion-, and resource-limited pickle scans as inconclusive so clean-looking partial analysis returns exit code 2 unless real security findings were reported
 - route misnamed ZIP, HDF5, and 7z files through content-aware scanner selection
+- **security:** recursively scan all members of content-routed `.keras` ZIP archives with bounded per-member extraction, prefer canonical root members over normalized aliases, and fail closed on ambiguous duplicate aliases so embedded payloads and `./config.json` entries are not skipped
+- **security:** scan duplicate ZIP entries by physical archive member instead of resolving repeated names to the final entry, preventing shadowed payloads from being skipped during recursive archive analysis
+- bound Keras `config.json` and `metadata.json` member reads before JSON parsing
+- **openvino:** parse XML roots for long-prolog routing, enforce size limits before parsing, scan nested layer attributes for external library references, and avoid importlib substring false positives
+- **zip:** propagate nested critical findings and incomplete archive traversal to `success=False`, and bound symlink-target reads before path validation
+- **tar:** propagate nested critical findings and partial archive traversal to `success=False`, continue after per-entry extraction errors, and normalize malformed archive-limit configs to safe defaults
+- route oversized config-only Keras ZIP archives by bounded config-prefix sniffing instead of falling back to the generic ZIP scanner
 - preserve disguised model files during directory prefiltering without promoting document ZIPs
+- fail closed on duplicate 7z entries, nested critical findings, probe-limit truncation, and malformed 7z safety-limit configs
+- **oci:** fail closed on nested findings and partial layer traversal, content-sniff misnamed layer members, normalize cosmetic layer-ref suffix changes, and reject oversized members before temp extraction
+- **oci:** ignore non-layer metadata strings ending in `.tar.gz` when collecting manifest layer refs so benign URLs do not become false missing-layer failures
 - recurse into nested 7z members even when their filenames use misleading extensions
 - fail closed on extreme-size files when a scanner lacks bounded large-file analysis
 - harden scan-cache invalidation and skip caching operational scan failures
@@ -118,11 +207,13 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - avoid materializing streaming directory iterators in memory
 - fail closed when JFrog folder downloads return only partial results
 - **keras:** anchor safe Lambda normalization regexes in H5 scanning so appended statements (for example `; __import__(...)`) cannot bypass dangerous-code analysis
+- **keras:** harden Keras H5 scanning by propagating CRITICAL findings to `success=False`, scanning wrapper-owned nested layers, parsing prerelease fix-boundary versions correctly, and matching suspicious module/config tokens without benign substring false positives
 - complete primary header-format routing in `core.py` so all registered model formats map to scanner IDs (including OpenVINO/PMML/CNTK/LightGBM/Torch7/CatBoost/RKNN/MXNet/NeMo/Llamafile/TFLite/CoreML/Paddle/TensorRT/Flax/R/ExecuTorch/7z/compressed/skops/joblib/xgboost/jax_checkpoint), add `.skops` extension detection coverage without spurious ZIP mismatch noise, and route ZIP-backed PyTorch `.ckpt`/`.pkl` containers through the PyTorch ZIP path
 - **security:** track pickle `BUILD`-driven `__setstate__` mutation on non-safe globals and block tree-model opcode-threshold escalation when dangerous globals are present in-stream
 - **safetensors:** include BOOL, BF16, F8_E4M3, and F8_E5M2 dtypes in tensor-size validation so malformed offsets are no longer skipped
 - harden pickle symbolic stack simulation by ignoring stack-neutral opcodes and using unknown sentinels for unhandled stack pushes
 - **security:** scan TensorFlow SavedModel `assets/` and `assets.extra/` directories for executable-like content (shebang scripts, ELF/Mach-O binaries, pickle magic, and embedded Python source patterns)
+- **security:** make TensorFlow SavedModel scans fail closed on CRITICAL findings, avoid substring false positives in PyFunc function references, and treat `blacklist_patterns=None` as disabled instead of emitting DEBUG read errors
 - **security:** enforce SafeTensors `MAX_HEADER_BYTES` during `scan()` and skip regex-heavy metadata-content analysis when headers exceed the configured limit to reduce header-based DoS risk
 - emit a one-time warning when the HuggingFace whitelist snapshot is older than 90 days while preserving existing whitelist severity downgrades
 - treat pickle scan timeouts as unsuccessful while preserving post-budget tail scans after opcode truncation
@@ -173,6 +264,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - **security:** harden TensorFlow weight extraction limits to bound actual tensor payload materialization, including malformed `tensor_content` and string-backed tensors, and continue scanning past oversized `Const` nodes
 - **security:** stream TAR members to temp files under size limits instead of buffering whole entries in memory during scan
 - **security:** inspect TensorFlow SavedModel function definitions when scanning for dangerous ops and protobuf string abuse, with function-aware finding locations
+- **security:** route oversized TensorFlow MetaGraph files to fail-closed parse-budget scans, inspect `AttrValue.func.name` references in executable ops, and restore oversized-attribute anomaly detection after bounded string decoding
 - **cli:** include streamed artifacts as SBOM components when `scan --stream --sbom` is used
 - **cli:** exclude HuggingFace download cache bookkeeping files from remote SBOMs and asset lists
 - **cli:** add `--no-whitelist` and `--strict` whitelist/caching hardening so CI scans can disable HF severity downgrades and force uncached analysis

modelaudit-0.2.32/CLAUDE.md ADDED Viewed

	@@ -0,0 +1 @@
1	+ @AGENTS.md

{modelaudit-0.2.30 → modelaudit-0.2.32}/PKG-INFO RENAMED Viewed

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: modelaudit
-Version: 0.2.30
+Version: 0.2.32
 Summary: Static scanning library for detecting malicious code, backdoors, and other security risks in ML model files
 Project-URL: Repository, https://github.com/promptfoo/modelaudit
 Project-URL: Homepage, https://github.com/promptfoo/modelaudit

{modelaudit-0.2.30 → modelaudit-0.2.32}/modelaudit/cli.py RENAMED Viewed

@@ -297,13 +297,11 @@ class DefaultCommandGroup(click.Group):
 @click.version_option(__version__)
 def cli() -> None:
     """Static scanner for ML models"""
-    pass
 @cli.group()
 def auth() -> None:
     """Manage authentication"""
-    pass
 @auth.command()
@@ -430,7 +428,6 @@ def whoami() -> None:
 @cli.group()
 def cache() -> None:
     """Manage scan results cache"""
-    pass
 @cache.command()

{modelaudit-0.2.30 → modelaudit-0.2.32}/modelaudit/core.py RENAMED Viewed

@@ -26,6 +26,7 @@ from modelaudit.utils.file.detection import (
     is_executorch_archive,
     is_keras_zip_archive,
     is_pytorch_zip_archive,
+    is_skops_archive,
     is_torchserve_mar_archive,
     validate_file_type,
 )
@@ -261,8 +262,12 @@ def _select_preferred_scanner_id(path: str, header_format: str, ext: str) -> str
             return "pytorch_zip"
         if is_executorch_archive(path):
             return "executorch"
+        if is_skops_archive(path):
+            return "skops"
         if ext == ".skops":
             return "skops"
+        if ext == ".joblib":
+            return "joblib"
         if ext == ".bin":
             # ZIP-backed torch.save() .bin files are routed through the pickle scanner,
@@ -273,6 +278,12 @@ def _select_preferred_scanner_id(path: str, header_format: str, ext: str) -> str
     if header_format == "hdf5":
         return "keras_h5"
+    if ext == ".joblib" and header_format in {"compressed", "pickle"}:
+        return "joblib"
+    if header_format == "tar" and ext == ".nemo":
+        return "nemo"
     return HEADER_FORMAT_TO_SCANNER_ID.get(header_format)
@@ -507,9 +518,15 @@ def _group_checks_by_asset(checks_list: list[Any]) -> dict[tuple[str, str], list
         location = check.get("location", "")
         primary_asset = _extract_primary_asset_from_location(location)
         details = check.get("details")
+        zip_entry_id = details.get("zip_entry_id") if isinstance(details, dict) else None
         zip_entry = details.get("zip_entry") if isinstance(details, dict) else None
-        asset_group = f"{primary_asset}:{zip_entry}" if isinstance(zip_entry, str) and zip_entry else primary_asset
+        if isinstance(zip_entry_id, str) and zip_entry_id:
+            asset_group = f"{primary_asset}:{zip_entry_id}"
+        elif isinstance(zip_entry, str) and zip_entry:
+            asset_group = f"{primary_asset}:{zip_entry}"
+        else:
+            asset_group = primary_asset
         group_key = (check_name, asset_group)
         check_groups[group_key].append(check)
@@ -1126,9 +1143,6 @@ def scan_model_directory_or_file(
                             )
                             _add_error_asset_to_results(results, file_path)
-                # This section is now handled by the content grouping logic above
-                pass
             # Final progress update for directory scan
             if progress_callback and not limit_reached and total_files is not None and total_files > 0:
                 progress_callback(

{modelaudit-0.2.30 → modelaudit-0.2.32}/modelaudit/detectors/jit_script.py RENAMED Viewed

@@ -366,7 +366,11 @@ class JITScriptDetector:
             )
         # Check for Python operators (ONNX-Script)
-        if b"PythonOp" in data or b"PyOp" in data:
+        python_op_pattern = re.compile(
+            rb"(?<![A-Za-z0-9_])(?:PyFunc(?:Stateless)?|EagerPyFunc|PythonOp|PyOp)(?:V[0-9]+)?(?![A-Za-z0-9_])",
+            re.IGNORECASE,
+        )
+        if python_op_pattern.search(data):
             findings.append(
                 create_jit_finding(
                     message="Python operator in ONNX model - can execute arbitrary code",

{modelaudit-0.2.30 → modelaudit-0.2.32}/modelaudit/detectors/secrets.py RENAMED Viewed

@@ -276,8 +276,10 @@ class SecretsDetector:
             "AKIAIOSFODNN7EXAMPLE",  # AWS example access key
             "bPxRfiCYEXAMPLEKEY",  # AWS example secret key
             # JWT.io example token (without signature part)
-            "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
-            "eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ",
+            (
+                "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
+                "eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ"
+            ),
             "SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c",  # JWT.io example signature
         ]
         if any(example in text for example in example_secrets):

{modelaudit-0.2.30 → modelaudit-0.2.32}/modelaudit/integrations/license_checker.py RENAMED Viewed

@@ -1,3 +1,4 @@
+import itertools
 import json
 import os
 import re
@@ -115,6 +116,55 @@ UNLICENSED_INDICATORS = [
 SPDX_LICENSE_PATH = Path(__file__).parent.parent / "config" / "data" / "spdx_licenses.json"
 SPDX_LICENSE_URL = "https://raw.githubusercontent.com/spdx/license-list-data/master/json/licenses.json"
 _SPDX_LICENSES: dict[str, Any] | None = None
+_LICENSE_HEADER_MAX_BYTES = 64 * 1024
+_LICENSE_BINARY_CONTROL_BYTE_RATIO = 0.30
+_LICENSE_TEXT_CONTROL_BYTES = frozenset({0x09, 0x0A, 0x0C, 0x0D})
+_COMPILED_LICENSE_PATTERNS = tuple(
+    (re.compile(pattern, re.IGNORECASE | re.MULTILINE), info) for pattern, info in LICENSE_PATTERNS.items()
+)
+_COMPILED_COPYRIGHT_PATTERNS = tuple(
+    re.compile(pattern, re.IGNORECASE | re.MULTILINE) for pattern in COPYRIGHT_PATTERNS
+)
+def _looks_like_binary_header_sample(sample: bytes) -> bool:
+    """Return True when a bounded prefix is likely binary payload data."""
+    if not sample:
+        return False
+    if b"\x00" in sample:
+        return True
+    control_bytes = sum(1 for byte in sample if byte < 0x20 and byte not in _LICENSE_TEXT_CONTROL_BYTES)
+    return (control_bytes / len(sample)) >= _LICENSE_BINARY_CONTROL_BYTE_RATIO
+def _read_header_text(file_path: str, max_lines: int) -> str | None:
+    """Read a text header while bounding binary payload scans."""
+    if max_lines <= 0:
+        return ""
+    try:
+        with open(file_path, "rb") as f:
+            header_sample = f.read(_LICENSE_HEADER_MAX_BYTES)
+            has_more_bytes = bool(header_sample) and len(header_sample) >= _LICENSE_HEADER_MAX_BYTES and bool(f.read(1))
+    except OSError:
+        return None
+    if _looks_like_binary_header_sample(header_sample):
+        return header_sample.decode("utf-8", errors="ignore")
+    decoded_header = header_sample.decode("utf-8", errors="ignore")
+    if not has_more_bytes:
+        return "".join(decoded_header.splitlines(keepends=True)[:max_lines])
+    # Likely text files should keep the original line-oriented behavior so
+    # long one-line headers are not silently truncated by the binary cap.
+    try:
+        with open(file_path, encoding="utf-8", errors="ignore") as f:
+            return "".join(itertools.islice(f, max_lines))
+    except OSError:
+        return None
 def load_spdx_license_data(download: bool = False) -> dict[str, Any]:
@@ -190,26 +240,13 @@ def scan_for_license_headers(file_path: str, max_lines: int = 50) -> list[Licens
     """
     licenses: list[LicenseInfo] = []
-    try:
-        with open(file_path, encoding="utf-8", errors="ignore") as f:
-            content = ""
-            for i, line in enumerate(f):
-                if i >= max_lines:
-                    break
-                content += line
-    except (OSError, UnicodeDecodeError):
-        # Try reading as binary for files that might not be text
-        try:
-            with open(file_path, "rb") as f:
-                binary_content = f.read(1024 * 10)  # Read first 10KB
-                content = binary_content.decode("utf-8", errors="ignore")
-        except Exception:
-            return licenses
+    content = _read_header_text(file_path, max_lines)
+    if content is None:
+        return licenses
     # Search for license patterns
-    for pattern, info in LICENSE_PATTERNS.items():
-        matches = re.findall(pattern, content, re.IGNORECASE | re.MULTILINE)
-        if matches:
+    for pattern_re, info in _COMPILED_LICENSE_PATTERNS:
+        if pattern_re.search(content):
             license_info = LicenseInfo(
                 spdx_id=str(info["spdx_id"]) if info["spdx_id"] else None,
                 name=str(info["name"]) if info["name"] else None,
@@ -240,19 +277,13 @@ def extract_copyright_notices(
     """
     copyrights: list[CopyrightInfo] = []
-    try:
-        with open(file_path, encoding="utf-8", errors="ignore") as f:
-            content = ""
-            for i, line in enumerate(f):
-                if i >= max_lines:
-                    break
-                content += line
-    except Exception:
+    content = _read_header_text(file_path, max_lines)
+    if content is None:
         return copyrights
     # Search for copyright patterns
-    for pattern in COPYRIGHT_PATTERNS:
-        matches = re.findall(pattern, content, re.IGNORECASE | re.MULTILINE)
+    for pattern_re in _COMPILED_COPYRIGHT_PATTERNS:
+        matches = pattern_re.findall(content)
         for match in matches:
             if len(match) >= 2:
                 year = match[0].strip()

{modelaudit-0.2.30 → modelaudit-0.2.32}/modelaudit/models.py RENAMED Viewed

@@ -437,7 +437,23 @@ class ModelAuditResultModel(BaseModel, DictCompatMixin):
                 self.file_metadata[path] = metadata
         # Track scanner names (avoid duplicates)
-        for scanner in results_dict.get("scanners", []):
+        def _normalize_scanner_names(value: Any) -> list[str]:
+            """Coerce scanner metadata into a list of scanner names."""
+            if value is None:
+                return []
+            if isinstance(value, str):
+                return [value]
+            if isinstance(value, list | tuple):
+                return [scanner for scanner in value if isinstance(scanner, str)]
+            if isinstance(value, set):
+                return sorted(scanner for scanner in value if isinstance(scanner, str))
+            return []
+        merged_scanners = [
+            *_normalize_scanner_names(results_dict.get("scanners")),
+            *_normalize_scanner_names(results_dict.get("scanner_names")),
+        ]
+        for scanner in merged_scanners:
             if scanner and scanner not in self.scanner_names and scanner != "unknown":
                 self.scanner_names.append(scanner)

{modelaudit-0.2.30 → modelaudit-0.2.32}/modelaudit/progress/base.py RENAMED Viewed

@@ -141,7 +141,6 @@ class ProgressReporter(ABC):
         Args:
             stats: Current progress statistics
         """
-        pass
     @abstractmethod
     def report_phase_change(self, old_phase: ProgressPhase, new_phase: ProgressPhase) -> None:
@@ -151,7 +150,6 @@ class ProgressReporter(ABC):
             old_phase: Previous phase
             new_phase: New phase
         """
-        pass
     @abstractmethod
     def report_completion(self, stats: ProgressStats) -> None:
@@ -160,7 +158,6 @@ class ProgressReporter(ABC):
         Args:
             stats: Final progress statistics
         """
-        pass
     @abstractmethod
     def report_error(self, error: Exception, stats: ProgressStats) -> None:
@@ -170,7 +167,6 @@ class ProgressReporter(ABC):
             error: The error that occurred
             stats: Progress statistics at time of error
         """
-        pass
     def should_update(self) -> bool:
         """Check if enough time has passed for an update."""

modelaudit 0.2.30__tar.gz → 0.2.32__tar.gz

modelaudit 0.2.30tar.gz → 0.2.32tar.gz