modelaudit 0.2.35__tar.gz → 0.2.37__tar.gz
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- modelaudit-0.2.37/.release-please-manifest.json +3 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/AGENTS.md +3 -2
- {modelaudit-0.2.35 → modelaudit-0.2.37}/CHANGELOG.md +65 -22
- {modelaudit-0.2.35 → modelaudit-0.2.37}/Dockerfile +1 -1
- {modelaudit-0.2.35 → modelaudit-0.2.37}/Dockerfile.full +1 -1
- {modelaudit-0.2.35 → modelaudit-0.2.37}/Dockerfile.tensorflow +1 -1
- {modelaudit-0.2.35 → modelaudit-0.2.37}/PKG-INFO +2 -2
- {modelaudit-0.2.35 → modelaudit-0.2.37}/docs/agents/architecture.md +5 -2
- {modelaudit-0.2.35 → modelaudit-0.2.37}/docs/agents/new-scanner-quickstart.md +2 -1
- {modelaudit-0.2.35 → modelaudit-0.2.37}/docs/maintainers/format-gap-plans/coreml-mlmodel.md +2 -2
- {modelaudit-0.2.35 → modelaudit-0.2.37}/docs/maintainers/format-gap-plans/mxnet-models.md +2 -2
- {modelaudit-0.2.35 → modelaudit-0.2.37}/docs/maintainers/format-gap-plans/torchserve-mar.md +4 -4
- modelaudit-0.2.37/docs/maintainers/scanner-cve-gap-analysis-2026-04-11.md +130 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/cli.py +76 -40
- modelaudit-0.2.37/modelaudit/config/constants.py +21 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/config/explanations.py +36 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/core.py +83 -614
- modelaudit-0.2.37/modelaudit/core_results.py +507 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/detectors/network_comm.py +238 -19
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/detectors/suspicious_symbols.py +9 -4
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/integrations/jfrog.py +11 -5
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/integrations/sarif_formatter.py +60 -11
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/metadata_extractor.py +12 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/rule_catalog.py +7 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/scanner_registry_metadata.py +98 -2
- modelaudit-0.2.37/modelaudit/scanners/__init__.py +450 -0
- modelaudit-0.2.37/modelaudit/scanners/_evidence_redaction.py +97 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/scanners/archive_dispatch.py +42 -44
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/scanners/base.py +5 -1
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/scanners/catboost_scanner.py +24 -2
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/scanners/flax_msgpack_scanner.py +45 -11
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/scanners/gguf_scanner.py +32 -1
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/scanners/joblib_scanner.py +13 -2
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/scanners/keras_utils.py +6 -2
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/scanners/keras_zip_scanner.py +111 -2
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/scanners/lightgbm_scanner.py +33 -5
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/scanners/llamafile_scanner.py +11 -6
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/scanners/manifest_scanner.py +31 -5
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/scanners/metadata_scanner.py +26 -3
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/scanners/mxnet_scanner.py +83 -0
- modelaudit-0.2.37/modelaudit/scanners/nemo_scanner.py +967 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/scanners/numpy_scanner.py +16 -3
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/scanners/onnx_scanner.py +68 -1
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/scanners/openvino_scanner.py +81 -9
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/scanners/pickle_scanner.py +301 -77
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/scanners/picklescan_adapter.py +23 -2
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/scanners/pmml_scanner.py +181 -22
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/scanners/pytorch_zip_scanner.py +390 -21
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/scanners/r_serialized_scanner.py +21 -1
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/scanners/rknn_scanner.py +2 -3
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/scanners/rule_mapper.py +3 -1
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/scanners/safetensors_scanner.py +3 -9
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/scanners/torchserve_mar_scanner.py +42 -3
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/scanners/zip_scanner.py +24 -6
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/utils/file/detection.py +10 -146
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/utils/file/streaming.py +2 -1
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/utils/helpers/result_conversion.py +3 -3
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/utils/helpers/retry.py +7 -1
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/utils/model_extensions.py +2 -8
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/utils/sources/cloud_storage.py +117 -64
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/utils/sources/dvc.py +10 -22
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/utils/sources/huggingface.py +17 -5
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/utils/sources/huggingface_paths.py +40 -11
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/utils/sources/jfrog.py +80 -22
- {modelaudit-0.2.35 → modelaudit-0.2.37}/package-lock.json +3 -3
- {modelaudit-0.2.35 → modelaudit-0.2.37}/packages/modelaudit-picklescan/src/modelaudit_picklescan/engine/policy.py +6 -1
- {modelaudit-0.2.35 → modelaudit-0.2.37}/packages/modelaudit-picklescan/src/modelaudit_picklescan/engine/scanner.py +102 -1
- {modelaudit-0.2.35 → modelaudit-0.2.37}/packages/modelaudit-picklescan/src/modelaudit_picklescan/engine/stream.py +10 -1
- {modelaudit-0.2.35 → modelaudit-0.2.37}/packages/modelaudit-picklescan/src/modelaudit_picklescan/options.py +13 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/packages/modelaudit-picklescan/tests/test_api.py +169 -3
- {modelaudit-0.2.35 → modelaudit-0.2.37}/pyproject.toml +2 -2
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/detectors/test_network_comm_detector.py +182 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/detectors/test_suspicious_symbols.py +16 -1
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/integrations/test_jfrog.py +36 -6
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/integrations/test_jfrog_integration.py +48 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/integrations/test_sarif_formatter.py +31 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/scanners/test_catboost_scanner.py +25 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/scanners/test_flax_msgpack_scanner.py +102 -2
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/scanners/test_gguf_scanner.py +61 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/scanners/test_joblib_scanner.py +7 -6
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/scanners/test_keras_h5_scanner.py +72 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/scanners/test_keras_zip_scanner.py +250 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/scanners/test_lightgbm_scanner.py +25 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/scanners/test_llamafile_scanner.py +26 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/scanners/test_manifest_scanner.py +79 -1
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/scanners/test_metadata_scanner.py +21 -4
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/scanners/test_mxnet_scanner.py +66 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/scanners/test_nemo_scanner.py +388 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/scanners/test_numpy_scanner.py +31 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/scanners/test_onnx_scanner.py +100 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/scanners/test_openvino_scanner.py +139 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/scanners/test_pickle_scanner.py +411 -70
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/scanners/test_picklescan_adapter.py +56 -22
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/scanners/test_pmml_scanner.py +302 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/scanners/test_pytorch_zip_scanner.py +692 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/scanners/test_r_serialized_scanner.py +27 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/scanners/test_rknn_scanner.py +34 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/scanners/test_rule_mapper.py +5 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/scanners/test_safetensors_scanner.py +105 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/scanners/test_scanner_registry.py +104 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/scanners/test_tar_scanner.py +31 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/scanners/test_torchserve_mar_scanner.py +54 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/scanners/test_zip_scanner.py +257 -6
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/test_cli.py +139 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/test_core.py +49 -1
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/test_core_asset_extraction.py +3 -3
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/test_directory_file_filtering.py +21 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/test_exit_codes.py +45 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/test_huggingface_extensions.py +4 -1
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/test_lazy_loading_integration.py +8 -9
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/test_metadata_extractor.py +29 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/test_network_comm_integration.py +62 -1
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/test_pickle_context_filtering.py +26 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/test_rules.py +2 -2
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/test_streaming_scan.py +141 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/test_telemetry.py +1 -1
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/utils/file/test_filetype.py +9 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/utils/file/test_streaming_analysis.py +57 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/utils/sources/test_cloud_storage.py +183 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/utils/sources/test_dvc_integration.py +15 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/utils/sources/test_huggingface.py +30 -3
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/utils/test_result_conversion.py +14 -2
- {modelaudit-0.2.35 → modelaudit-0.2.37}/uv.lock +352 -467
- modelaudit-0.2.35/.release-please-manifest.json +0 -3
- modelaudit-0.2.35/modelaudit/config/constants.py +0 -64
- modelaudit-0.2.35/modelaudit/scanners/__init__.py +0 -919
- modelaudit-0.2.35/modelaudit/scanners/nemo_scanner.py +0 -451
- {modelaudit-0.2.35 → modelaudit-0.2.37}/.dockerignore +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/.editorconfig +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/.gitattributes +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/.github/CODEOWNERS +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/.github/ISSUE_TEMPLATE/bug_report.yml +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/.github/ISSUE_TEMPLATE/feature_request.yml +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/.github/PULL_REQUEST_TEMPLATE.md +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/.github/markdown-link-check-config.json +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/.github/workflows/README.md +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/.github/workflows/codeql.yml +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/.github/workflows/docker-image-test.yml +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/.github/workflows/docker-publish.yml +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/.github/workflows/docs-check.yml +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/.github/workflows/nightly.yml +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/.github/workflows/perf.yml +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/.github/workflows/release-please.yml +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/.github/workflows/test.yml +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/.github/workflows/validate-pr-title.yml +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/.gitignore +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/.mailmap +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/.modelaudit.toml.example +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/.prettierignore +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/CLAUDE.md +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/CODE_OF_CONDUCT.md +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/CONTRIBUTING.md +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/LICENSE +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/MAINTAINERS.md +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/MANIFEST.in +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/README.md +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/RULES.md +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/SECURITY.md +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/SUPPORT.md +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/THIRD_PARTY_NOTICES.md +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/codecov.yml +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/docker-compose.yml +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/docker-entrypoint.sh +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/docs/agents/dependencies.md +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/docs/agents/picklescan-package-split.md +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/docs/agents/release-process.md +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/docs/agents/repo-correctness-audit.md +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/docs/maintainers/cve-gap-pr-plan-2026-03-20.md +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/docs/maintainers/cve-process.md +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/docs/maintainers/dependency-policy.md +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/docs/maintainers/format-gap-plans/tensorflow-metagraph.md +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/docs/maintainers/triage-playbook.md +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/docs/security/threat-model.md +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/docs/user/compatibility-matrix.md +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/docs/user/metadata-extraction.md +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/docs/user/offline-air-gapped.md +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/docs/user/security-model.md +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/__init__.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/__main__.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/analysis/__init__.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/analysis/anomaly_detector.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/analysis/enhanced_pattern_detector.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/analysis/entropy_analyzer.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/analysis/framework_patterns.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/analysis/integrated_analyzer.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/analysis/ml_context_analyzer.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/analysis/opcode_sequence_analyzer.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/analysis/semantic_analyzer.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/analysis/unified_context.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/auth/__init__.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/auth/client.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/auth/config.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/cache/__init__.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/cache/adaptive_cache_keys.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/cache/batch_operations.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/cache/cache_manager.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/cache/cache_policy.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/cache/optimized_config.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/cache/scan_results_cache.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/cache/trusted_config_store.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/config/__init__.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/config/data/spdx_licenses.json +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/config/generated_keras_layers.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/config/local_config.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/config/name_blacklist.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/config/rule_config.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/detectors/__init__.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/detectors/cve_patterns.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/detectors/jit_script.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/detectors/secrets.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/integrations/__init__.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/integrations/license_checker.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/integrations/mlflow.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/integrations/sbom_generator.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/models.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/progress/__init__.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/progress/base.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/progress/console.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/progress/file.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/progress/hooks.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/progress/multi_phase.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/protos/LICENSE +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/protos/NOTICE +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/protos/__init__.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/protos/py.typed +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/protos/tensorflow/__init__.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/protos/tensorflow/core/__init__.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/protos/tensorflow/core/framework/__init__.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/protos/tensorflow/core/framework/allocation_description_pb2.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/protos/tensorflow/core/framework/api_def_pb2.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/protos/tensorflow/core/framework/attr_value_pb2.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/protos/tensorflow/core/framework/cost_graph_pb2.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/protos/tensorflow/core/framework/cpp_shape_inference_pb2.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/protos/tensorflow/core/framework/dataset_metadata_pb2.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/protos/tensorflow/core/framework/dataset_options_pb2.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/protos/tensorflow/core/framework/dataset_pb2.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/protos/tensorflow/core/framework/device_attributes_pb2.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/protos/tensorflow/core/framework/full_type_pb2.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/protos/tensorflow/core/framework/function_pb2.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/protos/tensorflow/core/framework/graph_debug_info_pb2.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/protos/tensorflow/core/framework/graph_pb2.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/protos/tensorflow/core/framework/graph_transfer_info_pb2.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/protos/tensorflow/core/framework/kernel_def_pb2.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/protos/tensorflow/core/framework/log_memory_pb2.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/protos/tensorflow/core/framework/model_pb2.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/protos/tensorflow/core/framework/node_def_pb2.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/protos/tensorflow/core/framework/op_def_pb2.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/protos/tensorflow/core/framework/optimized_function_graph_pb2.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/protos/tensorflow/core/framework/reader_base_pb2.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/protos/tensorflow/core/framework/resource_handle_pb2.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/protos/tensorflow/core/framework/step_stats_pb2.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/protos/tensorflow/core/framework/tensor_description_pb2.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/protos/tensorflow/core/framework/tensor_pb2.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/protos/tensorflow/core/framework/tensor_shape_pb2.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/protos/tensorflow/core/framework/tensor_slice_pb2.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/protos/tensorflow/core/framework/types_pb2.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/protos/tensorflow/core/framework/variable_pb2.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/protos/tensorflow/core/framework/versions_pb2.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/protos/tensorflow/core/protobuf/__init__.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/protos/tensorflow/core/protobuf/cluster_pb2.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/protos/tensorflow/core/protobuf/composite_tensor_variant_pb2.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/protos/tensorflow/core/protobuf/control_flow_pb2.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/protos/tensorflow/core/protobuf/core_platform_payloads_pb2.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/protos/tensorflow/core/protobuf/critical_section_pb2.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/protos/tensorflow/core/protobuf/data_service_pb2.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/protos/tensorflow/core/protobuf/debug_event_pb2.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/protos/tensorflow/core/protobuf/debug_pb2.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/protos/tensorflow/core/protobuf/device_filters_pb2.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/protos/tensorflow/core/protobuf/device_properties_pb2.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/protos/tensorflow/core/protobuf/fingerprint_pb2.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/protos/tensorflow/core/protobuf/meta_graph_pb2.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/protos/tensorflow/core/protobuf/named_tensor_pb2.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/protos/tensorflow/core/protobuf/remote_tensor_handle_pb2.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/protos/tensorflow/core/protobuf/rewriter_config_pb2.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/protos/tensorflow/core/protobuf/saved_model_pb2.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/protos/tensorflow/core/protobuf/saved_object_graph_pb2.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/protos/tensorflow/core/protobuf/saver_pb2.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/protos/tensorflow/core/protobuf/service_config_pb2.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/protos/tensorflow/core/protobuf/snapshot_pb2.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/protos/tensorflow/core/protobuf/struct_pb2.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/protos/tensorflow/core/protobuf/tensor_bundle_pb2.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/protos/tensorflow/core/protobuf/trackable_object_graph_pb2.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/protos/tensorflow/core/protobuf/transport_options_pb2.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/protos/tensorflow/core/protobuf/verifier_config_pb2.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/py.typed +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/rules.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/scanner_results.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/scanners/_archive_config.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/scanners/_archive_locations.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/scanners/_archive_outcomes.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/scanners/_string_extraction.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/scanners/archive_member_security.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/scanners/cntk_scanner.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/scanners/compressed_scanner.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/scanners/coreml_scanner.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/scanners/executorch_scanner.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/scanners/jax_checkpoint_scanner.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/scanners/jinja2_template_scanner.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/scanners/keras_h5_scanner.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/scanners/oci_layer_scanner.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/scanners/paddle_scanner.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/scanners/pickle_support/__init__.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/scanners/pickle_support/opcode_stream.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/scanners/pytorch_binary_scanner.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/scanners/pytorch_zip_support/__init__.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/scanners/pytorch_zip_support/archive_members.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/scanners/sevenzip_scanner.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/scanners/skops_scanner.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/scanners/tar_scanner.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/scanners/tensorrt_scanner.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/scanners/text_scanner.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/scanners/tf_metagraph_scanner.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/scanners/tf_savedmodel_scanner.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/scanners/tflite_scanner.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/scanners/torch7_scanner.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/scanners/weight_distribution_scanner.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/scanners/xgboost_scanner.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/telemetry.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/utils/__init__.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/utils/_path_hardening.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/utils/auto_defaults.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/utils/file/__init__.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/utils/file/_compression.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/utils/file/filtering.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/utils/file/handlers.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/utils/file/large_file_handler.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/utils/helpers/__init__.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/utils/helpers/assets.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/utils/helpers/auto_defaults.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/utils/helpers/cache_decorator.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/utils/helpers/code_validation.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/utils/helpers/disk_space.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/utils/helpers/file_hash.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/utils/helpers/file_iterator.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/utils/helpers/interrupt_handler.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/utils/helpers/ml_context.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/utils/helpers/secure_hasher.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/utils/helpers/types.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/utils/lfs.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/utils/sources/__init__.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/utils/sources/_huggingface_cache.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/utils/sources/pytorch_hub.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/utils/tensorflow_compat.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/version.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/whitelists/__init__.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/whitelists/huggingface_organizations.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/modelaudit/whitelists/huggingface_popular.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/package.json +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/packages/modelaudit-picklescan/README.md +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/packages/modelaudit-picklescan/pyproject.toml +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/packages/modelaudit-picklescan/src/modelaudit_picklescan/__init__.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/packages/modelaudit-picklescan/src/modelaudit_picklescan/api.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/packages/modelaudit-picklescan/src/modelaudit_picklescan/engine/__init__.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/packages/modelaudit-picklescan/src/modelaudit_picklescan/engine/nested.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/packages/modelaudit-picklescan/src/modelaudit_picklescan/py.typed +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/packages/modelaudit-picklescan/src/modelaudit_picklescan/report.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/packages/modelaudit-picklescan/tests/conftest.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/packages/modelaudit-picklescan/tests/test_import_boundary.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/packages/modelaudit-picklescan/tests/test_options.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/packages/modelaudit-picklescan/tests/test_report.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/packages/modelaudit-picklescan/uv.lock +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/pyproject.toml.example +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/release-please-config.json +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/renovate.json +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/scripts/README.md +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/scripts/benchmark_report.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/scripts/check_circular_imports.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/scripts/compare_pickle_scanners.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/scripts/compare_pickle_scanners_fixture_labels.json +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/scripts/compile_tensorflow_protos.sh +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/scripts/fetch_hf_org_models.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/scripts/fetch_hf_top_models.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/scripts/generate_keras_layer_inventory.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/scripts/jax_flax_scanning_demo.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/scripts/minimal_circular_check.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/__init__.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/analysis/test_analysis_modules.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/analysis/test_anomaly_detector.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/analysis/test_enhanced_pattern_detector.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/analysis/test_entropy_analyzer.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/analysis/test_framework_patterns.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/analysis/test_ml_context_analyzer.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/analysis/test_opcode_sequence_analyzer.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/analysis/test_unified_context.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/assets/exploits/exploit1_basic_torch_bypass.pkl +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/assets/exploits/exploit2_advanced_torch_bypass.pkl +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/assets/exploits/exploit3_sophisticated_hybrid.pkl +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/assets/exploits/exploit4_supply_chain_attack.pkl +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/assets/exploits/exploit5_ultra_high_confidence.pkl +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/assets/exploits/exploit6_ordereddict_bypass.pkl +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/assets/exploits/exploit7_nested_collections.pkl +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/assets/exploits/exploit9_manual_construction.pkl +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/assets/exploits/exploit_ultimate_50pct.pkl +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/assets/generators/generate_7z_test_assets.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/assets/generators/generate_advanced_pickle_tests.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/assets/generators/generate_evil_pickle.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/assets/generators/generate_jinja2_test_assets.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/assets/generators/generate_nested_pickle_assets.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/assets/generators/generate_os_alias_tests.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/assets/generators/generate_safe_nested_assets.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/assets/generators/generate_safetensors_assets.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/assets/generators/generate_security_assets.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/assets/pickles/bypass_pocs/gen_bypass_v4.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/assets/pickles/memo_attack.pkl +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/assets/pickles/multiple_stream_attack.pkl +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/assets/pickles/nt_alias_attack.pkl +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/assets/pickles/posix_alias_attack.pkl +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/assets/pickles/stack_global_attack.pkl +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/assets/samples/archives/path_traversal.zip +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/assets/samples/archives/safe_model.zip +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/assets/samples/jinja2/benign/chatml_format.json +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/assets/samples/jinja2/benign/complex_legitimate.json +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/assets/samples/jinja2/benign/conditional_system.json +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/assets/samples/jinja2/benign/huggingface_llama.json +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/assets/samples/jinja2/benign/simple_roles.json +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/assets/samples/jinja2/benign/special_tokens.json +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/assets/samples/jinja2/benign_conditional_format.json +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/assets/samples/jinja2/benign_huggingface_chat.json +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/assets/samples/jinja2/benign_simple_template.json +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/assets/samples/jinja2/benign_template.j2 +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/assets/samples/jinja2/edge_cases/empty_template.json +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/assets/samples/jinja2/edge_cases/malformed_template.json +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/assets/samples/jinja2/edge_cases/multiple_templates.json +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/assets/samples/jinja2/edge_cases/no_template.json +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/assets/samples/jinja2/edge_cases/oversized_template.json +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/assets/samples/jinja2/malicious/attr_bypass.json +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/assets/samples/jinja2/malicious/combined_attack.json +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/assets/samples/jinja2/malicious/config_exploit.json +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/assets/samples/jinja2/malicious/cve_2024_34359_original.json +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/assets/samples/jinja2/malicious/direct_eval.json +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/assets/samples/jinja2/malicious/env_extraction.json +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/assets/samples/jinja2/malicious/file_access.json +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/assets/samples/jinja2/malicious/hex_bypass.json +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/assets/samples/jinja2/malicious/loop_discovery.json +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/assets/samples/jinja2/malicious/network_exfil.json +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/assets/samples/jinja2/malicious/request_exploit.json +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/assets/samples/jinja2/malicious/subprocess_injection.json +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/assets/samples/jinja2/malicious_cve_2024_34359.json +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/assets/samples/jinja2/malicious_env_vars.json +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/assets/samples/jinja2/malicious_file_read.json +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/assets/samples/jinja2/malicious_loop_exploit.json +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/assets/samples/jinja2/malicious_obfuscated.json +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/assets/samples/jinja2/malicious_subprocess.template +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/assets/samples/jinja2/obfuscated/base64_payload.json +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/assets/samples/jinja2/obfuscated/char_construction.json +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/assets/samples/jinja2/obfuscated/format_bypass.json +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/assets/samples/jinja2/obfuscated/getattr_bypass.json +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/assets/samples/jinja2/standalone/benign_chat.j2 +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/assets/samples/jinja2/standalone/malicious_standalone.jinja +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/assets/samples/jinja2/standalone/suspicious_benign.template +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/assets/samples/jinja2/tokenizer_config.json +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/assets/samples/jinja2/yaml/malicious_config.yaml +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/assets/samples/jinja2/yaml/model_config.yaml +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/assets/samples/keras/basic_lambda_layer.h5 +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/assets/samples/keras/custom_layer_attack.h5 +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/assets/samples/keras/keras_zip_format.keras +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/assets/samples/keras/lambda_exfiltration.h5 +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/assets/samples/keras/lambda_with_imports.h5 +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/assets/samples/keras/loss_injection.h5 +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/assets/samples/keras/malicious_lambda.h5 +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/assets/samples/keras/metric_injection.h5 +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/assets/samples/keras/safe_model.h5 +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/assets/samples/manifests/safe_config.json +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/assets/samples/manifests/suspicious_config.json +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/assets/samples/pickles/decode_exec_chain.pkl +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/assets/samples/pickles/dill_func.pkl +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/assets/samples/pickles/malicious_model_realistic.pkl +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/assets/samples/pickles/malicious_system_call.pkl +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/assets/samples/pickles/nested_pickle_base64.pkl +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/assets/samples/pickles/nested_pickle_hex.pkl +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/assets/samples/pickles/nested_pickle_multistage.pkl +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/assets/samples/pickles/nested_pickle_raw.pkl +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/assets/samples/pickles/safe_data.pkl +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/assets/samples/pickles/safe_large_model.pkl +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/assets/samples/pickles/safe_model_with_binary.pkl +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/assets/samples/pickles/safe_model_with_encoding.pkl +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/assets/samples/pickles/safe_model_with_tokens.pkl +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/assets/samples/pickles/safe_nested_structure.pkl +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/assets/samples/pickles/simple_nested.pkl +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/assets/samples/pipeline.skops +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/assets/samples/pytorch/malicious_eval.pt +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/assets/samples/pytorch/safe_model.pt +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/assets/samples/safetensors/malicious_import.safetensors +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/assets/samples/safetensors/multiple_patterns.safetensors +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/assets/samples/safetensors/obfuscated_metadata.safetensors +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/assets/samples/safetensors/safe_model.safetensors +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/assets/samples/safetensors/script_injection.safetensors +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/assets/samples/safetensors/shell_commands.safetensors +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/assets/samples/safetensors/suspicious_url.safetensors +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/assets/samples/tensorflow/malicious_pyfunc/saved_model.pb +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/assets/samples/tensorflow/safe_savedmodel/saved_model.pb +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/assets/scenarios/license_scenarios/agpl_component/agpl_model.pkl +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/assets/scenarios/license_scenarios/agpl_component/neural_network.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/assets/scenarios/license_scenarios/mit_model/config.json +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/assets/scenarios/license_scenarios/mit_model/model.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/assets/scenarios/license_scenarios/mit_model/model_weights.pkl +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/assets/scenarios/license_scenarios/mixed_licenses/LICENSE +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/assets/scenarios/license_scenarios/mixed_licenses/apache_component.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/assets/scenarios/license_scenarios/mixed_licenses/dataset_cc_nc.json +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/assets/scenarios/license_scenarios/mixed_licenses/gpl_utility.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/assets/scenarios/license_scenarios/mixed_licenses/mixed_model.pkl +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/assets/scenarios/license_scenarios/unlicensed_dataset/embeddings.npy +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/assets/scenarios/license_scenarios/unlicensed_dataset/features.csv +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/assets/scenarios/license_scenarios/unlicensed_dataset/training_data.json +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/assets/scenarios/security_scenarios/mixed_malicious_model/config.json +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/assets/scenarios/security_scenarios/mixed_malicious_model/model.pkl +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/benchmarks/test_scan_benchmarks.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/cache/__init__.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/cache/test_cache_correctness.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/cache/test_optimized_config.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/cli_output.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/config/__init__.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/config/test_name_blacklist.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/conftest.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/demo_license_functionality.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/detectors/test_builtin_detection.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/detectors/test_compile_eval_variants.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/detectors/test_cve_detection.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/detectors/test_jit_script_detector.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/detectors/test_runpy_detection.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/detectors/test_secrets_detector.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/helpers/__init__.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/helpers/file_creators.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/helpers/frameworks.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/integrations/test_license_checker.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/integrations/test_license_integration.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/integrations/test_mlflow_integration.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/integrations/test_sbom_license_integration.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/integrations/test_sbom_url_fixes.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/progress/__init__.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/progress/test_base.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/scanners/test_base_scanner.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/scanners/test_cntk_scanner.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/scanners/test_compressed_scanner.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/scanners/test_coreml_scanner.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/scanners/test_executorch_scanner.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/scanners/test_jax_checkpoint_scanner.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/scanners/test_jinja2_template_scanner.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/scanners/test_joblib_scanner_codecs.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/scanners/test_oci_layer_scanner.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/scanners/test_onnx_dependency_handling.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/scanners/test_paddle_scanner.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/scanners/test_pytorch_binary_scanner.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/scanners/test_rule_code_registry_consistency.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/scanners/test_sevenzip_scanner.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/scanners/test_skops_content_analysis.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/scanners/test_skops_scanner.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/scanners/test_tensorrt_scanner.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/scanners/test_tf_metagraph_scanner.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/scanners/test_tf_savedmodel_scanner.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/scanners/test_tflite_scanner.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/scanners/test_torch7_scanner.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/scanners/test_weight_distribution_scanner.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/scanners/test_xgboost_scanner.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/scripts/test_compare_pickle_scanners.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/test_asset_inventory_integration.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/test_asset_list.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/test_auth_config.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/test_basic.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/test_benchmark_report.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/test_bug1_confidence_exploit.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/test_cache_cli.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/test_cache_optimizations.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/test_checks_recording.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/test_cli_cache_dir.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/test_cli_default_command.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/test_cli_file_filtering.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/test_cli_license_integration.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/test_cli_logging_handlers.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/test_cli_output.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/test_cloud_url_detection.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/test_cve_2025_10155_bin_pickle.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/test_debug_command.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/test_dill_joblib_enhanced.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/test_double_interrupt.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/test_false_positive_fixes.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/test_file_hash.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/test_gguf_sbom_integration.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/test_graceful_degradation.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/test_header_discrepancy.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/test_huggingface_symlinks.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/test_importlib_detection.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/test_integration.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/test_jax_flax_integration.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/test_jit_script_integration.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/test_lazy_loading.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/test_manifest_name_policy.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/test_models.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/test_nested_pickle_integration.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/test_os_alias_detection.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/test_os_subprocess_detection.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/test_path_traversal.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/test_performance_benchmarks.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/test_progress.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/test_pydantic_models.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/test_python_version_warning.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/test_pytorch_zip_detection.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/test_real_world_dill_joblib.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/test_regression_corpus.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/test_regular_scan_hash.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/test_safetensors_optimization.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/test_secure_hasher.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/test_security_asset_integration.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/test_security_enhancements.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/test_shebang_context.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/test_simple_jinja2.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/test_sklearn_joblib_false_positive.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/test_telemetry_decoupling.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/test_tensorflow_lambda_detection.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/test_timeout_configuration.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/test_utils.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/test_weak_hash_detection.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/test_webbrowser_detection.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/test_why_explanations.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/test_xdist_status.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/utils/__init__.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/utils/file/__init__.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/utils/file/test_advanced_file_handler.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/utils/file/test_advanced_size_limits.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/utils/file/test_file_filter.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/utils/file/test_file_type_validation_integration.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/utils/file/test_integration_file_type_demo.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/utils/file/test_large_file_handler.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/utils/file/test_streaming_preview.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/utils/helpers/test_asset_from_scan_result.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/utils/helpers/test_auto_defaults.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/utils/helpers/test_code_validation.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/utils/helpers/test_disk_space.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/utils/helpers/test_file_iterator.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/utils/helpers/test_interrupt_handling.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/utils/helpers/test_ml_context_false_positives.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/utils/helpers/test_py_compile_improvements.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/utils/helpers/test_secure_hasher.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/utils/sources/test_pytorch_hub.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/utils/test_lfs.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/whitelists/__init__.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/whitelists/test_combined.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/whitelists/test_huggingface_popular.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/whitelists/test_organizations.py +0 -0
- {modelaudit-0.2.35 → modelaudit-0.2.37}/tests/xdist_status.py +0 -0
|
@@ -28,7 +28,7 @@ uv sync --extra all-ci
|
|
|
28
28
|
uv run ruff format modelaudit/ packages/modelaudit-picklescan/src packages/modelaudit-picklescan/tests tests/
|
|
29
29
|
uv run ruff check --fix modelaudit/ packages/modelaudit-picklescan/src packages/modelaudit-picklescan/tests tests/
|
|
30
30
|
uv run mypy modelaudit/ packages/modelaudit-picklescan/src packages/modelaudit-picklescan/tests tests/
|
|
31
|
-
uv run pytest -n auto -m "not slow and not integration" --maxfail=1
|
|
31
|
+
PROMPTFOO_DISABLE_TELEMETRY=1 uv run pytest -n auto -m "not slow and not integration" --maxfail=1
|
|
32
32
|
```
|
|
33
33
|
|
|
34
34
|
## Standard Workflow
|
|
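Review bot: the telemetry opt-out added to this pytest line covers only this one invocation, while the same `uv run pytest -n auto -m "not slow and not integration" --maxfail=1` command is repeated verbatim in the validation checklist of this file (the `@@ -74,7 +74,7 @@` hunk), so the two copies can drift apart. Consider one shared script or task target that sets `PROMPTFOO_DISABLE_TELEMETRY=1` and is referenced from both places, rather than prefixing each copy by hand.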
@@ -74,7 +74,7 @@ gh pr create --title "feat: descriptive title" --body "Brief description"
|
|
|
74
74
|
uv run ruff check modelaudit/ packages/modelaudit-picklescan/src packages/modelaudit-picklescan/tests tests/ # Lint (no errors)
|
|
75
75
|
uv run ruff format --check modelaudit/ packages/modelaudit-picklescan/src packages/modelaudit-picklescan/tests tests/ # Format (no changes)
|
|
76
76
|
uv run mypy modelaudit/ packages/modelaudit-picklescan/src packages/modelaudit-picklescan/tests tests/ # Types (no errors)
|
|
77
|
-
uv run pytest -n auto -m "not slow and not integration" --maxfail=1
|
|
77
|
+
PROMPTFOO_DISABLE_TELEMETRY=1 uv run pytest -n auto -m "not slow and not integration" --maxfail=1
|
|
78
78
|
```
|
|
79
79
|
|
|
80
80
|
| Issue | Fix |
|
|
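Review bot: the surrounding checklist lines each carry a trailing comment (`# Lint (no errors)`, `# Format (no changes)`, `# Types (no errors)`), but the changed pytest line is the only entry without one, so a reader cannot tell at a glance what passing looks like or why the env var is there. Add a comment such as `# Tests (telemetry disabled)` on the `PROMPTFOO_DISABLE_TELEMETRY=1 uv run pytest ...` line, and since this is the second verbatim copy of that command in the file, prefer pointing both at one shared entry point so the prefix cannot be dropped in one place only.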
@@ -111,6 +111,7 @@ uv run pytest -n auto -m "not slow and not integration" --maxfail=1
|
|
|
111
111
|
- Keep fixtures deterministic and self-contained under `tmp_path`; never rely on host paths or global temp filenames.
|
|
112
112
|
- If a new regression test must run on reduced CI lanes, add the file to `allowed_test_files` in `tests/conftest.py`.
|
|
113
113
|
- Match local validation to the CI lane that will exercise the change when possible; if optional dependencies or Python-version gates prevent that, call it out explicitly in the PR.
|
|
114
|
+
- Disable telemetry for local validation unless the task explicitly tests telemetry behavior: prefix pytest runs with `PROMPTFOO_DISABLE_TELEMETRY=1` (or `NO_ANALYTICS=1`). Requests to contact `a.promptfoo.app` during normal unit, scanner, or integration-excluded test runs are ok and expected for this project; approve them when the test runner requests access. Telemetry tests should still mock the transport or make network intent explicit before running.
|
|
114
115
|
- For file routing, prefiltering, or archive-triage changes, add at least one malicious positive regression and one benign near-match negative regression.
|
|
115
116
|
- Reuse shared fixture helpers for container formats. For PyTorch ZIP tests, prefer
|
|
116
117
|
`tests.helpers.create_mock_pytorch_zip`; if you hand-roll a ZIP-backed `.pt`/`.pkl`,
|
|
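Review bot: the added bullet is internally inconsistent. Its first sentence instructs contributors to disable telemetry with `PROMPTFOO_DISABLE_TELEMETRY=1` (or `NO_ANALYTICS=1`), yet the next sentence says requests to `a.promptfoo.app` during normal unit, scanner, or integration-excluded test runs "are ok and expected" and should be approved. If the flag is set, no such request should be made, and an unexpected outbound call from a unit test is evidence that the opt-out was not applied or that a code path ignores it, not something to approve. Suggest rewording to: "With the flag set, tests must not contact `a.promptfoo.app`; treat any such request as a test-isolation bug." Also, `NO_ANALYTICS=1` appears here for the first time while the two command examples earlier in this file use only `PROMPTFOO_DISABLE_TELEMETRY=1`; state which variable is authoritative, or which takes precedence when both are set.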
@@ -5,6 +5,71 @@ All notable changes to this project will be documented in this file.
|
|
|
5
5
|
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
|
|
6
6
|
and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
|
|
7
7
|
|
|
8
|
+
## [Unreleased]
|
|
9
|
+
|
|
10
|
+
## [0.2.37](https://github.com/promptfoo/modelaudit/compare/v0.2.36...v0.2.37) (2026-04-12)
|
|
11
|
+
|
|
12
|
+
### Bug Fixes
|
|
13
|
+
|
|
14
|
+
- add CVE scanner coverage ([01dec02](https://github.com/promptfoo/modelaudit/commit/01dec0270516738295651ce07e7804de82eaabdb))
|
|
15
|
+
- add size floor for zip compression ratio ([#949](https://github.com/promptfoo/modelaudit/issues/949)) ([5e66eeb](https://github.com/promptfoo/modelaudit/commit/5e66eeb483048644da7c07bba6496a5c6c73a187))
|
|
16
|
+
- align SARIF scan metadata with CLI results ([#934](https://github.com/promptfoo/modelaudit/issues/934)) ([1a90415](https://github.com/promptfoo/modelaudit/commit/1a90415d53d9ddc4dba01ff7ad804125a1d76c20))
|
|
17
|
+
- allow generated TorchScript source files ([#948](https://github.com/promptfoo/modelaudit/issues/948)) ([53d0cdc](https://github.com/promptfoo/modelaudit/commit/53d0cdc48025628de0f56397d832dbac839721fd))
|
|
18
|
+
- **archives:** honor nested header routing ([fccdb91](https://github.com/promptfoo/modelaudit/commit/fccdb914ccd87d0f178729f6becdfdddcfe72024))
|
|
19
|
+
- avoid archive bin pickle routing ([#962](https://github.com/promptfoo/modelaudit/issues/962)) ([446df6b](https://github.com/promptfoo/modelaudit/commit/446df6b06a59cf6cc8e11485d6df8f5dc0d35ec8))
|
|
20
|
+
- avoid safetensors unicode metadata false positive ([#945](https://github.com/promptfoo/modelaudit/issues/945)) ([d595fde](https://github.com/promptfoo/modelaudit/commit/d595fdee57150ea22d9bb38b92ec61cdc865da60))
|
|
21
|
+
- bound standalone pickle stream reads ([4d0cb84](https://github.com/promptfoo/modelaudit/commit/4d0cb84af010b4ed332ebbf17fc8bd0769fa8b6e))
|
|
22
|
+
- **catboost:** redact finding urls ([c65334c](https://github.com/promptfoo/modelaudit/commit/c65334ceb456556835d80bf17010d952c7437985))
|
|
23
|
+
- **cli:** honor streaming file skips ([49291ac](https://github.com/promptfoo/modelaudit/commit/49291acbc9fb8c35f7944ee894fd81ac23fe3045))
|
|
24
|
+
- **cli:** redact cloud urls in output ([#964](https://github.com/promptfoo/modelaudit/issues/964)) ([0ee82ca](https://github.com/promptfoo/modelaudit/commit/0ee82ca1e84f2dc06daa8d05a4ad9c3abdc85987))
|
|
25
|
+
- default unknown severities to info ([#963](https://github.com/promptfoo/modelaudit/issues/963)) ([9b27b9a](https://github.com/promptfoo/modelaudit/commit/9b27b9ac672009a77a413aeea1fea350f6df145c))
|
|
26
|
+
- **deps:** update dependency tensorflow to >=2.21,<2.22 ([#985](https://github.com/promptfoo/modelaudit/issues/985)) ([2e3ac65](https://github.com/promptfoo/modelaudit/commit/2e3ac651e2bb0b83d87d070c00894eeddcf0091d))
|
|
27
|
+
- **detectors:** redact network urls in findings ([7e28a46](https://github.com/promptfoo/modelaudit/commit/7e28a46c6de3f5646d42b14fd76061fdfeaf114e))
|
|
28
|
+
- **dvc:** restrict target paths ([3bd9b68](https://github.com/promptfoo/modelaudit/commit/3bd9b685a3e3bb5de87d3775a9704deb7f4a253b))
|
|
29
|
+
- flag pickle persistent ids ([#938](https://github.com/promptfoo/modelaudit/issues/938)) ([2cfba40](https://github.com/promptfoo/modelaudit/commit/2cfba403e21d53f46ba7089b655cebc564dcddaf))
|
|
30
|
+
- **gguf:** detect tensor bounds overflow ([a4358ff](https://github.com/promptfoo/modelaudit/commit/a4358ffe0e3b8a8d8729b8bcf23a8f00f205a5e1))
|
|
31
|
+
- honor header-routed scanners ([#941](https://github.com/promptfoo/modelaudit/issues/941)) ([6740260](https://github.com/promptfoo/modelaudit/commit/6740260c36331156eb6f7fc491d58f5b570dbee4))
|
|
32
|
+
- **huggingface:** redact source urls ([73b538e](https://github.com/promptfoo/modelaudit/commit/73b538e21ccf23c5ef452b16153c1e6e2b8e6663))
|
|
33
|
+
- ignore pmml documentation urls ([506aa75](https://github.com/promptfoo/modelaudit/commit/506aa7510a820e4c01018231cb52be4f5964334f))
|
|
34
|
+
- **jfrog:** redact url secrets ([4546eee](https://github.com/promptfoo/modelaudit/commit/4546eeeadad7a8fadd31e21cf550a44688f0d076))
|
|
35
|
+
- **keras:** redact archive urls ([e532b0d](https://github.com/promptfoo/modelaudit/commit/e532b0dd67d2f7033c29644356efe8a220060441))
|
|
36
|
+
- **lightgbm:** redact finding urls ([d4f1fe2](https://github.com/promptfoo/modelaudit/commit/d4f1fe2a61e51166bf48c74861ff7cb31f55a69c))
|
|
37
|
+
- **manifest:** redact url secrets ([c831733](https://github.com/promptfoo/modelaudit/commit/c83173316cf98d9f19b0a8481a40b848077d0096))
|
|
38
|
+
- mark missing numpy format as operational ([#958](https://github.com/promptfoo/modelaudit/issues/958)) ([6d271d6](https://github.com/promptfoo/modelaudit/commit/6d271d6eb4e3faf38bf03ae3db76ce9d369ce4af))
|
|
39
|
+
- mark pickle parse failures inconclusive ([8a0e3fd](https://github.com/promptfoo/modelaudit/commit/8a0e3fd125ec6e4d49f72ab68d43d1c6544d3ae0))
|
|
40
|
+
- **metadata:** redact suspicious urls ([7af0d4d](https://github.com/promptfoo/modelaudit/commit/7af0d4d1dbe8a6c6d87870f3a0b5989c91bb35d1))
|
|
41
|
+
- **metadata:** reject symlink escapes ([3869cf0](https://github.com/promptfoo/modelaudit/commit/3869cf0492fa1db7418269c8263b42f65a130a07))
|
|
42
|
+
- narrow flax suspicious key criticals ([#957](https://github.com/promptfoo/modelaudit/issues/957)) ([9276d24](https://github.com/promptfoo/modelaudit/commit/9276d2472c18cda02a559c1f451fa65c91bdbcf1))
|
|
43
|
+
- narrow network c2 metadata patterns ([fd9cc41](https://github.com/promptfoo/modelaudit/commit/fd9cc410440568cbb1ef0c17fea03499c16441e9))
|
|
44
|
+
- narrow openvino external library checks ([#959](https://github.com/promptfoo/modelaudit/issues/959)) ([e895872](https://github.com/promptfoo/modelaudit/commit/e895872612c15bfd016f9a9e1fb58262ff4ee1eb))
|
|
45
|
+
- narrow safetensors path metadata checks ([#955](https://github.com/promptfoo/modelaudit/issues/955)) ([4241780](https://github.com/promptfoo/modelaudit/commit/42417800670c4fb49d8bf2ea9b46aec702550485))
|
|
46
|
+
- narrow suspicious dunder string detection ([#947](https://github.com/promptfoo/modelaudit/issues/947)) ([e866760](https://github.com/promptfoo/modelaudit/commit/e8667609d293d4391205ce4e8884fa3559030604))
|
|
47
|
+
- **nemo:** scan referenced non-checkpoint suffixes ([3ba4ff7](https://github.com/promptfoo/modelaudit/commit/3ba4ff76399987dbcaf7b56c1a23f0d0a3c0a205))
|
|
48
|
+
- **openvino:** flag sidecar symlink escapes ([772e796](https://github.com/promptfoo/modelaudit/commit/772e796c73b1b05172225af27a6dabf6c5254aae))
|
|
49
|
+
- **openvino:** redact library urls ([241a667](https://github.com/promptfoo/modelaudit/commit/241a667dd658f1e0a827a05d3ddef5d13717f357))
|
|
50
|
+
- preserve informational network findings ([b39d312](https://github.com/promptfoo/modelaudit/commit/b39d3124bf0b8578ae79919c726a28d7731261a4))
|
|
51
|
+
- reduce benign Keras Lambda bytecode noise ([8cb5c29](https://github.com/promptfoo/modelaudit/commit/8cb5c29308673f52e9a9f2b7186cdd37c9657214))
|
|
52
|
+
- require nested pickle execution evidence ([d2ad631](https://github.com/promptfoo/modelaudit/commit/d2ad6314f4df70ae03064f78ef37ddd6c8de8f53))
|
|
53
|
+
- route nested compressed archive members ([e217b29](https://github.com/promptfoo/modelaudit/commit/e217b2982609a1888450c3d4ae9bd29726e187d4))
|
|
54
|
+
- route nested compressed members ([#944](https://github.com/promptfoo/modelaudit/issues/944)) ([d839fe7](https://github.com/promptfoo/modelaudit/commit/d839fe734ccdabb62401970f4b652048156707ec))
|
|
55
|
+
- **r:** redact serialized urls ([013bcf0](https://github.com/promptfoo/modelaudit/commit/013bcf0056b63f850ff569062ca3f6c64cfdbd9a))
|
|
56
|
+
- **scanners:** redact evidence secrets ([3ae1383](https://github.com/promptfoo/modelaudit/commit/3ae13834844cd1cffc3975379e3ab8550309dc83))
|
|
57
|
+
- skip prose-only network references ([773eb88](https://github.com/promptfoo/modelaudit/commit/773eb881187ef3b6601c9650e5bd4c8c17ec939c))
|
|
58
|
+
- skip protocol-only streaming pickle warning ([#961](https://github.com/promptfoo/modelaudit/issues/961)) ([dba3ebe](https://github.com/promptfoo/modelaudit/commit/dba3ebec5c19ea86b1e40012ff0ffce8d81af451))
|
|
59
|
+
- tighten pytorch zip pickle discovery ([#953](https://github.com/promptfoo/modelaudit/issues/953)) ([bfd9663](https://github.com/promptfoo/modelaudit/commit/bfd9663f68e30213fa8bb76016815dfbfdbdd968))
|
|
60
|
+
- **torchserve:** redact manifest urls ([4626a02](https://github.com/promptfoo/modelaudit/commit/4626a02450b5436cc994329662b5e1623d2d6b00))
|
|
61
|
+
|
|
62
|
+
### Documentation
|
|
63
|
+
|
|
64
|
+
- add scanner CVE gap analysis ([73d6e8e](https://github.com/promptfoo/modelaudit/commit/73d6e8e512f0d86c7307df69a5663e3223724196))
|
|
65
|
+
- allow promptfoo telemetry approval ([1fbe64c](https://github.com/promptfoo/modelaudit/commit/1fbe64cbe071579ebbb8064980cd05cf27133f2c))
|
|
66
|
+
|
|
67
|
+
## [0.2.36](https://github.com/promptfoo/modelaudit/compare/v0.2.35...v0.2.36) (2026-04-11)
|
|
68
|
+
|
|
69
|
+
### Documentation
|
|
70
|
+
|
|
71
|
+
- disable telemetry during agent validation ([#928](https://github.com/promptfoo/modelaudit/issues/928)) ([69a1986](https://github.com/promptfoo/modelaudit/commit/69a1986aa2a63ab07e63871507e96bf857c1c882))
|
|
72
|
+
|
|
8
73
|
## [0.2.35](https://github.com/promptfoo/modelaudit/compare/v0.2.34...v0.2.35) (2026-04-11)
|
|
9
74
|
|
|
10
75
|
### Bug Fixes
|
|
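Review bot: the 0.2.37 Bug Fixes list carries two near-identical bullets, `route nested compressed archive members` (e217b29) and `route nested compressed members (#944)` (d839fe7); if these are one fix that landed in two commits, collapse them into a single bullet, otherwise say in each how the two differ, because a reader auditing which routing behaviour changed in this release cannot tell them apart as written. The same question applies to `honor nested header routing` (fccdb91) and `honor header-routed scanners (#941)` (6740260).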
@@ -79,28 +144,6 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
|
|
|
79
144
|
- reduce PMML subprocess extension false positives ([#869](https://github.com/promptfoo/modelaudit/issues/869)) ([5e6f79d](https://github.com/promptfoo/modelaudit/commit/5e6f79dc134267202b5a4b841a8946af865ebd15))
|
|
80
145
|
- tolerate bounded CoreML custom block truncation ([#868](https://github.com/promptfoo/modelaudit/issues/868)) ([34df06d](https://github.com/promptfoo/modelaudit/commit/34df06dd2c12b69815a2a15f1273085856bebf64))
|
|
81
146
|
|
|
82
|
-
## [Unreleased]
|
|
83
|
-
|
|
84
|
-
### Bug Fixes
|
|
85
|
-
|
|
86
|
-
- mark trailing bytes after NumPy object-array pickle payloads inconclusive without escalating to security findings
|
|
87
|
-
- avoid CoreML nested parse failures on bounded-read truncation
|
|
88
|
-
- mark incomplete sharded-model scans as inconclusive, ignore shard-name prefix matches, and skip caching explicit incomplete outcomes
|
|
89
|
-
- flag TensorFlow `LoadLibrary` and `LoadLibraryV2` graph ops as dangerous native-library loading
|
|
90
|
-
- detect split CNTK native-user-function and native-library references
|
|
91
|
-
- detect Linux/macOS native-library members in Keras archives and uppercase native-library members in PyTorch ZIPs
|
|
92
|
-
- detect embedded Windows DLL/PE, Linux ELF shared-object, and TensorRT plugin entry-point markers in TensorRT engines
|
|
93
|
-
- detect punctuation-delimited TensorRT `/tmp` plugin paths
|
|
94
|
-
- clean up temporary ZIP entry files when extraction fails on entry size limits
|
|
95
|
-
- preserve HuggingFace cache provenance for symlinked custom cache roots
|
|
96
|
-
- mark ONNX tensor dtype validation failures inconclusive instead of allowing clean scans
|
|
97
|
-
- ignore remote OCI `layers[].urls` entries during local layer discovery
|
|
98
|
-
- fail closed on unterminated OpenVINO DOCTYPE declarations
|
|
99
|
-
- avoid PMML `<Extension>` false positives for benign `subprocess` prose while preserving `subprocess.getoutput()`, `subprocess.getstatusoutput()`, and `importlib.import_module("subprocess")` detections
|
|
100
|
-
- mark incomplete ZIP, TAR, and 7z archive traversals as inconclusive in scan metadata
|
|
101
|
-
- route helper-level ZIP-backed `.ckpt`/`.pkl` checkpoints through archive scanners
|
|
102
|
-
- harden standalone pickle scanner dangerous global coverage, nested payload bounds, incomplete-scan reporting, and standalone-primary migration behavior
|
|
103
|
-
|
|
104
147
|
## [0.2.31](https://github.com/promptfoo/modelaudit/compare/v0.2.30...v0.2.31) (2026-04-04)
|
|
105
148
|
|
|
106
149
|
### Bug Fixes
|
|
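Review bot: this hunk deletes the entire `## [Unreleased]` section, and only some of its bullets have a visible counterpart under a version heading in this diff. The PMML `<Extension>` and CoreML truncation items match the 0.2.35 context lines kept above, but the detection changes `flag TensorFlow LoadLibrary and LoadLibraryV2 graph ops as dangerous native-library loading`, `fail closed on unterminated OpenVINO DOCTYPE declarations` and `ignore remote OCI layers[].urls entries during local layer discovery` do not appear in the 0.2.37 or 0.2.36 lists shown. Confirm that every removed bullet is recorded under the release that actually shipped it; otherwise the changelog silently drops detection changes that users would want to know about when deciding whether to upgrade.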
@@ -1,6 +1,6 @@
|
|
|
1
1
|
Metadata-Version: 2.4
|
|
2
2
|
Name: modelaudit
|
|
3
|
-
Version: 0.2.
|
|
3
|
+
Version: 0.2.37
|
|
4
4
|
Summary: Static scanning library for detecting malicious code, backdoors, and other security risks in ML model files
|
|
5
5
|
Project-URL: Repository, https://github.com/promptfoo/modelaudit
|
|
6
6
|
Project-URL: Homepage, https://github.com/promptfoo/modelaudit
|
|
@@ -111,7 +111,7 @@ Requires-Dist: safetensors>=0.4.0; extra == 'safetensors'
|
|
|
111
111
|
Provides-Extra: sevenzip
|
|
112
112
|
Requires-Dist: py7zr>=0.20.1; extra == 'sevenzip'
|
|
113
113
|
Provides-Extra: tensorflow
|
|
114
|
-
Requires-Dist: tensorflow<
|
|
114
|
+
Requires-Dist: tensorflow<2.22,>=2.21; (python_version >= '3.11' and python_version < '3.13') and extra == 'tensorflow'
|
|
115
115
|
Provides-Extra: tensorrt
|
|
116
116
|
Requires-Dist: tensorrt>=8.6.0; (sys_platform == 'linux' or sys_platform == 'win32') and extra == 'tensorrt'
|
|
117
117
|
Provides-Extra: tflite
|
|
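Review bot: the new marker `(python_version >= '3.11' and python_version < '3.13') and extra == 'tensorflow'` means `pip install modelaudit[tensorflow]` installs nothing, with no error, on Python 3.13+ or on anything older than 3.11. The `Requires-Dist` line cannot carry that caveat itself, so the install documentation and the scanner dependency diagnostics should state that the TensorFlow-dependent scanner paths need an interpreter in that window, and the changelog bullet `update dependency tensorflow to >=2.21,<2.22` should mention the interpreter constraint rather than only the version pin.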
@@ -3,7 +3,8 @@
|
|
|
3
3
|
## Core Components
|
|
4
4
|
|
|
5
5
|
- `cli.py`: Click-based CLI interface
|
|
6
|
-
- `core.py`: Main scanning logic and
|
|
6
|
+
- `core.py`: Main scanning logic, file traversal, routing, and scanner invocation
|
|
7
|
+
- `core_results.py`: Aggregate result helpers, exit-code semantics, check consolidation, and asset/metadata attachment
|
|
7
8
|
- `metadata_extractor.py`: Metadata extraction command backend (`modelaudit metadata`)
|
|
8
9
|
- `scanner_results.py`: Leaf result/check/issue contracts re-exported by `scanners/base.py`
|
|
9
10
|
- `scanner_registry_metadata.py`: Static scanner metadata consumed by registry loading and extension utilities
|
|
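Review bot: `core.py` is described here as `Main scanning logic, file traversal, routing, and scanner invocation` while the file list later in this same document still calls it `Main scanning orchestration logic`. Now that `core_results.py` owns `exit-code semantics, check consolidation, and asset/metadata attachment`, make the two descriptions agree and say explicitly which module a contributor edits for exit-code behaviour, since the architecture doc is what agents are told to consult before changing it.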
@@ -15,7 +16,8 @@
|
|
|
15
16
|
## Routing & Coverage Invariants
|
|
16
17
|
|
|
17
18
|
- Prefer trusted file structure and bounded content sniffing over extension-only routing, especially for ZIP-like containers and nested archives.
|
|
18
|
-
- Keep scanner routing metadata descriptor-owned in `
|
|
19
|
+
- Keep scanner routing metadata descriptor-owned in `scanner_registry_metadata.py`; header-format aliases, content-routed extensions, extension-only format policy, and lazy class exports should come from that descriptor module, with `can_handle()` as the final content gate.
|
|
20
|
+
- Source discovery filters should consume the registry-backed scannable extension set instead of carrying local allowlists.
|
|
19
21
|
- For routing, prefiltering, or archive-recursion changes, add one malicious positive regression and one benign near-match negative regression.
|
|
20
22
|
- If a scanner aborts to avoid partial coverage, make the result operationally explicit (`success=False` with a clear error message) and preserve consistent exit-code and cache behavior.
|
|
21
23
|
|
|
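Review bot: the added bullet `Source discovery filters should consume the registry-backed scannable extension set instead of carrying local allowlists` should also say what happens to files that are routed by header format or content rather than by extension; the bullet just above it prefers bounded content sniffing over extension-only routing. If discovery drops a file solely because its extension is not in the set, header-routed or extensionless artifacts never reach `can_handle()`, so state that the discovery filter is a pre-filter only and must keep whatever the descriptor module marks as header-format or content-routed.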
@@ -103,6 +105,7 @@ result.add_check(
|
|
|
103
105
|
- `modelaudit/scanners/base.py`: Scanner interface and base classes
|
|
104
106
|
- `modelaudit/scanners/<scanner>_support/`: Extracted helper modules for large scanners while preserving public `<scanner>_scanner.py` entrypoints
|
|
105
107
|
- `modelaudit/core.py`: Main scanning orchestration logic
|
|
108
|
+
- `modelaudit/core_results.py`: Shared result aggregation/finalization logic used by core scan flows
|
|
106
109
|
- `modelaudit/cli.py`: Command-line interface
|
|
107
110
|
- `pyproject.toml`: Dependencies and project configuration
|
|
108
111
|
- `tests/conftest.py`: Test configuration and fixtures
|
|
@@ -55,12 +55,13 @@ class ExampleScanner(BaseScanner):
|
|
|
55
55
|
|
|
56
56
|
## 3. Register the scanner
|
|
57
57
|
|
|
58
|
-
Update `modelaudit/
|
|
58
|
+
Update `modelaudit/scanner_registry_metadata.py`:
|
|
59
59
|
|
|
60
60
|
- Add one scanner descriptor entry with module/class metadata
|
|
61
61
|
- Set priority, direct extensions, and any descriptor-owned `header_formats` / `content_routed_extensions` carefully
|
|
62
62
|
- Declare dependency names for load-time diagnostics
|
|
63
63
|
- Document intentional descriptor/class extension differences with `scanner_only_extensions` instead of leaving silent drift
|
|
64
|
+
- If the extension is authoritative enough for extension-only format validation, add it to the descriptor-owned `EXTENSION_FORMAT_MAP`; leave generic text/config extensions out
|
|
64
65
|
- Do not add a second class map in `__getattr__`; lazy exports are resolved from descriptor metadata
|
|
65
66
|
|
|
66
67
|
## 4. Dependency handling rules
|
|
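Review bot: the added bullet on `EXTENSION_FORMAT_MAP` tells the contributor to leave `generic text/config extensions out` but not what the map is used for or what goes wrong when an entry is wrong. Add one sentence on the consequence: an extension listed there is accepted as authoritative for extension-only format validation, so listing an extension that several scanners share (the gap analysis in this diff shows `.bin` and `.json` routed to more than one scanner) would let the wrong scanner claim the file. Point to the benign near-match negative regression that the architecture doc already requires for routing changes.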
@@ -58,8 +58,8 @@ Out of scope:
|
|
|
58
58
|
|
|
59
59
|
1. Routing and registration
|
|
60
60
|
|
|
61
|
-
- Add scanner entry
|
|
62
|
-
- Add `.mlmodel` mapping to extension detection.
|
|
61
|
+
- Add scanner metadata entry.
|
|
62
|
+
- Add `.mlmodel` mapping to descriptor-owned extension detection.
|
|
63
63
|
- Ensure scanner priority is above generic manifest/text handling.
|
|
64
64
|
|
|
65
65
|
1. Optional deep-validation path
|
|
@@ -55,8 +55,8 @@ Out of scope:
|
|
|
55
55
|
1. Routing and integration
|
|
56
56
|
|
|
57
57
|
- Register scanner with proper priority relative to manifest/text scanners.
|
|
58
|
-
- Add extension mapping entries for selected MXNet artifacts.
|
|
59
|
-
- Ensure lazy
|
|
58
|
+
- Add descriptor-owned extension mapping entries for selected MXNet artifacts.
|
|
59
|
+
- Ensure lazy exports resolve from scanner metadata.
|
|
60
60
|
|
|
61
61
|
1. Robustness
|
|
62
62
|
|
|
@@ -31,8 +31,8 @@ Out of scope:
|
|
|
31
31
|
## Deliverables
|
|
32
32
|
|
|
33
33
|
- `modelaudit/scanners/torchserve_mar_scanner.py`
|
|
34
|
-
- Registry
|
|
35
|
-
-
|
|
34
|
+
- Registry metadata in `modelaudit/scanner_registry_metadata.py`
|
|
35
|
+
- Descriptor-owned extension detection updates
|
|
36
36
|
- Unit tests under `tests/scanners/test_torchserve_mar_scanner.py`
|
|
37
37
|
- Fixture allowlist update in `tests/conftest.py`
|
|
38
38
|
- User docs and changelog updates
|
|
@@ -84,8 +84,8 @@ Out of scope:
|
|
|
84
84
|
1. Registry and routing
|
|
85
85
|
|
|
86
86
|
- Add scanner registration entry with priority before generic ZIP scanner.
|
|
87
|
-
-
|
|
88
|
-
- Add extension mapping for `.mar` in `EXTENSION_FORMAT_MAP`.
|
|
87
|
+
- Ensure lazy exports resolve from scanner metadata.
|
|
88
|
+
- Add extension mapping for `.mar` in `modelaudit/scanner_registry_metadata.py` `EXTENSION_FORMAT_MAP`.
|
|
89
89
|
- Ensure fallback behavior keeps `.mar` from being treated as unknown.
|
|
90
90
|
|
|
91
91
|
1. Performance and resilience
|
|
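Review bot: the unchanged context line `Add scanner registration entry with priority before generic ZIP scanner.` still describes the pre-descriptor registration flow, while the two lines added directly after it move lazy exports and the `.mar` mapping into `modelaudit/scanner_registry_metadata.py`. Reword it as a descriptor metadata entry, as the CoreML plan in this same diff does with `Add scanner metadata entry.`, so the plan does not point contributors at two different registration mechanisms.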
@@ -0,0 +1,130 @@
|
|
|
1
|
+
# Scanner CVE Gap Analysis
|
|
2
|
+
|
|
3
|
+
Date: 2026-04-11
|
|
4
|
+
|
|
5
|
+
Scope: inventory every registered scanner from `modelaudit/scanner_registry_metadata.py`, compare implemented CVE/security coverage against known public model-artifact vulnerability classes, and identify practical detection gaps.
|
|
6
|
+
|
|
7
|
+
This is a static-analysis gap report, not a claim that every listed runtime CVE can be detected safely from a model file alone. Rules should only be implemented when a precise artifact-level invariant exists and benign near-matches can be tested.
|
|
8
|
+
|
|
9
|
+
## Summary
|
|
10
|
+
|
|
11
|
+
- Registered scanners: 39.
|
|
12
|
+
- Strong CVE-specific coverage today: pickle/PyTorch/joblib, Keras ZIP/H5, ONNX external data, NumPy object arrays, skops, NeMo archive/checkpoint/Hydra issues, MXNet operator ReDoS, TorchServe MAR traversal, and Jinja/GGUF SSTI.
|
|
13
|
+
- Strong generic coverage today: ZIP/TAR/7z/compressed archive traversal and bomb checks, secrets/URLs/metadata indicators, custom/native code references, external paths, and bounded parsing.
|
|
14
|
+
- Remaining high-priority research gaps: LightGBM CVE-2024-43598 feasibility, GGUF/llama.cpp parser-CVE invariants, ExecuTorch binary loader-CVE invariants, and TensorFlow/TFLite malformed-model CVE feasibility. No detector should ship for these until public PoCs or advisories expose low-noise artifact-level invariants.
|
|
15
|
+
|
|
16
|
+
## Scanner Inventory And Gap Matrix
|
|
17
|
+
|
|
18
|
+
| Scanner | Formats | Current security/CVE coverage | Public CVE/known-vulnerability watchlist | Gap assessment |
|
|
19
|
+
| --------------------- | ------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|
|
20
|
+
| `pickle` | `.pkl`, `.pickle`, `.dill`, `.bin`, `.pt`, `.pth`, `.ckpt`, `.joblib` via scanner-only routing | Unsafe globals/opcodes, suspicious imports, package-manager gadgets, nested pickle handling, `CVE-2020-13092`, `CVE-2025-1716`, `CVE-2025-32434`, `CVE-2026-24747`, PyTorch RPC pattern references | Inherent RCE on untrusted pickle/joblib/cloudpickle/dill; picklescan bypasses `CVE-2025-1889`, `CVE-2025-1945`, `CVE-2025-10155`; analyzer bypasses in Fickling `CVE-2026-22606`, `CVE-2026-22607` | Mostly covered for model-file risk. Add regression fixtures for picklescan nonstandard extension and malformed ZIP bypass shapes if not already routed through core. Consider explicit runpy/cProfile payload tests. |
|
|
21
|
+
| `pytorch_zip` | `.pt`, `.pth`, `.ckpt`, `.pkl`, `.bin` | ZIP entry validation, symlinks, embedded pickle scan, PyTorch version metadata checks for `CVE-2025-32434`, `CVE-2026-24747`, `CVE-2022-45907`, `CVE-2024-5480`, `CVE-2024-48063`, tensor metadata validation for `CVE-2026-24747` | PyTorch `torch.load`/`torch.jit.load` untrusted RCE; picklescan bypass CVEs for hidden or misrouted pickle payloads | Strong. Add focused `CVE-2025-1889` / `CVE-2025-1945` archive-structure attribution if fixtures are not present. |
|
|
22
|
+
| `pytorch_binary` | `.bin` | Static suspicious binary/string checks and routed pickle fallback | PyTorch `.bin` may be pickle-disguised or tensor data; `CVE-2025-10155` covers PyTorch-extension bypass in picklescan | Covered if core format detection routes protocol 0/1 pickles in `.bin`; keep regression coverage. |
|
|
23
|
+
| `joblib` | `.joblib` | Decompression plus pickle scan; `CVE-2020-13092`, `CVE-2024-34997`; CVE attribution helpers | Inherent joblib pickle RCE; sklearn/joblib persistence warns against untrusted loads | Good. Keep doc/comment guards and benign sklearn fixtures to limit false positives. |
|
|
24
|
+
| `skops` | `.skops`, ZIP-routed | `CVE-2025-54412`, `CVE-2025-54413`, `CVE-2025-54886`, unsafe joblib fallback, path/traversal/bomb bounds | skops < 0.12.0 RCE through trusted-type and MethodNode issues; Card fallback to joblib | Covered for known skops CVEs. Future work: improve version extraction confidence if skops archive exposes reliable producer metadata. |
|
|
25
|
+
| `numpy` | `.npy`, `.npz` | Object dtype pickle recursion and `CVE-2019-6446` attribution; dtype/shape/size validation | `CVE-2019-6446` disputed but useful for object-array pickle RCE; `CVE-2021-33430` array construction DoS | RCE covered. DoS parser CVEs need artifact-level feasibility research before adding noisy checks. |
|
|
26
|
+
| `tf_savedmodel` | `.pb`, SavedModel directories | Suspicious TensorFlow ops/functions, external references, graph/protobuf checks, bounded parsing | TensorFlow security policy treats untrusted graphs as code; malformed graph CVEs include `CVE-2022-23590`, `CVE-2022-23591`, `CVE-2022-23594`; `saved_model_cli` code injection `CVE-2022-29216` | Generic unsafe-op coverage exists, but CVE-specific malformed-graph invariants are not attributed. Research whether these CVEs expose static proto patterns worth detecting. |
|
|
27
|
+
| `tf_metagraph` | `.meta` | Unsafe op patterns, `PyFunc`, dynamic-library/external path style checks | Same TensorFlow graph trust boundary and malformed graph CVEs | Same as SavedModel; add CVE-specific attribution only when low-noise proto signals exist. |
|
|
28
|
+
| `tflite` | `.tflite`, `.bin` | FlatBuffer traversal guardrails, subgraph/operator/tensor limits, custom operator warnings | TFLite parser/kernel CVEs including `CVE-2020-15211`, `CVE-2021-29601`, `CVE-2023-27579` | Good generic bounds. Gap: no CVE-specific malformed-model checks; research whether public PoCs map to static operator/tensor invariants. |
|
|
29
|
+
| `keras_zip` | `.keras`, ZIP-routed | Lambda/custom objects, dangerous module references, `CVE-2024-3660`, `CVE-2025-1550`, `CVE-2025-8747`, `CVE-2025-9906`, `CVE-2025-49655`, `CVE-2025-12058`, `CVE-2025-12060`, embedded HDF5 `CVE-2026-1669` | Keras safe_mode bypass family, `StringLookup` file/SSRF, `TorchModuleWrapper`, get_file gadget, get_file tar path traversal `CVE-2025-12060` | Covered for known Keras config CVEs with scoped false-positive guards. |
|
|
30
|
+
| `keras_h5` | `.h5`, `.hdf5`, `.keras` HDF5 | Lambda/custom-object checks, `CVE-2024-3660`, `CVE-2025-9905`, HDF5 external refs `CVE-2026-1669` | H5 safe_mode ignored RCE; HDF5 external file read | Covered. Watch Keras affected-version drift; current code uses ranges that may need periodic advisory refresh. |
|
|
31
|
+
| `onnx` | `.onnx` | Custom operator domains, integrity checks, external_data traversal `CVE-2022-25882`, nested bypass `CVE-2024-27318`, write traversal `CVE-2025-51480`, symlink traversal `CVE-2026-34447` | Helper/archive CVEs `CVE-2024-5187`; hub trust-warning bypass `CVE-2026-28500` | External-data path CVEs covered. Helper/hub CVEs are process-level unless model artifact encodes a dangerous URL/source. |
|
|
32
|
+
| `openvino` | `.xml` | Suspicious layers, Python/custom layers, external library/path references | OpenVINO model loading and plugin extensibility; Model Server DoS `CVE-2023-31203` | Generic coverage only. No low-noise model-file CVE gap identified. |
|
|
33
|
+
| `coreml` | `.mlmodel` | Custom layer/custom model blocks, custom parameters, linked-model path traversal/absolute path validation, bounded protobuf parsing | No public CoreML model-loader CVE found in this pass; inherent risk from custom layers and third-party packages | Good generic coverage. Add `.mlpackage` support if product scope expands beyond `.mlmodel`. |
|
|
34
|
+
| `executorch` | `.ptl`, `.pte` | Suspicious content and structural checks | ExecuTorch loader heap-buffer-overflow CVEs `CVE-2025-30402`, `CVE-2025-54949`, `CVE-2025-54951` | Research gap. Determine if public PoCs expose static `.pte` header/program-count/offset invariants. |
|
|
35
|
+
| `gguf` | `.gguf`, `.ggml`, `.ggmf`, `.ggjt`, `.ggla`, `.ggsa` | Header/metadata/tensor count, dimensions, offsets, type/size consistency, bounds, alignment | llama.cpp/GGUF parser CVEs `CVE-2024-23496`, `CVE-2025-49847`, `CVE-2025-53630`; GGUF overflow advisory `GHSA-vgg9-87g3-85w8` | Good generic bounds. Gap: map known llama.cpp CVEs/advisories to explicit malformed header/tensor metadata rules and tests. |
|
|
36
|
+
| `llamafile` | `.llamafile`, `.exe`, extensionless executable | Executable wrapper checks and embedded GGUF payload analysis | Inherits llama.cpp/GGUF parser risks; executable artifact by design | Same GGUF gap plus executable provenance/signature policy if desired. |
|
|
37
|
+
| `jinja2_template` | `.gguf`, `.json`, `.yaml`, `.yml`, `.jinja`, `.j2`, `.template` | SSTI patterns in templates and model metadata; `CVE-2024-34359` attribution | llama-cpp-python GGUF chat-template SSTI `CVE-2024-34359`; Jinja sandbox escapes such as `CVE-2019-10906`, `CVE-2025-27516` | Covers model-metadata SSTI class. Future rules should stay template-context specific to avoid flagging documentation. |
|
|
38
|
+
| `flax_msgpack` | `.msgpack`, `.flax`, `.orbax`, `.jax` | Msgpack structure/security object checks, metadata/reference indicators, bounds | No public Flax/JAX checkpoint CVE found in this pass; parser/DoS risk remains | Generic coverage appropriate. No CVE-specific gap identified. |
|
|
39
|
+
| `jax_checkpoint` | `.ckpt`, `.checkpoint`, `.orbax-checkpoint`, `.pickle` | Multiple serialization variants; pickle/global checks where relevant | JAX/Orbax checkpoints can wrap pickle or filesystem metadata; no public checkpoint CVE found | Good generic coverage. Ensure pickle-backed checkpoint routes inherit PickleScanner CVEs. |
|
|
40
|
+
| `r_serialized` | `.rds`, `.rda`, `.rdata` | Static string/payload indicators for unsafe R deserialization | R `readRDS` can recreate objects with executable hooks in some workflows; no specific model-artifact CVE found | Generic only. Consider targeted checks for path/network/system strings in serialized symbols, but avoid broad CVE claims. |
|
|
41
|
+
| `paddle` | `.pdmodel`, `.pdiparams` | Static embedded code/string patterns | Paddle security docs warn `paddle.load` uses pickle; framework RCE `CVE-2024-0917` | Gap: ensure `.pdiparams` pickle-like payloads route to pickle scanning where content permits; no `.pdmodel` CVE-specific rule identified. |
|
|
42
|
+
| `cntk` | `.dnn`, `.cmf` | Signature/string analysis for load-time execution indicators | No public CNTK model-file CVE found | Generic coverage only; acceptable unless new advisories appear. |
|
|
43
|
+
| `torch7` | `.t7`, `.th`, `.net` | Legacy Torch/Lua execution and dynamic loading indicators | Legacy Lua serialization can reference executable code; no public model-file CVE found | Generic coverage appropriate. |
|
|
44
|
+
| `tensorrt` | `.engine`, `.plan`, `.trt` | Suspicious strings, plugin entry point indicators | TensorRT plugins/custom ops are trust boundary; no public parser CVE found | Generic coverage only. Consider stronger plugin/library path attribution. |
|
|
45
|
+
| `rknn` | `.rknn` | Metadata references, command/network indicators, bounded parsing | RKNN custom op/converter risk; no public model-parser CVE found | Generic coverage only. |
|
|
46
|
+
| `mxnet` | `*-symbol.json`, `*.params` | Custom/external operator references, embedded payloads, params integrity, `CVE-2022-24294` operator-name ReDoS detection | `CVE-2022-24294` regex DoS from crafted operator names | Covered with a pathological-shape rule and benign long-name guard. |
|
|
47
|
+
| `lightgbm` | `.model`, `.txt`, `.lgb`, `.lightgbm` | Command/network/path/encoded payload indicators, native text/binary validation | `CVE-2024-43598` heap buffer overflow with sparse public details | Research-only gap until exploit preconditions are concrete. Avoid broad "long line" rule without PoC-derived invariant. |
|
|
48
|
+
| `xgboost` | `.bst`, `.model`, `.json`, `.ubj` | Format/config anomaly checks, suspicious references | No core XGBoost model-load CVE found; adjacent H2O XGBoost asset extraction CVEs are not core format | Generic coverage adequate. |
|
|
49
|
+
| `catboost` | `.cbm` | Native metadata parsing, suspicious markers, bounds | No public `.cbm` parser CVE found; package install-time archive CVEs are adjacent | Generic coverage adequate. |
|
|
50
|
+
| `pmml` | `.pmml` | XML security checks and suspicious content | PMML/XML XXE/SSRF/DoS class; no PMML-specific CVE found | Ensure XXE/entity expansion stays disabled and tested. No CVE-specific gap. |
|
|
51
|
+
| `nemo` | `.nemo` | Tar/config analysis, archive traversal checks for `CVE-2025-23250` and `CVE-2025-23360`, checkpoint unsafe deserialization attribution for `CVE-2025-23249`, Hydra `_target_` injection `CVE-2025-23304`, dangerous/suspicious callable checks | Additional NVIDIA NeMo advisories include newer checkpoint-loading fixes such as `CVE-2025-33253` and `CVE-2026-24157` | Covered for static archive-member traversal and malicious checkpoint payload signals. Keep watch for additional NeMo checkpoint CVEs that expose more precise non-pickle invariants. |
|
|
52
|
+
| `torchserve_mar` | `.mar` | Entry count/size/ratio limits, path traversal with `CVE-2023-48299` attribution, symlink checks, handler static analysis, requirements/external reference checks, nested scan | TorchServe `CVE-2023-48299` ZipSlip, `CVE-2023-43654` SSRF/model registration file write, `CVE-2024-35198` allowed_urls bypass, `CVE-2024-35199` exposed gRPC defaults | MAR ZipSlip covered. SSRF/default-port CVEs are deployment-level unless MAR manifests encode risky download URLs or config. |
|
|
53
|
+
| `zip` | `.zip`, `.npz`, `.mar` | Recursive scan, traversal, symlink, compression ratio, nested dispatch, MAR Python fallback | Zip Slip, symlink traversal, ZIP bomb CVEs across archive libraries | Generic coverage good. For `.mar`, delegate CVE attribution to TorchServe-specific scanner. |
|
|
54
|
+
| `tar` | `.tar`, `.tar.gz`, `.tgz`, `.tar.bz2`, `.tbz2`, `.tar.xz`, `.txz` | Recursive scan, path traversal, symlink/hardlink safety, depth/size controls | Tar traversal/symlink CVEs including Python tarfile class issues | Generic coverage good. Consider CVE-specific tags only in product-specific contexts like NeMo/TorchServe/Keras `get_file`. |
|
|
55
|
+
| `sevenzip` | `.7z` | Recursive nested scan, entry/size/depth controls | 7-Zip traversal/extraction CVEs in loader libraries | Generic coverage good. CVE-specific claims likely belong to extractors, not model artifacts. |
|
|
56
|
+
| `compressed` | `.gz`, `.bz2`, `.xz`, `.lz4`, `.zlib` | Safe bounded decompression, ratio/depth controls, inner scanner routing | Decompression bombs and parser DoS | Generic coverage good. |
|
|
57
|
+
| `oci_layer` | `.manifest` | Manifest parsing, layer path traversal validation, embedded layer/model scanning | OCI artifact annotation/path traversal issues such as Docker Compose `CVE-2025-62725`; secret leakage via image/config metadata | Generic path/embedded scan coverage exists. Gap: add annotation/env/secret-specific checks if OCI artifacts are common input. |
|
|
58
|
+
| `manifest` | `.json`, `.yaml`, `.yml`, `.xml`, `.toml`, `.ini`, `.cfg`, `.config`, `.manifest`, `.model`, `.metadata`, known filenames | Blacklisted names/terms, suspicious URLs, weak hashes, model config metadata | Manifest injection, external URLs, poisoned metadata, dependency pinning issues | Generic coverage appropriate. No CVE-specific gap except where specific ecosystem scanners can claim context. |
|
|
59
|
+
| `metadata` | docs/model cards | Suspicious URLs/secrets/token-like content in docs | Metadata leakage and staged-download indicators | Generic coverage appropriate. |
|
|
60
|
+
| `text` | `.txt`, `.md`, `.markdown`, `.rst` | Low-signal text sanity and ML-related text scan | Same as metadata | Generic coverage appropriate. |
|
|
61
|
+
| `safetensors` | `.safetensors` | Header size, JSON metadata, tensor offsets/bounds/overlap, path traversal-like metadata | No public safetensors core CVE found; oversized metadata/header DoS PoCs exist | Good generic bounds. Add regression corpus for oversized metadata and malformed offset overlap. |
|
|
62
|
+
| `weight_distribution` | `.pt`, `.pth`, `.h5`, `.keras`, `.hdf5`, `.pb`, `.onnx` | Statistical anomaly/backdoor-like weight distribution checks | No CVE class; maps to model backdoor/trojan detection | Not a CVE scanner. Gap analysis should track model-integrity attacks separately from CVEs. |
|
|
63
|
+
|
|
64
|
+
## Implemented CVE Coverage
|
|
65
|
+
|
|
66
|
+
The codebase currently contains specific coverage or explanation/test references for:
|
|
67
|
+
|
|
68
|
+
- Pickle/joblib/PyTorch family: `CVE-2020-13092`, `CVE-2024-34997`, `CVE-2025-1716`, `CVE-2025-32434`, `CVE-2026-24747`, `CVE-2022-45907`, `CVE-2024-5480`, `CVE-2024-48063`, `CVE-2025-10155`.
|
|
69
|
+
- Keras: `CVE-2024-3660`, `CVE-2025-1550`, `CVE-2025-8747`, `CVE-2025-9905`, `CVE-2025-9906`, `CVE-2025-49655`, `CVE-2025-12058`, `CVE-2025-12060`, `CVE-2026-1669`.
|
|
70
|
+
- ONNX: `CVE-2022-25882`, `CVE-2024-27318`, `CVE-2025-51480`, `CVE-2026-34447`.
|
|
71
|
+
- MXNet: `CVE-2022-24294`.
|
|
72
|
+
- TorchServe MAR: `CVE-2023-48299`.
|
|
73
|
+
- NumPy: `CVE-2019-6446`.
|
|
74
|
+
- NeMo: `CVE-2025-23249`, `CVE-2025-23250`, `CVE-2025-23304`, `CVE-2025-23360`.
|
|
75
|
+
- Jinja/GGUF metadata: `CVE-2024-34359`.
|
|
76
|
+
- skops: `CVE-2025-54412`, `CVE-2025-54413`, `CVE-2025-54886`.
|
|
77
|
+
|
|
78
|
+
## Prioritized Backlog
|
|
79
|
+
|
|
80
|
+
Implemented in the follow-up pass:
|
|
81
|
+
|
|
82
|
+
- ONNX `CVE-2026-34447` symlink external-data traversal detection.
|
|
83
|
+
- Signal: external_data location resolves inside model dir but the target path is a symlink whose real path escapes the model directory.
|
|
84
|
+
- Test: malicious symlink fixture plus normal external data file negative.
|
|
85
|
+
|
|
86
|
+
- TorchServe MAR ZipSlip attribution as `CVE-2023-48299`.
|
|
87
|
+
- Signal: existing MAR path traversal or absolute critical path member finding.
|
|
88
|
+
- Test: traversal member gets CVE details; harmless nested path stays clean.
|
|
89
|
+
|
|
90
|
+
- MXNet `CVE-2022-24294` ReDoS operator-name rule.
|
|
91
|
+
- Signal: PoC-derived pathological operator name shape, not generic long names.
|
|
92
|
+
- Test: crafted symbol JSON positive and benign long/simple name negative.
|
|
93
|
+
|
|
94
|
+
- Keras `CVE-2025-12060` attribution for `get_file(extract=True)` archive extraction.
|
|
95
|
+
- Signal: executable Keras config references `keras.utils.get_file` with remote tar/archive URL plus `extract=True`.
|
|
96
|
+
- Test: direct and kwargs positives; extract-disabled, non-archive URL, and metadata-only negatives.
|
|
97
|
+
|
|
98
|
+
- NeMo archive and checkpoint CVE coverage.
|
|
99
|
+
- Signal: unsafe tar member paths/links and nested checkpoint payloads that existing pickle/PyTorch scanners classify as critical.
|
|
100
|
+
- Test: relative/absolute/symlink traversal positives, normalized safe path negative, malicious checkpoint positive, benign checkpoint negative.
|
|
101
|
+
|
|
102
|
+
Remaining research backlog:
|
|
103
|
+
|
|
104
|
+
1. Research LightGBM `CVE-2024-43598` static feasibility.
|
|
105
|
+
- Ship no detector until the exploit maps to a model-text/binary invariant.
|
|
106
|
+
|
|
107
|
+
2. Map GGUF/llama.cpp parser advisories to concrete metadata rules.
|
|
108
|
+
- Candidate signals: overflow-prone tensor offset/size/alignment combinations, invalid type/count fields, wrapped cumulative tensor sizes.
|
|
109
|
+
- Avoid general "corrupt GGUF" CVE claims.
|
|
110
|
+
|
|
111
|
+
3. Research ExecuTorch loader CVEs against `.pte` structure.
|
|
112
|
+
- Candidate signals: table counts, offsets, op/program sizes, or alignment values linked to public PoCs.
|
|
113
|
+
|
|
114
|
+
4. TensorFlow/TFLite malformed-model CVE feasibility research.
|
|
115
|
+
- Existing bounds/custom-op checks are valuable; CVE-specific rules need PoC-derived invariants.
|
|
116
|
+
|
|
117
|
+
## External Research Source Index
|
|
118
|
+
|
|
119
|
+
The research pass reviewed public advisory records and vendor/project security notes from these source families. URLs are intentionally omitted here so documentation CI does not depend on third-party advisory-site availability.
|
|
120
|
+
|
|
121
|
+
- Wiz vulnerability database entries for PyTorch `CVE-2025-32434` and MXNet `CVE-2022-24294`.
|
|
122
|
+
- Debian Security Tracker entry for NumPy `CVE-2019-6446`.
|
|
123
|
+
- NVD records for picklescan `CVE-2025-1889` and Keras `CVE-2025-12060`.
|
|
124
|
+
- INCIBE vulnerability records for picklescan `CVE-2025-10155` and skops `CVE-2025-54413`.
|
|
125
|
+
- GitHub advisory entry for Keras H5 `CVE-2025-9905`.
|
|
126
|
+
- Public Keras HDF5 external-reference writeup for `CVE-2026-1669`.
|
|
127
|
+
- Red Hat Bugzilla entry for ONNX `CVE-2026-34447`.
|
|
128
|
+
- NVIDIA NeMo March and April 2025 security bulletins for `CVE-2025-23360`, `CVE-2025-23249`, `CVE-2025-23250`, and `CVE-2025-23251`.
|
|
129
|
+
- Securitm vulnerability entry for Jinja/GGUF `CVE-2024-34359`.
|
|
130
|
+
- TensorFlow, TorchServe, and OpenVINO project security-policy documentation.
|
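Review bot: the External Research Source Index and the Implemented CVE Coverage list do not agree on which CVE identifiers were reviewed versus actually implemented, so a reader cannot tell which advisories map to shipped rules. The source index cites picklescan `CVE-2025-1889` and NeMo `CVE-2025-23251`, neither of which appears under Implemented CVE Coverage, while the coverage list names NeMo `CVE-2025-23304`, which has no entry in the source index. Suggest either adding the missing identifiers to the matching list or stating in the source index which reviewed CVEs were deliberately left without a detector, the way the Remaining research backlog already does for LightGBM `CVE-2024-43598`.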