From 9aca8167b8530bc951e9570c9f4bb53955dda225 Mon Sep 17 00:00:00 2001
From: Christopher Angelo Phillips <32073428+spiffcs@users.noreply.github.com>
Date: Wed, 19 Nov 2025 05:37:40 -0500
Subject: [PATCH] chore: drop cpe from gguf (#4383)
---------
Signed-off-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com>
---
 .../internal/cpegenerate/generate.go | 28 ++++++++++++-------
 .../internal/cpegenerate/generate_test.go | 19 +++++++++++++
 2 files changed, 37 insertions(+), 10 deletions(-)
diff --git a/syft/pkg/cataloger/internal/cpegenerate/generate.go b/syft/pkg/cataloger/internal/cpegenerate/generate.go
index 8fd40d7cd..44f3606bd 100644
--- a/syft/pkg/cataloger/internal/cpegenerate/generate.go
+++ b/syft/pkg/cataloger/internal/cpegenerate/generate.go
@@ -62,16 +62,13 @@ func GetIndexedDictionary() (_ *dictionary.Indexed, err error) {
 func FromDictionaryFind(p pkg.Package) ([]cpe.CPE, bool) {
 dict, err := GetIndexedDictionary()
- parsedCPEs := []cpe.CPE{}
 if err != nil {
 log.Debugf("CPE dictionary lookup not available: %+v", err)
- return parsedCPEs, false
+ return []cpe.CPE{}, false
 }
- var (
- cpes *dictionary.Set
- ok bool
- )
+ var cpes *dictionary.Set
+ var ok bool
 switch p.Type {
 case pkg.NpmPkg:
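Review bot: The `return []cpe.CPE{}, false` on the dictionary-unavailable path no longer agrees with the other "not found" returns of this function: the `!valid` and `default` arms and the `len(parsedCPEs) == 0` check (hunks at -101 and -126) return nil, while the `!ok` arm keeps an empty slice, so callers and tests see two different values for the same false result. Picking one sentinel, `return nil, false` here and in the `!ok` arm, keeps the contract uniform and makes the tests' expectations unambiguous. That contract belongs on the function's doc comment, which sits above this hunk: `// A false result is always paired with a nil slice.` FromDictionaryFind's body continues past the end of the hunk.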
@@ -101,20 +98,25 @@ func FromDictionaryFind(p pkg.Package) ([]cpe.CPE, bool) {
 case pkg.WordpressPluginPkg:
 metadata, valid := p.Metadata.(pkg.WordpressPluginEntry)
 if !valid {
- return parsedCPEs, false
+ return nil, false
 }
 cpes, ok = dict.EcosystemPackages[dictionary.EcosystemWordpressPlugins][metadata.PluginInstallDirectory]
+ case pkg.ModelPkg:
+ // ML models should not have CPEs as they are not traditional software packages
+ // and don't fit the vulnerability model used for software packages.
+ return nil, false
 default:
 // The dictionary doesn't support this package type yet.
- return parsedCPEs, false
+ return nil, false
 }
 if !ok {
 // The dictionary doesn't have a CPE for this package.
- return parsedCPEs, false
+ return []cpe.CPE{}, false
 }
+ parsedCPEs := []cpe.CPE{}
 for _, c := range cpes.List() {
 parsedCPE, err := cpe.New(c, cpe.NVDDictionaryLookupSource)
 if err != nil {
@@ -126,7 +128,7 @@ func FromDictionaryFind(p pkg.Package) ([]cpe.CPE, bool) {
 }
 if len(parsedCPEs) == 0 {
- return []cpe.CPE{}, false
+ return nil, false
 }
 sort.Sort(cpe.BySourceThenSpecificity(parsedCPEs))
@@ -137,6 +139,12 @@ func FromDictionaryFind(p pkg.Package) ([]cpe.CPE, bool) {
 // generate the minimal set of representative CPEs, which implies that optional fields should not be included
 // (such as target SW).
 func FromPackageAttributes(p pkg.Package) []cpe.CPE {
+ // ML models should not have CPEs as they are not traditional software packages
+ // and don't fit the vulnerability model used for software packages.
+ if p.Type == pkg.ModelPkg {
+ return nil
+ }
+
 vendors := candidateVendors(p)
 products := candidateProducts(p)
 targetSWs := candidateTargetSw(p)
diff --git a/syft/pkg/cataloger/internal/cpegenerate/generate_test.go b/syft/pkg/cataloger/internal/cpegenerate/generate_test.go
index 3323fbc6c..890d60170 100644
--- a/syft/pkg/cataloger/internal/cpegenerate/generate_test.go
+++ b/syft/pkg/cataloger/internal/cpegenerate/generate_test.go
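Review bot: The new `case pkg.ModelPkg` arm returns a nil slice, but the test case added for it in generate_test.go (the TestDictionaryFindIsWired hunk at -1136) expects `want: []cpe.CPE{}`; if that test compares with reflect.DeepEqual or assert.Equal, a nil slice and an empty slice are not equal and the case will fail, so one side should change, either `want: nil` in the test or `return []cpe.CPE{}, false` here. The two-line comment repeats verbatim the one added to FromPackageAttributes in the hunk at -137; a one-liner such as `// ML models are not software packages and get no CPEs.` would suffice at both sites. The enclosing switch and function begin before this hunk.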
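Review bot: The ModelPkg exclusion is now encoded twice with identical comment text, here and in the `case pkg.ModelPkg` arm of FromDictionaryFind in the hunk at -101; a small shared predicate such as `func skipCPEs(p pkg.Package) bool { return p.Type == pkg.ModelPkg }` called from both sites would keep the two in step when further package types are excluded. The function's doc comment, which starts before this hunk, should also state the exclusion so callers do not read nil as a generation failure, e.g. `// Packages of type pkg.ModelPkg are intentionally excluded and yield nil, so model artifacts are never matched against CPE-based vulnerability data.` The rest of FromPackageAttributes continues past the hunk.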
@@ -846,6 +846,15 @@ func TestGeneratePackageCPEs(t *testing.T) {
 "cpe:2.3:a:something_else:something_else_.net:2.5.1:*:*:*:*:*:*:*",
 },
 },
+ {
+ name: "ML model package should generate no CPEs",
+ p: pkg.Package{
+ Name: "llama3-8b",
+ Version: "3.0",
+ Type: pkg.ModelPkg,
+ },
+ expected: []string{},
+ },
 }
 for _, test := range tests {
@@ -1136,6 +1145,16 @@ func TestDictionaryFindIsWired(t *testing.T) {
 // without the cpe data wired up, this would be empty (generation also creates cpe:2.3:a:openssl:openssl:1.0.2k:*:*:*:*:*:*:*)
 wantExists: true,
 },
+ {
+ name: "ML model packages should not have dictionary CPEs",
+ pkg: pkg.Package{
+ Name: "llama3-8b",
+ Version: "3.0",
+ Type: pkg.ModelPkg,
+ },
+ want: []cpe.CPE{},
+ wantExists: false,
+ },
 }
 for _, tt := range tests {
 t.Run(tt.name, func(t *testing.T) {