Hugging Face's logo

Spaces:
GenAISecurityProject
/
OWASP-AIBOM-Generator
Running

App Files
OWASP-AIBOM-Generator / src /aibom-generator /generator.py
ryanoakley's picture
ryanoakley
Update src/aibom-generator/generator.py
79da033 verified
raw
history blame
25.1 kB
 import json
import uuid
import datetime
from typing import Dict, Optional, Any, List
from huggingface_hub import HfApi, ModelCard
from urllib.parse import urlparse
from .utils import calculate_completeness_score
class AIBOMGenerator:
def __init__(
self,
hf_token: Optional[str] = None,
inference_model_url: Optional[str] = None,
use_inference: bool = True,
cache_dir: Optional[str] = None,
use_best_practices: bool = True, # Added parameter for industry-neutral scoring
):
self.hf_api = HfApi(token=hf_token)
self.inference_model_url = inference_model_url
self.use_inference = use_inference
self.cache_dir = cache_dir
self.enhancement_report = None # Store enhancement report as instance variable
self.use_best_practices = use_best_practices # Store best practices flag
def generate_aibom(
self,
model_id: str,
output_file: Optional[str] = None,
include_inference: Optional[bool] = None,
use_best_practices: Optional[bool] = None, # Added parameter for industry-neutral scoring
) -> Dict[str, Any]:
try:
model_id = self._normalise_model_id(model_id)
use_inference = include_inference if include_inference is not None else self.use_inference
# Use method parameter if provided, otherwise use instance variable
use_best_practices = use_best_practices if use_best_practices is not None else self.use_best_practices
model_info = self._fetch_model_info(model_id)
model_card = self._fetch_model_card(model_id)
# Store original metadata before any AI enhancement
original_metadata = self._extract_structured_metadata(model_id, model_info, model_card)
# Create initial AIBOM with original metadata
original_aibom = self._create_aibom_structure(model_id, original_metadata)
# Calculate initial score with industry-neutral approach if enabled
original_score = calculate_completeness_score(original_aibom, validate=True, use_best_practices=use_best_practices)
# Final metadata starts with original metadata
final_metadata = original_metadata.copy() if original_metadata else {}
# Apply AI enhancement if requested
ai_enhanced = False
ai_model_name = None
if use_inference and self.inference_model_url:
try:
# Extract additional metadata using AI
enhanced_metadata = self._extract_unstructured_metadata(model_card, model_id)
# If we got enhanced metadata, merge it with original
if enhanced_metadata:
ai_enhanced = True
ai_model_name = "BERT-base-uncased" # Will be replaced with actual model name
# Merge enhanced metadata with original (enhanced takes precedence)
for key, value in enhanced_metadata.items():
if value is not None and (key not in final_metadata or not final_metadata[key]):
final_metadata[key] = value
except Exception as e:
print(f"Error during AI enhancement: {e}")
# Continue with original metadata if enhancement fails
# Create final AIBOM with potentially enhanced metadata
aibom = self._create_aibom_structure(model_id, final_metadata)
# Calculate final score with industry-neutral approach if enabled
final_score = calculate_completeness_score(aibom, validate=True, use_best_practices=use_best_practices)
if output_file:
with open(output_file, 'w') as f:
json.dump(aibom, f, indent=2)
# Create enhancement report for UI display and store as instance variable
self.enhancement_report = {
"ai_enhanced": ai_enhanced,
"ai_model": ai_model_name if ai_enhanced else None,
"original_score": original_score,
"final_score": final_score,
"improvement": round(final_score["total_score"] - original_score["total_score"], 2) if ai_enhanced else 0
}
# Return only the AIBOM to maintain compatibility with existing code
return aibom
except Exception as e:
print(f"Error generating AIBOM: {e}")
# Return a minimal valid AIBOM structure in case of error
return self._create_minimal_aibom(model_id)
def _create_minimal_aibom(self, model_id: str) -> Dict[str, Any]:
"""Create a minimal valid AIBOM structure in case of errors"""
return {
"bomFormat": "CycloneDX",
"specVersion": "1.6",
"serialNumber": f"urn:uuid:{str(uuid.uuid4())}",
"version": 1,
"metadata": {
"timestamp": datetime.datetime.utcnow().isoformat() + "Z",
"tools": {
"components": [{
"bom-ref": "pkg:generic/aetheris-ai/aetheris-aibom-generator@1.0.0",
"type": "application",
"name": "aetheris-aibom-generator",
"version": "1.0.0",
"manufacturer": {
"name": "Aetheris AI"
}
}]
},
"component": {
"bom-ref": f"pkg:generic/{model_id.replace('/', '%2F')}@1.0",
"type": "application",
"name": model_id.split("/")[-1],
"description": f"AI model {model_id}",
"version": "1.0",
"purl": f"pkg:generic/{model_id.replace('/', '%2F')}@1.0",
"copyright": "NOASSERTION"
}
},
"components": [{
"bom-ref": f"pkg:huggingface/{model_id.replace('/', '/')}@1.0",
"type": "machine-learning-model",
"name": model_id.split("/")[-1],
"version": "1.0",
"purl": f"pkg:huggingface/{model_id.replace('/', '/')}@1.0"
}],
"dependencies": [{
"ref": f"pkg:generic/{model_id.replace('/', '%2F')}@1.0",
"dependsOn": [f"pkg:huggingface/{model_id.replace('/', '/')}@1.0"]
}]
}
def get_enhancement_report(self):
"""Return the enhancement report from the last generate_aibom call"""
return self.enhancement_report
def _fetch_model_info(self, model_id: str) -> Dict[str, Any]:
try:
return self.hf_api.model_info(model_id)
except Exception as e:
print(f"Error fetching model info for {model_id}: {e}")
return {}
# ---- new helper ---------------------------------------------------------
@staticmethod
def _normalise_model_id(raw_id: str) -> str:
"""
Accept either 'owner/model' or a full URL like
'https://huggingface.co/owner/model'. Return 'owner/model'.
"""
if raw_id.startswith(("http://", "https://")):
path = urlparse(raw_id).path.lstrip("/")
# path can contain extra segments (e.g. /commit/...), keep first two
parts = path.split("/")
if len(parts) >= 2:
return "/".join(parts[:2])
return path
return raw_id
# -------------------------------------------------------------------------
def _fetch_model_card(self, model_id: str) -> Optional[ModelCard]:
try:
return ModelCard.load(model_id)
except Exception as e:
print(f"Error fetching model card for {model_id}: {e}")
return None
def _create_aibom_structure(
self,
model_id: str,
metadata: Dict[str, Any],
) -> Dict[str, Any]:
# Extract owner and model name from model_id
parts = model_id.split("/")
group = parts[0] if len(parts) > 1 else ""
name = parts[1] if len(parts) > 1 else parts[0]
# Get version from metadata or use default
version = metadata.get("commit", "1.0")
aibom = {
"bomFormat": "CycloneDX",
"specVersion": "1.6",
"serialNumber": f"urn:uuid:{str(uuid.uuid4())}",
"version": 1,
"metadata": self._create_metadata_section(model_id, metadata),
"components": [self._create_component_section(model_id, metadata)],
"dependencies": [
{
"ref": f"pkg:generic/{model_id.replace('/', '%2F')}@{version}",
"dependsOn": [f"pkg:huggingface/{model_id.replace('/', '/')}@{version}"]
}
]
}
# ALWAYS add root-level external references
aibom["externalReferences"] = [{
"type": "distribution",
"url": f"https://huggingface.co/{model_id}"
}]
if metadata and "commit_url" in metadata:
aibom["externalReferences"].append({
"type": "vcs",
"url": metadata["commit_url"]
} )
return aibom
def _extract_structured_metadata(
self,
model_id: str,
model_info: Dict[str, Any],
model_card: Optional[ModelCard],
) -> Dict[str, Any]:
metadata = {}
if model_info:
try:
author = getattr(model_info, "author", None)
if not author or author.strip() == "":
parts = model_id.split("/")
author = parts[0] if len(parts) > 1 else "unknown"
print(f"DEBUG: Fallback author used: {author}")
else:
print(f"DEBUG: Author from model_info: {author}")
metadata.update({
"name": getattr(model_info, "modelId", model_id).split("/")[-1],
"author": author,
"tags": getattr(model_info, "tags", []),
"pipeline_tag": getattr(model_info, "pipeline_tag", None),
"downloads": getattr(model_info, "downloads", 0),
"last_modified": getattr(model_info, "lastModified", None),
"commit": getattr(model_info, "sha", None)[:7] if getattr(model_info, "sha", None) else None,
"commit_url": f"https://huggingface.co/{model_id}/commit/{model_info.sha}" if getattr(model_info, "sha", None) else None,
})
except Exception as e:
print(f"Error extracting model info metadata: {e}")
if model_card and hasattr(model_card, "data") and model_card.data:
try:
card_data = model_card.data.to_dict() if hasattr(model_card.data, "to_dict") else {}
metadata.update({
"language": card_data.get("language"),
"license": card_data.get("license"),
"library_name": card_data.get("library_name"),
"base_model": card_data.get("base_model"),
"datasets": card_data.get("datasets"),
"model_name": card_data.get("model_name"),
"tags": card_data.get("tags", metadata.get("tags", [])),
"description": card_data.get("model_summary", None)
})
if hasattr(model_card.data, "eval_results") and model_card.data.eval_results:
metadata["eval_results"] = model_card.data.eval_results
except Exception as e:
print(f"Error extracting model card metadata: {e}")
metadata["ai:type"] = "Transformer"
metadata["ai:task"] = metadata.get("pipeline_tag", "Text Generation")
metadata["ai:framework"] = "PyTorch" if "transformers" in metadata.get("library_name", "") else "Unknown"
metadata["primaryPurpose"] = metadata.get("ai:task", "text-generation")
# Use model owner as fallback for suppliedBy if no author
if not metadata.get("author"):
parts = model_id.split("/")
metadata["author"] = parts[0] if len(parts) > 1 else "unknown"
metadata["suppliedBy"] = metadata.get("author", "unknown")
metadata["typeOfModel"] = metadata.get("ai:type", "Transformer")
print(f"DEBUG: Final metadata['author'] = {metadata.get('author')}")
print(f"DEBUG: Adding primaryPurpose = {metadata.get('ai:task', 'Text Generation')}")
print(f"DEBUG: Adding suppliedBy = {metadata.get('suppliedBy')}")
return {k: v for k, v in metadata.items() if v is not None}
def _extract_unstructured_metadata(self, model_card: Optional[ModelCard], model_id: str) -> Dict[str, Any]:
"""
Placeholder for future AI enhancement.
Currently returns empty dict since AI enhancement is not implemented.
"""
return {}
def _create_metadata_section(self, model_id: str, metadata: Dict[str, Any]) -> Dict[str, Any]:
timestamp = datetime.datetime.utcnow().isoformat() + "Z"
# Get version from metadata or use default
version = metadata.get("commit", "1.0")
# Create tools section with components array
tools = {
"components": [{
"bom-ref": "pkg:generic/aetheris-ai/aetheris-aibom-generator@1.0.0",
"type": "application",
"name": "aetheris-aibom-generator",
"version": "1.0",
"manufacturer": {
"name": "Aetheris AI"
}
}]
}
# Create authors array
authors = []
if "author" in metadata and metadata["author"]:
authors.append({
"name": metadata["author"]
})
# Create component section for metadata
component = {
"bom-ref": f"pkg:generic/{model_id.replace('/', '%2F')}@{version}",
"type": "application",
"name": metadata.get("name", model_id.split("/")[-1]),
"description": metadata.get("description", f"AI model {model_id}"),
"version": version,
"purl": f"pkg:generic/{model_id.replace('/', '%2F')}@{version}"
}
# Add authors to component if available
if authors:
component["authors"] = authors
# Add publisher and supplier if author is available
if "author" in metadata and metadata["author"]:
component["publisher"] = metadata["author"]
component["supplier"] = {
"name": metadata["author"]
}
component["manufacturer"] = {
"name": metadata["author"]
}
# Add copyright
component["copyright"] = "NOASSERTION"
# Create properties array for additional metadata (ALWAYS include critical fields)
properties = []
# ALWAYS add critical fields for scoring
critical_fields = {
"primaryPurpose": metadata.get("primaryPurpose", metadata.get("ai:task", "text-generation")),
"suppliedBy": metadata.get("suppliedBy", metadata.get("author", "unknown")),
"typeOfModel": metadata.get("ai:type", "transformer")
}
# Add critical fields first
for key, value in critical_fields.items():
if value and value != "unknown":
properties.append({"name": key, "value": str(value)})
# Add other metadata fields (excluding basic component fields)
excluded_fields = ["name", "author", "license", "description", "commit", "primaryPurpose", "suppliedBy", "typeOfModel"]
for key, value in metadata.items():
if key not in excluded_fields and value is not None:
if isinstance(value, (list, dict)):
if not isinstance(value, str):
value = json.dumps(value)
properties.append({"name": key, "value": str(value)})
# Assemble metadata section
metadata_section = {
"timestamp": timestamp,
"tools": tools,
"component": component,
"properties": properties # ALWAYS include properties
}
return metadata_section
def _create_component_section(self, model_id: str, metadata: Dict[str, Any]) -> Dict[str, Any]:
# Extract owner and model name from model_id
parts = model_id.split("/")
group = parts[0] if len(parts) > 1 else ""
name = parts[1] if len(parts) > 1 else parts[0]
# Get version from metadata or use default
version = metadata.get("commit", "1.0")
# Create PURL with version information if commit is available
purl = f"pkg:huggingface/{model_id.replace('/', '/')}"
if "commit" in metadata:
purl = f"{purl}@{metadata['commit']}"
else:
purl = f"{purl}@{version}"
component = {
"bom-ref": f"pkg:huggingface/{model_id.replace('/', '/')}@{version}",
"type": "machine-learning-model",
"group": group,
"name": name,
"version": version,
"purl": purl
}
# ALWAYS add licenses (use default if not available)
if metadata and "license" in metadata and metadata["license"]:
component["licenses"] = [{
"license": {
"id": metadata["license"],
"url": self._get_license_url(metadata["license"])
}
}]
else:
# Add default license structure for consistency
component["licenses"] = [{
"license": {
"id": "unknown",
"url": "https://spdx.org/licenses/"
}
}]
# Debug
print(f"DEBUG: License in metadata: {'license' in metadata}" )
if "license" in metadata:
print(f"DEBUG: Adding licenses = {metadata['license']}")
# ALWAYS add description
component["description"] = metadata.get("description", f"AI model {model_id}")
# Add external references
external_refs = [{
"type": "website",
"url": f"https://huggingface.co/{model_id}"
}]
if "commit_url" in metadata:
external_refs.append({
"type": "vcs",
"url": metadata["commit_url"]
})
component["externalReferences"] = external_refs
# ALWAYS add author information (use model owner if not available )
author_name = metadata.get("author", group if group else "unknown")
if author_name and author_name != "unknown":
component["authors"] = [{"name": author_name}]
component["publisher"] = author_name
component["supplier"] = {
"name": author_name,
"url": [f"https://huggingface.co/{author_name}"]
}
component["manufacturer"] = {
"name": author_name,
"url": [f"https://huggingface.co/{author_name}"]
}
# Add copyright
component["copyright"] = "NOASSERTION"
# Add model card section
component["modelCard"] = self._create_model_card_section(metadata)
return component
def _create_model_card_section(self, metadata: Dict[str, Any]) -> Dict[str, Any]:
model_card_section = {}
# Add quantitative analysis section
if "eval_results" in metadata:
model_card_section["quantitativeAnalysis"] = {
"performanceMetrics": metadata["eval_results"],
"graphics": {} # Empty graphics object as in the example
}
else:
model_card_section["quantitativeAnalysis"] = {"graphics": {}}
# Add properties section
properties = []
for key, value in metadata.items():
if key in ["author", "library_name", "license", "downloads", "likes", "tags", "created_at", "last_modified"]:
properties.append({"name": key, "value": str(value)})
if properties:
model_card_section["properties"] = properties
# Create model parameters section
model_parameters = {}
# Add outputs array
model_parameters["outputs"] = [{"format": "generated-text"}]
# Add task
model_parameters["task"] = metadata.get("pipeline_tag", "text-generation")
# Add architecture information
model_parameters["architectureFamily"] = "llama" if "llama" in metadata.get("name", "").lower() else "transformer"
model_parameters["modelArchitecture"] = f"{metadata.get('name', 'Unknown')}ForCausalLM"
# Add datasets array with proper structure
if "datasets" in metadata:
datasets = []
if isinstance(metadata["datasets"], list):
for dataset in metadata["datasets"]:
if isinstance(dataset, str):
datasets.append({
"type": "dataset",
"name": dataset,
"description": f"Dataset used for training {metadata.get('name', 'the model')}"
})
elif isinstance(dataset, dict) and "name" in dataset:
# Ensure dataset has the required structure
dataset_entry = {
"type": dataset.get("type", "dataset"),
"name": dataset["name"],
"description": dataset.get("description", f"Dataset: {dataset['name']}")
}
datasets.append(dataset_entry)
elif isinstance(metadata["datasets"], str):
datasets.append({
"type": "dataset",
"name": metadata["datasets"],
"description": f"Dataset used for training {metadata.get('name', 'the model')}"
})
if datasets:
model_parameters["datasets"] = datasets
# Add inputs array
model_parameters["inputs"] = [{"format": "text"}]
# Add model parameters to model card section
model_card_section["modelParameters"] = model_parameters
# Add considerations section
considerations = {}
for k in ["limitations", "ethical_considerations", "bias", "risks"]:
if k in metadata:
considerations[k] = metadata[k]
if considerations:
model_card_section["considerations"] = considerations
return model_card_section
def _get_license_url(self, license_id: str) -> str:
"""Get the URL for a license based on its SPDX ID."""
license_urls = {
"apache-2.0": "https://www.apache.org/licenses/LICENSE-2.0",
"mit": "https://opensource.org/licenses/MIT",
"bsd-3-clause": "https://opensource.org/licenses/BSD-3-Clause",
"gpl-3.0": "https://www.gnu.org/licenses/gpl-3.0.en.html",
"cc-by-4.0": "https://creativecommons.org/licenses/by/4.0/",
"cc-by-sa-4.0": "https://creativecommons.org/licenses/by-sa/4.0/",
"cc-by-nc-4.0": "https://creativecommons.org/licenses/by-nc/4.0/",
"cc-by-nd-4.0": "https://creativecommons.org/licenses/by-nd/4.0/",
"cc-by-nc-sa-4.0": "https://creativecommons.org/licenses/by-nc-sa/4.0/",
"cc-by-nc-nd-4.0": "https://creativecommons.org/licenses/by-nc-nd/4.0/",
"lgpl-3.0": "https://www.gnu.org/licenses/lgpl-3.0.en.html",
"mpl-2.0": "https://www.mozilla.org/en-US/MPL/2.0/",
}
return license_urls.get(license_id.lower(), "https://spdx.org/licenses/" )
def _fetch_with_retry(self, fetch_func, *args, max_retries=3, **kwargs):
"""Fetch data with retry logic for network failures."""
for attempt in range(max_retries):
try:
return fetch_func(*args, **kwargs)
except Exception as e:
if attempt == max_retries - 1:
logger.warning(f"Failed to fetch after {max_retries} attempts: {e}")
return None
time.sleep(1 * (attempt + 1)) # Exponential backoff
return None