PyTorch

SBOM Source: pytorch/pytorch generated using microsoft/sbom-tool

RDF Source: Generated using pyspdxtools

Generated SBOM

The SBOM Tool is designed to scan the build components path, which typically refers to the source folder, in order to locate project files such as *.csproj, requirements.txt or *.lock. By analyzing these files, the tool determines the components that were used to build the project. During this process, the SBOM Tool uses ComponentDetection to perform the scanning of components and their dependencies.

In the pytorch repo the ComponentDetection could detect the following project files:

  • ./ios/TestApp/Gemfile.lock
  • ./tools/build/bazel/requirements.txt
  • ./functorch/docs/requirements.txt
  • ./caffe2/requirements.txt
  • ./requirements.txt
  • ./docs/requirements.txt
  • ./scripts/release_notes/requirements.txt
  • ./docs/cpp/requirements.txt

For each project file, a dependency graph is defined, but unfortunately this graph is not being used in the SBOM file generation.

In total, 225 packages were found: 135 Pip and 90 ruby packages.

No files detected. 225 relationships of the type DEPENDS_ON, one for each different package.
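The gaps just listed (NOASSERTION provenance fields, no files, one flat DEPENDS_ON edge per package) are exactly what an SBOM consumer has to check before trusting the document for vulnerability matching. The following is an added example, not code from the page or from sbom-tool: it audits an SPDX 2.3 JSON document with the standard library only. The embedded document is constructed for illustration and uses sample package names and a dummy checksum; it is not the PyTorch SBOM.

```python
import json
from collections import Counter

# Constructed SPDX 2.3 JSON document (sample values, not the PyTorch SBOM).
# It mimics the shape sbom-tool produces: one root package, flat DEPENDS_ON
# edges from the root, and NOASSERTION in most provenance fields.
SAMPLE_SBOM = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "example-app",
    "documentDescribes": ["SPDXRef-RootPackage"],
    "packages": [
        {"SPDXID": "SPDXRef-RootPackage", "name": "example-app", "versionInfo": "1.0.0",
         "supplier": "Organization: example", "downloadLocation": "NOASSERTION",
         "filesAnalyzed": True, "licenseConcluded": "NOASSERTION"},
        {"SPDXID": "SPDXRef-Package-tqdm", "name": "tqdm", "versionInfo": "4.65.0",
         "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION",
         "filesAnalyzed": False, "licenseConcluded": "NOASSERTION",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                           "referenceType": "purl",
                           "referenceLocator": "pkg:pypi/tqdm@4.65.0"}]},
        {"SPDXID": "SPDXRef-Package-simctl", "name": "simctl", "versionInfo": "1.6.8",
         "supplier": "NOASSERTION", "downloadLocation": "https://rubygems.org/",
         "filesAnalyzed": False, "licenseConcluded": "NOASSERTION",
         # dummy checksum, constructed for the example
         "checksums": [{"algorithm": "SHA256", "checksumValue": "00" * 32}]},
        {"SPDXID": "SPDXRef-Package-orphan", "name": "orphan-lib", "versionInfo": "0.1.0",
         "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION",
         "filesAnalyzed": False, "licenseConcluded": "MIT"},
    ],
    "relationships": [
        {"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES",
         "relatedSpdxElement": "SPDXRef-RootPackage"},
        {"spdxElementId": "SPDXRef-RootPackage", "relationshipType": "DEPENDS_ON",
         "relatedSpdxElement": "SPDXRef-Package-tqdm"},
        {"spdxElementId": "SPDXRef-RootPackage", "relationshipType": "DEPENDS_ON",
         "relatedSpdxElement": "SPDXRef-Package-simctl"},
    ],
})

# Fields whose NOASSERTION value leaves the consumer unable to trace provenance.
PROVENANCE_FIELDS = ("supplier", "downloadLocation", "licenseConcluded")


def audit_sbom(doc_json: str) -> dict:
    """Report how usable an SPDX JSON SBOM is for provenance and vulnerability work."""
    doc = json.loads(doc_json)
    packages = doc.get("packages", [])
    rels = doc.get("relationships", [])

    # Count NOASSERTION per provenance field (a missing field counts too).
    noassertion = Counter()
    for p in packages:
        for field in PROVENANCE_FIELDS:
            if p.get(field, "NOASSERTION") == "NOASSERTION":
                noassertion[field] += 1

    # A package with neither a purl nor a checksum cannot be matched to
    # advisories reliably; name+version strings are ambiguous across ecosystems.
    unidentifiable = sorted(
        p["name"] for p in packages
        if not any(r.get("referenceType") == "purl" for r in p.get("externalRefs", []))
        and not p.get("checksums")
    )

    # Every package should appear in at least one relationship; otherwise it is
    # listed but nobody can say what uses it.
    related = set()
    for r in rels:
        related.update((r["spdxElementId"], r["relatedSpdxElement"]))
    orphans = sorted(p["name"] for p in packages if p["SPDXID"] not in related)

    return {
        "package_count": len(packages),
        "relationship_types": dict(Counter(r["relationshipType"] for r in rels)),
        "noassertion": dict(noassertion),
        "unidentifiable": unidentifiable,
        "orphans": orphans,
        "files_analyzed": sum(1 for p in packages if p.get("filesAnalyzed")),
    }


if __name__ == "__main__":
    import pprint
    pprint.pprint(audit_sbom(SAMPLE_SBOM))
```

Run against a real sbom-tool output the same function gives the kind of picture the tables below show for PyTorch: a NOASSERTION count close to the package count for supplier and licenseConcluded, no files analyzed, and only DESCRIBES and DEPENDS_ON in the relationship type histogram.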

SBOM Analysis

Let’s analyze how accurate and complete the SBOM for this project is.

First import the KG form of the SBOM as specified in the header above.

kg = kglab.KnowledgeGraph()
kg.load_rdf("../../sboms/rdf/pytorch.rdf.xml", format="xml")
<kglab.kglab.KnowledgeGraph>

Basic Metadata

Let’s start by looking at the overall size of the KG

show_metadata(kg)
Total Triples: 4076
Distinct Entities: 680
Distinct Properties: 24
show_measures(kg)
edges 4076
nodes 692

Already this looks small.

Packages

package_schema(kg)
property
0 spdx:copyrightText
1 spdx:downloadLocation
2 spdx:externalRef
3 spdx:filesAnalyzed
4 spdx:licenseConcluded
5 spdx:licenseDeclared
6 spdx:licenseInfoFromFiles
7 spdx:name
8 spdx:packageVerificationCode
9 spdx:relationship
10 spdx:supplier
11 spdx:versionInfo
12 rdf:type
packages = get_package_data(kg)
packages
package annotations attributionTexts checksums copyrightText downloadLocation externalRefs hasFiles licenseConcluded licenseDeclared licenseInfoFromFiles name packageVerificationCode supplier versionInfo relationships
0 <https://spdx.org/spdxdocs/sbom-tool-1.1.2-49b... NOASSERTION spdx:noassertion spdx:noassertion spdx:noassertion PyTorch _:N5158fb3e1d49434ba603b3e1cac432b9 Organization: pytorch 2.0.1 Na5371014d0744fa889463b66da2a4b13, N3d105ed8f1...
1 <https://spdx.org/spdxdocs/sbom-tool-1.1.2-49b... NOASSERTION https://rubygems.org/ N072d33db8b0640c0a67f046442d71f6e spdx:noassertion spdx:noassertion faraday-net_http_persistent NaN NOASSERTION 1.2.0
2 <https://spdx.org/spdxdocs/sbom-tool-1.1.2-49b... NOASSERTION https://rubygems.org/ N2b4cf4bd658240ea9faa89424f36c4a8 spdx:noassertion spdx:noassertion emoji_regex NaN NOASSERTION 3.2.3
3 <https://spdx.org/spdxdocs/sbom-tool-1.1.2-49b... NOASSERTION spdx:noassertion N15a4af78e7084b20a9c5b2dc81cabd4d spdx:noassertion spdx:noassertion matplotlib NaN NOASSERTION 3.6.0
4 <https://spdx.org/spdxdocs/sbom-tool-1.1.2-49b... NOASSERTION spdx:noassertion N68929099a2814d318464ac8f437c2e77 spdx:noassertion spdx:noassertion tensorboard NaN NOASSERTION 2.10.0
... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ...
221 <https://spdx.org/spdxdocs/sbom-tool-1.1.2-49b... NOASSERTION https://rubygems.org/ Nca4704d9fec1409992a888bca8d96405 spdx:noassertion spdx:noassertion simctl NaN NOASSERTION 1.6.8
222 <https://spdx.org/spdxdocs/sbom-tool-1.1.2-49b... NOASSERTION https://rubygems.org/ Nb4a1fb4ffd11456faef76db1892e9ce8 spdx:noassertion spdx:noassertion nanaimo NaN NOASSERTION 0.3.0
223 <https://spdx.org/spdxdocs/sbom-tool-1.1.2-49b... NOASSERTION spdx:noassertion N9af52b914e874d928dfc4c169352e544 spdx:noassertion spdx:noassertion tqdm NaN NOASSERTION 4.65.0
224 <https://spdx.org/spdxdocs/sbom-tool-1.1.2-49b... NOASSERTION https://rubygems.org/ Nfd513ea41d344679b39c5f5611158eb6 spdx:noassertion spdx:noassertion unf NaN NOASSERTION 0.1.4
225 <https://spdx.org/spdxdocs/sbom-tool-1.1.2-49b... NOASSERTION spdx:noassertion N669f898b81934477a464d5c4c90a1d4a spdx:noassertion spdx:noassertion MarkupSafe NaN NOASSERTION 2.1.3

226 rows × 16 columns

Files

file_schema(kg)
get_files_data(kg)

The first thing to point out here is that there are no relationships specified with any of these files. If these files are being used as libraries within the project, it could be important to specify that as a relationship.

Relationships

Finally let’s look at what relationships are specified in the KG

rels = get_relationship_data(kg)
rels
element elementType relationshipType relatedElement relatedElementType
0 <https://spdx.org/spdxdocs/sbom-tool-1.1.2-49b... spdx:Package spdx:relationshipType_dependsOn <https://spdx.org/spdxdocs/sbom-tool-1.1.2-49b... spdx:Package
1 <https://spdx.org/spdxdocs/sbom-tool-1.1.2-49b... spdx:Package spdx:relationshipType_dependsOn <https://spdx.org/spdxdocs/sbom-tool-1.1.2-49b... spdx:Package
2 <https://spdx.org/spdxdocs/sbom-tool-1.1.2-49b... spdx:Package spdx:relationshipType_dependsOn <https://spdx.org/spdxdocs/sbom-tool-1.1.2-49b... spdx:Package
3 <https://spdx.org/spdxdocs/sbom-tool-1.1.2-49b... spdx:Package spdx:relationshipType_dependsOn <https://spdx.org/spdxdocs/sbom-tool-1.1.2-49b... spdx:Package
4 <https://spdx.org/spdxdocs/sbom-tool-1.1.2-49b... spdx:Package spdx:relationshipType_dependsOn <https://spdx.org/spdxdocs/sbom-tool-1.1.2-49b... spdx:Package
... ... ... ... ... ...
221 <https://spdx.org/spdxdocs/sbom-tool-1.1.2-49b... spdx:Package spdx:relationshipType_dependsOn <https://spdx.org/spdxdocs/sbom-tool-1.1.2-49b... spdx:Package
222 <https://spdx.org/spdxdocs/sbom-tool-1.1.2-49b... spdx:Package spdx:relationshipType_dependsOn <https://spdx.org/spdxdocs/sbom-tool-1.1.2-49b... spdx:Package
223 <https://spdx.org/spdxdocs/sbom-tool-1.1.2-49b... spdx:Package spdx:relationshipType_dependsOn <https://spdx.org/spdxdocs/sbom-tool-1.1.2-49b... spdx:Package
224 <https://spdx.org/spdxdocs/sbom-tool-1.1.2-49b... spdx:Package spdx:relationshipType_dependsOn <https://spdx.org/spdxdocs/sbom-tool-1.1.2-49b... spdx:Package
225 <https://spdx.org/spdxdocs/sbom-tool-1.1.2-49b... spdx:SpdxDocument spdx:relationshipType_describes <https://spdx.org/spdxdocs/sbom-tool-1.1.2-49b... spdx:Package

226 rows × 5 columns

rels.describe()
element elementType relationshipType relatedElement relatedElementType
count 226 226 226 226 226
unique 2 2 2 226 1
top <https://spdx.org/spdxdocs/sbom-tool-1.1.2-49b... spdx:Package spdx:relationshipType_dependsOn <https://spdx.org/spdxdocs/sbom-tool-1.1.2-49b... spdx:Package
freq 225 225 225 1 226

It looks like most relationships are of the spdx:relationshipType_contains type. Let’s filter those out to see what remains.

rels[~rels['relationshipType'].str.contains('spdx:relationshipType_contains')]
element elementType relationshipType relatedElement relatedElementType
0 <https://spdx.org/spdxdocs/sbom-tool-1.1.2-49b... spdx:Package spdx:relationshipType_dependsOn <https://spdx.org/spdxdocs/sbom-tool-1.1.2-49b... spdx:Package
1 <https://spdx.org/spdxdocs/sbom-tool-1.1.2-49b... spdx:Package spdx:relationshipType_dependsOn <https://spdx.org/spdxdocs/sbom-tool-1.1.2-49b... spdx:Package
2 <https://spdx.org/spdxdocs/sbom-tool-1.1.2-49b... spdx:Package spdx:relationshipType_dependsOn <https://spdx.org/spdxdocs/sbom-tool-1.1.2-49b... spdx:Package
3 <https://spdx.org/spdxdocs/sbom-tool-1.1.2-49b... spdx:Package spdx:relationshipType_dependsOn <https://spdx.org/spdxdocs/sbom-tool-1.1.2-49b... spdx:Package
4 <https://spdx.org/spdxdocs/sbom-tool-1.1.2-49b... spdx:Package spdx:relationshipType_dependsOn <https://spdx.org/spdxdocs/sbom-tool-1.1.2-49b... spdx:Package
... ... ... ... ... ...
221 <https://spdx.org/spdxdocs/sbom-tool-1.1.2-49b... spdx:Package spdx:relationshipType_dependsOn <https://spdx.org/spdxdocs/sbom-tool-1.1.2-49b... spdx:Package
222 <https://spdx.org/spdxdocs/sbom-tool-1.1.2-49b... spdx:Package spdx:relationshipType_dependsOn <https://spdx.org/spdxdocs/sbom-tool-1.1.2-49b... spdx:Package
223 <https://spdx.org/spdxdocs/sbom-tool-1.1.2-49b... spdx:Package spdx:relationshipType_dependsOn <https://spdx.org/spdxdocs/sbom-tool-1.1.2-49b... spdx:Package
224 <https://spdx.org/spdxdocs/sbom-tool-1.1.2-49b... spdx:Package spdx:relationshipType_dependsOn <https://spdx.org/spdxdocs/sbom-tool-1.1.2-49b... spdx:Package
225 <https://spdx.org/spdxdocs/sbom-tool-1.1.2-49b... spdx:SpdxDocument spdx:relationshipType_describes <https://spdx.org/spdxdocs/sbom-tool-1.1.2-49b... spdx:Package

226 rows × 5 columns

Relationship graph visualization

# get the relationship graph to be visualized
graph = visualize_relationship_graph(kg)

# optional: set the physics layout of the network
graph.force_atlas_2based()
graph.set_edge_smooth('dynamic')

# show graph
graph.show("../figs/fig06.relationship_full.html")
../figs/fig06.relationship_full.html

The color of each node in the graph refers to the element type in the SPDX specification:

display_relationship_graph_legend()
SPDX Type Node Color
0 File Yellow
1 Package Blue
2 SPDXDocument Red

Other Elements

Here’s what the KG contains other than Packages, Files, and Relationships

query = """
SELECT DISTINCT ?type
WHERE {
    ?element rdf:type ?type
}
"""
kg.query_as_df(query)
type
0 spdx:SpdxDocument
1 spdx:Relationship
2 spdx:Package
3 spdx:ExternalRef
4 spdx:PackageVerificationCode
5 spdx:CreationInfo

There is nothing specific to AI workflows here yet.