feat: 4184 gguf parser (ai artifact cataloger) part 1 (#4279)

---------
Signed-off-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com>

.gitignore

@@ -73,3 +73,5 @@ cosign.pub
 __pycache__/
 *.py[cod]
 *$py.class
+
+

cmd/syft/internal/test/integration/catalog_packages_test.go

@@ -87,6 +87,7 @@ func TestPkgCoverageImage(t *testing.T) {
 	definedPkgs.Remove(string(pkg.TerraformPkg))
 	definedPkgs.Remove(string(pkg.PhpPeclPkg)) // we have coverage for pear instead
 	definedPkgs.Remove(string(pkg.CondaPkg))
+	definedPkgs.Remove(string(pkg.ModelPkg))
 
 	var cases []testCase
 	cases = append(cases, commonTestCases...)
@@ -161,6 +162,7 @@ func TestPkgCoverageDirectory(t *testing.T) {
 	definedPkgs.Remove(string(pkg.UnknownPkg))
 	definedPkgs.Remove(string(pkg.CondaPkg))
 	definedPkgs.Remove(string(pkg.PhpPeclPkg)) // this is covered as pear packages
+	definedPkgs.Remove(string(pkg.ModelPkg))
 
 	// for directory scans we should not expect to see any of the following package types
 	definedPkgs.Remove(string(pkg.KbPkg))

go.mod

@@ -286,6 +286,11 @@ require (
 	modernc.org/memory v1.11.0 // indirect
 )
 
+require (
+	github.com/cespare/xxhash/v2 v2.3.0
+	github.com/gpustack/gguf-parser-go v0.22.1
+)
+
 require (
 	cyphar.com/go-pathrs v0.2.1 // indirect
 	github.com/aws/aws-sdk-go-v2 v1.36.5 // indirect
@@ -310,7 +315,13 @@ require (
 	github.com/clipperhouse/stringish v0.1.1 // indirect
 	github.com/clipperhouse/uax29/v2 v2.2.0 // indirect
 	github.com/hashicorp/aws-sdk-go-base/v2 v2.0.0-beta.65 // indirect
+	github.com/henvic/httpretty v0.1.4 // indirect
+	github.com/json-iterator/go v1.1.12 // indirect
+	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
+	github.com/modern-go/reflect2 v1.0.2 // indirect
 	github.com/olekukonko/cat v0.0.0-20250911104152-50322a0618f6 // indirect
+	github.com/smallnest/ringbuffer v0.0.0-20241116012123-461381446e3d // indirect
+	gonum.org/v1/gonum v0.15.1 // indirect
 )
 
 retract (

go.sum

@@ -229,7 +229,6 @@ github.com/cenkalti/backoff/v4 v4.2.1 h1:y4OZtCnogmCPw98Zjyt5a6+QwPLGkiQsYW5oUqy
 github.com/cenkalti/backoff/v4 v4.2.1/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyYozVcomhLiZE=
 github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
 github.com/census-instrumentation/opencensus-proto v0.3.0/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
-github.com/cespare/xxhash v1.1.0 h1:a6HrQnmkObjyL+Gs60czilIUGqrzKutQD6XZog3p+ko=
 github.com/cespare/xxhash v1.1.0/go.mod h1:XrSqR1VqqWfGrhpAt58auRo0WTKS1nRRg3ghfAqPWnc=
 github.com/cespare/xxhash/v2 v2.1.1/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
 github.com/cespare/xxhash/v2 v2.1.2/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
@@ -549,6 +548,8 @@ github.com/gookit/assert v0.1.1/go.mod h1:jS5bmIVQZTIwk42uXl4lyj4iaaxx32tqH16CFj
 github.com/gookit/color v1.2.5/go.mod h1:AhIE+pS6D4Ql0SQWbBeXPHw7gY0/sjHoA4s/n1KB7xg=
 github.com/gookit/color v1.6.0 h1:JjJXBTk1ETNyqyilJhkTXJYYigHG24TM9Xa2M1xAhRA=
 github.com/gookit/color v1.6.0/go.mod h1:9ACFc7/1IpHGBW8RwuDm/0YEnhg3dwwXpoMsmtyHfjs=
+github.com/gpustack/gguf-parser-go v0.22.1 h1:FRnEDWqT0Rcplr/R9ctCRSN2+3DhVsf6dnR5/i9JA4E=
+github.com/gpustack/gguf-parser-go v0.22.1/go.mod h1:y4TwTtDqFWTK+xvprOjRUh+dowgU2TKCX37vRKvGiZ0=
 github.com/grpc-ecosystem/grpc-gateway v1.16.0 h1:gmcG1KaJ57LophUzW0Hy8NmPhnMZb4M0+kPpLofRdBo=
 github.com/grpc-ecosystem/grpc-gateway v1.16.0/go.mod h1:BDjrQk3hbvj6Nolgz8mAMFbcEtjT1g+wF4CSlocrBnw=
 github.com/grpc-ecosystem/grpc-gateway/v2 v2.16.0 h1:YBftPWNWd4WwGqtY2yeZL2ef8rHAxPBD8KFhJpmcqms=
@@ -598,6 +599,8 @@ github.com/hashicorp/memberlist v0.2.2/go.mod h1:MS2lj3INKhZjWNqd3N0m3J+Jxf3DAOn
 github.com/hashicorp/memberlist v0.3.0/go.mod h1:MS2lj3INKhZjWNqd3N0m3J+Jxf3DAOnAH9VT3Sh9MUE=
 github.com/hashicorp/serf v0.9.5/go.mod h1:UWDWwZeL5cuWDJdl0C6wrvrUwEqtQ4ZKBKKENpqIUyk=
 github.com/hashicorp/serf v0.9.6/go.mod h1:TXZNMjZQijwlDvp+r0b63xZ45H7JmCmgg4gpTwn9UV4=
+github.com/henvic/httpretty v0.1.4 h1:Jo7uwIRWVFxkqOnErcoYfH90o3ddQyVrSANeS4cxYmU=
+github.com/henvic/httpretty v0.1.4/go.mod h1:Dn60sQTZfbt2dYsdUSNsCljyF4AfdqnuJFDLJA1I4AM=
 github.com/huandu/xstrings v1.5.0 h1:2ag3IFq9ZDANvthTwTiqSSZLjDc+BedvHPAp5tJy2TI=
 github.com/huandu/xstrings v1.5.0/go.mod h1:y5/lhBue+AyNmUVz9RLU9xbLR0o4KIIExikq4ovT0aE=
 github.com/iancoleman/orderedmap v0.0.0-20190318233801-ac98e3ecb4b0/go.mod h1:N0Wam8K1arqPXNWjMo21EXnBPOPp36vB07FNRdD2geA=
@@ -625,6 +628,7 @@ github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFF
 github.com/json-iterator/go v1.1.6/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU=
 github.com/json-iterator/go v1.1.9/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4=
 github.com/json-iterator/go v1.1.11/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4=
+github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM=
 github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo=
 github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1:6v2b51hI/fHJwM22ozAgKL4VKDeJcHhJFhtBdhmNjmU=
 github.com/jstemmer/go-junit-report v0.9.1/go.mod h1:Brl9GWCQeLvo8nXZwPNNblvFj/XSXhF0NWZEnDohbsk=
@@ -730,9 +734,11 @@ github.com/moby/sys/userns v0.1.0/go.mod h1:IHUYgu/kao6N8YZlp9Cf444ySSvCmDlmzUcY
 github.com/moby/term v0.0.0-20221205130635-1aeaba878587 h1:HfkjXDfhgVaN5rmueG8cL8KKeFNecRCXFhaJ2qZ5SKA=
 github.com/moby/term v0.0.0-20221205130635-1aeaba878587/go.mod h1:8FzsFHVUBGZdbDsJw/ot+X+d5HLUbvklYLJ9uGfcI3Y=
 github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
+github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg=
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
 github.com/modern-go/reflect2 v0.0.0-20180701023420-4b7aa43c6742/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0=
 github.com/modern-go/reflect2 v1.0.1/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0=
+github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9Gz0M=
 github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk=
 github.com/morikuni/aec v1.0.0 h1:nP9CBfwrvYnBRgY6qfDQkygYDmYwOilePFkwzv4dU8A=
 github.com/morikuni/aec v1.0.0/go.mod h1:BbKIizmSmc5MMPqRYbxO4ZU0S0+P200+tUnFx7PXmsc=
@@ -860,6 +866,8 @@ github.com/sirupsen/logrus v1.9.4-0.20230606125235-dd1b4c2e81af h1:Sp5TG9f7K39yf
 github.com/sirupsen/logrus v1.9.4-0.20230606125235-dd1b4c2e81af/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
 github.com/skeema/knownhosts v1.3.1 h1:X2osQ+RAjK76shCbvhHHHVl3ZlgDm8apHEHFqRjnBY8=
 github.com/skeema/knownhosts v1.3.1/go.mod h1:r7KTdC8l4uxWRyK2TpQZ/1o5HaSzh06ePQNxPwTcfiY=
+github.com/smallnest/ringbuffer v0.0.0-20241116012123-461381446e3d h1:3VwvTjiRPA7cqtgOWddEL+JrcijMlXUmj99c/6YyZoY=
+github.com/smallnest/ringbuffer v0.0.0-20241116012123-461381446e3d/go.mod h1:tAG61zBM1DYRaGIPloumExGvScf08oHuo0kFoOqdbT0=
 github.com/sorairolake/lzip-go v0.3.8 h1:j5Q2313INdTA80ureWYRhX+1K78mUXfMoPZCw/ivWik=
 github.com/sorairolake/lzip-go v0.3.8/go.mod h1:JcBqGMV0frlxwrsE9sMWXDjqn3EeVf0/54YPsw66qkU=
 github.com/sourcegraph/conc v0.3.0 h1:OQTbbt6P72L20UqAkXXuLOj79LfEanQ+YQFNpLA9ySo=
@@ -1313,6 +1321,8 @@ golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8T
 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20231012003039-104605ab7028 h1:+cNy6SZtPcJQH3LJVLOSmiC7MMxXNOb3PU/VUEz+EhU=
 golang.org/x/xerrors v0.0.0-20231012003039-104605ab7028/go.mod h1:NDW/Ps6MPRej6fsCIbMTohpP40sJ/P/vI1MoTEGwX90=
+gonum.org/v1/gonum v0.15.1 h1:FNy7N6OUZVUaWG9pTiD+jlhdQ3lMP+/LcTpJ6+a8sQ0=
+gonum.org/v1/gonum v0.15.1/go.mod h1:eZTZuRFrzu5pcyjN5wJhcIhnUdNijYxX1T2IcrOGY0o=
 google.golang.org/api v0.4.0/go.mod h1:8k5glujaEP+g9n7WNsDg8QP6cUVNI86fCNMcbazEtwE=
 google.golang.org/api v0.7.0/go.mod h1:WtwebWUNSVBH/HAw79HIFXZNqEvBhG+Ra+ax0hx3E3M=
 google.golang.org/api v0.8.0/go.mod h1:o4eAsZoiT+ibD93RtjEohWalFOjRDx6CVaqeizhEnKg=

internal/constants.go

@@ -3,5 +3,5 @@ package internal
 const (
 	// JSONSchemaVersion is the current schema version output by the JSON encoder
 	// This is roughly following the "SchemaVer" guidelines for versioning the JSON schema. Please see schema/json/README.md for details on how to increment.
-	JSONSchemaVersion = "16.0.42"
+	JSONSchemaVersion = "16.0.43"
 )

internal/packagemetadata/generated.go

@@ -27,6 +27,7 @@ func AllTypes() []any {
 		pkg.ELFBinaryPackageNoteJSONPayload{},
 		pkg.ElixirMixLockEntry{},
 		pkg.ErlangRebarLockEntry{},
+		pkg.GGUFFileHeader{},
 		pkg.GitHubActionsUseStatement{},
 		pkg.GolangBinaryBuildinfoEntry{},
 		pkg.GolangModuleEntry{},

internal/packagemetadata/names.go

@@ -124,6 +124,7 @@ var jsonTypes = makeJSONTypes(
 	jsonNames(pkg.TerraformLockProviderEntry{}, "terraform-lock-provider-entry"),
 	jsonNames(pkg.DotnetPackagesLockEntry{}, "dotnet-packages-lock-entry"),
 	jsonNames(pkg.CondaMetaPackage{}, "conda-metadata-entry", "CondaPackageMetadata"),
+	jsonNames(pkg.GGUFFileHeader{}, "gguf-file-header"),
 )
 
 func expandLegacyNameVariants(names ...string) []string {

internal/task/package_tasks.go

@@ -3,6 +3,7 @@ package task
 import (
 	"github.com/anchore/syft/syft/cataloging/pkgcataloging"
 	"github.com/anchore/syft/syft/pkg"
+	"github.com/anchore/syft/syft/pkg/cataloger/ai"
 	"github.com/anchore/syft/syft/pkg/cataloger/alpine"
 	"github.com/anchore/syft/syft/pkg/cataloger/arch"
 	"github.com/anchore/syft/syft/pkg/cataloger/binary"
@@ -178,6 +179,7 @@ func DefaultPackageTaskFactories() Factories {
 		newSimplePackageTaskFactory(homebrew.NewCataloger, pkgcataloging.DirectoryTag, pkgcataloging.InstalledTag, pkgcataloging.ImageTag, "homebrew"),
 		newSimplePackageTaskFactory(conda.NewCondaMetaCataloger, pkgcataloging.DirectoryTag, pkgcataloging.InstalledTag, pkgcataloging.PackageTag, "conda"),
 		newSimplePackageTaskFactory(snap.NewCataloger, pkgcataloging.DirectoryTag, pkgcataloging.InstalledTag, pkgcataloging.ImageTag, "snap"),
+		newSimplePackageTaskFactory(ai.NewGGUFCataloger, pkgcataloging.DirectoryTag, pkgcataloging.ImageTag, "ai", "model", "gguf", "ml"),
 
 		// deprecated catalogers ////////////////////////////////////////
 		// these are catalogers that should not be selectable other than specific inclusion via name or "deprecated" tag (to remain backwards compatible)

schema/json/schema-latest.json

@@ -1,6 +1,6 @@
 {
   "$schema": "https://json-schema.org/draft/2020-12/schema",
-  "$id": "anchore.io/schema/syft/json/16.0.42/document",
+  "$id": "anchore.io/schema/syft/json/16.0.43/document",
   "$ref": "#/$defs/Document",
   "$defs": {
     "AlpmDbEntry": {
@@ -1433,6 +1433,48 @@
       ],
       "description": "FileMetadataEntry contains filesystem-level metadata attributes such as permissions, ownership, type, and size for a cataloged file."
     },
+    "GgufFileHeader": {
+      "properties": {
+        "ggufVersion": {
+          "type": "integer",
+          "description": "GGUFVersion is the GGUF format version (e.g., 3)"
+        },
+        "fileSize": {
+          "type": "integer",
+          "description": "FileSize is the size of the GGUF file in bytes (best-effort if available from resolver)"
+        },
+        "architecture": {
+          "type": "string",
+          "description": "Architecture is the model architecture (from general.architecture, e.g., \"qwen3moe\", \"llama\")"
+        },
+        "quantization": {
+          "type": "string",
+          "description": "Quantization is the quantization type (e.g., \"IQ4_NL\", \"Q4_K_M\")"
+        },
+        "parameters": {
+          "type": "integer",
+          "description": "Parameters is the number of model parameters (if present in header)"
+        },
+        "tensorCount": {
+          "type": "integer",
+          "description": "TensorCount is the number of tensors in the model"
+        },
+        "header": {
+          "type": "object",
+          "description": "RemainingKeyValues contains the remaining key-value pairs from the GGUF header that are not already\nrepresented as typed fields above. This preserves additional metadata fields for reference\n(namespaced with general.*, llama.*, etc.) while avoiding duplication."
+        },
+        "metadataHash": {
+          "type": "string",
+          "description": "MetadataKeyValuesHash is a xx64 hash of all key-value pairs from the GGUF header metadata.\nThis hash is computed over the complete header metadata (including the fields extracted\ninto typed fields above) and provides a stable identifier for the model configuration\nacross different file locations or remotes. It allows matching identical models even\nwhen stored in different repositories or with different filenames."
+        }
+      },
+      "type": "object",
+      "required": [
+        "ggufVersion",
+        "tensorCount"
+      ],
+      "description": "GGUFFileHeader represents metadata extracted from a GGUF (GPT-Generated Unified Format) model file."
+    },
     "GithubActionsUseStatement": {
       "properties": {
         "value": {
@@ -2579,6 +2621,9 @@
             {
               "$ref": "#/$defs/ErlangRebarLockEntry"
             },
+            {
+              "$ref": "#/$defs/GgufFileHeader"
+            },
             {
               "$ref": "#/$defs/GithubActionsUseStatement"
             },

syft/format/internal/cyclonedxutil/helpers/component.go

@@ -40,8 +40,11 @@ func EncodeComponent(p pkg.Package, supplier string, locationSorter func(a, b fi
 	}
 
 	componentType := cyclonedx.ComponentTypeLibrary
-	if p.Type == pkg.BinaryPkg {
+	switch p.Type {
+	case pkg.BinaryPkg:
 		componentType = cyclonedx.ComponentTypeApplication
+	case pkg.ModelPkg:
+		componentType = cyclonedx.ComponentTypeMachineLearningModel
 	}
 
 	return cyclonedx.Component{

syft/format/internal/cyclonedxutil/helpers/decoder.go

@@ -62,7 +62,7 @@ func collectPackages(component *cyclonedx.Component, s *sbom.SBOM, idMap map[str
 	switch component.Type {
 	case cyclonedx.ComponentTypeOS:
 	case cyclonedx.ComponentTypeContainer:
-	case cyclonedx.ComponentTypeApplication, cyclonedx.ComponentTypeFramework, cyclonedx.ComponentTypeLibrary:
+	case cyclonedx.ComponentTypeApplication, cyclonedx.ComponentTypeFramework, cyclonedx.ComponentTypeLibrary, cyclonedx.ComponentTypeMachineLearningModel:
 		p := decodeComponent(component)
 		idMap[component.BOMRef] = p
 		if component.BOMRef != "" {

syft/format/internal/spdxutil/helpers/originator_supplier_test.go

@@ -55,6 +55,7 @@ func Test_OriginatorSupplier(t *testing.T) {
 		pkg.OpamPackage{},
 		pkg.YarnLockEntry{},
 		pkg.TerraformLockProviderEntry{},
+		pkg.GGUFFileHeader{},
 	)
 	tests := []struct {
 		name       string

syft/format/internal/spdxutil/helpers/source_info.go

@@ -82,6 +82,8 @@ func SourceInfo(p pkg.Package) string {
 		answer = "acquired package info from Homebrew formula"
 	case pkg.TerraformPkg:
 		answer = "acquired package info from Terraform dependency lock file"
+	case pkg.ModelPkg:
+		answer = "acquired package info from AI artifact (e.g. GGUF File"
 	default:
 		answer = "acquired package info from the following paths"
 	}

syft/format/internal/spdxutil/helpers/source_info_test.go

@@ -351,6 +351,14 @@ func Test_SourceInfo(t *testing.T) {
 				"acquired package info from Terraform dependency lock file",
 			},
 		},
+		{
+			input: pkg.Package{
+				Type: pkg.ModelPkg,
+			},
+			expected: []string{
+				"",
+			},
+		},
 	}
 	var pkgTypes []pkg.Type
 	for _, test := range tests {

syft/pkg/cataloger/ai/cataloger.go

@@ -0,0 +1,16 @@
+/*
+Package ai provides concrete Cataloger implementations for AI artifacts and machine learning models,
+including support for GGUF (GPT-Generated Unified Format) model files.
+*/
+package ai
+
+import (
+	"github.com/anchore/syft/syft/pkg"
+	"github.com/anchore/syft/syft/pkg/cataloger/generic"
+)
+
+// NewGGUFCataloger returns a new cataloger instance for GGUF model files.
+func NewGGUFCataloger() pkg.Cataloger {
+	return generic.NewCataloger("gguf-cataloger").
+		WithParserByGlobs(parseGGUFModel, "**/*.gguf")
+}

syft/pkg/cataloger/ai/cataloger_test.go

@@ -0,0 +1,140 @@
+package ai
+
+import (
+	"os"
+	"path/filepath"
+	"testing"
+
+	"github.com/anchore/syft/syft/artifact"
+	"github.com/anchore/syft/syft/pkg"
+	"github.com/anchore/syft/syft/pkg/cataloger/internal/pkgtest"
+)
+
+func TestGGUFCataloger_Globs(t *testing.T) {
+	tests := []struct {
+		name     string
+		fixture  string
+		expected []string
+	}{
+		{
+			name:    "obtain gguf files",
+			fixture: "test-fixtures/glob-paths",
+			expected: []string{
+				"models/model.gguf",
+			},
+		},
+	}
+
+	for _, test := range tests {
+		t.Run(test.name, func(t *testing.T) {
+			pkgtest.NewCatalogTester().
+				FromDirectory(t, test.fixture).
+				ExpectsResolverContentQueries(test.expected).
+				TestCataloger(t, NewGGUFCataloger())
+		})
+	}
+}
+
+func TestGGUFCataloger(t *testing.T) {
+	tests := []struct {
+		name                  string
+		setup                 func(t *testing.T) string
+		expectedPackages      []pkg.Package
+		expectedRelationships []artifact.Relationship
+	}{
+		{
+			name: "catalog single GGUF file",
+			setup: func(t *testing.T) string {
+				dir := t.TempDir()
+				data := newTestGGUFBuilder().
+					withVersion(3).
+					withStringKV("general.architecture", "llama").
+					withStringKV("general.name", "llama3-8b").
+					withStringKV("general.version", "3.0").
+					withStringKV("general.license", "Apache-2.0").
+					withStringKV("general.quantization", "Q4_K_M").
+					withUint64KV("general.parameter_count", 8030000000).
+					withStringKV("general.some_random_kv", "foobar").
+					build()
+
+				path := filepath.Join(dir, "llama3-8b.gguf")
+				os.WriteFile(path, data, 0644)
+				return dir
+			},
+			expectedPackages: []pkg.Package{
+				{
+					Name:    "llama3-8b",
+					Version: "3.0",
+					Type:    pkg.ModelPkg,
+					Licenses: pkg.NewLicenseSet(
+						pkg.NewLicenseFromFields("Apache-2.0", "", nil),
+					),
+					Metadata: pkg.GGUFFileHeader{
+						Architecture:          "llama",
+						Quantization:          "Unknown",
+						Parameters:            0,
+						GGUFVersion:           3,
+						TensorCount:           0,
+						MetadataKeyValuesHash: "6e3d368066455ce4",
+						RemainingKeyValues: map[string]interface{}{
+							"general.some_random_kv": "foobar",
+						},
+					},
+				},
+			},
+			expectedRelationships: nil,
+		},
+		{
+			name: "catalog GGUF file with minimal metadata",
+			setup: func(t *testing.T) string {
+				dir := t.TempDir()
+				data := newTestGGUFBuilder().
+					withVersion(3).
+					withStringKV("general.architecture", "gpt2").
+					withStringKV("general.name", "gpt2-small").
+					withStringKV("gpt2.context_length", "1024").
+					withUint32KV("gpt2.embedding_length", 768).
+					build()
+
+				path := filepath.Join(dir, "gpt2-small.gguf")
+				os.WriteFile(path, data, 0644)
+				return dir
+			},
+			expectedPackages: []pkg.Package{
+				{
+					Name:     "gpt2-small",
+					Version:  "",
+					Type:     pkg.ModelPkg,
+					Licenses: pkg.NewLicenseSet(),
+					Metadata: pkg.GGUFFileHeader{
+						Architecture:          "gpt2",
+						Quantization:          "Unknown",
+						Parameters:            0,
+						GGUFVersion:           3,
+						TensorCount:           0,
+						MetadataKeyValuesHash: "9dc6f23591062a27",
+						RemainingKeyValues: map[string]interface{}{
+							"gpt2.context_length":   "1024",
+							"gpt2.embedding_length": uint32(768),
+						},
+					},
+				},
+			},
+			expectedRelationships: nil,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			fixtureDir := tt.setup(t)
+
+			// Use pkgtest to catalog and compare
+			pkgtest.NewCatalogTester().
+				FromDirectory(t, fixtureDir).
+				Expects(tt.expectedPackages, tt.expectedRelationships).
+				IgnoreLocationLayer().
+				IgnorePackageFields("FoundBy", "Locations").
+				TestCataloger(t, NewGGUFCataloger())
+		})
+	}
+}

syft/pkg/cataloger/ai/package.go

@@ -0,0 +1,22 @@
+package ai
+
+import (
+	"github.com/anchore/syft/syft/file"
+	"github.com/anchore/syft/syft/pkg"
+)
+
+func newGGUFPackage(metadata *pkg.GGUFFileHeader, modelName, version, license string, locations ...file.Location) pkg.Package {
+	p := pkg.Package{
+		Name:      modelName,
+		Version:   version,
+		Locations: file.NewLocationSet(locations...),
+		Type:      pkg.ModelPkg,
+		Licenses:  pkg.NewLicenseSet(pkg.NewLicensesFromValues(license)...),
+		Metadata:  *metadata,
+		// NOTE: PURL is intentionally not set as the package-url spec
+		// has not yet finalized support for ML model packages
+	}
+	p.SetID()
+
+	return p
+}

syft/pkg/cataloger/ai/package_test.go

@@ -0,0 +1,121 @@
+package ai
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/require"
+
+	"github.com/anchore/syft/syft/file"
+	"github.com/anchore/syft/syft/pkg"
+	"github.com/anchore/syft/syft/pkg/cataloger/internal/pkgtest"
+)
+
+func TestNewGGUFPackage(t *testing.T) {
+	tests := []struct {
+		name     string
+		metadata *pkg.GGUFFileHeader
+		input    struct {
+			modelName string
+			version   string
+			license   string
+			locations []file.Location
+		}
+		expected pkg.Package
+	}{
+		{
+			name: "complete GGUF package with all fields",
+			input: struct {
+				modelName string
+				version   string
+				license   string
+				locations []file.Location
+			}{
+				modelName: "llama3-8b",
+				version:   "3.0",
+				license:   "Apache-2.0",
+				locations: []file.Location{file.NewLocation("/models/llama3-8b.gguf")},
+			},
+			metadata: &pkg.GGUFFileHeader{
+				Architecture: "llama",
+				Quantization: "Q4_K_M",
+				Parameters:   8030000000,
+				GGUFVersion:  3,
+				TensorCount:  291,
+				RemainingKeyValues: map[string]any{
+					"general.random_kv": "foobar",
+				},
+			},
+			expected: pkg.Package{
+				Name:    "llama3-8b",
+				Version: "3.0",
+				Type:    pkg.ModelPkg,
+				Licenses: pkg.NewLicenseSet(
+					pkg.NewLicenseFromFields("Apache-2.0", "", nil),
+				),
+				Metadata: pkg.GGUFFileHeader{
+					Architecture: "llama",
+					Quantization: "Q4_K_M",
+					Parameters:   8030000000,
+					GGUFVersion:  3,
+					TensorCount:  291,
+					RemainingKeyValues: map[string]any{
+						"general.random_kv": "foobar",
+					},
+				},
+				Locations: file.NewLocationSet(file.NewLocation("/models/llama3-8b.gguf")),
+			},
+		},
+		{
+			name: "minimal GGUF package",
+			input: struct {
+				modelName string
+				version   string
+				license   string
+				locations []file.Location
+			}{
+				modelName: "gpt2-small",
+				version:   "1.0",
+				license:   "MIT",
+				locations: []file.Location{file.NewLocation("/models/simple.gguf")},
+			},
+			metadata: &pkg.GGUFFileHeader{
+				Architecture: "gpt2",
+				GGUFVersion:  3,
+				TensorCount:  50,
+			},
+			expected: pkg.Package{
+				Name:    "gpt2-small",
+				Version: "1.0",
+				Type:    pkg.ModelPkg,
+				Licenses: pkg.NewLicenseSet(
+					pkg.NewLicenseFromFields("MIT", "", nil),
+				),
+				Metadata: pkg.GGUFFileHeader{
+					Architecture: "gpt2",
+					GGUFVersion:  3,
+					TensorCount:  50,
+				},
+				Locations: file.NewLocationSet(file.NewLocation("/models/simple.gguf")),
+			},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			actual := newGGUFPackage(
+				tt.metadata,
+				tt.input.modelName,
+				tt.input.version,
+				tt.input.license,
+				tt.input.locations...,
+			)
+
+			// Verify metadata type
+			_, ok := actual.Metadata.(pkg.GGUFFileHeader)
+			require.True(t, ok, "metadata should be GGUFFileHeader")
+
+			// Use AssertPackagesEqual for comprehensive comparison
+			pkgtest.AssertPackagesEqual(t, tt.expected, actual)
+		})
+	}
+}

syft/pkg/cataloger/ai/parse_gguf.go

@@ -0,0 +1,63 @@
+package ai
+
+import (
+	"encoding/binary"
+	"fmt"
+	"io"
+
+	gguf_parser "github.com/gpustack/gguf-parser-go"
+)
+
+// GGUF file format constants
+const (
+	ggufMagicNumber = 0x46554747       // "GGUF" in little-endian
+	maxHeaderSize   = 50 * 1024 * 1024 // 50MB for large tokenizer vocabularies
+)
+
+// copyHeader copies the GGUF header from the reader to the writer.
+// It validates the magic number first, then copies the rest of the data.
+// The reader should be wrapped with io.LimitedReader to prevent OOM issues.
+func copyHeader(w io.Writer, r io.Reader) error {
+	// Read initial chunk to validate magic number
+	// GGUF format: magic(4) + version(4) + tensor_count(8) + metadata_kv_count(8) + metadata_kvs + tensors_info
+	initialBuf := make([]byte, 24) // Enough for magic, version, tensor count, and kv count
+	if _, err := io.ReadFull(r, initialBuf); err != nil {
+		return fmt.Errorf("failed to read GGUF header prefix: %w", err)
+	}
+
+	// Verify magic number
+	magic := binary.LittleEndian.Uint32(initialBuf[0:4])
+	if magic != ggufMagicNumber {
+		return fmt.Errorf("invalid GGUF magic number: 0x%08X", magic)
+	}
+
+	// Write the initial buffer to the writer
+	if _, err := w.Write(initialBuf); err != nil {
+		return fmt.Errorf("failed to write GGUF header prefix: %w", err)
+	}
+
+	// Copy the rest of the header from reader to writer
+	// The LimitedReader will return EOF once maxHeaderSize is reached
+	if _, err := io.Copy(w, r); err != nil {
+		return fmt.Errorf("failed to copy GGUF header: %w", err)
+	}
+
+	return nil
+}
+
+// Helper to convert gguf_parser metadata to simpler types
+func convertGGUFMetadataKVs(kvs gguf_parser.GGUFMetadataKVs) map[string]interface{} {
+	result := make(map[string]interface{})
+
+	for _, kv := range kvs {
+		// Skip standard fields that are extracted separately
+		switch kv.Key {
+		case "general.architecture", "general.name", "general.license",
+			"general.version", "general.parameter_count", "general.quantization":
+			continue
+		}
+		result[kv.Key] = kv.Value
+	}
+
+	return result
+}

syft/pkg/cataloger/ai/parse_gguf_model.go

@@ -0,0 +1,135 @@
+package ai
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"io"
+	"os"
+	"path/filepath"
+	"sort"
+	"strings"
+
+	"github.com/cespare/xxhash/v2"
+	gguf_parser "github.com/gpustack/gguf-parser-go"
+
+	"github.com/anchore/syft/internal"
+	"github.com/anchore/syft/internal/log"
+	"github.com/anchore/syft/internal/unknown"
+	"github.com/anchore/syft/syft/artifact"
+	"github.com/anchore/syft/syft/file"
+	"github.com/anchore/syft/syft/pkg"
+	"github.com/anchore/syft/syft/pkg/cataloger/generic"
+)
+
+// parseGGUFModel parses a GGUF model file and returns the discovered package.
+// This implementation only reads the header portion of the file, not the entire model.
+func parseGGUFModel(_ context.Context, _ file.Resolver, _ *generic.Environment, reader file.LocationReadCloser) ([]pkg.Package, []artifact.Relationship, error) {
+	defer internal.CloseAndLogError(reader, reader.Path())
+
+	// Create a temporary file for the library to parse
+	// The library requires a file path, so we create a temp file
+	tempFile, err := os.CreateTemp("", "syft-gguf-*.gguf")
+	if err != nil {
+		return nil, nil, fmt.Errorf("failed to create temp file: %w", err)
+	}
+	tempPath := tempFile.Name()
+	defer os.Remove(tempPath)
+
+	// Copy and validate the GGUF file header using LimitedReader to prevent OOM
+	// We use LimitedReader to cap reads at maxHeaderSize (50MB)
+	limitedReader := &io.LimitedReader{R: reader, N: maxHeaderSize}
+	if err := copyHeader(tempFile, limitedReader); err != nil {
+		tempFile.Close()
+		return nil, nil, fmt.Errorf("failed to copy GGUF header: %w", err)
+	}
+	tempFile.Close()
+
+	// Parse using gguf-parser-go with options to skip unnecessary data
+	ggufFile, err := gguf_parser.ParseGGUFFile(tempPath,
+		gguf_parser.SkipLargeMetadata(),
+	)
+	if err != nil {
+		return nil, nil, fmt.Errorf("failed to parse GGUF file: %w", err)
+	}
+
+	// Extract metadata
+	metadata := ggufFile.Metadata()
+
+	// Extract version separately (will be set on Package.Version)
+	modelVersion := extractVersion(ggufFile.Header.MetadataKV)
+
+	// Convert to syft metadata structure
+	syftMetadata := &pkg.GGUFFileHeader{
+		Architecture:          metadata.Architecture,
+		Quantization:          metadata.FileTypeDescriptor,
+		Parameters:            uint64(metadata.Parameters),
+		GGUFVersion:           uint32(ggufFile.Header.Version),
+		TensorCount:           ggufFile.Header.TensorCount,
+		RemainingKeyValues:    convertGGUFMetadataKVs(ggufFile.Header.MetadataKV),
+		MetadataKeyValuesHash: computeKVMetadataHash(ggufFile.Header.MetadataKV),
+	}
+
+	// If model name is not in metadata, use filename
+	if metadata.Name == "" {
+		metadata.Name = extractModelNameFromPath(reader.Path())
+	}
+
+	// Create package from metadata
+	p := newGGUFPackage(
+		syftMetadata,
+		metadata.Name,
+		modelVersion,
+		metadata.License,
+		reader.WithAnnotation(pkg.EvidenceAnnotationKey, pkg.PrimaryEvidenceAnnotation),
+	)
+
+	return []pkg.Package{p}, nil, unknown.IfEmptyf([]pkg.Package{p}, "unable to parse GGUF file")
+}
+
+// computeKVMetadataHash computes a stable hash of the KV metadata for use as a global identifier
+func computeKVMetadataHash(metadata gguf_parser.GGUFMetadataKVs) string {
+	// Sort the KV pairs by key for stable hashing
+	sortedKVs := make([]gguf_parser.GGUFMetadataKV, len(metadata))
+	copy(sortedKVs, metadata)
+	sort.Slice(sortedKVs, func(i, j int) bool {
+		return sortedKVs[i].Key < sortedKVs[j].Key
+	})
+
+	// Marshal sorted KVs to JSON for stable hashing
+	jsonBytes, err := json.Marshal(sortedKVs)
+	if err != nil {
+		log.Debugf("failed to marshal metadata for hashing: %v", err)
+		return ""
+	}
+
+	// Compute xxhash
+	hash := xxhash.Sum64(jsonBytes)
+	return fmt.Sprintf("%016x", hash) // 16 hex chars (64 bits)
+}
+
+// extractVersion attempts to extract version from metadata KV pairs
+func extractVersion(kvs gguf_parser.GGUFMetadataKVs) string {
+	for _, kv := range kvs {
+		if kv.Key == "general.version" {
+			if v, ok := kv.Value.(string); ok && v != "" {
+				return v
+			}
+		}
+	}
+	return ""
+}
+
+// extractModelNameFromPath extracts the model name from the file path
+func extractModelNameFromPath(path string) string {
+	// Get the base filename
+	base := filepath.Base(path)
+
+	// Remove .gguf extension
+	name := strings.TrimSuffix(base, ".gguf")
+
+	return name
+}
+
+// integrity check
+var _ generic.Parser = parseGGUFModel

syft/pkg/cataloger/ai/test_helpers_test.go

@@ -0,0 +1,128 @@
+package ai
+
+import (
+	"bytes"
+	"encoding/binary"
+)
+
+// GGUF type constants for test builder
+// https://github.com/ggml-org/ggml/blob/master/docs/gguf.md
+const (
+	ggufMagic       = 0x46554747 // "GGUF" in little-endian
+	ggufTypeUint8   = 0
+	ggufTypeInt8    = 1
+	ggufTypeUint16  = 2
+	ggufTypeInt16   = 3
+	ggufTypeUint32  = 4
+	ggufTypeInt32   = 5
+	ggufTypeFloat32 = 6
+	ggufTypeBool    = 7
+	ggufTypeString  = 8
+	ggufTypeArray   = 9
+	ggufTypeUint64  = 10
+	ggufTypeInt64   = 11
+	ggufTypeFloat64 = 12
+)
+
+// testGGUFBuilder helps build GGUF files for testing
+type testGGUFBuilder struct {
+	buf         *bytes.Buffer
+	version     uint32
+	tensorCount uint64
+	kvPairs     []testKVPair
+}
+
+type testKVPair struct {
+	key       string
+	valueType uint32
+	value     interface{}
+}
+
+func newTestGGUFBuilder() *testGGUFBuilder {
+	return &testGGUFBuilder{
+		buf:         new(bytes.Buffer),
+		version:     3,
+		tensorCount: 0,
+		kvPairs:     []testKVPair{},
+	}
+}
+
+func (b *testGGUFBuilder) withVersion(v uint32) *testGGUFBuilder {
+	b.version = v
+	return b
+}
+
+func (b *testGGUFBuilder) withTensorCount(count uint64) *testGGUFBuilder {
+	b.tensorCount = count
+	return b
+}
+
+func (b *testGGUFBuilder) withStringKV(key, value string) *testGGUFBuilder {
+	b.kvPairs = append(b.kvPairs, testKVPair{key: key, valueType: ggufTypeString, value: value})
+	return b
+}
+
+func (b *testGGUFBuilder) withUint64KV(key string, value uint64) *testGGUFBuilder {
+	b.kvPairs = append(b.kvPairs, testKVPair{key: key, valueType: ggufTypeUint64, value: value})
+	return b
+}
+
+func (b *testGGUFBuilder) withUint32KV(key string, value uint32) *testGGUFBuilder {
+	b.kvPairs = append(b.kvPairs, testKVPair{key: key, valueType: ggufTypeUint32, value: value})
+	return b
+}
+
+func (b *testGGUFBuilder) writeString(s string) {
+	binary.Write(b.buf, binary.LittleEndian, uint64(len(s)))
+	b.buf.WriteString(s)
+}
+
+func (b *testGGUFBuilder) build() []byte {
+	// Write magic number "GGUF"
+	binary.Write(b.buf, binary.LittleEndian, uint32(ggufMagic))
+
+	// Write version
+	binary.Write(b.buf, binary.LittleEndian, b.version)
+
+	// Write tensor count
+	binary.Write(b.buf, binary.LittleEndian, b.tensorCount)
+
+	// Write KV count
+	binary.Write(b.buf, binary.LittleEndian, uint64(len(b.kvPairs)))
+
+	// Write KV pairs
+	for _, kv := range b.kvPairs {
+		// Write key
+		b.writeString(kv.key)
+		// Write value type
+		binary.Write(b.buf, binary.LittleEndian, kv.valueType)
+		// Write value based on type
+		switch kv.valueType {
+		case ggufTypeString:
+			b.writeString(kv.value.(string))
+		case ggufTypeUint32:
+			binary.Write(b.buf, binary.LittleEndian, kv.value.(uint32))
+		case ggufTypeUint64:
+			binary.Write(b.buf, binary.LittleEndian, kv.value.(uint64))
+		case ggufTypeUint8:
+			binary.Write(b.buf, binary.LittleEndian, kv.value.(uint8))
+		case ggufTypeInt32:
+			binary.Write(b.buf, binary.LittleEndian, kv.value.(int32))
+		case ggufTypeBool:
+			var v uint8
+			if kv.value.(bool) {
+				v = 1
+			}
+			binary.Write(b.buf, binary.LittleEndian, v)
+		}
+	}
+
+	return b.buf.Bytes()
+}
+
+// buildInvalidMagic creates a file with invalid magic number
+func (b *testGGUFBuilder) buildInvalidMagic() []byte {
+	buf := new(bytes.Buffer)
+	binary.Write(buf, binary.LittleEndian, uint32(0x12345678))
+	return buf.Bytes()
+}

syft/pkg/gguf.go

@@ -0,0 +1,37 @@
+package pkg
+
+// GGUFFileHeader represents metadata extracted from a GGUF (GPT-Generated Unified Format) model file.
+// GGUF is a binary file format used for storing model weights for the GGML library, designed for fast
+// loading and saving of models, particularly quantized large language models.
+// The Model Name, License, and Version fields have all been lifted up to be on the syft Package.
+type GGUFFileHeader struct {
+	// GGUFVersion is the GGUF format version (e.g., 3)
+	GGUFVersion uint32 `json:"ggufVersion" cyclonedx:"ggufVersion"`
+
+	// FileSize is the size of the GGUF file in bytes (best-effort if available from resolver)
+	FileSize int64 `json:"fileSize,omitempty" cyclonedx:"fileSize"`
+
+	// Architecture is the model architecture (from general.architecture, e.g., "qwen3moe", "llama")
+	Architecture string `json:"architecture,omitempty" cyclonedx:"architecture"`
+
+	// Quantization is the quantization type (e.g., "IQ4_NL", "Q4_K_M")
+	Quantization string `json:"quantization,omitempty" cyclonedx:"quantization"`
+
+	// Parameters is the number of model parameters (if present in header)
+	Parameters uint64 `json:"parameters,omitempty" cyclonedx:"parameters"`
+
+	// TensorCount is the number of tensors in the model
+	TensorCount uint64 `json:"tensorCount" cyclonedx:"tensorCount"`
+
+	// RemainingKeyValues contains the remaining key-value pairs from the GGUF header that are not already
+	// represented as typed fields above. This preserves additional metadata fields for reference
+	// (namespaced with general.*, llama.*, etc.) while avoiding duplication.
+	RemainingKeyValues map[string]interface{} `json:"header,omitempty" cyclonedx:"header"`
+
+	// MetadataKeyValuesHash is a xx64 hash of all key-value pairs from the GGUF header metadata.
+	// This hash is computed over the complete header metadata (including the fields extracted
+	// into typed fields above) and provides a stable identifier for the model configuration
+	// across different file locations or remotes. It allows matching identical models even
+	// when stored in different repositories or with different filenames.
+	MetadataKeyValuesHash string `json:"metadataHash,omitempty" cyclonedx:"metadataHash"`
+}

syft/pkg/type.go

@@ -54,6 +54,7 @@ const (
 	TerraformPkg            Type = "terraform"
 	WordpressPluginPkg      Type = "wordpress-plugin"
 	HomebrewPkg             Type = "homebrew"
+	ModelPkg                Type = "model"
 )
 
 // AllPkgs represents all supported package types
@@ -98,6 +99,7 @@ var AllPkgs = []Type{
 	TerraformPkg,
 	WordpressPluginPkg,
 	HomebrewPkg,
+	ModelPkg,
 }
 
 // PackageURLType returns the PURL package type for the current package.

syft/pkg/type_test.go

@@ -155,6 +155,7 @@ func TestTypeFromPURL(t *testing.T) {
 	expectedTypes.Remove(string(HomebrewPkg))
 	expectedTypes.Remove(string(TerraformPkg))
 	expectedTypes.Remove(string(GraalVMNativeImagePkg))
+	expectedTypes.Remove(string(ModelPkg))   // no valid purl for ai artifacts currently
 	expectedTypes.Remove(string(PhpPeclPkg)) // we should always consider this a pear package
 
 	for _, test := range tests {