Open
Labels
bug: Something isn't working
Description
Preflight checklist
- I searched existing issues and did not find a duplicate.
- I am using the latest released version of ModelAudit.
ModelAudit version
0.2.27
Python version
3.12
Command(s) run
Non-Working Example (Bug)
Not able to generate the complete SBOM with all the model artifacts inside components
modelaudit --sbom model_name.json --format sarif --output model_name.sarif --stream hf://openai-community/gpt2
Working Example
Generates the complete SBOM with all the model artifacts
modelaudit --sbom model_name.json --format sarif --output model_name.sarif hf://openai-community/gpt2
As you can see above, the behavior is completely fine for the non --stream example. The issue arises from using the --stream flag.
Expected behavior
Running the command
modelaudit --sbom model_name.json --format sarif --output model_name.sarif --stream hf://openai-community/gpt2
should generate the complete SBOM with all the components.
Actual behavior
Running the command
modelaudit --sbom model_name.json --format sarif --output model_name.sarif --stream hf://openai-community/gpt2
generates an incomplete SBOM like the following:
{
  "components": [
    {
      "bom-ref": "hf://openai-community/gpt2",
      "name": "gpt2",
      "properties": [
        {
          "name": "risk_score",
          "value": "0"
        },
        {
          "name": "size",
          "value": "0"
        }
      ],
      "type": "file"
    }
  ],
  "dependencies": [
    {
      "ref": "hf://openai-community/gpt2"
    }
  ],
  "metadata": {
    "timestamp": "2026-03-10T10:36:47.326831+00:00"
  },
  "serialNumber": "urn:uuid:6a3927e7-fd3b-4aef-8005-7f17f160dd62",
  "version": 1,
  "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
  "bomFormat": "CycloneDX",
  "specVersion": "1.6"
}
Reproducible sample details
modelaudit --sbom model_name.json --format sarif --output model_name.sarif --stream hf://openai-community/gpt2
Run the following command; the model can be from ANY source (JFrog, Hugging Face, S3, local, etc.). If the --stream flag is defined, it won't produce the complete SBOM.
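Added example, not part of the original issue and not ModelAudit code: a pipeline gate that rejects the degenerate SBOM shape shown in the report (a single component whose bom-ref is the scanned URI, with size "0"), so an incomplete inventory is not archived as if it were complete. The shape of a complete SBOM (one component per artifact with a non-zero size property), the sample component names, and the script name in the usage comment are assumptions.

```python
import json
import sys

TARGET = "hf://openai-community/gpt2"

# Constructed sample: the degenerate SBOM from the report, trimmed to the fields read here.
STREAM_SBOM = {"components": [{
    "bom-ref": TARGET, "name": "gpt2", "type": "file",
    "properties": [{"name": "risk_score", "value": "0"},
                   {"name": "size", "value": "0"}]}]}

# Constructed sample: ASSUMED shape of a complete SBOM, one component per artifact.
# The bom-ref values and sizes are made up, not ModelAudit output.
COMPLETE_SBOM = {"components": [
    {"bom-ref": "constructed/file-a.bin", "type": "file",
     "properties": [{"name": "size", "value": "1024"}]},
    {"bom-ref": "constructed/file-b.json", "type": "file",
     "properties": [{"name": "size", "value": "512"}]}]}

def prop(component, name):
    """Return the value of a CycloneDX property by name, or None if absent."""
    for p in component.get("properties", []):
        if p.get("name") == name:
            return p.get("value")
    return None

def sbom_findings(bom, target):
    """List reasons the SBOM looks incomplete for `target`; empty means it passed."""
    components = bom.get("components", [])
    if not components:
        return ["no components"]
    findings = []
    # The reported symptom: a single component that is just the scanned URI.
    if len(components) == 1 and components[0].get("bom-ref") == target:
        findings.append("only component is the scan target itself")
    for c in components:
        if prop(c, "size") in (None, "0"):
            findings.append(f"{c.get('bom-ref')}: size missing or 0")
    return findings

if __name__ == "__main__":
    # Usage (hypothetical script name): check_sbom.py model_name.json <target-uri>
    bom, target = STREAM_SBOM, TARGET
    if len(sys.argv) == 3:
        with open(sys.argv[1], encoding="utf-8") as fh:
            bom, target = json.load(fh), sys.argv[2]
    problems = sbom_findings(bom, target)
    print("\n".join(problems) or "SBOM looks complete")
    sys.exit(1 if problems else 0)
```

Run with no arguments it checks the embedded sample from the report and exits non-zero.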