
feat(extractor): Add Hugging Face Transformers config.json extractor #1989

Open
SteppL10n-prog wants to merge 24 commits into google:main from SteppL10n-prog:feat/huggingface-transformers-extractor


@SteppL10n-prog

Summary

This PR adds a new filesystem extractor for Hugging Face Transformers AI models that:

  • Detects config.json and adapter_config.json files in model directories
  • Extracts transformers_version field from JSON config
  • Generates standard PURL: pkg:pypi/transformers@<version>
  • Enables vulnerability matching via OSV.dev, GHSA, and NVD

Why This Matters

  • 500K+ public AI models on Hugging Face Hub
  • Many models depend on transformers library with known CVEs
  • No existing extractor scans AI model configs for vulnerable dependencies
  • This PR fills that gap with minimal, performant code

Category Compliance

This is a software inventory extractor, NOT a secret/vulnerability detector.

Testing

  • 24 test cases covering success, error, and edge scenarios
  • 100% statement coverage
  • Docker-verifiable via Dockerfile.test

Files Added

  • extractor/filesystem/ai/huggingface-transformers/extractor.go
  • extractor/filesystem/ai/huggingface-transformers/extractor_test.go

Related Issues

Signed-off-by: Mahmut Boz <mahmutbozl10n@gmail.com>
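
The detection and PURL steps listed in the description above, as a stand-alone Go example added here; it is not the PR's extractor.go and does not use the SCALIBR plugin API. The parse cap, the version allow-list, the function names and the sample inputs are assumptions constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"path"
	"regexp"
	"strings"
)

// Assumptions (not from the PR): parse cap and version allow-list for untrusted input.
const maxConfigBytes = 1 << 20

var versionRe = regexp.MustCompile(`^[0-9][0-9A-Za-z.+_-]{0,63}$`)

// isModelConfig reports whether p has one of the two file names the PR lists.
func isModelConfig(p string) bool {
	base := path.Base(p)
	return base == "config.json" || base == "adapter_config.json"
}

// transformersPURL returns pkg:pypi/transformers@<version>, or "" when the
// input is not valid JSON, lacks transformers_version, or fails the allow-list.
func transformersPURL(r io.Reader) string {
	var cfg struct {
		Version string `json:"transformers_version"`
	}
	if err := json.NewDecoder(io.LimitReader(r, maxConfigBytes)).Decode(&cfg); err != nil {
		return "" // unrelated or malformed config.json: report nothing
	}
	if !versionRe.MatchString(cfg.Version) {
		return ""
	}
	// Percent-encode '+' (PEP 440 local version label) in the PURL version.
	return "pkg:pypi/transformers@" + strings.ReplaceAll(cfg.Version, "+", "%2B")
}

func main() {
	// Constructed sample inputs, not the PR's test fixtures.
	samples := [][2]string{
		{"models/bert/config.json", `{"model_type":"bert","transformers_version":"4.38.2"}`},
		{"models/lora/adapter_config.json", `{"peft_type":"LORA"}`},
		{"webapp/config.json", `{"debug": true`},
		{"models/bert/tokenizer.json", `{"transformers_version":"4.38.2"}`},
	}
	for _, s := range samples {
		fmt.Printf("%-34s scan=%-5v purl=%q\n", s[0], isModelConfig(s[0]), transformersPURL(strings.NewReader(s[1])))
	}
}
```

An empty result for a config.json that is not a model config keeps unrelated application configs out of the inventory, and the allow-list keeps attacker-controlled text in the file from being copied into the PURL.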

@google-cla

google-cla Bot commented Apr 19, 2026

Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

View this failed invocation of the CLA check for more information.

For the most up to date status, view the checks section at the bottom of the pull request.

- Detects transformers_version from model config files
- Generates PURL: pkg:pypi/transformers@<version>
- 100% test coverage with comprehensive edge case handling
- Docker-verifiable with test fixtures

Signed-off-by: Mahmut Boz <mahmutbozl10n@gmail.com>
@SteppL10n-prog force-pushed the feat/huggingface-transformers-extractor branch from 95ff23c to 2276d38 April 19, 2026 22:53
- Remove trailing whitespace from string literals in tests
- Convert comments to English per Go style guide
- Ensure JSON test data has no extra spaces
- Run go fmt for consistent formatting
- Remove all Turkish comments
- Remove all trailing whitespace from string literals
- Ensure JSON test data has no extra spaces
- Run go fmt for consistent formatting
- Remove all Turkish comments
- Remove all trailing whitespace from string literals
- Ensure JSON test data has no extra spaces
- Run go fmt for consistent formatting
Return an error when JSON decoding fails in the extractor.
Updated comments to clarify extractor functionality and file requirements.
Fix missing newline at end of file in extractor_test.go
Refactor error handling in JSON decoding to avoid unnecessary variable declaration. Ensure proper return values when decoding fails.
Fix formatting by adding a newline at the end of the file.
Updated comment for clarity on error handling without defining an error variable.
Refactor error handling for JSON decoding in Extractor.
Removed unused import for the plugin package.
Refactor extractor methods for clarity and error handling.
Return nil error on JSON decode failure to prevent crashing on non-HuggingFace config.json files.
Refactor tests for Extractor to handle errors and invalid JSON gracefully.