Known purl types for Machine Learning packages

[maitre-matt]

Generating SPDX/CycloneDX SBOMs for systems relying on Machine Learning brings in a new set of package managers (aka model registries in ML speak). We wanted to discuss the addition of those to the list of known purl types:

• Hugging Face
• MLflow
  • Azure Machine Learning
  • Azure/AWS/GCP Databricks
• AWS Sagemaker
• GCP Vertex AI

[robomotic]

Hi there, saw your project from Slack, I am trying to understand how this overlaps with traditional SBOMS. For example let's say I have a web application that runs Scikit in python meaning that does depend on the PIP package manager, then there will be all sort of libraries that are related to the ML process typically like ETL or statistical manipulation. Should all those be included as related to ML? Basically where do we draw the line?

[maitre-matt]

Two guiding documents to answer that question would be the White House Cyber Executive Order and NTIA The Minimum Elements For a Software Bill of Materials (SBOM). The compliance requirements are fairly generic:

“SBOM” means a formal record containing the details and supply chain relationships of various components used in building software

Dependency Relationship - Characterizing the relationship that an upstream component X is included in software Y.

In this respect, Hugging Face and PyPI are equivalent in that they both represent a source of software dependency.