add tool Dyana #3

Open
wants to merge 5 commits into
base: main


@GangGreenTemperTatum GangGreenTemperTatum commented Jan 14, 2025

Dyana provides a safe, easily adoptable and approachable methodology for any developers or engineers to verify numerous elements of their supply-chain from multiple model formats, programming language dependencies and even down to executable files.

I strongly believe this tool is a great open-source contribution that can be adopted by the OWASP foundation in general due to its multi-faceted use-cases and lightweight, flexible approach and serves multiple use-cases - including, but not limited to:

  • OWASP Top 10 for LLM Applications project, including the OWASP LLM and GenAI Security Landscape
  • OWASP Application Security Verification Standard (ASVS)
  • OWASP LLM Security Verification Standard (LLMSVS)
  • CycloneDX - @OWASP CycloneDX SBOM/xBOM Standard

Related links:

https://pypi.org/project/dyana/0.0.2/
https://www.linkedin.com/posts/dreadnode_meet-dyana-a-new-open-source-tool-from-dreadnode-activity-7284984127064260608-aLS-?utm_source=share&utm_medium=member_desktop
OWASP/www-project-top-10-for-large-language-model-applications#531

@stevespringett
Member

Thanks for the PR. The tool has an ml-bom category defined which is not supported by the current Tool Center. We are working on a completely updated tool center which will have this category, but the format of the yaml will be completely different. If you'd like this PR merged, we need the ml-bom category removed - and we will reclassify it when we roll out the new tool center - scheduled for March.

@jkowalleck jkowalleck requested a review from a team January 24, 2025 15:09
@GangGreenTemperTatum
Author

chore: feedback remove mlbom tag not ready

perfect, thank you @stevespringett and done! (here 2f4bf84)

hope this works and plmk if you need anything else, thank you!

Member

@jkowalleck jkowalleck left a comment

Please do not mix scopes.
just add your tool at the bottom, and revert all the whitespace changes and format modifications.
Thanks.

PS: if you think the whitespace changes are beneficial, open another PR for this scope.

@jkowalleck jkowalleck requested a review from a team January 24, 2025 21:34
@GangGreenTemperTatum
Author

> Please do not mix scopes. just add your tool at the bottom, and revert all the whitespace changes and format modifications. Thanks.
>
> PS: if you think the whitespace changes are beneficial, open another PR for this scope.

apologies @jkowalleck , my bad on a linter - fixed and thank you

@jkowalleck
Member

could you help me understand how this tool is connected to CycloneDX?

@GangGreenTemperTatum
Author

> CycloneDX

sure and thanks! reasoning TLDR;

  • CycloneDX - BOM standard/framework
    • that extends to the ML-BOM which is a BOM framework for ML/AI
  • dyana is a multi-faceted tool in a very scarce space of similar toolsets that allow you to perform sandboxed, dynamic runtime analysis on model files (see citation ref)
    • by multi-faceted definition, Dyana also has a concept of "loaders" which extends beyond machine learning models and includes many common file-types, package dependencies and executable files that co-exist within an ML and SDLC supply chain

therefore, this is a swiss-army knife to anyone involved within an SDLC or security team etc that allows them to verify the legitimacy, integrity and system resource requirements for these pieces of software.. plmk if you need anything else and hope that helps!

@jkowalleck
Member

> > CycloneDX
>
> sure and thanks! reasoning TLDR;
>
> * CycloneDX - BOM standard/framework
>   * that extends to the [ML-BOM](https://cyclonedx.org/capabilities/mlbom/) which is a BOM framework for ML/AI
> * [`dyana`](https://github.com/dreadnode/dyana) is a multi-faceted tool in a very scarce space of similar toolsets that allow you to perform sandboxed, dynamic runtime analysis on model files (see citation [ref](https://jfrog.com/blog/data-scientists-targeted-by-malicious-hugging-face-ml-models-with-silent-backdoor/))
>   * by multi-faceted definition, Dyana also has a concept of "[loaders](https://docs.dreadnode.io/dyana/docs/loaders/)" which extends beyond machine learning models and includes many common file-types, [package dependencies](https://docs.dreadnode.io/dyana/docs/loaders/#js) and [executable files](https://docs.dreadnode.io/dyana/docs/loaders/#elf) that co-exist within an ML and SDLC supply chain
>
> therefore, this is a swiss-army knife to anyone involved within an SDLC or security team etc that allows them to verify the legitimacy, integrity and system resource requirements for these pieces of software.. plmk if you need anything else and hope that helps!

Could you help me understand, what does the tool have to do with CycloneDX?

@jkowalleck changed the title from "docs: proposal for mlbom dynamic analysis open source tool" to "add tool Dyana" on Jan 25, 2025
@GangGreenTemperTatum
Author

> CycloneDX

i'm sorry @jkowalleck , i'm not sure if it's a duplicate comment but i do not understand your question and understand i've addressed that here(?) please let me know if this is not the case

@jkowalleck
Member

> > CycloneDX
>
> i'm sorry @jkowalleck , i'm not sure if it's a duplicate comment but i do not understand your question and understand i've addressed that here(?) please let me know if this is not the case

I mean, you want the tool to be listed on the website of CycloneDX, on the marketplace for tools that are somehow connected to CycloneDX, right?

How is dyana connected to CycloneDX?
I tried to understand it from the project's description and from the project's readme, but I failed.
I tried to read up some docs, but did not find any connection of dyana to CycloneDX: https://github.com/search?q=repo:dreadnode/dyana%20Cyclone&type=code

Does dyana produce CycloneDX? or does it ingest CycloneDX?

@GangGreenTemperTatum
Author

> > > CycloneDX
> >
> > i'm sorry @jkowalleck , i'm not sure if it's a duplicate comment but i do not understand your question and understand i've addressed that here(?) please let me know if this is not the case
>
> I mean, you want the tool to be listed on the website of CycloneDX, on the marketplace for tools that are somehow connected to CycloneDX, right?
>
> How is dyana connected to CycloneDX? I tried to understand it from the project's description and from the project's readme, but I failed. I tried to read up some docs, but did not find any connection of dyana to CycloneDX: https://github.com/search?q=repo:dreadnode/dyana%20Cyclone&type=code
>
> Does dyana produce CycloneDX? or does it ingest CycloneDX?

sorry @jkowalleck i see now, this makes sense with me - is either of the two a hard-requirement for the tool-centre?

> Does dyana produce CycloneDX? or does it ingest CycloneDX?

we can certainly look into a feature capability to do this - do you have any developer doc references at all? (apologies if this is an obvious question)

@stevespringett
Member

@GangGreenTemperTatum this looks like a really interesting tool. Thanks for making us aware of it. I looked at the repo and Dyana doesn't seem to support CycloneDX today.

I think there is some potential to support it, specifically support for formulation (Manufacturing Bill of Materials - MBOM) and for ML-BOM. We have an Authoritative Guide to MBOM being developed now and an ML-BOM guide later this year. In the meantime, the CycloneDX specification can be found here.

@GangGreenTemperTatum
Author

thanks @stevespringett ! added a NFR in our repo dreadnode/dyana#38 and i'll certainly look into this on the backlog 👍
for this PR, to confirm is this a hard-stop for this repo right now? if so, any better placement you'd suggest?

@GangGreenTemperTatum
Author

hey @stevespringett @jkowalleck , i created an issue in the CISA repo here aibom-squad/rsa-2024#3

as per here, we are unsure how the numfocus in the cpe would be generated, ie:

"cpe:2.3:a:numfocus:pandas:1.0.3:*:*:*:*:*:*:*"

as of today, current capabilities of dyana would be able to generate the following as a comparison:

"cpe:2.3:a:*:pandas:1.0.3:*:*:*:*:*:*:*",

TLDR; question for you, is this a hard requirement for the MLBOM format? TYIA!
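
Added example, not part of the thread and not Dyana or CycloneDX code: a Python comparison of the two CPE 2.3 strings quoted in the comment above, showing that they differ only in the vendor attribute, where `*` (ANY) is broader than `numfocus`. The comparison is a simplified form of CPE name matching that handles only ANY and exact values, and all function names are illustrative.

```python
# Attribute order in a CPE 2.3 formatted string (NISTIR 7695).
FIELDS = ("part", "vendor", "product", "version", "update", "edition",
          "language", "sw_edition", "target_sw", "target_hw", "other")

def parse_cpe23(cpe: str) -> dict:
    """Split a CPE 2.3 formatted string into its 11 named attributes."""
    parts, cur, i = [], "", 0
    while i < len(cpe):
        if cpe[i] == "\\" and i + 1 < len(cpe):  # keep escaped pairs such as "\:" together
            cur += cpe[i:i + 2]
            i += 2
        elif cpe[i] == ":":                       # an unescaped colon separates attributes
            parts.append(cur)
            cur = ""
            i += 1
        else:
            cur += cpe[i]
            i += 1
    parts.append(cur)
    if parts[:2] != ["cpe", "2.3"] or len(parts) != 2 + len(FIELDS):
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe!r}")
    return dict(zip(FIELDS, (p.lower() for p in parts[2:])))

def relation(source: str, target: str) -> str:
    """Simplified attribute comparison: only ANY ('*') and exact values are handled."""
    if source == target:
        return "equal"
    if source == "*":
        return "superset"  # source matches every value, including target's
    if target == "*":
        return "subset"
    return "disjoint"

def compare_cpes(generated: str, reference: str) -> dict:
    """Relation of each attribute in `generated` to the same attribute in `reference`."""
    g, r = parse_cpe23(generated), parse_cpe23(reference)
    return {f: relation(g[f], r[f]) for f in FIELDS}

def widened_fields(generated: str, reference: str) -> list:
    """Attributes where `generated` is ANY but `reference` names a specific value."""
    return [f for f, rel in compare_cpes(generated, reference).items() if rel == "superset"]

# The two strings quoted in the comment above.
REFERENCE = "cpe:2.3:a:numfocus:pandas:1.0.3:*:*:*:*:*:*:*"
GENERATED = "cpe:2.3:a:*:pandas:1.0.3:*:*:*:*:*:*:*"

if __name__ == "__main__":
    print(widened_fields(GENERATED, REFERENCE))
```

With the vendor left as `*`, the generated string also matches a product named pandas from any other vendor, so a consumer that looks up vulnerabilities by CPE has to account for that broader match.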
