chore: schema and test additions

Signed-off-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com>

internal/constants.go

@@ -3,5 +3,5 @@ package internal
 const (
 	// JSONSchemaVersion is the current schema version output by the JSON encoder
 	// This is roughly following the "SchemaVer" guidelines for versioning the JSON schema. Please see schema/json/README.md for details on how to increment.
-	JSONSchemaVersion = "16.0.40"
+	JSONSchemaVersion = "16.0.41"
 )

internal/packagemetadata/generated.go

@@ -27,6 +27,7 @@ func AllTypes() []any {
 		pkg.ELFBinaryPackageNoteJSONPayload{},
 		pkg.ElixirMixLockEntry{},
 		pkg.ErlangRebarLockEntry{},
+		pkg.GGUFFileMetadata{},
 		pkg.GitHubActionsUseStatement{},
 		pkg.GolangBinaryBuildinfoEntry{},
 		pkg.GolangModuleEntry{},

schema/json/schema-latest.json

@@ -1,6 +1,6 @@
 {
   "$schema": "https://json-schema.org/draft/2020-12/schema",
-  "$id": "anchore.io/schema/syft/json/16.0.40/document",
+  "$id": "anchore.io/schema/syft/json/16.0.41/document",
   "$ref": "#/$defs/Document",
   "$defs": {
     "AlpmDbEntry": {
@@ -1399,6 +1399,70 @@
         "size"
       ]
     },
+    "GgufFileMetadata": {
+      "properties": {
+        "modelFormat": {
+          "type": "string",
+          "description": "ModelFormat is always \"gguf\""
+        },
+        "modelName": {
+          "type": "string",
+          "description": "ModelName is the name of the model (from general.name or filename)"
+        },
+        "modelVersion": {
+          "type": "string",
+          "description": "ModelVersion is the version of the model (if available in header, else \"unknown\")"
+        },
+        "fileSize": {
+          "type": "integer",
+          "description": "FileSize is the size of the GGUF file in bytes (best-effort if available from resolver)"
+        },
+        "hash": {
+          "type": "string",
+          "description": "Hash is a content hash of the metadata (for stable global identifiers across remotes)"
+        },
+        "license": {
+          "type": "string",
+          "description": "License is the license identifier (from general.license if present)"
+        },
+        "ggufVersion": {
+          "type": "integer",
+          "description": "GGUFVersion is the GGUF format version (e.g., 3)"
+        },
+        "architecture": {
+          "type": "string",
+          "description": "Architecture is the model architecture (from general.architecture, e.g., \"qwen3moe\", \"llama\")"
+        },
+        "quantization": {
+          "type": "string",
+          "description": "Quantization is the quantization type (e.g., \"IQ4_NL\", \"Q4_K_M\")"
+        },
+        "parameters": {
+          "type": "integer",
+          "description": "Parameters is the number of model parameters (if present in header)"
+        },
+        "tensorCount": {
+          "type": "integer",
+          "description": "TensorCount is the number of tensors in the model"
+        },
+        "header": {
+          "type": "object",
+          "description": "Header contains the remaining key-value pairs from the GGUF header that are not already\nrepresented as typed fields above. This preserves additional metadata fields for reference\n(namespaced with general.*, llama.*, etc.) while avoiding duplication."
+        },
+        "truncatedHeader": {
+          "type": "boolean",
+          "description": "TruncatedHeader indicates if the header was truncated during parsing (for very large headers)"
+        }
+      },
+      "type": "object",
+      "required": [
+        "modelFormat",
+        "modelName",
+        "ggufVersion",
+        "tensorCount"
+      ],
+      "description": "GGUFFileMetadata represents metadata extracted from a GGUF (GPT-Generated Unified Format) model file."
+    },
     "GithubActionsUseStatement": {
       "properties": {
         "value": {
@@ -2474,6 +2538,9 @@
             {
               "$ref": "#/$defs/ErlangRebarLockEntry"
             },
+            {
+              "$ref": "#/$defs/GgufFileMetadata"
+            },
             {
               "$ref": "#/$defs/GithubActionsUseStatement"
             },

syft/format/internal/spdxutil/helpers/originator_supplier_test.go

@@ -53,6 +53,7 @@ func Test_OriginatorSupplier(t *testing.T) {
 		pkg.OpamPackage{},
 		pkg.YarnLockEntry{},
 		pkg.TerraformLockProviderEntry{},
+		pkg.GGUFFileMetadata{},
 	)
 	tests := []struct {
 		name       string

syft/format/internal/spdxutil/helpers/source_info.go

@@ -82,6 +82,8 @@ func SourceInfo(p pkg.Package) string {
 		answer = "acquired package info from Homebrew formula"
 	case pkg.TerraformPkg:
 		answer = "acquired package info from Terraform dependency lock file"
+	case pkg.ModelPkg:
+		answer = "acquired package info from AI artifact"
 	default:
 		answer = "acquired package info from the following paths"
 	}

syft/format/internal/spdxutil/helpers/source_info_test.go

@@ -351,6 +351,14 @@ func Test_SourceInfo(t *testing.T) {
 				"acquired package info from Terraform dependency lock file",
 			},
 		},
+		{
+			input: pkg.Package{
+				Type: pkg.ModelPkg,
+			},
+			expected: []string{
+				"",
+			},
+		},
 	}
 	var pkgTypes []pkg.Type
 	for _, test := range tests {

syft/pkg/type_test.go

@@ -155,6 +155,7 @@ func TestTypeFromPURL(t *testing.T) {
 	expectedTypes.Remove(string(HomebrewPkg))
 	expectedTypes.Remove(string(TerraformPkg))
 	expectedTypes.Remove(string(GraalVMNativeImagePkg))
+	expectedTypes.Remove(string(ModelPkg))   // no valid purl for ai artifacts currently
 	expectedTypes.Remove(string(PhpPeclPkg)) // we should always consider this a pear package
 
 	for _, test := range tests {