Collecting, Linking, and Assessing Machine Learning Open-Source Software: A Large Scale Collection and Vulnerability Assessment Pipeline

Starting Page

398

Abstract

In recent years, Artificial Intelligence (AI) has seen rapid advances in performance and impact, disrupting major industries, including finance and healthcare. Machine learning open-source software (MLOSS) platforms such as GitHub and Hugging Face have contributed significantly to this advancement, enabling AI developers to share, reuse, and collaborate on AI development. While these platforms accelerate AI development, the MLOSS assets they host also contain vulnerabilities that can impact applications that leverage them. To map the MLOSS landscape and understand the vulnerabilities contained within MLOSS on platforms such as GitHub and Hugging Face, we have developed an MLOSS Collection Pipeline. Our pipeline has collected 373,634 models from Hugging Face and 39,115 repositories from GitHub and identified 6,751,739 vulnerabilities. The results of our pipeline offer several promising directions for future research, including vulnerability linking analysis and cross-platform vulnerability propagation identification.

Extent

8

Type

Conference Paper

Related To

Proceedings of the 58th Hawaii International Conference on System Sciences

Rights

Attribution-NonCommercial-NoDerivatives 4.0 International
