schema/json/schema-16.0.43.json

@@ -1443,6 +1443,10 @@
           "type": "string",
           "description": "ModelName is the name of the model (from general.name or filename)"
         },
+        "modelVersion": {
+          "type": "string",
+          "description": "ModelVersion is the version of the model (if available in header, else \"unknown\")"
+        },
         "fileSize": {
           "type": "integer",
           "description": "FileSize is the size of the GGUF file in bytes (best-effort if available from resolver)"

schema/json/schema-latest.json

@@ -1443,6 +1443,10 @@
           "type": "string",
           "description": "ModelName is the name of the model (from general.name or filename)"
         },
+        "modelVersion": {
+          "type": "string",
+          "description": "ModelVersion is the version of the model (if available in header, else \"unknown\")"
+        },
         "fileSize": {
           "type": "integer",
           "description": "FileSize is the size of the GGUF file in bytes (best-effort if available from resolver)"

syft/pkg/cataloger/ai/cataloger_test.go

@@ -6,6 +6,7 @@ import (
 	"testing"
 
 	"github.com/google/go-cmp/cmp/cmpopts"
+	"github.com/stretchr/testify/assert"
 
 	"github.com/anchore/syft/syft/artifact"
 	"github.com/anchore/syft/syft/pkg"
@@ -13,28 +14,6 @@ import (
 )
 
 func TestGGUFCataloger_Globs(t *testing.T) {
-	tests := []struct {
-		name     string
-		fixture  string
-		expected []string
-	}{
-		{
-			name:    "obtain gguf files",
-			fixture: "test-fixtures/glob-paths",
-			expected: []string{
-				"models/model.gguf",
-			},
-		},
-	}
-
-	for _, test := range tests {
-		t.Run(test.name, func(t *testing.T) {
-			pkgtest.NewCatalogTester().
-				FromDirectory(t, test.fixture).
-				ExpectsResolverContentQueries(test.expected).
-				TestCataloger(t, NewGGUFCataloger())
-		})
-	}
 }
 
 func TestGGUFCataloger_Integration(t *testing.T) {
@@ -72,6 +51,7 @@ func TestGGUFCataloger_Integration(t *testing.T) {
 					),
 					Metadata: pkg.GGUFFileHeader{
 						ModelName:       "llama3-8b",
+						ModelVersion:    "3.0",
 						License:         "Apache-2.0",
 						Architecture:    "llama",
 						Quantization:    "Unknown",
@@ -97,11 +77,16 @@ func TestGGUFCataloger_Integration(t *testing.T) {
 				IgnoreLocationLayer().
 				IgnorePackageFields("FoundBy", "Locations"). // These are set by the cataloger
 				WithCompareOptions(
-					// Ignore MetadataHash as it's computed dynamically
+					// Ignore Hash as it's computed dynamically
-					cmpopts.IgnoreFields(pkg.GGUFFileHeader{}, "MetadataHash"),
+					cmpopts.IgnoreFields(pkg.GGUFFileHeader{}, "Hash"),
 				)
 
 			tester.TestCataloger(t, NewGGUFCataloger())
 		})
 	}
 }
+
+func TestGGUFCataloger_Name(t *testing.T) {
+	cataloger := NewGGUFCataloger()
+	assert.Equal(t, "gguf-cataloger", cataloger.Name())
+}

syft/pkg/cataloger/ai/package.go

@@ -1,14 +1,25 @@
 package ai
 
 import (
+	"encoding/json"
+	"fmt"
+
+	"github.com/cespare/xxhash/v2"
+
+	"github.com/anchore/syft/internal/log"
 	"github.com/anchore/syft/syft/file"
 	"github.com/anchore/syft/syft/pkg"
 )
 
-func newGGUFPackage(metadata *pkg.GGUFFileHeader, version string, locations ...file.Location) pkg.Package {
+func newGGUFPackage(metadata *pkg.GGUFFileHeader, locations ...file.Location) pkg.Package {
+	// Compute hash if not already set
+	if metadata.Hash == "" {
+		metadata.Hash = computeMetadataHash(metadata)
+	}
+
 	p := pkg.Package{
 		Name:      metadata.ModelName,
-		Version:   version,
+		Version:   metadata.ModelVersion,
 		Locations: file.NewLocationSet(locations...),
 		Type:      pkg.ModelPkg,
 		Licenses:  pkg.NewLicenseSet(),
@@ -26,3 +37,33 @@ func newGGUFPackage(metadata *pkg.GGUFFileHeader, version string, locations ...f
 
 	return p
 }
+
+// computeMetadataHash computes a stable hash of the metadata for use as a global identifier
+func computeMetadataHash(metadata *pkg.GGUFFileHeader) string {
+	// Create a stable representation of the metadata
+	hashData := struct {
+		Format       string
+		Name         string
+		Version      string
+		Architecture string
+		GGUFVersion  uint32
+		TensorCount  uint64
+	}{
+		Name:         metadata.ModelName,
+		Version:      metadata.ModelVersion,
+		Architecture: metadata.Architecture,
+		GGUFVersion:  metadata.GGUFVersion,
+		TensorCount:  metadata.TensorCount,
+	}
+
+	// Marshal to JSON for stable hashing
+	jsonBytes, err := json.Marshal(hashData)
+	if err != nil {
+		log.Debugf("failed to marshal metadata for hashing: %v", err)
+		return ""
+	}
+
+	// Compute xxhash
+	hash := xxhash.Sum64(jsonBytes)
+	return fmt.Sprintf("%016x", hash) // 16 hex chars (64 bits)
+}

syft/pkg/cataloger/ai/package_test.go

@@ -15,15 +15,14 @@ func TestNewGGUFPackage(t *testing.T) {
 	tests := []struct {
 		name      string
 		metadata  *pkg.GGUFFileHeader
-		version   string
 		locations []file.Location
 		checkFunc func(t *testing.T, p pkg.Package)
 	}{
 		{
 			name: "complete GGUF package with all fields",
-			version: "3.0",
 			metadata: &pkg.GGUFFileHeader{
 				ModelName:       "llama3-8b-instruct",
+				ModelVersion:    "3.0",
 				License:         "Apache-2.0",
 				Architecture:    "llama",
 				Quantization:    "Q4_K_M",
@@ -53,9 +52,9 @@ func TestNewGGUFPackage(t *testing.T) {
 		},
 		{
 			name: "minimal GGUF package",
-			version: "1.0",
 			metadata: &pkg.GGUFFileHeader{
 				ModelName:    "simple-model",
+				ModelVersion: "1.0",
 				Architecture: "gpt2",
 				GGUFVersion:  3,
 				TensorCount:  50,
@@ -77,9 +76,9 @@ func TestNewGGUFPackage(t *testing.T) {
 		},
 		{
 			name: "GGUF package with multiple locations",
-			version: "1.5",
 			metadata: &pkg.GGUFFileHeader{
 				ModelName:    "multi-location-model",
+				ModelVersion: "1.5",
 				Architecture: "llama",
 				GGUFVersion:  3,
 				TensorCount:  150,
@@ -96,12 +95,12 @@ func TestNewGGUFPackage(t *testing.T) {
 
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			p := newGGUFPackage(tt.metadata, tt.version, tt.locations...)
+			p := newGGUFPackage(tt.metadata, tt.locations...)
 
 			if d := cmp.Diff(tt.metadata.ModelName, p.Name); d != "" {
 				t.Errorf("Name mismatch (-want +got):\n%s", d)
 			}
-			if d := cmp.Diff(tt.version, p.Version); d != "" {
+			if d := cmp.Diff(tt.metadata.ModelVersion, p.Version); d != "" {
 				t.Errorf("Version mismatch (-want +got):\n%s", d)
 			}
 			if d := cmp.Diff(pkg.ModelPkg, p.Type); d != "" {

syft/pkg/cataloger/ai/parse_gguf_model.go

@@ -62,12 +62,10 @@ func parseGGUFModel(_ context.Context, _ file.Resolver, _ *generic.Environment,
 	// Extract metadata
 	metadata := ggufFile.Metadata()
 
-	// Extract version separately (will be set on Package.Version)
-	modelVersion := extractVersion(ggufFile.Header.MetadataKV)
-
 	// Convert to syft metadata structure
 	syftMetadata := &pkg.GGUFFileHeader{
 		ModelName:       metadata.Name,
+		ModelVersion:    extractVersion(ggufFile.Header.MetadataKV),
 		License:         metadata.License,
 		Architecture:    metadata.Architecture,
 		Quantization:    metadata.FileTypeDescriptor,
@@ -86,7 +84,6 @@ func parseGGUFModel(_ context.Context, _ file.Resolver, _ *generic.Environment,
 	// Create package from metadata
 	p := newGGUFPackage(
 		syftMetadata,
-		modelVersion,
 		reader.WithAnnotation(pkg.EvidenceAnnotationKey, pkg.PrimaryEvidenceAnnotation),
 	)
 

syft/pkg/gguf.go

@@ -10,6 +10,9 @@ type GGUFFileHeader struct {
 	// ModelName is the name of the model (from general.name or filename)
 	ModelName string `json:"modelName" cyclonedx:"modelName"`
 
+	// ModelVersion is the version of the model (if available in header, else "unknown")
+	ModelVersion string `json:"modelVersion,omitempty" cyclonedx:"modelVersion"`
+
 	// FileSize is the size of the GGUF file in bytes (best-effort if available from resolver)
 	FileSize int64 `json:"fileSize,omitempty" cyclonedx:"fileSize"`