import kglab

# load the SPDX RDF/XML export of the SBOM into a kglab knowledge graph
kg = kglab.KnowledgeGraph()
kg.load_rdf("../../sboms/rdf/text-generation-ui.rdf.xml", format="xml")
<kglab.kglab.KnowledgeGraph>
We’ve established that microsoft/sbom-tool looks in requirements.txt for all Python dependencies that are not part of the stdlib, but what if the packages in requirements.txt are for C/C++-based projects (like the llama.cpp project from the last page)?
SBOM Source: TheBloke/text-generation-webui generated using microsoft/sbom-tool
RDF Source: Generated using pyspdxtools
This repo is a UI for running LLMs like llama.cpp. It has a number of dependencies, both Python and C/C++ based. Let’s look at requirements.txt:
colorama
datasets
flexgen==0.1.7
gradio_client==0.2.5
gradio==3.31.0
markdown
numpy
pandas
Pillow>=9.5.0
pyyaml
requests
safetensors==0.3.1
sentencepiece
tqdm
scipy
git+https://github.com/huggingface/peft@3714aa2fff158fdfa637b2b65952580801d890b2
git+https://github.com/huggingface/transformers@e45e756d22206ca8fa9fb057c8c3d8fa79bf81c6
git+https://github.com/huggingface/accelerate@0226f750257b3bf2cadc4f189f9eef0c764a0467
bitsandbytes==0.39.0; platform_system != "Windows"
https://github.com/jllllll/bitsandbytes-windows-webui/raw/main/bitsandbytes-0.39.0-py3-none-any.whl; platform_system == "Windows"
llama-cpp-python==0.1.53; platform_system != "Windows"
https://github.com/abetlen/llama-cpp-python/releases/download/v0.1.53/llama_cpp_python-0.1.53-cp310-cp310-win_amd64.whl; platform_system == "Windows"
Let’s see how the SBOM knowledge graph reflects this.
<kglab.kglab.KnowledgeGraph>
 | property
---|---
0 | spdx:copyrightText
1 | spdx:downloadLocation
2 | spdx:externalRef
3 | spdx:filesAnalyzed
4 | spdx:licenseConcluded
5 | spdx:licenseDeclared
6 | spdx:licenseInfoFromFiles
7 | spdx:name
8 | spdx:packageVerificationCode
9 | spdx:relationship
10 | spdx:supplier
11 | spdx:versionInfo
12 | rdf:type
package | annotations | attributionTexts | checksums | copyrightText | downloadLocation | externalRefs | hasFiles | licenseConcluded | licenseDeclared | licenseInfoFromFiles | name | packageVerificationCode | supplier | versionInfo | relationships | |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
0 | <https://spdx.org/spdxdocs/sbom-tool-1.1.1-594... | NOASSERTION | spdx:noassertion | spdx:noassertion | spdx:noassertion | text-generation-webui | _:N29f7a890c28342198b886e61135a6a94 | Organization: TheBloke | 0.1.0 | N6bba3886dcfd4988be4fbf5cc7b46857, N21abfede97... | ||||||
1 | <https://spdx.org/spdxdocs/sbom-tool-1.1.1-594... | NOASSERTION | spdx:noassertion | N6a357f9f9fe1438cb065f87471617939 | spdx:noassertion | spdx:noassertion | importlib-metadata | NaN | NOASSERTION | 6.6.0 | ||||||
2 | <https://spdx.org/spdxdocs/sbom-tool-1.1.1-594... | NOASSERTION | spdx:noassertion | N1e84a8e4bdfc4b40bf1764c3146bc4cd | spdx:noassertion | spdx:noassertion | importlib-resources | NaN | NOASSERTION | 5.12.0 | ||||||
3 | <https://spdx.org/spdxdocs/sbom-tool-1.1.1-594... | NOASSERTION | spdx:noassertion | N1b57b74746eb4d03946aa0109cfaba6c | spdx:noassertion | spdx:noassertion | traitlets | NaN | NOASSERTION | 5.9.0 | ||||||
4 | <https://spdx.org/spdxdocs/sbom-tool-1.1.1-594... | NOASSERTION | spdx:noassertion | Nfbc537ac7b6f487c8bada564db9018c8 | spdx:noassertion | spdx:noassertion | numpy | NaN | NOASSERTION | 1.24.3 | ||||||
... | ... | ... | ... | ... | ... | ... | ... | ... | ... | ... | ... | ... | ... | ... | ... | ... |
141 | <https://spdx.org/spdxdocs/sbom-tool-1.1.1-594... | NOASSERTION | spdx:noassertion | N31bce7fc79a0464ebdf752892eb3ecfd | spdx:noassertion | spdx:noassertion | nvidia-cuda-runtime-cu11 | NaN | NOASSERTION | 11.7.99 | ||||||
142 | <https://spdx.org/spdxdocs/sbom-tool-1.1.1-594... | NOASSERTION | spdx:noassertion | Nc7efcce812ec49839c2f781e79d506fe | spdx:noassertion | spdx:noassertion | scandir | NaN | NOASSERTION | 1.10.0 | ||||||
143 | <https://spdx.org/spdxdocs/sbom-tool-1.1.1-594... | NOASSERTION | spdx:noassertion | N11cf60af9ef54bf681a09776719c175f | spdx:noassertion | spdx:noassertion | nvidia-nvtx-cu11 | NaN | NOASSERTION | 11.7.91 | ||||||
144 | <https://spdx.org/spdxdocs/sbom-tool-1.1.1-594... | NOASSERTION | spdx:noassertion | N04322bcefa4e4329a0b2ced440e6ad94 | spdx:noassertion | spdx:noassertion | pycparser | NaN | NOASSERTION | 2.21 | ||||||
145 | <https://spdx.org/spdxdocs/sbom-tool-1.1.1-594... | NOASSERTION | spdx:noassertion | N74ff6c55ec7b403dab92922edb617bc8 | spdx:noassertion | spdx:noassertion | pickleshare | NaN | NOASSERTION | 0.7.5 |
146 rows × 16 columns
Let’s see if anything with llama or .cpp is in this knowledge graph.
package | annotations | attributionTexts | checksums | copyrightText | downloadLocation | externalRefs | hasFiles | licenseConcluded | licenseDeclared | licenseInfoFromFiles | name | packageVerificationCode | supplier | versionInfo | relationships | |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
129 | <https://spdx.org/spdxdocs/sbom-tool-1.1.1-594... | NOASSERTION | spdx:noassertion | Nc1dc3d8cd4b14db498d5961ac006fe00 | spdx:noassertion | spdx:noassertion | llama-cpp-python | NaN | NOASSERTION | 0.1.53 |
Ok, there’s a llama-cpp-python package. Looking at requirements.txt, this looks like it is imported from PyPI.

What about huggingface packages, specifically the ones referenced with git?
package | annotations | attributionTexts | checksums | copyrightText | downloadLocation | externalRefs | hasFiles | licenseConcluded | licenseDeclared | licenseInfoFromFiles | name | packageVerificationCode | supplier | versionInfo | relationships | |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
15 | <https://spdx.org/spdxdocs/sbom-tool-1.1.1-594... | NOASSERTION | https://github.com/huggingface/transformers | spdx:noassertion | spdx:noassertion | https://github.com/huggingface/transformers : ... | NaN | NOASSERTION | NaN | |||||||
18 | <https://spdx.org/spdxdocs/sbom-tool-1.1.1-594... | NOASSERTION | spdx:noassertion | N3e0d4cf23fbb4211b886bc9375e2344c | spdx:noassertion | spdx:noassertion | huggingface-hub | NaN | NOASSERTION | 0.15.1 | ||||||
75 | <https://spdx.org/spdxdocs/sbom-tool-1.1.1-594... | NOASSERTION | https://github.com/huggingface/peft | spdx:noassertion | spdx:noassertion | https://github.com/huggingface/peft : 3714aa2f... | NaN | NOASSERTION | NaN | |||||||
108 | <https://spdx.org/spdxdocs/sbom-tool-1.1.1-594... | NOASSERTION | https://github.com/huggingface/accelerate | spdx:noassertion | spdx:noassertion | https://github.com/huggingface/accelerate : 02... | NaN | NOASSERTION | NaN |
That’s good, it includes those packages.
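The checks above (does every requirements.txt entry, including the git-pinned and platform-gated ones, show up in the SBOM?) can be done without a knowledge graph at all. The following is an added example, not code from the notebook or from microsoft/sbom-tool: it parses the three kinds of entry seen in the listing above (PyPI pin, git+URL pinned to a commit, direct wheel URL behind an environment marker) and reconciles them against a constructed SPDX 2.2 JSON fragment in the shape sbom-tool emits before conversion to RDF. The SPDXIDs, the package list and the safetensors version in that fragment are made up for the example; the assumption that a git package is named "<url> : <commit>" with the repository in downloadLocation follows the rows shown above. The marker split in the report is my own addition: an entry gated to another platform is not installed in the build environment and so is not expected in the SBOM, while an ungated miss is a real gap.

```python
import json
import re

# Constructed requirements.txt excerpt modelled on the listing above: a PyPI pin,
# an unpinned PyPI name, a git+URL pinned to a commit, a marker-gated PyPI pin and
# a marker-gated direct wheel URL. Not the project's full file.
REQUIREMENTS = """\
gradio==3.31.0
numpy
safetensors==0.3.1
git+https://github.com/huggingface/peft@3714aa2fff158fdfa637b2b65952580801d890b2
bitsandbytes==0.39.0; platform_system != "Windows"
https://github.com/jllllll/bitsandbytes-windows-webui/raw/main/bitsandbytes-0.39.0-py3-none-any.whl; platform_system == "Windows"
llama-cpp-python==0.1.53; platform_system != "Windows"
"""

# Constructed SPDX 2.2 JSON fragment (only the fields used below). SPDXIDs are made up;
# the git package's name follows the "<url> : <commit>" form visible in the tables above;
# safetensors is deliberately recorded at a different version to exercise the mismatch path.
SBOM_JSON = json.dumps({"packages": [
    {"SPDXID": "SPDXRef-Package-1", "name": "gradio", "versionInfo": "3.31.0",
     "downloadLocation": "NOASSERTION",
     "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                       "referenceLocator": "pkg:pypi/gradio@3.31.0"}]},
    {"SPDXID": "SPDXRef-Package-2", "name": "numpy", "versionInfo": "1.24.3",
     "downloadLocation": "NOASSERTION", "externalRefs": []},
    {"SPDXID": "SPDXRef-Package-3", "name": "safetensors", "versionInfo": "0.3.2",
     "downloadLocation": "NOASSERTION", "externalRefs": []},
    {"SPDXID": "SPDXRef-Package-4",
     "name": "https://github.com/huggingface/peft : 3714aa2fff158fdfa637b2b65952580801d890b2",
     "downloadLocation": "https://github.com/huggingface/peft", "externalRefs": []},
    {"SPDXID": "SPDXRef-Package-5", "name": "bitsandbytes", "versionInfo": "0.39.0",
     "downloadLocation": "NOASSERTION", "externalRefs": []},
    {"SPDXID": "SPDXRef-Package-6", "name": "llama-cpp-python", "versionInfo": "0.1.53",
     "downloadLocation": "NOASSERTION", "externalRefs": []},
]})

GIT_RE = re.compile(r"^git\+(?P<url>https?://[^@\s#]+)(?:@(?P<ref>[^#\s]+))?")
URL_RE = re.compile(r"^https?://\S+$")
PIN_RE = re.compile(r"^(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:(?P<op>==|>=|<=|~=|!=|>|<)\s*(?P<ver>\S+))?$")


def parse_requirement(line):
    """Classify one requirements.txt line; returns None for blank lines and comments."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    spec, _, marker = line.partition(";")  # environment marker, if any, follows ';'
    spec, marker = spec.strip(), (marker.strip() or None)
    if m := GIT_RE.match(spec):
        return {"kind": "git", "url": m["url"].rstrip("/"), "ref": m["ref"], "marker": marker, "raw": line}
    if URL_RE.match(spec):
        return {"kind": "url", "url": spec.rstrip("/"), "marker": marker, "raw": line}
    if m := PIN_RE.match(spec):
        return {"kind": "pypi", "name": m["name"].lower(), "op": m["op"], "version": m["ver"],
                "marker": marker, "raw": line}
    raise ValueError(f"unsupported requirement syntax: {line!r}")


def index_sbom(sbom):
    """Index packages by lower-cased name and by downloadLocation (git/URL packages)."""
    by_name, by_location = {}, {}
    for pkg in sbom["packages"]:
        by_name.setdefault(pkg["name"].lower(), []).append(pkg)
        loc = pkg.get("downloadLocation", "NOASSERTION")
        if loc not in ("NOASSERTION", "NONE"):
            by_location.setdefault(loc.rstrip("/"), []).append(pkg)
    return by_name, by_location


def reconcile(requirements_text, sbom_json):
    """Match each requirement against the SBOM; status is found / missing / *-mismatch."""
    by_name, by_location = index_sbom(json.loads(sbom_json))
    report = {}
    for line in requirements_text.splitlines():
        req = parse_requirement(line)
        if req is None:
            continue
        if req["kind"] == "pypi":
            hits = by_name.get(req["name"], [])
            status = "found" if hits else "missing"
            if hits and req["op"] == "==" and not any(p.get("versionInfo") == req["version"] for p in hits):
                status = "version-mismatch"
        elif req["kind"] == "git":
            hits = by_location.get(req["url"], [])
            status = "found" if hits else "missing"
            # the commit is only carried inside the package name, so check it there
            if hits and req["ref"] and not any(req["ref"] in p["name"] for p in hits):
                status = "ref-mismatch"
        else:
            hits = by_location.get(req["url"], [])
            status = "found" if hits else "missing"
        report[req["raw"]] = {"kind": req["kind"], "marker": req["marker"], "status": status,
                              "spdx_ids": [p["SPDXID"] for p in hits]}
    return report


def gaps(report):
    """Requirements the SBOM does not account for, split by whether a marker could explain it."""
    unexplained, marker_gated = [], []
    for raw, entry in report.items():
        if entry["status"] != "found":
            (marker_gated if entry["marker"] else unexplained).append(raw)
    return {"unexplained": unexplained, "marker_gated": marker_gated}


if __name__ == "__main__":
    rep = reconcile(REQUIREMENTS, SBOM_JSON)
    for raw, entry in rep.items():
        print(f"{entry['status']:17} {entry['kind']:5} {raw}")
    print(gaps(rep))
```

Run against a real sbom-tool manifest by replacing SBOM_JSON with the contents of its manifest.spdx.json and REQUIREMENTS with the project file; anything in the "unexplained" list is a dependency that was installed from a source the SBOM did not record, or recorded at a different version, and deserves a closer look.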
Relationship graph visualization
# get the relationship graph to be visualized
graph = visualize_relationship_graph(kg)
# optional: set the physics layout of the network
graph.force_atlas_2based()
graph.set_edge_smooth('dynamic')
# show graph
graph.show("../figs/fig04.relationship_full.html")
../figs/fig04.relationship_full.html
The color of a node in the graph refers to the element type in the SPDX specification:

 | SPDX Type | Node Color
---|---|---
0 | File | Yellow
1 | Package | Blue
2 | SPDXDocument | Red
The previous graph has lots of nodes of the type SPDX:File. We can filter out these nodes to get a clearer view of the package’s dependencies. For that we pass the flag hideTypeFile=True to the function visualize_relationship_graph(), as in the example below:
# get the relationship graph to be visualized
graph = visualize_relationship_graph(kg, hideTypeFile=True)
# optional: set the physics layout of the network
graph.force_atlas_2based()
graph.set_edge_smooth('dynamic')
# show graph
graph.show("../figs/fig04.relationship.html")
../figs/fig04.relationship.html
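What visualize_relationship_graph() and its hideTypeFile flag do, reduced to plain data structures, as an added example that is not the notebook's helper and not pyvis code: it colours nodes by SPDX element type according to the legend above, optionally drops every File node together with its edges, walks DEPENDS_ON edges from the root package to list its transitive dependencies, and emits Graphviz DOT as an offline stand-in for the pyvis HTML. The element types and relationship triples are constructed in the shape of sbom-tool's SPDX JSON, and all SPDXIDs are made up; the CONTAINS relationship for package-to-file edges is an assumption of this example.

```python
from collections import deque

# node colours per SPDX element type, as in the legend above
NODE_COLORS = {"File": "yellow", "Package": "blue", "SpdxDocument": "red"}

# Constructed SPDX element types and relationship triples
# (spdxElementId, relationshipType, relatedSpdxElement); all SPDXIDs are made up.
ELEMENT_TYPES = {
    "SPDXRef-DOCUMENT": "SpdxDocument",
    "SPDXRef-RootPackage": "Package",
    "SPDXRef-Package-gradio": "Package",
    "SPDXRef-Package-numpy": "Package",
    "SPDXRef-Package-llama-cpp-python": "Package",
    "SPDXRef-File-server-py": "File",
    "SPDXRef-File-requirements-txt": "File",
}
RELATIONSHIPS = [
    ("SPDXRef-DOCUMENT", "DESCRIBES", "SPDXRef-RootPackage"),
    ("SPDXRef-RootPackage", "DEPENDS_ON", "SPDXRef-Package-gradio"),
    ("SPDXRef-RootPackage", "DEPENDS_ON", "SPDXRef-Package-llama-cpp-python"),
    ("SPDXRef-Package-gradio", "DEPENDS_ON", "SPDXRef-Package-numpy"),
    ("SPDXRef-RootPackage", "CONTAINS", "SPDXRef-File-server-py"),  # assumed relationship type
    ("SPDXRef-RootPackage", "CONTAINS", "SPDXRef-File-requirements-txt"),
]


def build_graph(element_types, relationships, hide_type_file=False):
    """Return (nodes, edges); with hide_type_file every File node and its edges are dropped."""
    def visible(node_id):
        return not (hide_type_file and element_types.get(node_id) == "File")

    edges = [(src, rel, dst) for src, rel, dst in relationships if visible(src) and visible(dst)]
    nodes = {n: {"type": t, "color": NODE_COLORS.get(t, "grey")}
             for n, t in element_types.items() if visible(n)}
    for src, _, dst in edges:  # endpoints referenced by a relationship but never typed
        for n in (src, dst):
            nodes.setdefault(n, {"type": "Unknown", "color": "grey"})
    return nodes, edges


def transitive_dependencies(edges, root):
    """Every element reachable from root over DEPENDS_ON edges (BFS, cycle-safe)."""
    adjacency = {}
    for src, rel, dst in edges:
        if rel == "DEPENDS_ON":
            adjacency.setdefault(src, []).append(dst)
    seen, queue = set(), deque([root])
    while queue:
        node = queue.popleft()
        for dep in adjacency.get(node, []):
            if dep not in seen:
                seen.add(dep)
                queue.append(dep)
    return seen


def to_dot(nodes, edges):
    """Graphviz DOT rendering of the graph, coloured like the pyvis figure."""
    lines = ["digraph sbom {"]
    for node_id, attrs in sorted(nodes.items()):
        lines.append(f'  "{node_id}" [style=filled, fillcolor={attrs["color"]}, '
                     f'label="{node_id}\\n{attrs["type"]}"];')
    for src, rel, dst in edges:
        lines.append(f'  "{src}" -> "{dst}" [label="{rel}"];')
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    full_nodes, full_edges = build_graph(ELEMENT_TYPES, RELATIONSHIPS)
    pkg_nodes, pkg_edges = build_graph(ELEMENT_TYPES, RELATIONSHIPS, hide_type_file=True)
    print(f"full graph: {len(full_nodes)} nodes / {len(full_edges)} edges; "
          f"without files: {len(pkg_nodes)} nodes / {len(pkg_edges)} edges")
    print(sorted(transitive_dependencies(pkg_edges, "SPDXRef-RootPackage")))
    print(to_dot(pkg_nodes, pkg_edges))
```

Pipe the DOT output into `dot -Tsvg` to get the same picture the pyvis HTML shows; the transitive dependency set is the list a reviewer actually wants from the graph, and it is unaffected by hiding File nodes because files never carry DEPENDS_ON edges here.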