feat: Add AIBoMGen tooling

[wiebe-vandendriessche]

Adds three CycloneDX tool entries for the AIBoMGen project by IDLab, Ghent University, imec:

• AIBoMGen: proof-of-concept platform for generating trustworthy AIBOMs during distributed AI model training
• AIBoMGen CLI: Go CLI tool for scanning repositories for Hugging Face model usage and generating CycloneDX AIBOMs
• AIBoMGen CLI Action: GitHub Action wrapping the AIBoMGen CLI for use in CI/CD pipelines

All three target the CycloneDX AI/ML-BOM capability.

[jkowalleck]

I dont see how an GH action might help authoring an BOM.

https://cyclonedx.github.io/tool-center/#tools_items_functions

Tools that human authors can use to create CycloneDX BOMs.

Suggested change

"AUTHOR"

[wiebe-vandendriessche]

Could you clarify what "authoring" means in this context? Does it strictly mean a human manually writing BOM content, or does it also cover tools that automate BOM creation on behalf of the user? And if the latter doesn't qualify, which functions value would be most appropriate for an automated generator?

[jkowalleck]

I dont see how an GH action might help to author a BOM.

https://cyclonedx.github.io/tool-center/#tools_items_functions

Tools that human authors can use to create CycloneDX BOMs.

Suggested change

"AUTHOR",

[wiebe-vandendriessche]

This is the cli tool (not the GH action)
But same question here.

[jkowalleck]

I dont see how an SBOM generator acts as a transformer.
could you elaborate on this?

https://cyclonedx.github.io/tool-center/#tools_items_functions

Tools that transform CycloneDX into other formats or transform other formats into CycloneDX.

[wiebe-vandendriessche]

This cli tool is able to generate AI/ML BOMs in both xml and json format and is able to merge SBOMs with AI/ML BOM components. I understood that merging is a form of "transformation".

[jkowalleck]

I dont see how an SBOM generator acts as a transformer.
could you elaborate on this?

https://cyclonedx.github.io/tool-center/#tools_items_functions

Tools that can analyze CycloneDX BOMs.

[wiebe-vandendriessche]

This cli tool is able to generate AI/ML BOMs in both xml and json format and is able to merge SBOMs with AI/ML BOM components. I understood that merging is a form of "transformation".

[jkowalleck]

I dont see how an GH action might help to author a BOM.

https://cyclonedx.github.io/tool-center/#tools_items_functions

Tools that human authors can use to create CycloneDX BOMs.

Suggested change

"AUTHOR",

[wiebe-vandendriessche]

This is not the GH action. Same question here: What is meant with "authoring"?

[wiebe-vandendriessche]

Hey @jkowalleck, quick note on the functions field across the three entries:
Current state:

Tool	Functions
AIBoMGen	AUTHOR, SIGNING/NOTARY
AIBoMGen CLI	AUTHOR, ANALYSIS, TRANSFORM
AIBoMGen CLI Action	AUTHOR

The schema defines AUTHOR as:

"Tools that human authors can use to create CycloneDX BOMs."

All three tools generate BOMs automatically (from training runs or repository scans) not interactively by a human author.
However AIBoMGen and AIBoMGen-cli tool are also able to "enrich" the BOMs with author defined metadata using a form.
Should I remove Author for all 3?

Proposed:

Tool	Functions
AIBoMGen	SIGNING/NOTARY (platform signs BOMs)
AIBoMGen CLI	ANALYSIS, TRANSFORM (validate, check completeness, merge with SBOM)
AIBoMGen CLI Action	N/A? (anything i can add here?)