Thank you for your interest in contributing to the OWASP AIBOM Generator! This project is part of the OWASP GenAI Security Project and welcomes contributions from the community.
- Fork the repository on GitHub
- Clone your fork locally:

  ```bash
  git clone https://github.com/YOUR_USERNAME/aibom-generator.git
  cd aibom-generator
  ```

- Set up your environment:

  ```bash
  # Local Python setup
  pip install -r requirements.txt
  ```
Use descriptive branch names following this pattern:

```
type/issue-number-description
```

Types:

- `feat` - New features
- `fix` - Bug fixes
- `docs` - Documentation changes
- `refactor` - Code refactoring
- `test` - Adding or updating tests

Examples:

```
feat/17-schema-validation
fix/13-purl-encoding
docs/contributing-guide
```
- Create a branch from `v0.2` (or `main` for documentation)
- Make your changes with clear, focused commits
- Push to your fork and open a PR
- Link your PR to any related issues
- Respond to review feedback
Use conventional commits:

```
type(scope): description

[optional body]
```

Examples:

```
feat(validation): add CycloneDX 1.6 schema validation
fix(generator): correct PURL encoding for model IDs
```
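As an added illustration of the branch-naming and commit-message conventions above (this script is not part of the project; its file name, the `check_branch`/`check_commit` helpers and its use as a git `commit-msg` hook are assumptions), the following validator accepts the examples given in this guide and rejects names that use a type outside the listed set:

```python
"""Check a branch name or commit subject against the conventions above.

Usage as a git commit-msg hook (constructed example, not shipped with the project):
    python check_conventions.py .git/COMMIT_EDITMSG
"""
import re
import sys
from typing import List  # typing.List rather than list[str] keeps Python 3.8 compatibility

# Branch and commit types listed in this guide
TYPES = ("feat", "fix", "docs", "refactor", "test")

# type/issue-number-description; the issue number is optional (docs/contributing-guide)
BRANCH_RE = re.compile(
    r"^(?P<type>[a-z]+)/(?:(?P<issue>\d+)-)?(?P<desc>[a-z0-9]+(?:-[a-z0-9]+)*)$"
)
# type(scope): description; the scope is optional
COMMIT_RE = re.compile(r"^(?P<type>[a-z]+)(?:\((?P<scope>[a-z0-9_-]+)\))?: (?P<desc>\S.*)$")


def check_branch(name: str) -> List[str]:
    """Return a list of problems with a branch name; an empty list means it is acceptable."""
    match = BRANCH_RE.match(name)
    if not match:
        return ["branch %r does not match type/issue-number-description" % name]
    if match["type"] not in TYPES:
        return ["unknown branch type %r; expected one of %s" % (match["type"], ", ".join(TYPES))]
    return []


def check_commit(message: str) -> List[str]:
    """Return a list of problems with a commit message; only the subject line is checked."""
    subject = message.splitlines()[0] if message.strip() else ""
    match = COMMIT_RE.match(subject)
    if not match:
        return ["subject %r does not match type(scope): description" % subject]
    if match["type"] not in TYPES:
        return ["unknown commit type %r; expected one of %s" % (match["type"], ", ".join(TYPES))]
    return []


if __name__ == "__main__":
    # git passes the path of the message file as the first argument to a commit-msg hook
    with open(sys.argv[1], encoding="utf-8") as fh:
        problems = check_commit(fh.read())
    for problem in problems:
        print("commit message rejected:", problem)
    sys.exit(1 if problems else 0)
```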
- Python 3.8+ compatibility required
- Follow existing patterns in the codebase
- Use type hints for function signatures
Order imports by group:

```python
# Standard library
import json
import logging

# Third-party
import requests
from huggingface_hub import HfApi

# Local imports
from .models.service import AIBOMService
from .utils.validation import validate_aibom
```

Use the Python logging module with module-level loggers:

```python
import logging

logger = logging.getLogger(__name__)

# Use lazy formatting (not f-strings)
logger.info("Processing model: %s", model_id)
logger.warning("Schema validation found %d issues", count)
logger.error("Failed to fetch model: %s", error, exc_info=True)
```

Project structure:

```
aibom-generator/
├── src/
│   ├── main.py                 # Application entry point
│   ├── cli.py                  # Command-line interface
│   ├── config.py               # Configuration settings
│   ├── controllers/
│   │   ├── cli_controller.py   # CLI request handling
│   │   └── web_controller.py   # Web/API request handling
│   ├── models/
│   │   ├── service.py          # Core AIBOM generation service
│   │   ├── extractor.py        # Metadata extraction
│   │   ├── registry.py         # Field registry management
│   │   ├── scoring.py          # Completeness scoring
│   │   └── schemas.py          # Pydantic models
│   ├── utils/
│   │   ├── validation.py       # CycloneDX 1.6 schema validation
│   │   ├── license_utils.py    # License normalization
│   │   └── analytics.py        # Usage tracking
│   ├── schemas/                # JSON schemas (CycloneDX, SPDX)
│   └── templates/              # HTML templates
├── tests/                      # Unit and integration tests
└── requirements.txt
```
- Service-oriented architecture: Core logic lives in `models/service.py`
- Registry-driven fields: Field definitions come from `models/registry.py`
- CycloneDX 1.6 compliance: All AIBOMs validate against the schema
- Completeness scoring: Quality metrics in `models/scoring.py`
Running the tests:

```bash
# Install test dependencies
pip install -r requirements.txt

# Run all tests
pytest

# Run with coverage
pytest --cov=src --cov-report=html

# Run specific test file
pytest tests/test_validation.py -v
```

Running the application locally:

```bash
pip install -r requirements.txt

# Run API server
python -m uvicorn src.main:app --reload --port 7860

# Or use CLI
python -m src.cli --model_id "microsoft/DialoGPT-medium"
```

We especially welcome contributions in these areas:
- SPDX 3.1 export - Add support for SPDX AI Profile format
- Model-specific extractors - Better metadata extraction for specific model types
- Documentation - Improve guides, examples, and API docs
- UI/UX enhancements - Improve the web interface
- Test coverage - Expand unit and integration tests
- Performance optimization - Faster extraction and generation
Before creating an issue:

- Search existing issues to avoid duplicates
- Use a clear, descriptive title
- For bugs, include:
  - Steps to reproduce
  - Expected vs actual behavior
  - Model ID if applicable
  - Error messages

Issue tracker: GitHub Issues
This project is licensed under the Apache License 2.0. By contributing, you agree that your contributions will be licensed under the same license.
- OWASP GenAI Security Project: genai.owasp.org
- AIBOM Initiative: genai.owasp.org/ai-sbom-initiative
- Slack: `#team-genai-aibom` on owasp.slack.com
- Weekly Call: Mondays at 4:00 PM ET (Zoom: 851 1385 5952)
Thank you for helping make AI transparency practical!