Problem
AIBOMs generated for Hugging Face models are intended to be compatible with CycloneDX v1.6 format, but the quality of the output data needs improvement. Specifically, it is essential to:
- Ensure every AIBOM includes the required CycloneDX fields and matches the specification (e.g., bomFormat, metadata, components, dependencies, etc.).
- Guarantee that the component type is set to machine-learning-model.
- Improve the completeness and accuracy of the model metadata, including author, license, description, download location, and references.
- Validate that all required fields are present and correctly formatted.
Evidence from Code
The generator does set type: 'machine-learning-model' on metadata.component, but the rest of the object shows why the output falls short of the spec: there is no specVersion, which the CycloneDX 1.6 JSON schema requires alongside bomFormat; components and dependencies are always emitted as empty arrays; license, supplier and download location are stuffed into free-form metadata.properties instead of the component's own licenses, supplier and externalReferences fields; and when the source data has no value, primaryPurpose and licenses fall back to the invented defaults 'text-to-speech' and 'unknown', so the BOM asserts facts nobody supplied.
src/aibom/generator.ts
export class AIBOMGenerator {
  generateAIBOM(modelData: any) {
    const aibom = {
      bomFormat: 'CycloneDX',
      components: [],
      dependencies: [],
      externalReferences: [],
      metadata: {
        component: {
          name: modelData.name,
          version: modelData.version,
          type: 'machine-learning-model',
          description: modelData.description || 'No description available',
          copyright: modelData.copyright || 'NOASSERTION',
          'bom-ref': `pkg:huggingface/${modelData.author}/${modelData.name}@${modelData.version}`,
        },
        properties: [
          { name: 'primaryPurpose', value: modelData.primaryPurpose || 'text-to-speech' },
          { name: 'suppliedBy', value: modelData.author },
          { name: 'licenses', value: modelData.license || 'unknown' },
          { name: 'downloadLocation', value: modelData.downloadUrl },
        ],
      },
    };
    return aibom;
  }
}
Type definitions for AIBOMs:
src/types/index.ts
export interface AIBOM {
  bomFormat: string;
  components: Array<...>;
  dependencies?: Array<...>;
  metadata: {
    component: {
      name: string;
      version: string;
      type: string;
    };
    properties: Array<{ name: string; value: string }>;
  };
  ...
}
Suggested Improvements
- Validation: Validate generated AIBOMs against the CycloneDX v1.6 JSON schema (bomFormat and specVersion are required; type must be one of the schema's component types; bom-ref values must be unique), and report every missing or mistyped field rather than failing on the first.
- Completeness: Collect more model metadata (license, author, description, download URL, references, inputs/outputs, etc.) and map it to the fields CycloneDX defines for it: component.licenses, component.supplier, component.externalReferences (type distribution for the download location) and component.modelCard (modelParameters for task, inputs and outputs), rather than free-form metadata.properties. Where the source has no value, omit the field instead of emitting a placeholder such as 'unknown' or 'text-to-speech'.
- Component type: Confirm that type: 'machine-learning-model' is always set for the primary model component.
- Testing: Add tests to compare generated AIBOMs to CycloneDX samples and schemas, checking for missing or malformed fields.
- Documentation: Update documentation to clarify how fields are mapped, and provide examples of compliant AIBOMs.
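As an added example (not the project's own code), the following TypeScript sketches the shape the improvements above ask for and a validator that reports the gaps in the current output. Field names follow the CycloneDX 1.6 JSON schema; the HfModelData input type, the purl layout pkg:huggingface/<author>/<name>@<revision>, and the sample model record are assumptions made for the example.

```typescript
// Added example for this issue, not the project's code. Field names follow the
// CycloneDX 1.6 JSON schema; HfModelData and the purl layout are assumptions.

interface HfModelData {
  author: string;
  name: string;
  version: string;          // Hub revision (commit SHA or tag), assumed
  description?: string;
  license?: string;         // license tag from the model card, if any
  downloadUrl?: string;
  primaryPurpose?: string;  // e.g. "text-generation"; unknown stays unknown
}

interface CdxComponent {
  type: string;
  'bom-ref': string;
  name: string;
  version: string;
  purl?: string;
  description?: string;
  supplier?: { name: string };
  licenses?: Array<{ license: { id?: string; name?: string } }>;
  externalReferences?: Array<{ type: string; url: string }>;
  modelCard?: { modelParameters: { task?: string } };
}

interface CdxBom {
  bomFormat: 'CycloneDX';
  specVersion: string;      // required by the 1.6 schema alongside bomFormat
  version: number;
  metadata: { component: CdxComponent };
  components: CdxComponent[];
  dependencies: Array<{ ref: string; dependsOn: string[] }>;
}

export function generateAibom(m: HfModelData): CdxBom {
  const ref = `pkg:huggingface/${m.author}/${m.name}@${m.version}`;
  const component: CdxComponent = {
    type: 'machine-learning-model',
    'bom-ref': ref,
    name: m.name,
    version: m.version,
    purl: ref,
    supplier: { name: m.author },
  };
  // Only assert what the source provided: a fabricated default such as license
  // "unknown" or purpose "text-to-speech" is worse than an absent field, because
  // consumers treat BOM fields as claims about the artifact.
  if (m.description) component.description = m.description;
  // Hub license tags are not always exact SPDX ids, so emit `name`; switch to
  // `id` once the tag has been mapped to an SPDX identifier.
  if (m.license) component.licenses = [{ license: { name: m.license } }];
  if (m.downloadUrl) component.externalReferences = [{ type: 'distribution', url: m.downloadUrl }];
  if (m.primaryPurpose) component.modelCard = { modelParameters: { task: m.primaryPurpose } };
  return {
    bomFormat: 'CycloneDX',
    specVersion: '1.6',
    version: 1,
    metadata: { component },
    components: [],                    // base model, datasets, tokenizer go here once known
    dependencies: [{ ref, dependsOn: [] }],
  };
}

// Collect every problem instead of stopping at the first. The input is run through
// a JSON round trip so undefined-valued fields are judged as a consumer would see them.
export function validateAibom(bom: unknown): string[] {
  const errs: string[] = [];
  const b: Record<string, any> = JSON.parse(JSON.stringify(bom ?? {}));
  if (b.bomFormat !== 'CycloneDX') errs.push('bomFormat must be "CycloneDX"');
  if (typeof b.specVersion !== 'string') errs.push('specVersion is missing');
  else if (b.specVersion !== '1.6') errs.push(`specVersion ${b.specVersion} is not 1.6`);
  if (!Array.isArray(b.components)) errs.push('components must be an array');
  if (!Array.isArray(b.dependencies)) errs.push('dependencies must be an array');
  const c = b.metadata?.component;
  if (!c) { errs.push('metadata.component is missing'); return errs; }
  if (c.type !== 'machine-learning-model') errs.push(`metadata.component.type is ${JSON.stringify(c.type)}`);
  for (const f of ['name', 'version', 'bom-ref']) {
    if (typeof c[f] !== 'string' || c[f] === '') errs.push(`metadata.component.${f} is missing`);
  }
  if (typeof c['bom-ref'] === 'string' && !/^pkg:huggingface\/[^/@]+\/[^/@]+@.+$/.test(c['bom-ref'])) {
    errs.push('bom-ref is not a pkg:huggingface purl');
  }
  if (!Array.isArray(c.licenses) || c.licenses.length === 0) errs.push('metadata.component.licenses is missing');
  const refs: Array<{ type: string; url: string }> = c.externalReferences ?? [];
  if (!refs.some((r) => r.type === 'distribution' && /^https?:\/\//.test(r.url))) {
    errs.push('no "distribution" externalReference with an http(s) URL');
  }
  return errs;
}

// Constructed sample input (not a real Hub record).
export const sample: HfModelData = {
  author: 'example-org',
  name: 'tiny-demo-model',
  version: '0123456789abcdef0123456789abcdef01234567',
  license: 'apache-2.0',
  downloadUrl: 'https://huggingface.co/example-org/tiny-demo-model',
};

// What the current generator emits for the same input, reproduced so the validator can be run on it.
export const legacyAibom = {
  bomFormat: 'CycloneDX',
  components: [], dependencies: [], externalReferences: [],
  metadata: {
    component: {
      name: sample.name, version: sample.version, type: 'machine-learning-model',
      description: 'No description available', copyright: 'NOASSERTION',
      'bom-ref': `pkg:huggingface/${sample.author}/${sample.name}@${sample.version}`,
    },
    properties: [
      { name: 'primaryPurpose', value: 'text-to-speech' },
      { name: 'suppliedBy', value: sample.author },
      { name: 'licenses', value: sample.license },
      { name: 'downloadLocation', value: sample.downloadUrl },
    ],
  },
};
```

Running validateAibom(legacyAibom) reports the missing specVersion, the missing component licenses and the missing distribution reference, while validateAibom(generateAibom(sample)) returns no errors; dropping the license from the sample input makes the validator flag the omission instead of letting a placeholder pass. A full check should still run the output through the published CycloneDX 1.6 JSON schema, since this validator only covers the fields this issue is about.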
References
Relevant code snippets:
src/aibom/generator.ts
src/types/index.ts