In [1]:
#| hide
import kglab
import pandas as pd
from sbom_analysis.core import *

# Hugging Face Model

We've established that the [microsoft/sbom-tool](https://github.com/microsoft/sbom-tool) looks in `requirements.txt` for all Python dependencies that are not part of the `stdlib`, but what if some packages in `requirements.txt` wrap C/C++ based projects (like the `llama.cpp` project from the last page)?

SBOM Source: [TheBloke/text-generation-webui](https://github.com/TheBloke/text-generation-webui) generated using [microsoft/sbom-tool](https://github.com/microsoft/sbom-tool)

RDF Source: Generated using [pyspdxtools](https://github.com/spdx/tools-python)

## text-generation-webui Overview

This repo is a UI for running LLMs like `llama.cpp`.

It has a number of dependencies, both Python and C/C++ based. Let's look at `requirements.txt`:

```txt
colorama
datasets
flexgen==0.1.7
gradio_client==0.2.5
gradio==3.31.0
markdown
numpy
pandas
Pillow>=9.5.0
pyyaml
requests
safetensors==0.3.1
sentencepiece
tqdm
scipy
git+https://github.com/huggingface/peft@3714aa2fff158fdfa637b2b65952580801d890b2
git+https://github.com/huggingface/transformers@e45e756d22206ca8fa9fb057c8c3d8fa79bf81c6
git+https://github.com/huggingface/accelerate@0226f750257b3bf2cadc4f189f9eef0c764a0467
bitsandbytes==0.39.0; platform_system != "Windows"
https://github.com/jllllll/bitsandbytes-windows-webui/raw/main/bitsandbytes-0.39.0-py3-none-any.whl; platform_system == "Windows"
llama-cpp-python==0.1.53; platform_system != "Windows"
https://github.com/abetlen/llama-cpp-python/releases/download/v0.1.53/llama_cpp_python-0.1.53-cp310-cp310-win_amd64.whl; platform_system == "Windows"
```

## SBOM Representation

Let's see how the SBOM knowledge graph reflects this.

In [4]:
kg = kglab.KnowledgeGraph()
kg.load_rdf("sboms/rdf/text-generation-ui.rdf.xml", format="xml")

<kglab.kglab.KnowledgeGraph at 0x7f6509c15280>

### Packages

In [6]:
package_schema(kg)

| | property |
|---|---|
| 0 | spdx:copyrightText |
| 1 | spdx:downloadLocation |
| 2 | spdx:externalRef |
| 3 | spdx:filesAnalyzed |
| 4 | spdx:licenseConcluded |
| 5 | spdx:licenseDeclared |
| 6 | spdx:licenseInfoFromFiles |
| 7 | spdx:name |
| 8 | spdx:packageVerificationCode |
| 9 | spdx:relationship |


In [8]:
packages = get_package_data(kg)
packages

| | package | annotations | attributionTexts | checksums | copyrightText | downloadLocation | externalRefs | hasFiles | licenseConcluded | licenseDeclared | licenseInfoFromFiles | name | packageVerificationCode | supplier | versionInfo | relationships |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 0 | <https://spdx.org/spdxdocs/sbom-tool-1.1.1-594... | | | | NOASSERTION | spdx:noassertion | | | spdx:noassertion | spdx:noassertion | | text-generation-webui | _:N9b83ea76b5f748638716680397fdcca3 | Organization: TheBloke | 0.1.0 | N6c8d9472f823447db6751b0eae712bfa, N322eff8e6e... |
| 1 | <https://spdx.org/spdxdocs/sbom-tool-1.1.1-594... | | | | NOASSERTION | spdx:noassertion | Nbcbc00ea6ae94cd899f348b26fad8982 | | spdx:noassertion | spdx:noassertion | | importlib-metadata | | NOASSERTION | 6.6.0 | |
| 2 | <https://spdx.org/spdxdocs/sbom-tool-1.1.1-594... | | | | NOASSERTION | spdx:noassertion | N979f5bc89897463da80aa7cb6bfcf1de | | spdx:noassertion | spdx:noassertion | | importlib-resources | | NOASSERTION | 5.12.0 | |
| 3 | <https://spdx.org/spdxdocs/sbom-tool-1.1.1-594... | | | | NOASSERTION | spdx:noassertion | N09327a3a6dde4e18a1d755ea4cff6e62 | | spdx:noassertion | spdx:noassertion | | traitlets | | NOASSERTION | 5.9.0 | |
| 4 | <https://spdx.org/spdxdocs/sbom-tool-1.1.1-594... | | | | NOASSERTION | spdx:noassertion | N003a8eed36254591aa0be68cd09d8295 | | spdx:noassertion | spdx:noassertion | | numpy | | NOASSERTION | 1.24.3 | |
| ... | ... | ... | ... | ... | ... | ... | ... | ... | ... | ... | ... | ... | ... | ... | ... | ... |
| 141 | <https://spdx.org/spdxdocs/sbom-tool-1.1.1-594... | | | | NOASSERTION | spdx:noassertion | N1b12d8d0472441e2a42b49fa6f10f92e | | spdx:noassertion | spdx:noassertion | | nvidia-cuda-runtime-cu11 | | NOASSERTION | 11.7.99 | |
| 142 | <https://spdx.org/spdxdocs/sbom-tool-1.1.1-594... | | | | NOASSERTION | spdx:noassertion | N01f19f5277e84c15b19d47832efb7979 | | spdx:noassertion | spdx:noassertion | | scandir | | NOASSERTION | 1.10.0 | |
| 143 | <https://spdx.org/spdxdocs/sbom-tool-1.1.1-594... | | | | NOASSERTION | spdx:noassertion | Nab90bc175481420e87f22cfbed6a39ed | | spdx:noassertion | spdx:noassertion | | nvidia-nvtx-cu11 | | NOASSERTION | 11.7.91 | |
| 144 | <https://spdx.org/spdxdocs/sbom-tool-1.1.1-594... | | | | NOASSERTION | spdx:noassertion | Na1801ad388a840a7b04892a56aebb6f5 | | spdx:noassertion | spdx:noassertion | | pycparser | | NOASSERTION | 2.21 | |


Let's see if anything with `llama` or `.cpp` is in this knowledge graph.

In [10]:
packages[packages['name'].str.contains('llama')]

| | package | annotations | attributionTexts | checksums | copyrightText | downloadLocation | externalRefs | hasFiles | licenseConcluded | licenseDeclared | licenseInfoFromFiles | name | packageVerificationCode | supplier | versionInfo | relationships |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 129 | <https://spdx.org/spdxdocs/sbom-tool-1.1.1-594... | | | | NOASSERTION | spdx:noassertion | N5cc03db56b2d4b6ca9c3794038353c49 | | spdx:noassertion | spdx:noassertion | | llama-cpp-python | | NOASSERTION | 0.1.53 | |


OK, there's a `llama-cpp-python` package. Looking at `requirements.txt`, this looks like it is installed from `pypi`, so the SBOM tool picks it up as a normal Python package even though it wraps C/C++ code.

What about the `huggingface` packages, specifically the ones referenced via git?

In [13]:
packages[packages['name'].str.contains('huggingface')]

| | package | annotations | attributionTexts | checksums | copyrightText | downloadLocation | externalRefs | hasFiles | licenseConcluded | licenseDeclared | licenseInfoFromFiles | name | packageVerificationCode | supplier | versionInfo | relationships |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 15 | <https://spdx.org/spdxdocs/sbom-tool-1.1.1-594... | | | | NOASSERTION | https://github.com/huggingface/transformers | | | spdx:noassertion | spdx:noassertion | | https://github.com/huggingface/transformers : ... | | NOASSERTION | | |
| 18 | <https://spdx.org/spdxdocs/sbom-tool-1.1.1-594... | | | | NOASSERTION | spdx:noassertion | Ne49bb867b3b543a4960ce10309768931 | | spdx:noassertion | spdx:noassertion | | huggingface-hub | | NOASSERTION | 0.15.1 | |
| 75 | <https://spdx.org/spdxdocs/sbom-tool-1.1.1-594... | | | | NOASSERTION | https://github.com/huggingface/peft | | | spdx:noassertion | spdx:noassertion | | https://github.com/huggingface/peft : 3714aa2f... | | NOASSERTION | | |
| 108 | <https://spdx.org/spdxdocs/sbom-tool-1.1.1-594... | | | | NOASSERTION | https://github.com/huggingface/accelerate | | | spdx:noassertion | spdx:noassertion | | https://github.com/huggingface/accelerate : 02... | | NOASSERTION | | |


That's good, it includes those packages. Note that for these git-referenced packages `downloadLocation` is the repository URL and the pinned commit appears in the `name` field while `versionInfo` stays empty, so anything matching on package name and version alone will not find them.
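As an added example (not part of the original notebook or the `sbom_analysis` package), here is a stdlib-only check that reconciles each `requirements.txt` line, including `git+` commit pins, direct wheel URLs and `;` environment markers, against SBOM package rows. The requirement lines are a subset of the file above; the SBOM rows are constructed to resemble the DataFrame output, with `safetensors` deliberately set one patch level off.

```python
import re

# Constructed sample: a subset of the requirements.txt shown above.
REQUIREMENTS = """\
colorama
Pillow>=9.5.0
safetensors==0.3.1
git+https://github.com/huggingface/peft@3714aa2fff158fdfa637b2b65952580801d890b2
https://github.com/jllllll/bitsandbytes-windows-webui/raw/main/bitsandbytes-0.39.0-py3-none-any.whl; platform_system == "Windows"
llama-cpp-python==0.1.53; platform_system != "Windows"
"""

# Constructed SBOM rows (name, versionInfo, downloadLocation) modelled on the
# DataFrame above; safetensors is deliberately one patch level off.
SBOM_PACKAGES = [
    ("llama-cpp-python", "0.1.53", None),
    ("pillow", "9.5.0", None),
    ("safetensors", "0.3.2", None),
    ("https://github.com/huggingface/peft : 3714aa2fff158fdfa637b2b65952580801d890b2",
     None, "https://github.com/huggingface/peft"),
]

def norm(name):
    """PEP 503 normalisation so 'Pillow' and 'pillow' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()

def parse_requirement(line):
    """Return (kind, key, want): ('name', normalised name, '==' pin or None),
    ('vcs', repo url, commit) or ('url', url, None); the ';' marker is dropped."""
    spec = line.split(";", 1)[0].strip()
    if spec.startswith("git+"):
        url, _, commit = spec[4:].partition("@")
        return ("vcs", url, commit or None)
    if spec.startswith(("http://", "https://")):
        return ("url", spec, None)
    m = re.match(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(.*)$", spec)
    pin = m.group(2)[2:].strip() if m.group(2).startswith("==") else None
    return ("name", norm(m.group(1)), pin)

def reconcile(requirements, sbom):
    """Map each requirement line to ok / version-mismatch / missing / unresolved-url."""
    by_name = {norm(n): v for n, v, _ in sbom}          # PyPI-style packages
    by_location = {loc: n for n, _, loc in sbom if loc}  # VCS/URL packages
    report = {}
    for line in filter(None, map(str.strip, requirements.splitlines())):
        kind, key, want = parse_requirement(line)
        table = by_name if kind == "name" else by_location
        if key not in table:
            report[line] = "unresolved-url" if kind == "url" else "missing"
        elif want and (want not in table[key] if kind == "vcs" else table[key] != want):
            report[line] = "version-mismatch"   # pinned version/commit differs
        else:
            report[line] = "ok"
    return report
```

Running `reconcile(REQUIREMENTS, SBOM_PACKAGES)` flags `colorama` as missing, `safetensors` as a version mismatch and the Windows-only wheel URL as unresolved, while the git-pinned `peft` resolves through `downloadLocation` and the commit embedded in `name`.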