PyPI - modelaudit - Versions diffs - 0.2.31__tar.gz → 0.2.32__tar.gz - Mend

modelaudit 0.2.31tar.gz → 0.2.32tar.gz

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (591) hide show

modelaudit-0.2.32/.release-please-manifest.json ADDED Viewed

@@ -0,0 +1,3 @@
+{
+  ".": "0.2.32"
+}

{modelaudit-0.2.31 → modelaudit-0.2.32}/CHANGELOG.md RENAMED Viewed

@@ -5,6 +5,24 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+## [0.2.32](https://github.com/promptfoo/modelaudit/compare/v0.2.31...v0.2.32) (2026-04-05)
+### Bug Fixes
+- detect punctuated TensorRT tmp paths ([#867](https://github.com/promptfoo/modelaudit/issues/867)) ([9607530](https://github.com/promptfoo/modelaudit/commit/96075302de2d71b228be97e49698d6a1ad6b35bf))
+- fail closed on OpenVINO DOCTYPE parse errors ([#864](https://github.com/promptfoo/modelaudit/issues/864)) ([f5b19c4](https://github.com/promptfoo/modelaudit/commit/f5b19c48c7eab876e29f1f474c555b902fa9b6ce))
+- ignore OCI metadata URLs during layer discovery ([#866](https://github.com/promptfoo/modelaudit/issues/866)) ([0b24e3f](https://github.com/promptfoo/modelaudit/commit/0b24e3f7a0e013541bce100b64f1d69558bd807d))
+- reduce PMML subprocess extension false positives ([#869](https://github.com/promptfoo/modelaudit/issues/869)) ([5e6f79d](https://github.com/promptfoo/modelaudit/commit/5e6f79dc134267202b5a4b841a8946af865ebd15))
+- tolerate bounded CoreML custom block truncation ([#868](https://github.com/promptfoo/modelaudit/issues/868)) ([34df06d](https://github.com/promptfoo/modelaudit/commit/34df06dd2c12b69815a2a15f1273085856bebf64))
+## [Unreleased]
+### Bug Fixes
+- avoid CoreML nested parse failures on bounded-read truncation
+- detect punctuation-delimited TensorRT `/tmp` plugin paths
+- avoid PMML `<Extension>` false positives for benign `subprocess` prose while preserving `subprocess.getoutput()`, `subprocess.getstatusoutput()`, and `importlib.import_module("subprocess")` detections
 ## [0.2.31](https://github.com/promptfoo/modelaudit/compare/v0.2.30...v0.2.31) (2026-04-04)
 ### Bug Fixes
@@ -163,6 +181,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - **security:** detect protocol 0/1 pickle streams whose dangerous opcode appears after large trivial padding or after a non-trivial probe-boundary prelude, reject all-trivial no-`STOP` probe prefixes, and preserve rule codes across cached scan-result round trips
 - **license:** bound binary header scans and reuse compiled patterns to avoid full-file regex passes on large model archives
 - **security:** stop iterating malformed TFLite models after excessive subgraph counts are detected
+- **openvino:** route forbidden-DOCTYPE IR XML into the OpenVINO scanner, fail closed on XML parse errors, and suppress warning-level format-validation noise for benign `.xml` models with no distinctive magic bytes
 - **security:** fail closed on conflicting duplicate or alias Keras root members so benign trailing `config.json` entries cannot hide malicious earlier configs, while accepting byte-identical duplicates without warning noise
 - **security:** detect PyTorch binary code and blacklist patterns that straddle chunk boundaries, avoid duplicate overlap reports, and return `success=False` when CRITICAL findings are present
 - **security:** scan every duplicate PyTorch ZIP member by physical archive entry and report conflicting duplicate names at INFO severity so benign trailing `data.pkl` entries cannot shadow malicious earlier payloads without making benign-but-conflicting duplicates warning-fail by themselves
@@ -180,6 +199,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - preserve disguised model files during directory prefiltering without promoting document ZIPs
 - fail closed on duplicate 7z entries, nested critical findings, probe-limit truncation, and malformed 7z safety-limit configs
 - **oci:** fail closed on nested findings and partial layer traversal, content-sniff misnamed layer members, normalize cosmetic layer-ref suffix changes, and reject oversized members before temp extraction
+- **oci:** ignore non-layer metadata strings ending in `.tar.gz` when collecting manifest layer refs so benign URLs do not become false missing-layer failures
 - recurse into nested 7z members even when their filenames use misleading extensions
 - fail closed on extreme-size files when a scanner lacks bounded large-file analysis
 - harden scan-cache invalidation and skip caching operational scan failures

{modelaudit-0.2.31 → modelaudit-0.2.32}/PKG-INFO RENAMED Viewed

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: modelaudit
-Version: 0.2.31
+Version: 0.2.32
 Summary: Static scanning library for detecting malicious code, backdoors, and other security risks in ML model files
 Project-URL: Repository, https://github.com/promptfoo/modelaudit
 Project-URL: Homepage, https://github.com/promptfoo/modelaudit

{modelaudit-0.2.31 → modelaudit-0.2.32}/modelaudit/scanners/coreml_scanner.py RENAMED Viewed

@@ -198,6 +198,7 @@ class CoreMLScanner(BaseScanner):
     MAX_USER_METADATA_ENTRIES: ClassVar[int] = 512
     MAX_RECURSIVE_MESSAGE_DEPTH: ClassVar[int] = 16
     MAX_RECURSIVE_PROTOBUF_DEPTH: ClassVar[int] = 64
+    _allow_truncated_field_parse = False
     # CoreML model oneof fields from Model.proto
     MODEL_TYPE_FIELDS: ClassVar[frozenset[int]] = frozenset(
@@ -339,6 +340,7 @@ class CoreMLScanner(BaseScanner):
         result = self._create_result()
         self.current_file_path = path
         file_size = self.get_file_size(path)
+        self._allow_truncated_field_parse = file_size > self.MAX_PARSE_BYTES
         result.metadata["file_size"] = file_size
         # Add file integrity check for compliance.
@@ -362,6 +364,7 @@ class CoreMLScanner(BaseScanner):
             return result
         if file_size > self.MAX_PARSE_BYTES:
+            result.metadata["coreml_bounded_read_truncated"] = True
             result.add_check(
                 name="CoreML Bounded Parse Window",
                 passed=True,
@@ -438,9 +441,11 @@ class CoreMLScanner(BaseScanner):
                 model_path=model_path,
             )
-        traversal_truncated = bool(result.metadata.get("coreml_traversal_truncated"))
+        scan_truncated = bool(
+            result.metadata.get("coreml_bounded_read_truncated") or result.metadata.get("coreml_traversal_truncated")
+        )
-        if metadata_findings == 0 and not traversal_truncated:
+        if metadata_findings == 0 and not scan_truncated:
             result.add_check(
                 name="CoreML Metadata Security Check",
                 passed=True,
@@ -448,7 +453,7 @@ class CoreMLScanner(BaseScanner):
                 location=path,
             )
-        if custom_findings == 0 and not traversal_truncated:
+        if custom_findings == 0 and not scan_truncated:
             result.add_check(
                 name="CoreML Custom Code Path Check",
                 passed=True,
@@ -456,7 +461,7 @@ class CoreMLScanner(BaseScanner):
                 location=path,
             )
-        if linked_path_findings == 0 and not traversal_truncated:
+        if linked_path_findings == 0 and not scan_truncated:
             result.add_check(
                 name="CoreML Linked Model Path Check",
                 passed=True,
@@ -609,6 +614,22 @@ class CoreMLScanner(BaseScanner):
             "has_custom_model": has_custom_model,
         }
+    def _parse_field_message(
+        self,
+        field: _ProtoField,
+        *,
+        max_fields: int,
+    ) -> tuple[list[_ProtoField], str | None]:
+        payload = field.value
+        if not isinstance(payload, bytes):
+            return [], None
+        return _parse_message(
+            payload,
+            max_fields=max_fields,
+            allow_truncated=self._allow_truncated_field_parse and field.truncated,
+        )
     def _analyze_description(
         self,
         top_fields: list[_ProtoField],
@@ -623,11 +644,10 @@ class CoreMLScanner(BaseScanner):
         if not description_messages:
             return findings
-        description_payload = description_messages[0].value
-        if not isinstance(description_payload, bytes):
-            return findings
-        desc_fields, desc_error = _parse_message(description_payload, max_fields=self.MAX_NESTED_FIELDS)
+        desc_fields, desc_error = self._parse_field_message(
+            description_messages[0],
+            max_fields=self.MAX_NESTED_FIELDS,
+        )
         if desc_error:
             result.add_check(
                 name="CoreML Description Parse",
@@ -643,11 +663,10 @@ class CoreMLScanner(BaseScanner):
         if not metadata_messages:
             return findings
-        metadata_payload = metadata_messages[0].value
-        if not isinstance(metadata_payload, bytes):
-            return findings
-        metadata_fields, metadata_error = _parse_message(metadata_payload, max_fields=self.MAX_NESTED_FIELDS)
+        metadata_fields, metadata_error = self._parse_field_message(
+            metadata_messages[0],
+            max_fields=self.MAX_NESTED_FIELDS,
+        )
         if metadata_error:
             result.add_check(
                 name="CoreML Metadata Parse",
@@ -694,11 +713,7 @@ class CoreMLScanner(BaseScanner):
         user_defined: dict[str, str] = {}
         user_defined_fields = _len_fields(metadata_fields, 100)[: self.MAX_USER_METADATA_ENTRIES]
         for index, entry_field in enumerate(user_defined_fields):
-            entry_payload = entry_field.value
-            if not isinstance(entry_payload, bytes):
-                continue
-            entry_fields, entry_error = _parse_message(entry_payload, max_fields=32)
+            entry_fields, entry_error = self._parse_field_message(entry_field, max_fields=32)
             if entry_error:
                 result.add_check(
                     name="CoreML User Metadata Entry Parse",
@@ -862,12 +877,9 @@ class CoreMLScanner(BaseScanner):
         for model_field in top_fields:
             if model_field.field_number not in self.NEURAL_NETWORK_FIELDS or model_field.wire_type != 2:
                 continue
-            payload = model_field.value
-            if not isinstance(payload, bytes):
-                continue
-            network_fields, network_error = _parse_message(
-                payload, max_fields=self.MAX_NESTED_FIELDS, allow_truncated=False
+            network_fields, network_error = self._parse_field_message(
+                model_field,
+                max_fields=self.MAX_NESTED_FIELDS,
             )
             if network_error:
                 result.add_check(
@@ -886,12 +898,10 @@ class CoreMLScanner(BaseScanner):
             layer_fields = _len_fields(network_fields, 1)
             for layer_index, layer_field in enumerate(layer_fields):
-                layer_payload = layer_field.value
-                if not isinstance(layer_payload, bytes):
-                    continue
                 layer_count += 1
-                parsed_layer, layer_error = _parse_message(
-                    layer_payload, max_fields=self.MAX_NESTED_FIELDS, allow_truncated=False
+                parsed_layer, layer_error = self._parse_field_message(
+                    layer_field,
+                    max_fields=self.MAX_NESTED_FIELDS,
                 )
                 if layer_error:
                     result.add_check(
@@ -917,14 +927,10 @@ class CoreMLScanner(BaseScanner):
                 custom_fields = _len_fields(parsed_layer, 500)
                 for custom_field in custom_fields:
-                    custom_payload = custom_field.value
-                    if not isinstance(custom_payload, bytes):
-                        continue
                     custom_layer_count += 1
-                    parsed_custom, custom_error = _parse_message(
-                        custom_payload,
+                    parsed_custom, custom_error = self._parse_field_message(
+                        custom_field,
                         max_fields=self.MAX_NESTED_FIELDS,
-                        allow_truncated=False,
                     )
                     if custom_error:
                         result.add_check(
@@ -979,12 +985,9 @@ class CoreMLScanner(BaseScanner):
         custom_model_fields = _len_fields(top_fields, self.CUSTOM_MODEL_FIELD)
         for custom_model_field in custom_model_fields:
-            payload = custom_model_field.value
-            if not isinstance(payload, bytes):
-                continue
-            custom_model, custom_model_error = _parse_message(
-                payload, max_fields=self.MAX_NESTED_FIELDS, allow_truncated=False
+            custom_model, custom_model_error = self._parse_field_message(
+                custom_model_field,
+                max_fields=self.MAX_NESTED_FIELDS,
             )
             if custom_model_error:
                 result.add_check(
@@ -1053,11 +1056,7 @@ class CoreMLScanner(BaseScanner):
         parameter_entries = _len_fields(message_fields, 30)
         for entry_index, parameter_entry in enumerate(parameter_entries):
-            entry_payload = parameter_entry.value
-            if not isinstance(entry_payload, bytes):
-                continue
-            entry_fields, entry_error = _parse_message(entry_payload, max_fields=32, allow_truncated=False)
+            entry_fields, entry_error = self._parse_field_message(parameter_entry, max_fields=32)
             if entry_error:
                 result.add_check(
                     name="CoreML Custom Parameter Entry Parse",
@@ -1079,12 +1078,11 @@ class CoreMLScanner(BaseScanner):
                 continue
             raw_key = key_fields[0].value
-            raw_value = value_fields[0].value
-            if not isinstance(raw_key, bytes) or not isinstance(raw_value, bytes):
+            if not isinstance(raw_key, bytes):
                 continue
             param_key = _decode_string(raw_key, max_length=256)
-            value_message_fields, value_error = _parse_message(raw_value, max_fields=32, allow_truncated=False)
+            value_message_fields, value_error = self._parse_field_message(value_fields[0], max_fields=32)
             if value_error:
                 result.add_check(
                     name="CoreML Custom Parameter Value Parse",
@@ -1151,11 +1149,7 @@ class CoreMLScanner(BaseScanner):
         base_dir = Path(path).resolve().parent
         for linked_model_field in linked_model_fields:
-            payload = linked_model_field.value
-            if not isinstance(payload, bytes):
-                continue
-            linked_model_message, parse_error = _parse_message(payload, max_fields=64, allow_truncated=False)
+            linked_model_message, parse_error = self._parse_field_message(linked_model_field, max_fields=64)
             if parse_error:
                 result.add_check(
                     name="CoreML Linked Model Parse",
@@ -1173,11 +1167,10 @@ class CoreMLScanner(BaseScanner):
             linked_model_file_fields = _len_fields(linked_model_message, 1)
             for linked_model_file_field in linked_model_file_fields:
-                file_payload = linked_model_file_field.value
-                if not isinstance(file_payload, bytes):
-                    continue
-                linked_model_file, file_error = _parse_message(file_payload, max_fields=64, allow_truncated=False)
+                linked_model_file, file_error = self._parse_field_message(
+                    linked_model_file_field,
+                    max_fields=64,
+                )
                 if file_error:
                     result.add_check(
                         name="CoreML Linked Model File Parse",
@@ -1225,11 +1218,7 @@ class CoreMLScanner(BaseScanner):
         if not parameter_fields:
             return None
-        payload = parameter_fields[0].value
-        if not isinstance(payload, bytes):
-            return None
-        parsed_parameter, parse_error = _parse_message(payload, max_fields=16, allow_truncated=False)
+        parsed_parameter, parse_error = self._parse_field_message(parameter_fields[0], max_fields=16)
         if parse_error:
             return None

{modelaudit-0.2.31 → modelaudit-0.2.32}/modelaudit/scanners/oci_layer_scanner.py RENAMED Viewed

@@ -110,6 +110,40 @@ class OciLayerScanner(BaseScanner):
         """Trim manifest layer refs so cosmetic suffix whitespace cannot hide .tar.gz layers."""
         return layer_ref.strip().rstrip(" .")
+    @classmethod
+    def _collect_layer_paths(cls, manifest_data: Any) -> list[str]:
+        """Collect layer refs from manifest layer fields without treating arbitrary strings as layers."""
+        layer_paths: list[str] = []
+        def _append_layer_ref(value: Any) -> None:
+            if isinstance(value, str) and cls._normalize_layer_ref(value).lower().endswith(cls._LAYER_ARCHIVE_SUFFIX):
+                layer_paths.append(value)
+        def _collect_layer_value(value: Any) -> None:
+            if isinstance(value, str):
+                _append_layer_ref(value)
+            elif isinstance(value, list):
+                for item in value:
+                    _collect_layer_value(item)
+            elif isinstance(value, dict):
+                for key, item in value.items():
+                    if str(key).lower() in {"layers", "urls"}:
+                        _collect_layer_value(item)
+        def _walk_manifest(obj: Any) -> None:
+            if isinstance(obj, dict):
+                for key, value in obj.items():
+                    if str(key).lower() == "layers":
+                        _collect_layer_value(value)
+                    elif isinstance(value, (dict, list)):
+                        _walk_manifest(value)
+            elif isinstance(obj, list):
+                for item in obj:
+                    _walk_manifest(item)
+        _walk_manifest(manifest_data)
+        return layer_paths
     @staticmethod
     def _rewrite_embedded_location(
         location: str | None,
@@ -233,20 +267,7 @@ class OciLayerScanner(BaseScanner):
             result.finish(success=False)
             return result
-        # Find layer paths ending with .tar.gz
-        layer_paths: list[str] = []
-        def _search(obj: Any) -> None:
-            if isinstance(obj, dict):
-                for v in obj.values():
-                    _search(v)
-            elif isinstance(obj, list):
-                for item in obj:
-                    _search(item)
-            elif isinstance(obj, str) and self._normalize_layer_ref(obj).lower().endswith(self._LAYER_ARCHIVE_SUFFIX):
-                layer_paths.append(obj)
-        _search(manifest_data)
+        layer_paths = self._collect_layer_paths(manifest_data)
         manifest_dir = os.path.dirname(path)
         scan_complete = True

{modelaudit-0.2.31 → modelaudit-0.2.32}/modelaudit/scanners/openvino_scanner.py RENAMED Viewed

@@ -40,6 +40,77 @@ def _local_tag_name(tag: str) -> str:
     return tag.rsplit("}", 1)[-1].lower()
+def _skip_doctype_declaration(xml_prefix: bytes, start_offset: int) -> int | None:
+    """Skip a DOCTYPE declaration without expanding entities."""
+    index = start_offset + len(b"<!DOCTYPE")
+    bracket_depth = 0
+    quote_char: int | None = None
+    while index < len(xml_prefix):
+        byte = xml_prefix[index]
+        if quote_char is not None:
+            if byte == quote_char:
+                quote_char = None
+        elif byte in {ord("'"), ord('"')}:
+            quote_char = byte
+        elif byte == ord("["):
+            bracket_depth += 1
+        elif byte == ord("]") and bracket_depth > 0:
+            bracket_depth -= 1
+        elif byte == ord(">") and bracket_depth == 0:
+            return index + 1
+        index += 1
+    return None
+def _looks_like_openvino_xml_prefix(xml_prefix: bytes) -> bool:
+    """Sniff the first root element without relying on entity-expanding XML parsing."""
+    index = 3 if xml_prefix.startswith(b"\xef\xbb\xbf") else 0
+    prefix_length = len(xml_prefix)
+    while index < prefix_length:
+        while index < prefix_length and chr(xml_prefix[index]).isspace():
+            index += 1
+        if xml_prefix.startswith(b"<?", index):
+            end_offset = xml_prefix.find(b"?>", index + 2)
+            if end_offset == -1:
+                return False
+            index = end_offset + 2
+            continue
+        if xml_prefix.startswith(b"<!--", index):
+            end_offset = xml_prefix.find(b"-->", index + 4)
+            if end_offset == -1:
+                return False
+            index = end_offset + 3
+            continue
+        if xml_prefix[index : index + len(b"<!DOCTYPE")].upper() == b"<!DOCTYPE":
+            next_index = _skip_doctype_declaration(xml_prefix, index)
+            if next_index is None:
+                return False
+            index = next_index
+            continue
+        break
+    if index >= prefix_length or xml_prefix[index : index + 1] != b"<":
+        return False
+    if xml_prefix[index + 1 : index + 2] in {b"/", b"!", b"?"}:
+        return False
+    tag_end = index + 1
+    while tag_end < prefix_length and xml_prefix[tag_end : tag_end + 1] not in b" \t\r\n\f/>":
+        tag_end += 1
+    if tag_end == index + 1:
+        return False
+    root_tag = xml_prefix[index + 1 : tag_end].decode("utf-8", "ignore")
+    return _local_tag_name(root_tag) in _OPENVINO_ROOT_TAGS
 def _iter_element_attributes(layer: Any) -> Iterator[tuple[str, str, str]]:
     """Yield normalized attributes from a layer and its nested config nodes."""
     for element in layer.iter():
@@ -68,8 +139,11 @@ class OpenVinoScanner(BaseScanner):
         try:
             with open(path, "rb") as xml_file:
                 xml_prefix = xml_file.read(cls.CAN_HANDLE_MAX_PARSE_BYTES)
-                for _event, element in DefusedET.iterparse(BytesIO(xml_prefix), events=("start",)):
-                    return _local_tag_name(str(element.tag)) in _OPENVINO_ROOT_TAGS
+                try:
+                    for _event, element in DefusedET.iterparse(BytesIO(xml_prefix), events=("start",)):
+                        return _local_tag_name(str(element.tag)) in _OPENVINO_ROOT_TAGS
+                except Exception:
+                    return _looks_like_openvino_xml_prefix(xml_prefix)
         except Exception:
             return False
@@ -105,6 +179,8 @@ class OpenVinoScanner(BaseScanner):
             tree = DefusedET.parse(path)
             root = tree.getroot()
         except Exception as e:  # pragma: no cover - parse errors
+            result.metadata["operational_error"] = True
+            result.metadata["operational_error_reason"] = "openvino_xml_parse_failed"
             result.add_check(
                 name="OpenVINO XML Parse",
                 passed=False,

{modelaudit-0.2.31 → modelaudit-0.2.32}/modelaudit/scanners/pmml_scanner.py RENAMED Viewed

@@ -27,7 +27,9 @@ SUSPICIOUS_PATTERNS = [
     r"exec\s*\(",
     r"eval\s*\(",
     r"import\s+os",
-    r"subprocess",
+    r"\b(?:importlib\s*\.\s*)?import_module\s*\(\s*['\"]subprocess['\"]\s*\)",
+    r"\b(?:from\s+subprocess\s+import|import\s+subprocess)\b",
+    r"\bsubprocess\s*\.\s*(?:popen|run|call|check_call|check_output|getoutput|getstatusoutput)\s*\(",
     r"__import__",
     r"system\s*\(",
 ]

{modelaudit-0.2.31 → modelaudit-0.2.32}/modelaudit/scanners/tensorrt_scanner.py RENAMED Viewed

@@ -11,11 +11,11 @@ from .base import BaseScanner, IssueSeverity, ScanResult
 SUSPICIOUS_PATTERN_RULES: tuple[tuple[str, re.Pattern[str]], ...] = (
     ("../", re.compile(r"(?<![A-Za-z0-9_.-])(?:\.\./|\.\.\\)", re.IGNORECASE)),
-    ("/tmp/", re.compile(r"(?:^|[\s'\"=:])(?:/tmp/|(?:[A-Za-z]:)?\\tmp\\)", re.IGNORECASE)),
+    ("/tmp/", re.compile(r"(?<![A-Za-z0-9_.-])(?:/tmp/|(?:[A-Za-z]:)?\\tmp\\)", re.IGNORECASE)),
     (
         ".so",
         re.compile(
-            r"(?<![A-Za-z0-9_.-])(?:[A-Za-z0-9_+.-]+)?\.so(?:\.[A-Za-z0-9_+.-]+)?(?![A-Za-z0-9_.-])",
+            r"(?<![A-Za-z0-9_.-])(?:[A-Za-z0-9_+.-]+)?\.so(?:\.[0-9]+(?:\.[0-9]+)*)?(?![A-Za-z0-9_.-])",
             re.IGNORECASE,
         ),
     ),

{modelaudit-0.2.31 → modelaudit-0.2.32}/modelaudit/utils/file/detection.py RENAMED Viewed

@@ -1382,6 +1382,11 @@ def validate_file_type(path: str) -> bool:
         if ext_format == "pmml" and header_format == "pmml":
             return True
+        # OpenVINO IR XML can be identified structurally by the dedicated scanner
+        # even when bounded magic-byte detection returns unknown for normal XML.
+        if ext_format == "openvino":
+            return header_format in {"openvino", "unknown"}
         if ext_format == "torchserve_mar":
             return header_format == "torchserve_mar"

{modelaudit-0.2.31 → modelaudit-0.2.32}/pyproject.toml RENAMED Viewed

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 [project]
 name = "modelaudit"
-version = "0.2.31"
+version = "0.2.32"
 description = "Static scanning library for detecting malicious code, backdoors, and other security risks in ML model files"
 authors = [
     { name = "Ian Webster", email = "ian@promptfoo.dev" },

{modelaudit-0.2.31 → modelaudit-0.2.32}/tests/scanners/test_coreml_scanner.py RENAMED Viewed

@@ -539,6 +539,30 @@ def test_coreml_scanner_recursion_limit_succeeds_just_below_limit(tmp_path: Path
     )
+def test_coreml_scanner_oversized_truncated_benign_layers_do_not_fail_closed(tmp_path: Path) -> None:
+    oversized_layer = _build_layer("safe_layer_" + "A" * (CoreMLScanner.MAX_PARSE_BYTES + 2048))
+    model_path = _write_model(
+        tmp_path / "oversized_truncated_benign.mlmodel",
+        _build_model(
+            description=_build_description(metadata=_build_metadata()),
+            neural_network=_build_neural_network(layers=[oversized_layer]),
+        ),
+    )
+    result = CoreMLScanner().scan(str(model_path))
+    assert result.success is True
+    assert result.metadata.get("coreml_bounded_read_truncated") is True
+    assert not any(
+        issue.severity == IssueSeverity.CRITICAL and "Unable to parse CoreML neural network block" in issue.message
+        for issue in result.issues
+    )
+    assert any(
+        check.name == "CoreML Bounded Parse Window" and check.status.value == "passed" for check in result.checks
+    )
+    assert not any(check.name == "CoreML Custom Code Path Check" for check in result.checks)
 def test_coreml_scanner_malformed_custom_model_fails_closed(tmp_path: Path) -> None:
     model_path = _write_model(
         tmp_path / "malformed_custom_model.mlmodel",
@@ -581,6 +605,35 @@ def test_coreml_scanner_truncated_linked_model_file_fails_closed(tmp_path: Path)
     )
+def test_coreml_scanner_truncated_nested_linked_model_fails_closed_without_bounded_read(tmp_path: Path) -> None:
+    malformed_nested_model = (
+        _field_varint(1, 8)
+        + _field_bytes(2, _build_description(metadata=_build_metadata()))
+        + _encode_varint((556 << 3) | 2)
+        + _encode_varint(8)
+        + b"\x0a\x05abc"
+    )
+    model_path = _write_model(
+        tmp_path / "nested_malformed_linked_model.mlmodel",
+        _build_model(
+            description=_build_description(metadata=_build_metadata()),
+            pipeline_wrapper=_build_pipeline_wrapper(malformed_nested_model),
+        ),
+    )
+    result = CoreMLScanner().scan(str(model_path))
+    assert result.success is False
+    assert result.metadata.get("coreml_bounded_read_truncated") is not True
+    assert any(
+        issue.severity == IssueSeverity.CRITICAL
+        and "Unable to parse CoreML linked-model block" in issue.message
+        and "][1:0][556]" in issue.details.get("field_path", "")
+        and issue.details.get("parse_error") == "truncated length-delimited field 1"
+        for issue in result.issues
+    )
 def test_coreml_scanner_corrupt_protobuf_handling(tmp_path: Path) -> None:
     corrupt_path = tmp_path / "corrupt.mlmodel"
     # Truncated length-delimited field

{modelaudit-0.2.31 → modelaudit-0.2.32}/tests/scanners/test_oci_layer_scanner.py RENAMED Viewed

@@ -294,6 +294,33 @@ class TestOciLayerScanner:
         assert result.success is True
+    def test_scan_manifest_ignores_non_layer_tar_gz_metadata_strings(self, tmp_path: Path) -> None:
+        """Metadata URLs ending in .tar.gz should not be treated as required local layer files."""
+        safe_file = tmp_path / "safe.txt"
+        safe_file.write_text("Safe content")
+        layer_path = tmp_path / "layer.tar.gz"
+        with tarfile.open(layer_path, "w:gz") as tar:
+            tar.add(safe_file, arcname="safe.txt")
+        manifest = {
+            "layers": ["layer.tar.gz"],
+            "homepage": "https://cdn.example.com/not-a-local-layer.tar.gz",
+            "metadata": {
+                "release_notes": "https://cdn.example.com/docs.tar.gz",
+                "labels": ["stable", "https://cdn.example.com/archive.tar.gz"],
+            },
+        }
+        manifest_path = tmp_path / "metadata-url.manifest"
+        manifest_path.write_text(json.dumps(manifest))
+        result = OciLayerScanner().scan(str(manifest_path))
+        assert result.success is True
+        assert not any("not-a-local-layer.tar.gz" in issue.message for issue in result.issues)
+        assert not any("docs.tar.gz" in issue.message for issue in result.issues)
+        assert not any("archive.tar.gz" in issue.message for issue in result.issues)
     def test_scan_layer_with_non_scannable_files(self, tmp_path):
         """Test scanning layer containing files that don't match any scanner."""
         # Create a random binary file

modelaudit 0.2.31__tar.gz → 0.2.32__tar.gz

modelaudit 0.2.31tar.gz → 0.2.32tar.gz