fix: mark malformed GGUF scans inconclusive

[mldangelo-oai]

Summary

• mark malformed GGUF/GGML parse boundaries with explicit inconclusive scan_outcome metadata
• fail closed for corrupt non-malicious GGUF files so core returns exit 2 instead of clean exit 0
• reject unknown GGML tensor types as unvalidated rather than silently estimating tensor size

Validation

• uv run pytest tests/scanners/test_gguf_scanner.py
• uv run ruff format modelaudit/ packages/modelaudit-picklescan/src packages/modelaudit-picklescan/tests tests/
• uv run ruff check --fix modelaudit/ packages/modelaudit-picklescan/src packages/modelaudit-picklescan/tests tests/
• uv run mypy modelaudit/ packages/modelaudit-picklescan/src packages/modelaudit-picklescan/tests tests/
• uv run pytest -n auto -m "not slow and not integration" --maxfail=1
• uv run ruff format --check modelaudit/ packages/modelaudit-picklescan/src packages/modelaudit-picklescan/tests tests/
• uv run ruff check modelaudit/ packages/modelaudit-picklescan/src packages/modelaudit-picklescan/tests tests/
• git diff --check

Summary by CodeRabbit

• Bug Fixes
  • Improved GGUF/GGML file parsing robustness: malformed parse boundaries and unknown tensor types are now treated as inconclusive scan results, ensuring the system fails closed when validation issues are encountered rather than potentially proceeding.
  • Enhanced structural validation for corrupted or truncated files.

[coderabbitai]

Warning

Rate limit exceeded

@mldangelo-oai has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 18 minutes and 3 seconds before requesting another review.

Your organization is not enrolled in usage-based pricing. Contact your admin to enable usage-based pricing to continue reviews beyond the rate limit, or try again in 18 minutes and 3 seconds.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 8ccfeb0a-2fce-4682-a2f4-9bf49ae5d333

📥 Commits

Reviewing files that changed from the base of the PR and between 0f04edf and 6ecc16c.

📒 Files selected for processing (1)

• tests/scanners/test_gguf_scanner.py

Walkthrough

The PR hardens GGUF/GGML scanning by treating malformed parse boundaries and unknown tensor types as inconclusive outcomes instead of proceeding with default assumptions. The scanner now fails closed when inconclusive unless critical security issues are present.

Changes

Cohort / File(s)	Summary
Documentation CHANGELOG.md	Added entry documenting hardening to mark GGUF/GGML malformed parse boundaries as inconclusive and fail when encountering unknown tensor types.
Scanner Logic modelaudit/scanners/gguf_scanner.py	Introduced _mark_inconclusive() helper and reason constants (gguf_parse_incomplete, gguf_structure_validation_failed). Added _finish_result() to fail closed (success=False) when outcome is inconclusive unless WARNING/CRITICAL severity issues exist. Marked multiple error paths (unrecognized magic, parse exceptions, file-size checks, truncated headers) as inconclusive. Enhanced tensor validation: invalid bounds/dimensions/unknown types now mark inconclusive and skip further checks, removing prior fallback assumptions.
Test Updates tests/scanners/test_gguf_scanner.py	Updated assertions across multiple test cases to expect inconclusive outcomes (success=False, INCONCLUSIVE_SCAN_OUTCOME) for malformed parse, truncated metadata, unknown tensor type, and invalid dimension cases. Added helper _write_gguf_with_tensor_type() and new tests for truncated metadata exit code validation and unknown tensor type behavior verification.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Poem

🐰 A scanner once trusted what tensors would say,
But malformed shapes led it astray—
Now inconclusive brings truth to the test,
Unknown tensor types fail gracefully best! 🔒

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 77.78% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'fix: mark malformed GGUF scans inconclusive' directly summarizes the main change: treating malformed GGUF/GGML parse failures as inconclusive outcomes.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch mdangelo/codex/gguf-boundary-audit

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

Workflow run and artifacts

Performance Benchmarks

Compared 6 shared benchmarks with a regression threshold of 15%.
Status: 0 regressions, 0 improved, 6 stable, 0 new, 0 missing.
Aggregate shared-benchmark median: 703.69ms -> 692.77ms (-1.6%).

Benchmark	Target	Size	Files	Baseline	Current	Change	Status
tests/benchmarks/test_scan_benchmarks.py::test_detect_file_format_safe_pickle	safe_model.pkl	49.4 KiB	1	164.1us	172.0us	+4.8%	stable
tests/benchmarks/test_scan_benchmarks.py::test_validate_file_type_pytorch_zip	state_dict.pt	1.5 MiB	1	50.4us	49.2us	-2.3%	stable
tests/benchmarks/test_scan_benchmarks.py::test_scan_duplicate_directory	duplicate-corpus	840.0 KiB	81	501.57ms	490.33ms	-2.2%	stable
tests/benchmarks/test_scan_benchmarks.py::test_scan_pytorch_zip	state_dict.pt	1.5 MiB	1	34.49ms	34.76ms	+0.8%	stable
tests/benchmarks/test_scan_benchmarks.py::test_scan_safe_pickle	safe_model.pkl	49.4 KiB	1	28.40ms	28.62ms	+0.8%	stable
tests/benchmarks/test_scan_benchmarks.py::test_scan_mixed_directory	mixed-corpus	1.7 MiB	54	139.02ms	138.83ms	-0.1%	stable

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@tests/scanners/test_gguf_scanner.py`:
- Around line 236-270: These tests add new fail-closed paths but don't assert
cached-rerun behavior; add a second scan invocation for each case that hits the
cache and verify the cached results preserve the inconclusive metadata,
scan_outcome_reasons, and exit code 2. Concretely, after the initial direct =
GgufScanner().scan(...) and aggregate = scan_model_directory_or_file(...), call
GgufScanner().scan(...) (or scan_model_directory_or_file(...)) a second time for
the same path, capture the cached_direct/cached_aggregate, and assert
cached_direct.metadata["scan_outcome"] == INCONCLUSIVE_SCAN_OUTCOME, the same
"gguf_parse_incomplete" or "gguf_structure_validation_failed" reason is present
in cached_direct.metadata["scan_outcome_reasons"], and
determine_exit_code(cached_aggregate) == 2 (and mirror the same checks for
issues/success flags as in the original assertions). Ensure you reference the
existing test functions test_gguf_truncated_metadata_returns_exit2 and
test_gguf_unknown_tensor_type_is_inconclusive and reuse GgufScanner().scan,
scan_model_directory_or_file, and determine_exit_code to validate cache
semantics.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 27b1eb22-26b7-428a-81a5-b2f363a868e9

📥 Commits

Reviewing files that changed from the base of the PR and between f285a05 and 0f04edf.

📒 Files selected for processing (3)

• CHANGELOG.md
• modelaudit/scanners/gguf_scanner.py
• tests/scanners/test_gguf_scanner.py