aisbom-cli

v1.1.0 safe
3.0
Low Risk

An AI Supply Chain security tool that that detects Pickle bombs and generates CycloneDX SBOMs for Machine Learning models.

🤖 AI Analysis

Final verdict: SAFE

The package presents a low risk profile with no signs of obfuscation or credential harvesting. The metadata suggests a potential new author but does not indicate malicious intent.

  • Low obfuscation risk
  • No credential harvesting detected
  • Single package from author
Per-check LLM notes
  • Obfuscation: No obfuscation patterns detected, indicating low risk.
  • Credentials: No credential harvesting patterns detected, indicating low risk.
  • Metadata: The author has only one package, indicating a potentially new or less active account.

📦 Package Quality Overall: Low (4.8/10)

◈ Medium Test Suite 6.0

Partial test coverage signals detected

  • Test runner config found: pyproject.toml
◈ Medium Documentation 5.0

Some documentation present

  • Detailed PyPI description (16689 chars)
○ Low Contributing Guide 2.0

No contributing guide or governance files found

  • No CONTRIBUTING, CODE_OF_CONDUCT, or governance files found
◈ Medium Type Annotations 5.0

Partial type annotation coverage

  • 52 type-annotated function signatures detected in source
◈ Medium Multiple Contributors 6.0

Limited contributor diversity

  • 2 unique contributor(s) across 100 commits in Lab700xOrg/aisbom
  • Two distinct contributors found

🔬 Heuristic Checks

Outbound Network Calls score 6.0

Found 4 network call pattern(s)

  • res = requests.post( "https://aisbom.io/api/sbom-sha
  • which is correct. resp = requests.get(api_url, headers=_auth_headers(api_url)) resp.raise_for_
  • ["scan_id"] = scan_id requests.post( TELEMETRY_ENDPOINT, json=body,
  • 3. Request response = requests.get( API_URL, headers={"User-Agent": us
Code Obfuscation

No obfuscation patterns detected

Shell / Subprocess Execution

No shell execution patterns detected

Credential Harvesting

No credential harvesting patterns detected

Typosquatting

No typosquatting candidates detected

Registered Email Domain

Email domain looks legitimate: gmail.com

Suspicious Page Links

All external links appear legitimate

Git Repository History

Repository Lab700xOrg/aisbom appears legitimate

Maintainer History score 2.0

1 maintainer concern(s) found

  • Author "Ajoy L" appears to have only 1 package on PyPI (new or inactive account)
Known CVE Vulnerabilities

No known vulnerabilities found in OSV database.

💡 AI App Starter Prompt

Use this prompt to build a project with aisbom-cli 
Create a mini-application named 'MLSecurityChecker' that leverages the 'aisbom-cli' Python package to enhance the security of machine learning workflows. This application should serve as a comprehensive tool for developers and data scientists to ensure their ML models are secure against common vulnerabilities such as Pickle bombs and to maintain a clear record of all dependencies via CycloneDX Software Bill of Materials (SBOM).

Step 1: Initialize the Project
- Set up a new Python virtual environment and install 'aisbom-cli' along with any necessary dependencies.
- Create a main script file named 'ml_security_checker.py'.

Step 2: Implement Security Checks
- Develop a function within 'ml_security_checker.py' that takes an ML model file as input and uses 'aisbom-cli' to scan for potential Pickle bomb vulnerabilities.
- The function should output a clear message indicating whether the model is safe or if it contains risks.

Step 3: Generate SBOM Reports
- Integrate another function into 'ml_security_checker.py' which uses 'aisbom-cli' to generate CycloneDX SBOM reports for the provided ML model.
- Ensure the SBOM report includes all necessary details about the model's dependencies and versions.

Step 4: User Interface
- Design a simple command-line interface for users to interact with 'MLSecurityChecker'.
- Users should be able to run the application, specify an ML model file, and choose between running security checks, generating SBOMs, or both.

Suggested Features:
- Option to save generated SBOM reports to a specified directory.
- Detailed logging mechanism for tracking the application's operations and outcomes.
- Support for multiple file formats commonly used for ML models (e.g., .pkl, .joblib).

The goal of 'MLSecurityChecker' is to provide a robust, user-friendly solution for securing ML workflows and maintaining transparency over dependencies, all while leveraging the powerful capabilities of the 'aisbom-cli' package.