Status: Open
Labels: enhancement (New feature or request)
Description
Problem
AIBOMs generated for Hugging Face models are intended to conform to the CycloneDX v1.6 format, but the quality of the emitted data needs improvement. Specifically, it is essential to:
- Ensure every AIBOM includes the fields CycloneDX requires and matches the specification (e.g., bomFormat and specVersion, metadata, components, dependencies).
- Guarantee that the primary component's type is set to machine-learning-model.
- Improve the completeness and accuracy of the model metadata, including author, license, description, download location, and references.
- Validate that all required fields are present and correctly formatted.
Evidence from Code

The generator sets type: 'machine-learning-model' on metadata.component, but it emits no specVersion and records the license and download location only as free-form metadata.properties rather than as CycloneDX licenses and externalReferences entries:

src/aibom/generator.ts

```typescript
export class AIBOMGenerator {
  generateAIBOM(modelData: any) {
    const aibom = {
      bomFormat: 'CycloneDX',
      // No specVersion is emitted, although the CycloneDX JSON schema requires it.
      components: [],
      dependencies: [],
      externalReferences: [],
      metadata: {
        component: {
          name: modelData.name,
          version: modelData.version,
          type: 'machine-learning-model',
          description: modelData.description || 'No description available',
          copyright: modelData.copyright || 'NOASSERTION',
          // Missing author/name/version fields are interpolated verbatim, e.g. "...@undefined".
          'bom-ref': `pkg:huggingface/${modelData.author}/${modelData.name}@${modelData.version}`,
        },
        // License and download URL live in free-form properties, not in the
        // component's `licenses` / `externalReferences` fields.
        properties: [
          { name: 'primaryPurpose', value: modelData.primaryPurpose || 'text-to-speech' },
          { name: 'suppliedBy', value: modelData.author },
          { name: 'licenses', value: modelData.license || 'unknown' },
          { name: 'downloadLocation', value: modelData.downloadUrl },
        ],
      },
    };
    return aibom;
  }
}
```

Type definitions for AIBOMs:
src/types/index.ts

```typescript
export interface AIBOM {
  bomFormat: string;
  components: Array<...>;
  dependencies?: Array<...>;
  metadata: {
    component: {
      name: string;
      version: string;
      type: string;   // unconstrained, so nothing forces 'machine-learning-model'
    };
    properties: Array<{ name: string; value: string }>;
  };
  ...
}
```

Suggested Improvements
- Validation: Implement strict validation to ensure AIBOMs conform to CycloneDX v1.6, including required fields and correct data types.
- Completeness: Enhance the collection of model metadata (license, author, description, download URL, references, inputs/outputs, etc.), possibly by extending data fetching or post-processing.
- Component type: Confirm that type: 'machine-learning-model' is always set for the primary model component.
- Testing: Add tests to compare generated AIBOMs to CycloneDX samples and schemas, checking for missing or malformed fields.
- Documentation: Update documentation to clarify how fields are mapped, and provide examples of compliant AIBOMs.
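The following is an added example, not code from the AIBOM-generator project. It covers the Problem list above and the Validation, Completeness and Testing items: it builds a CycloneDX 1.6 document from a Hugging Face Hub model record, placing license and download location in the component's `licenses` and `externalReferences` fields instead of free-form properties, and then checks the fields the issue asks for. The `HfModelInfo` shape, the `SAMPLE_MODEL` record, the `SPDX_BY_HF_TAG` table and all function names are assumptions made for the example; the sample data is constructed, not fetched. `legacyGeneratorOutput` reproduces what the current generator emits when `modelData.version` is missing, so the validator can be seen flagging the `@undefined` bom-ref it produces.

```typescript
// Added example, not the AIBOM-generator project's code: build a CycloneDX 1.6
// AIBOM for a Hugging Face model and check the fields this issue asks for.

interface HfModelInfo {            // assumed subset of the Hub /api/models/{id} response
  id: string; sha: string;         // "<author>/<name>", git commit of the described revision
  pipeline_tag?: string; cardData?: { license?: string };   // task tag, Hub license tag (lowercase)
}

// Constructed sample record (not fetched from the Hub).
const SAMPLE_MODEL: HfModelInfo = { id: 'example-org/demo-model', sha: '0123456789abcdef0123456789abcdef01234567',
  pipeline_tag: 'text-to-speech', cardData: { license: 'apache-2.0' } };

type CdxLicense = { license: { id: string } } | { license: { name: string } };

interface CdxComponent {
  type: string; 'bom-ref': string; name: string; version: string;
  publisher?: string; purl?: string;
  licenses?: CdxLicense[];
  externalReferences?: { type: string; url: string }[];
  modelCard?: { modelParameters?: { task?: string } };   // CycloneDX 1.5+ model card
}

interface Aibom {
  bomFormat: 'CycloneDX'; specVersion: '1.6'; version: number;
  metadata: { timestamp: string; component: CdxComponent };
  components: CdxComponent[];
  dependencies: { ref: string; dependsOn: string[] }[];
}

// Partial, assumed mapping from Hub license tags to SPDX ids; unmapped tags are
// kept as a free-text `name` rather than being replaced by "unknown".
const SPDX_BY_HF_TAG: Record<string, string> = { 'apache-2.0': 'Apache-2.0', mit: 'MIT', 'cc-by-4.0': 'CC-BY-4.0' };

function toLicense(tag?: string): CdxLicense | undefined {
  if (!tag) return undefined;
  const id = SPDX_BY_HF_TAG[tag.toLowerCase()];
  return id ? { license: { id } } : { license: { name: tag } };
}

function buildAibom(info: HfModelInfo, now: Date = new Date()): Aibom {
  const [author, name] = info.id.split('/');
  if (!author || !name || !info.sha) throw new Error(`incomplete model record: ${info.id}`);
  const purl = `pkg:huggingface/${author}/${name}@${info.sha}`;   // purl "huggingface" type
  const component: CdxComponent = {
    type: 'machine-learning-model', 'bom-ref': purl, name, version: info.sha, publisher: author, purl,
    externalReferences: [
      { type: 'distribution', url: `https://huggingface.co/${info.id}/tree/${info.sha}` },
      { type: 'documentation', url: `https://huggingface.co/${info.id}` },
    ],
  };
  const license = toLicense(info.cardData?.license);
  if (license) component.licenses = [license];
  if (info.pipeline_tag) component.modelCard = { modelParameters: { task: info.pipeline_tag } };
  return {
    bomFormat: 'CycloneDX', specVersion: '1.6', version: 1,
    metadata: { timestamp: now.toISOString(), component },
    components: [],                                  // base models, datasets, tokenizers would go here
    dependencies: [{ ref: purl, dependsOn: [] }],    // every ref must resolve to a bom-ref
  };
}

// Returns a list of problems; an empty list means every check passed.
function validateAibom(doc: any): string[] {
  const errs: string[] = [];
  if (doc?.bomFormat !== 'CycloneDX') errs.push('bomFormat must be "CycloneDX"');
  if (doc?.specVersion !== '1.6') errs.push('specVersion must be "1.6"');
  const c = doc?.metadata?.component;
  if (!c) return [...errs, 'metadata.component missing'];
  if (c.type !== 'machine-learning-model') errs.push(`metadata.component.type is "${c.type}"`);
  for (const f of ['name', 'version', 'bom-ref'] as const) {
    // A template literal turns a missing field into the string "undefined"; catch that too.
    if (typeof c[f] !== 'string' || c[f] === '' || c[f].includes('undefined'))
      errs.push(`metadata.component.${f} missing or malformed`);
  }
  if (typeof c['bom-ref'] === 'string' && !/^pkg:huggingface\/[^\/@]+\/[^\/@]+@[^\/@]+$/.test(c['bom-ref']))
    errs.push('bom-ref is not a huggingface purl');
  if (!Array.isArray(c.licenses) || c.licenses.length === 0) errs.push('licenses missing');
  else for (const l of c.licenses)
    if (!(l.license?.id || l.license?.name || l.expression)) errs.push('license entry has no id, name or expression');
  for (const r of c.externalReferences ?? [])
    if (typeof r.type !== 'string' || !/^https?:\/\//.test(String(r.url))) errs.push('externalReference needs a type and an absolute url');
  const known = new Set<string>([c['bom-ref'], ...(doc.components ?? []).map((x: any) => x['bom-ref'])]);
  for (const d of doc.dependencies ?? [])
    for (const ref of [d.ref, ...(d.dependsOn ?? [])])
      if (!known.has(ref)) errs.push(`dependency ref "${ref}" does not resolve`);
  return errs;
}

// Shape the generator on this page emits when `modelData.version` is missing (constructed).
function legacyGeneratorOutput(author: string, name: string, version?: string) {
  return {
    bomFormat: 'CycloneDX', components: [], dependencies: [], externalReferences: [],
    metadata: {
      component: { name, version, type: 'machine-learning-model', 'bom-ref': `pkg:huggingface/${author}/${name}@${version}` },
      properties: [{ name: 'licenses', value: 'unknown' }],
    },
  };
}
```

`validateAibom` returns a list of problems rather than throwing, so a test can assert on an empty array for good output and on specific messages for bad output. It is a field-level sanity check aimed at the points raised in this issue; it complements, and does not replace, validating the serialized document against the published CycloneDX 1.6 JSON schema.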
References
- CycloneDX v1.6 Specification: https://cyclonedx.org/docs/1.6/json/
- AIBOM-generator src/aibom/generator.ts
- AIBOM-generator src/types/index.ts