chore: drop cpe from gguf (#4383)

--------- Signed-off-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com>
2025-11-20 18:03:16 +01:00 · 2025-11-19 05:37:40 -05:00 · 2025-11-19 05:37:40 -05:00 · 9aca8167b8
commit 9aca8167b8
parent 759909f611
2 changed files with 37 additions and 10 deletions
--- a/syft/pkg/cataloger/internal/cpegenerate/generate.go
+++ b/syft/pkg/cataloger/internal/cpegenerate/generate.go
@ -62,16 +62,13 @@ func GetIndexedDictionary() (_ *dictionary.Indexed, err error) {

 func FromDictionaryFind(p pkg.Package) ([]cpe.CPE, bool) {
 	dict, err := GetIndexedDictionary()
-	parsedCPEs := []cpe.CPE{}
 	if err != nil {
 		log.Debugf("CPE dictionary lookup not available: %+v", err)
-		return parsedCPEs, false
+		return []cpe.CPE{}, false
 	}

-	var (
-		cpes *dictionary.Set
-		ok   bool
-	)
+	var cpes *dictionary.Set
+	var ok bool

 	switch p.Type {
 	case pkg.NpmPkg:
@ -101,20 +98,25 @@ func FromDictionaryFind(p pkg.Package) ([]cpe.CPE, bool) {
 	case pkg.WordpressPluginPkg:
 		metadata, valid := p.Metadata.(pkg.WordpressPluginEntry)
 		if !valid {
-			return parsedCPEs, false
+			return nil, false
 		}
 		cpes, ok = dict.EcosystemPackages[dictionary.EcosystemWordpressPlugins][metadata.PluginInstallDirectory]

+	case pkg.ModelPkg:
+		// ML models should not have CPEs as they are not traditional software packages
+		// and don't fit the vulnerability model used for software packages.
+		return nil, false
 	default:
 		// The dictionary doesn't support this package type yet.
-		return parsedCPEs, false
+		return nil, false
 	}

 	if !ok {
 		// The dictionary doesn't have a CPE for this package.
-		return parsedCPEs, false
+		return []cpe.CPE{}, false
 	}

+	parsedCPEs := []cpe.CPE{}
 	for _, c := range cpes.List() {
 		parsedCPE, err := cpe.New(c, cpe.NVDDictionaryLookupSource)
 		if err != nil {
@ -126,7 +128,7 @@ func FromDictionaryFind(p pkg.Package) ([]cpe.CPE, bool) {
 	}

 	if len(parsedCPEs) == 0 {
-		return []cpe.CPE{}, false
+		return nil, false
 	}

 	sort.Sort(cpe.BySourceThenSpecificity(parsedCPEs))
@ -137,6 +139,12 @@ func FromDictionaryFind(p pkg.Package) ([]cpe.CPE, bool) {
 // generate the minimal set of representative CPEs, which implies that optional fields should not be included
 // (such as target SW).
 func FromPackageAttributes(p pkg.Package) []cpe.CPE {
+	// ML models should not have CPEs as they are not traditional software packages
+	// and don't fit the vulnerability model used for software packages.
+	if p.Type == pkg.ModelPkg {
+		return nil
+	}
+
 	vendors := candidateVendors(p)
 	products := candidateProducts(p)
 	targetSWs := candidateTargetSw(p)
--- a/syft/pkg/cataloger/internal/cpegenerate/generate_test.go
+++ b/syft/pkg/cataloger/internal/cpegenerate/generate_test.go
@ -846,6 +846,15 @@ func TestGeneratePackageCPEs(t *testing.T) {
 				"cpe:2.3:a:something_else:something_else_.net:2.5.1:*:*:*:*:*:*:*",
 			},
 		},
+		{
+			name: "ML model package should generate no CPEs",
+			p: pkg.Package{
+				Name:    "llama3-8b",
+				Version: "3.0",
+				Type:    pkg.ModelPkg,
+			},
+			expected: []string{},
+		},
 	}

 	for _, test := range tests {
@ -1136,6 +1145,16 @@ func TestDictionaryFindIsWired(t *testing.T) {
 			// without the cpe data wired up, this would be empty (generation also creates cpe:2.3:a:openssl:openssl:1.0.2k:*:*:*:*:*:*:*)
 			wantExists: true,
 		},
+		{
+			name: "ML model packages should not have dictionary CPEs",
+			pkg: pkg.Package{
+				Name:    "llama3-8b",
+				Version: "3.0",
+				Type:    pkg.ModelPkg,
+			},
+			want:       []cpe.CPE{},
+			wantExists: false,
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {