28 changes: 18 additions & 10 deletions syft/pkg/cataloger/internal/cpegenerate/generate.go
Expand Up @@ -62,16 +62,13 @@ func GetIndexedDictionary() (_ *dictionary.Indexed, err error) {

func FromDictionaryFind(p pkg.Package) ([]cpe.CPE, bool) {
dict, err := GetIndexedDictionary()
parsedCPEs := []cpe.CPE{}
if err != nil {
log.Debugf("CPE dictionary lookup not available: %+v", err)
return parsedCPEs, false
return []cpe.CPE{}, false
nit: this can be nil. I see that it was allocated to begin with, but since you're changing much of this, do we still need to allocate? (We probably never did, but I haven't checked.)

@spiffcs spiffcs Nov 18, 2025

It was allocated to begin with -- I was just trying to shave some lines for the linter. I can check the callers and see if we can just get away with this being nil.

}

var (
cpes *dictionary.Set
ok bool
)
var cpes *dictionary.Set
var ok bool

switch p.Type {
case pkg.NpmPkg:
Expand Down Expand Up @@ -101,20 +98,25 @@ func FromDictionaryFind(p pkg.Package) ([]cpe.CPE, bool) {
case pkg.WordpressPluginPkg:
metadata, valid := p.Metadata.(pkg.WordpressPluginEntry)
if !valid {
return parsedCPEs, false
return nil, false
}
cpes, ok = dict.EcosystemPackages[dictionary.EcosystemWordpressPlugins][metadata.PluginInstallDirectory]

case pkg.ModelPkg:
// ML models should not have CPEs as they are not traditional software packages
// and don't fit the vulnerability model used for software packages.
return nil, false
default:
// The dictionary doesn't support this package type yet.
return parsedCPEs, false
return nil, false
}

if !ok {
// The dictionary doesn't have a CPE for this package.
return parsedCPEs, false
return []cpe.CPE{}, false
}

parsedCPEs := []cpe.CPE{}
for _, c := range cpes.List() {
parsedCPE, err := cpe.New(c, cpe.NVDDictionaryLookupSource)
if err != nil {
Expand All @@ -126,7 +128,7 @@ func FromDictionaryFind(p pkg.Package) ([]cpe.CPE, bool) {
}

if len(parsedCPEs) == 0 {
return []cpe.CPE{}, false
return nil, false
}

sort.Sort(cpe.BySourceThenSpecificity(parsedCPEs))
Expand All @@ -137,6 +139,12 @@ func FromDictionaryFind(p pkg.Package) ([]cpe.CPE, bool) {
// generate the minimal set of representative CPEs, which implies that optional fields should not be included
// (such as target SW).
func FromPackageAttributes(p pkg.Package) []cpe.CPE {
// ML models should not have CPEs as they are not traditional software packages
// and don't fit the vulnerability model used for software packages.
if p.Type == pkg.ModelPkg {
return nil
}

vendors := candidateVendors(p)
products := candidateProducts(p)
targetSWs := candidateTargetSw(p)
Expand Down
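Review bot: The ModelPkg exclusion is now encoded twice with the same comment — as a case in the FromDictionaryFind switch and as a guard at the top of FromPackageAttributes — so a later change to this policy (or another type that should be excluded) has to be applied in two places. A single predicate keeps the policy in one spot, e.g. `// cpeEligible reports whether a package of type t can be described by a CPE; ML models are excluded because they do not fit the software vulnerability model.` followed by `func cpeEligible(t pkg.Type) bool { return t != pkg.ModelPkg }`, with both the switch case and the guard calling it. The explicit ModelPkg case in the switch is also only documentation in effect, since the default branch already returns `nil, false` for any unsupported type — its comment should say so, so nobody later removes it as dead code or, worse, removes the default and loses the exclusion. FromPackageAttributes continues past the end of the hunk, and the switch body between the two hunks is not visible here.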
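--- a/syft/pkg/cataloger/internal/cpegenerate/generate_test.go
+++ b/syft/pkg/cataloger/internal/cpegenerate/generate_test.go
@@ -846,6 +846,15 @@ func TestGeneratePackageCPEs(t *testing.T) {
 "cpe:2.3:a:something_else:something_else_.net:2.5.1:*:*:*:*:*:*:*",
 },
 },
+{
+name: "ML model package should generate no CPEs",
+p: pkg.Package{
+Name: "llama3-8b",
+Version: "3.0",
+Type: pkg.ModelPkg,
+},
+expected: []string{},
+},
 }
 
 for _, test := range tests {
@@ -1136,6 +1145,16 @@ func TestDictionaryFindIsWired(t *testing.T) {
 // without the cpe data wired up, this would be empty (generation also creates cpe:2.3:a:openssl:openssl:1.0.2k:*:*:*:*:*:*:*)
 wantExists: true,
 },
+{
+name: "ML model packages should not have dictionary CPEs",
+pkg: pkg.Package{
+Name: "llama3-8b",
+Version: "3.0",
+Type: pkg.ModelPkg,
+},
+want: []cpe.CPE{},
+wantExists: false,
+},
 }
 for _, tt := range tests {
 t.Run(tt.name, func(t *testing.T) {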
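Review bot: The new TestDictionaryFindIsWired case expects `want: []cpe.CPE{}` for a ModelPkg, but the ModelPkg branch added to FromDictionaryFind in generate.go returns `nil, false`, and a nil slice is not reflect.DeepEqual to an empty one. Whether this passes therefore depends on how the loop body compares `tt.want` to the result — a DeepEqual-style assertion (including testify's Equal) would fail, while a length or ElementsMatch check would pass — and that loop body lies outside the hunk, so I could not confirm either way. If the comparison is strict, change the expectation to `want: nil,` or assert on length rather than on the slice value, so the test pins the documented contract instead of an allocation detail. The same nil-versus-empty question applies to the TestGeneratePackageCPEs case, where `expected: []string{}` is compared against a `nil` return from FromPackageAttributes by whatever conversion the loop applies.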