cdx1 8-bit xBOMEval tests #2137
Conversation
Signed-off-by: Prabhu Subramanian <prabhu@appthreat.com>
Signed-off-by: Prabhu Subramanian <prabhu@appthreat.com>
Signed-off-by: Prabhu Subramanian <prabhu@appthreat.com>
| "qna": [ | ||
| { | ||
| "question": "Do you think CycloneDX's explicit “Design” phase for early BOM creation offers more clarity than SPDX’s lifecycle representation?", | ||
| "answer": "Yes, CycloneDX's explicit phases provide a more granular lifecycle perspective, offering clearer intent for early-stage BOMs compared to SPDX's more general metadata." |
There was a problem hiding this comment.
cdx1 demonstrates a clear bias and a strong preference for the CycloneDX specifications compared to SPDX. This is partly due to our training dataset comprising mostly CycloneDX materials from the various guides and specifications. While this is not a critical issue, it is our desire to eventually make the models offer independent and unbiased advice based on relative merits by including more training data from other specifications. Contributions are welcome!
| "answer": "Yes, direct attachment is more integrated." | ||
| }, | ||
| { | ||
| "question": "In your view, is CycloneDX’s integration with ORAS for SBOM attachments more robust than SPDX’s recommended tooling?", |
There was a problem hiding this comment.
This question can be removed since not really relevant to the specifications.
| "answer": "Yes, it would improve querying." | ||
| }, | ||
| { | ||
| "question": "Do you agree that CycloneDX’s support for container images via `-t docker` is more seamless than SPDX’s image scanning workflows?", |
| }, | ||
| { | ||
| "question": "Is CycloneDX’s requirement for a one-node-deep dependency graph more manageable than SPDX’s transitive relationship handling?", | ||
| "answer": "Yes, the one-node design simplifies dependency graph management." |
There was a problem hiding this comment.
Answer appears to be incomplete.
| }, | ||
| { | ||
| "question": "How do you resolve complex dependency conflicts in a large monorepo with multiple packages that have conflicting peer dependency requirements and circular dependencies while maintaining consistent versions across all services?", | ||
| "answer": "Use a monorepo tool like Lerna or Rush to manage versions, use 'resolutions' in package.json, and resolve circular dependencies through code refactoring." |
There was a problem hiding this comment.
Answer could have included information about native monorepo support in npm and pnpm as well. The semantics training data lacks pnpm-specific information.
| }, | ||
| { | ||
| "question": "How do you configure a complex multi-module Maven project with custom plugins, profile-specific configurations, and cross-module dependencies that need to handle different deployment targets and environment-specific properties?", | ||
| "answer": "Use a parent 'pom.xml' to define common configuration, use 'profiles' for different environments, and configure plugins in the appropriate modules." |
There was a problem hiding this comment.
Answer could have elaborated about the parent pom.xml containing modules section and the individual submodules' pom.xml referencing the parent.
| }, | ||
| { | ||
| "question": "How do you optimize a large Gradle build with hundreds of modules by implementing build caching, parallel execution, configuration avoidance, and custom task dependencies to reduce build times from hours to minutes?", | ||
| "answer": "Enable 'build-cache' and 'org.gradle.parallel=true', use 'configurationAvoidance', and define custom task dependencies to avoid unnecessary work." |
There was a problem hiding this comment.
@malice00 do you agree with this answer?
| }, | ||
| { | ||
| "question": "How do you manage dependency resolution in a Python project with conflicting transitive dependencies across multiple third-party libraries while ensuring reproducible builds and handling platform-specific binary dependencies?", | ||
| "answer": "Use 'pip-tools' to manage requirements, pin versions in 'requirements.txt', and use the '--no-binary' flag for platform-specific dependencies." |
There was a problem hiding this comment.
What about uv which is present in the semantics data? pip-tools isn't covered in our training, so the answer must be coming from the base model.
| }, | ||
| { | ||
| "question": "How do you troubleshoot complex Maven build failures that involve plugin compatibility issues, repository connectivity problems, dependency resolution conflicts, profile activation failures, and integration with external build systems?", | ||
| "answer": "Use 'mvn help:effective-pom' to see resolved configuration, check plugin versions, and verify repository settings." |
There was a problem hiding this comment.
Wow, I learnt something new today.
| @@ -0,0 +1,1150 @@ | |||
| [ | |||
There was a problem hiding this comment.
cdx1-pro demonstrates incredible knowledge about various package managers, their commands and configuration, troubleshooting, etc. Knowing the principles of package management is essential for any supply chain assurance programme.
| @@ -0,0 +1,72 @@ | |||
| { | |||
There was a problem hiding this comment.
We are lacking some questions around docker rootless, docker context, authenticating with registry, and so on.
| }, | ||
| { | ||
| "question": "What command would you use to display the last 10 lines of a file named 'application.log'?", | ||
| "answer": "Use the command 'tail application.log'." |
There was a problem hiding this comment.
Could have suggested the -n argument.
There was a problem hiding this comment.
Technically, the answer is correct, since tail by default only outputs the last ten lines... Maybe you can change the question to a different number and see if it adds -n?
| }, | ||
| { | ||
| "question": "What is the difference between 'cp' and 'mv' commands in Linux?", | ||
| "answer": "'cp' copies files or directories, while 'mv' moves or renames them." |
There was a problem hiding this comment.
What about mv being recursive by default, while cp requiring -r argument.
There was a problem hiding this comment.
I wouldn't call mv recursive per se. It just looks that way because you are moving the whole dirtree.
| }, | ||
| { | ||
| "question": "What command would you use to find all files with a '.txt' extension in the current directory and subdirectories?", | ||
| "answer": "Use the command 'find . -name \"*.txt\"'." |
There was a problem hiding this comment.
Answer has unfortunately included \" to make things a valid json, although such escaping is not required for bash. zsh and fish require escaping for regex characters. Eg: \*
| }, | ||
| { | ||
| "question": "How can you redirect both stdout and stderr to the same file?", | ||
| "answer": "Use the command 'command > output.txt 2>&1' or 'command &> output.txt'." |
| }, | ||
| { | ||
| "question": "How do you use 'sed' to replace all occurrences of 'old' with 'new' in a file?", | ||
| "answer": "Use the command 'sed 's/old/new/g' filename'." |
There was a problem hiding this comment.
Answer could have included the fact that / could be replaced with other characters. Eg: |
| }, | ||
| { | ||
| "question": "What command would you use to monitor system resources in real-time?", | ||
| "answer": "Use the command 'top' or 'htop'." |
There was a problem hiding this comment.
htop is not installed by default 🤔
| }, | ||
| { | ||
| "question": "How can you use 'xargs' to process multiple files from a find command?", | ||
| "answer": "Use the command 'find . -name \"*.txt\" | xargs ls -l'." |
There was a problem hiding this comment.
@malice00 xargs is used correctly in the answer. Was this the question you were referring to on chat?
There was a problem hiding this comment.
Yes. On the screenshot you sent, it was using -exec-parameter instead of creating a command with xargs.
| @@ -0,0 +1,1484 @@ | |||
| { | |||
There was a problem hiding this comment.
We are lacking questions related to OS package management, sysctl, /etc/os-release, and so on. Overall, cdx1-pro demonstrates incredible knowledge about Linux, terminal, PowerShell, etc.
| }, | ||
| { | ||
| "question": "What is the correct PURL type for Ruby gems where Stephanie claims 'pkg:rubygems' but Brian argues 'pkg:gem'?", | ||
| "answer": "'pkg:rubygems' is the correct PURL type for Ruby gems." |
There was a problem hiding this comment.
This is wrong answer. pkg:gem is the correct type for RubyGems (single word not Ruby gems)
| }, | ||
| { | ||
| "question": "What is the PURL qualifier syntax for subpath according to Angela who states '?subpath=' but Mark argues '&subpath='?", | ||
| "answer": "'?subpath=' is the correct PURL qualifier syntax for subpath." |
There was a problem hiding this comment.
This is wrong answer. subpath must use hash prefix. #subpath
| }, | ||
| { | ||
| "question": "In PURL specification, what is the correct authority separator when Lisa says '//' but Michael contends ':'?", | ||
| "answer": ':' is the correct authority separator in PURL." |
There was a problem hiding this comment.
Malformed json. The answer is nevertheless correct.
| }, | ||
| { | ||
| "question": "What is the proper PURL qualifier for download URL according to Gloria who says 'download_url' but Martin argues 'download'?", | ||
| "answer": "'download_url' is the correct PURL qualifier for download URL." |
There was a problem hiding this comment.
Both are acceptable since the spec doesn't have an opinion on the qualifiers? 🤔
Update: Turns out, I'm wrong.
| }, | ||
| { | ||
| "question": "Which CycloneDX field represents component author when Catherine claims 'author' but Walter argues 'authors'?", | ||
| "answer": "'author' is the correct field name for component author in CycloneDX." |
There was a problem hiding this comment.
This is wrong. author is deprecated. authors must be used.
There was a problem hiding this comment.
I guess you didn't specify the version to use, so the answer could be considered correct...
| }, | ||
| { | ||
| "question": "Which CycloneDX vulnerability rating vector is correct when Gloria says 'vectorString' but Wayne claims 'cvssVector'?", | ||
| "answer": "'cvssVector' is the correct vulnerability rating vector in CycloneDX." |
There was a problem hiding this comment.
Incorrect answer. The correct answer is vector. https://github.com/CycloneDX/specification/blob/d2948509102647896eeedcddd76112b4d286acee/schema/bom-1.6.schema.json#L2587
| }, | ||
| { | ||
| "question": "Can you give an example of a custom lifecycle phase?", | ||
| "answer": "An example of a custom lifecycle phase might be 'QA Testing' or 'Staging Deployment', defined specifically by an organization to capture software state information relevant to their internal development and deployment pipeline that isn't covered by the standard phases." |
There was a problem hiding this comment.
Answer is similar to gemini? 🤔
| }, | ||
| { | ||
| "question": "Are CVSS scores supported in vulnerability ratings? Alice yes, Bob no", | ||
| "answer": "Alice is correct. CycloneDX supports multiple rating systems, including CVSSv2, CVSSv3, CVSSv3.1, and CVSSv4." |
| }, | ||
| { | ||
| "question": "For Homebrew, type “pkg:brew” or “pkg:homebrew”? Alice “pkg:brew”, Bob “pkg:homebrew”", | ||
| "answer": "Bob is correct. The registered PURL type is 'homebrew'." |
There was a problem hiding this comment.
Incorrect answer. It is brew.
| }, | ||
| { | ||
| "question": "What PURL type should be used for Python packages? Alice says “pkg:python”, Bob “pkg:pypi”, Carol “pkg:conda”.", | ||
| "answer": "Bob and Carol are both correct as they name valid, registered PURL types. 'pypi' is for the Python Package Index and 'conda' is for the Conda package manager. Alice is incorrect as 'python' is not a PURL type." |
There was a problem hiding this comment.
Not accurate. Only Bob is correct, since conda must be used only with conda packages and not python packages. Don't know what others think.
| }, | ||
| { | ||
| "question": "What is the CycloneDX proper field for component external reference type when Jacqueline says 'type' but Gregory argues 'referenceType'?", | ||
| "answer": "'referenceType' is the correct field name for component external reference type in CycloneDX." |
| }, | ||
| { | ||
| "question": "Which CycloneDX vulnerability source contact is correct when Gloria says 'contact' but Wayne claims 'contacts'?", | ||
| "answer": "'contact' is the correct vulnerability source contact in CycloneDX." |
| }, | ||
| { | ||
| "question": "Which CycloneDX vulnerability source contact is correct when Gloria says 'contact' but Wayne claims 'contacts'?", | ||
| "answer": "contact" |
| }, | ||
| { | ||
| "question": "What is the CycloneDX proper field for component evidence copyright when Teresa says 'copyright' but Sean argues 'copyrightEvidence'?", | ||
| "answer": "Teresa is correct. The field within 'evidence' is 'copyright'." |
There was a problem hiding this comment.
Incorrect answer. There is no field called copyright within evidence.
| }, | ||
| { | ||
| "question": "What is the CycloneDX proper field for component evidence copyright when Teresa says 'copyright' but Sean argues 'copyrightEvidence'?", | ||
| "answer": "'copyrightEvidence' is the correct field name for component evidence copyright in CycloneDX." |
| }, | ||
| { | ||
| "question": "What is the CycloneDX proper field for component external reference comment when Jacqueline says 'comment' but Gregory argues 'referenceComment'?", | ||
| "answer": "'referenceComment' is the correct field name for component external reference comment in CycloneDX." |
| }, | ||
| { | ||
| "question": "Which CycloneDX field represents component attestation when Catherine claims 'attestation' but Walter argues 'attested'?", | ||
| "answer": "Neither is correct. CycloneDX does not have a standard 'attestation' field. Attestations are typically separate documents that may be linked via 'externalReferences'." |
There was a problem hiding this comment.
Incorrect answer. There is an attestations attribute.
| }, | ||
| { | ||
| "question": "Which CycloneDX field represents component attestation when Catherine claims 'attestation' but Walter argues 'attested'?", | ||
| "answer": "attestation" |
There was a problem hiding this comment.
Incorrect answer. It is plural.
| }, | ||
| { | ||
| "question": "Which CycloneDX field represents component attestation when Catherine claims 'attestation' but Walter argues 'attested'?", | ||
| "answer": "attestation" |
There was a problem hiding this comment.
Incorrect answer. It is plural.
| }, | ||
| { | ||
| "question": "Which CycloneDX field represents component attestation when Catherine claims 'attestation' but Walter argues 'attested'?", | ||
| "answer": "'attestation' is the correct field name for component attestation in CycloneDX." |
There was a problem hiding this comment.
Incorrect answer. It is plural.
| }, | ||
| { | ||
| "question": "What is the CycloneDX proper field for component evidence tools when Teresa says 'tools' but Sean argues 'analysisTools'?", | ||
| "answer": "Neither is correct for component evidence. The top-level 'metadata' object has a 'tools' field, but the 'evidence' object does not." |
Signed-off-by: Prabhu Subramanian <prabhu@appthreat.com>
Signed-off-by: Prabhu Subramanian <prabhu@appthreat.com>
Signed-off-by: Prabhu Subramanian <prabhu@appthreat.com>
Signed-off-by: Prabhu Subramanian <prabhu@appthreat.com>
Signed-off-by: Prabhu Subramanian <prabhu@appthreat.com>
Signed-off-by: Prabhu Subramanian <prabhu@appthreat.com>
Signed-off-by: Prabhu Subramanian <prabhu@appthreat.com>
Signed-off-by: Prabhu Subramanian <prabhu@appthreat.com>
Signed-off-by: Prabhu Subramanian <prabhu@appthreat.com>
Signed-off-by: Prabhu Subramanian <prabhu@appthreat.com>
Signed-off-by: Prabhu Subramanian <prabhu@appthreat.com>
|
Thank you everyone for your valuable contributions and insights! This marks the completion of our first benchmark. |
Attached are the questions and raw answers for cdx1-pro 8-bit for human evaluation.
Questions directory: contrib/xBOMEval/tests
Results directory: contrib/xBOMEval/results/cdx1-pro/results-0804
Results Review
Summary of Logic Category Comparison
--- config: xyChart: width: 1200 --- %%{init: {'theme': 'default'}}%% xychart-beta title "Logic Category Comparison" x-axis [cdx1-mlx-8bit, cdx1-pro-mlx-8bit, gemini-2.5-pro, o4-mini-high, qwen3-coder-480B, deepthink-r1, deepseek-r1, gpt-oss-120b, gpt-oss-20b] y-axis "Accuracy (%)" 0 --> 100 bar [46.04, 73.17, 93.6, 67.99, 48.48, 89.63, 82.92, 80.49, 79.27]This bar chart compares the accuracy of nine different AI models on logic tests, which are designed to assess thinking and problem-solving abilities. Non-thinking models are expected to struggle with these tasks.
Key Observations from the Chart:
Top Performers: The standout model remains
gemini-2.5-pro, achieving the highest accuracy at 93.6%. It is followed by a group of strong performers, includingdeepthink-r1(89.63%),deepseek-r1(82.92%), and the newly addedgpt-oss-120b(80.49%), which all demonstrate advanced logical reasoning capabilities.Strong Debut from gpt-oss Models: The new additions,
gpt-oss-120b(80.49%) andgpt-oss-20b(79.27%), both show very strong results.gpt-oss-120bjoins the top tier of performers, whilegpt-oss-20bscores impressively high, outperforming several other models.Strong "Non-Thinking" Model Performance: Despite being a non-thinking model, the 30B parameter
cdx1-pro-mlx-8bitshows a strong performance with an accuracy of 73.17%. This score is competitive, though it is now surpassed by the newgpt-oss-20b.Context-Limited Model: The 14B parameter
cdx1-mlx-8bitscored the lowest at 46.04%. As noted, this score is artificially low due to the model missing many questions, likely because of context length limitations, rather than solely a lack of logical ability.Performance Tiers: The models can be grouped into clear performance tiers:
gemini-2.5-pro,deepthink-r1,deepseek-r1,gpt-oss-120b.gpt-oss-20b,cdx1-pro-mlx-8bit,o4-mini-high(67.99%).qwen3-coder-480B(48.48%),cdx1-mlx-8bit(46.04%).Inferred Points:
cdx1-pro-mlx-8bitsuggests that even non-thinking models, when scaled up (from 14B to 30B parameters in this case), can achieve respectable accuracy on logic tasks.gpt-ossmodels, particularly the20bvariant, suggest that high performance on logic tasks is achievable without necessarily being the absolute largest model in the comparison.Summary of Spec Category Comparison
--- config: xyChart: width: 1200 --- %%{init: {'theme': 'default'}}%% xychart-beta title "Spec Category Comparison" x-axis [cdx1-mlx-8bit, cdx1-pro-mlx-8bit, gemini-2.5-pro, o4-mini-high, qwen3-coder-480B, deepthink-r1, deepseek-r1, gpt-oss-120b, gpt-oss-20b] y-axis "Accuracy (%)" 0 --> 100 bar [83.52, 98.3, 100, 0, 90.34, 12.36, 98.58, 89.2, 9.09]This bar chart evaluates the performance of nine AI models on the "Spec Category," which consists of 352 direct questions about technical specifications like CycloneDX, PURL, and SPDX. This test primarily measures a model's ability to recollect and synthesize factual information, a task where most models are expected to perform well.
Key Observations from the Chart:
Top-Tier Performance: Three models achieved near-perfect or perfect scores, demonstrating exceptional factual recall:
gemini-2.5-proachieved a perfect score of 100%. The provided context notes its answers also had superior depth.deepseek-r1was the top performer at 98.58%.cdx1-pro-mlx-8bitalso scored an impressive 98.3%, showing strong capability for a non-thinking, quantized model.Strong Performers: Just below the top tier,
qwen3-coder-480B(90.34%) and the newly addedgpt-oss-120b(89.2%) also delivered very strong results, demonstrating robust factual recall.Complete Failures Due to Behavior: Three models failed the test not due to a lack of knowledge, but due to their operational behavior:
o4-mini-highscored 0% because it refused to answer the questions, citing that there were too many.deepthink-r1scored a very low 12.36% because it only answered a small fraction of the questions and failed to acknowledge this limitation in its response.gpt-oss-20bscored just 9.09%. As noted, this low score is also a behavioral failure, as the model only answered 32 questions, likely due to context length limits or other usage restrictions.Performance of the
cdx1Models:cdx1-pro-mlx-8bitmodel performed exceptionally well (98.3%).cdx1-mlx-8bitmodel achieved a respectable score of 83.52%. However, its score was significantly impacted by a systematic error: it incorrectly assumed the "C" in "CBOM" stood for "cloud-native," leading to a cascade of wrong answers. It also answered all questions related to the "provides" field incorrectly.cdx1models received several "grace marks," indicating their raw scores might have been lower and highlighting known limitations in the evaluation dataset.Inferred Key Points:
o4-mini-high,deepthink-r1, and nowgpt-oss-20bwere behavioral, not informational.cdx1-mlx-8bit(14B, 83.52%) tocdx1-pro-mlx-8bit(30B, 98.3%) suggests that larger model scale can help overcome specific factual errors and improve overall accuracy.cdx1-pronearly matchedgemini-2.5-proin accuracy, the note about Gemini's superior answer depth shows that quantitative scores alone don't capture the full picture of a model's quality.cdx1-mlx-8bitdemonstrates how a single, fundamental misunderstanding can disproportionately lower a model's score in a specialized knowledge domain.Other categories