WIP: EU AI Act mapping to AI/ML BOM sections and examples

ML-BOM/en/0x20-Design-Model-Component-Metadata.md

@@ -17,6 +17,7 @@ For convenience, here are links to the specific sections for each of those infor
   * [Describing models as components](#describing-models-as-components)
   * [Model repositories as components](#model-repositories-as-components)
   * [Model identifiers](#model-identifiers)
+  * [Providing model release notes](#providing-model-release-notes)
   * [Describing a model repository as a CycloneDX assembly](#describing-a-model-repository-as-a-cyclonedx-assembly)
   * [Declaring a model's pedigree](#declaring-a-models-pedigree)
 
@@ -58,8 +59,18 @@ The CycloneDX JSON pseudocode below shows how an ML model would be declared as t
       "bom-ref": "pkg:huggingface/Qwen/Qwen-7B@ef3c5c9",
       "purl": "pkg:huggingface/Qwen/Qwen-7B@ef3c5c9c57b252f3149c1408daf4d649ec8b6c85",
       "version": "ef3c5c9c57b252f3149c1408daf4d649ec8b6c85",
+      "licenses": [
+        {
+          "license": {
+            "name": "Tongyi Qianwen LICENSE AGREEMENT",
+            "text": {
+              "content": "By clicking to agree or by using or distributing any portion or element of the Tongyi Qianwen Materials, ..."
+            }
+          }
+        }
+      ]
       // ...
-    }
+    },
     // ...
   }
   // ...
@@ -69,6 +80,7 @@ The CycloneDX JSON pseudocode below shows how an ML model would be declared as t
 ###### Field discussion
 
 * **bom-ref** - Please note the `bom-ref` value includes the first seven characters of the larger hash value from the `purl` component identifier which is sufficient for local identification within the BOM itself.
+* **license** - The `licenses` object shown in the example is a "custom" license which, in this case, we chose to provide the unencoded license text.  It is preferable, when possible to use an SPDX license identifier and supply it in the `id` field of the `license` (e.g., `"license": { "id": "Apache-2.0" }` ).
 
 #### Model repositories as components
 
@@ -166,7 +178,7 @@ If the model being described by an ML-BOM is instead hosted in a GitHub reposito
 
 Organizations that produce BOMs for hardware or software components they produce may have multiple domain-specific identifiers for the same component.  In these cases, it is best practice to register (reserve) an official namespace for these domains with the [CycloneDX Property Taxonomy](), which is the authoritative source of official namespaces used in CycloneDX `properties`.
 
-###### Example:
+###### Example: domain-specific identifiers
 
 The following example shows how a registered name for a fictional company, ACME, which registered the namespace `acme`, could provide a property to identify one of its internal ML models.
 
@@ -224,11 +236,47 @@ Each can be specifically identified in a CycloneDX component using a Package URL
 }
 ```
 
+##### Providing model release notes
+
+It is important to disclose information regarding a model's release.  This is accomplished by utilizing the CycloneDX component's `releaseNotes` object and its fields.
+
+###### Example: release notes
+
+```json
+{
+  "$schema": "http://cyclonedx.org/schema/bom-1.7.schema.json",
+  // ...
+  "metadata":
+  {
+    "component":
+    {
+      "type": "machine-learning-model",
+      "bom-ref": "pkg:huggingface/Qwen/Qwen-7B@ef3c5c9",
+      // ...
+      "releaseNotes": [
+        {
+          "type": "major",
+          "title": "Qwen 7B initial release",
+          "timestamp": "2023-08-03T15:30:00Z",
+          "notes": {
+            {
+              "locale": "en-US",
+              "text": "United States (US), English release date."
+            }
+            // ...
+          }
+        }
+      ]
+    },
+    // ...
+  }
+}
+```
+
 ###### Field discussion
 
 * **type** -  the type has the value `machine-learning-model` since the single file contains all the information (e.g., default configuration parameters, references to architectures and tokenizers, prompt template, etc.) needed to run the model in GGUF inference frameworks.
 
-
 #### Describing a model repository as a CycloneDX assembly
 
 CycloneDX allows for declarations of software compositions (e.g., hardware products, software applications, packages, libraries, archives, etc.).
@@ -387,7 +435,7 @@ It is important to capture any of these transformations in the model's lineage (
 
 * **ancestors** - `ancestors` entries are themselves CycloneDX `component` objects. It should be noted that these models may have their own ML-BOMs, which can be located via their identifiers (e.g., `purl`) or via `externalReferences` for readers to follow.
 
-##### Declaring known descendents
+##### Declaring known descendants
 
 If, at the time an ML-BOM is created for a model, its downstream model variants (e.g., finetunings, quantizations, etc., derived from the model) are known, these can also be recorded within the `pedigree` object as `descendants` in a similar manner.
 

ML-BOM/en/0x40-Design-Additional-Model-Information.md

@@ -7,7 +7,9 @@ Currently, the v1.7 CycloneDX specification may not have specific objects or fie
 For convenience, here are links to the specific sections for some of these acknowledged informational areas:
 
 * [Using CycloneDX AI/ML properties](#using-cyclonedx-aiml-properties)
+  * [Declaring a model's modalities](#declaring-a-models-modalities)
   * [Annotating a model's supported languages](#annotating-a-models-supported-languages)
+  * [Providing a model's usage policy](#providing-a-models-usage-policy)
   * [Providing free-form tags for search](#providing-free-form-tags-for-search)
 * [Tokenizers and prompt templates](#tokenizers-and-prompt-templates)
 * [Including manufacturing information for the ML model](#including-manufacturing-information-for-the-ml-model)
@@ -20,6 +22,44 @@ For convenience, here are links to the specific sections for some of these ackno
 This section includes discussion and examples of supported AI/ML-related metadata properties that can be used to classify models in their model card information. This method utilizes reserved [AI/ML property names](https://github.com/CycloneDX/cyclonedx-property-taxonomy/cdx/ai-ml.md) registered under the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy).
 
 
+## Declaring a model's modalities
+
+Models are trained to support processing and analysis of one or more types types of input data for specific tasks or data modalities.
+
+* **Property name**: The CycloneDX reserved property taxonomy name to use to annotate a model with its supported modalities is: `cdx:ai-ml:model:modality`
+
+* **Property value**: The values for this property includes:
+
+  * `text` - Natural Language Processing (NLP) and specializations such as Natural Language Understanding (NLU) for tasks like translation, summarization, conversation, classification and sentiment analysis.
+  * `code` - Specialized text-based modality used for software engineering and logic.
+  * `instruct` - Specialized text-based fine-tuned for understanding and executing natural language directives (i.e., instruction following).
+  * `image` (vision) - Computer vision for object detection, generation, and classification as well as document processing.
+  * `video` - Video processing tasks to extract structured information, including object detection, action recognition, scene detection, and temporal understanding.
+  * `audio` - Audio processing tasks such as Automatic Speech Recognition (ASR), Speech-to-Text, music generation, and sound pattern recognition.
+  * `sensor` (telemetry) - Processes data from specialized sensors or hardware, such as LiDAR for autonomous vehicles or IoT sensor feeds.
+  * `biometric` - Specialized sensor-based modality used for analyzing biological traits for tasks such as facial recognition, fingerprint scanning, or voice authentication.
+  * `genomic` (telemetry) - Processes high-dimensional data used in drug discovery and medical research.
+  * `_undefined:<NAME>` - `<NAME>` placeholder, used to provide an arbitrary model modality name.
+
+###### Example: Tagging a model with its modalities
+
+```json
+"component":
+{
+  "type": "machine-learning-model",
+  "bom-ref": "pkg:huggingface/FakeAI/CoderModel",
+  // ...,
+  "properties": [
+    {
+      "name": "cdx:ai-ml:model:modality:code"
+    },
+    {
+      "name": "cdx:ai-ml:model:modality:instruct"
+    }
+  ]
+}
+```
+
 ## Annotating a model's supported languages
 
 Models can be trained in one or more languages (i.e., multilingual models).
@@ -81,6 +121,28 @@ This section describes how to "tag" model components with non-standard keywords
 * **properties** - The tag values shown above might be used to search for models in a catalog that are compatible with the `pytorch` framework and (the Hugging Face) `transformers` library.  The `text-to-speech` and `speech-to-speech` tags could identify the model with those input/output capabilities.
 
 
+## Providing a model's usage policy
+
+Model usage policies can be provided using `externalReferences` associated with the model's component definition.
+
+###### Example: Providing a link to a model's usage policy
+
+```json
+"component": {
+  "type": "machine-learning-model",
+  "bom-ref": "pkg:huggingface/Qwen/Qwen-7B@ef3c5c9",
+  // ...,
+  "externalReferences": [
+    {
+      "url": "https://qwen.ai/usagepolicy",
+      "type": "documentation",
+      "comment": "Usage policy"
+    }
+  ],
+  // ...
+}
+```
+
 ## Tokenizers and prompt templates
 
 Tokenizers provide the preprocessing (encoding) and postprocessing (decoding) functions to convert input and output information to tokens that the associated ML model was trained on and used for inference.

ML-BOM/en/0x91-Appendix-B_References.md

@@ -27,7 +27,7 @@ This appendix includes references to resources, standards, technologies, and mod
   * [ECMA-428 Common Lifecycle Enumeration (CLE) specification](https://ecma-international.org/publications-and-standards/standards/ecma-428/) - The CLE provides a standardized format for communicating software component lifecycle events in a machine-readable format.
 * [European Union's Cyber Resilience Act (EU CRA)](https://www.european-cyber-resilience-act.com/)
   * [Cyber Resilience Act (CRA)](https://www.european-cyber-resilience-act.com/Cyber_Resilience_Act_Articles.html) - "The Final Text"
-* [EU’s AI Act](https://artificialintelligenceact.eu/) ([text](https://eur-lex.europa.eu/eli/reg/2024/1689/oj/eng)) - The European Union's  comprehensive legal framework for artificial intelligence, designed to ensure that AI systems used in the European Union are safe, ethical, and trustworthy.
+* [EU AI Act](https://artificialintelligenceact.eu/) ([index](https://artificialintelligenceact.eu/ai-act-explorer/)) - The European Union's  comprehensive legal framework for artificial intelligence, designed to ensure that AI systems used in the European Union are safe, ethical, and trustworthy.
   * [Article 53: Obligations for Providers of General-Purpose AI Models](https://artificialintelligenceact.eu/article/53/)
   * [Annex XI: Technical Documentation Referred to in Article 53(1), Point (a) – Technical Documentation for Providers of General-Purpose AI Models](https://artificialintelligenceact.eu/annex/11/)
   * [Explanatory Notice and Template for the Public Summary of Training Content for general-purpose AI models](https://digital-strategy.ec.europa.eu/en/library/explanatory-notice-and-template-public-summary-training-content-general-purpose-ai-models)