Open arianvp opened 2 weeks ago
Hi @arianvp, thanks! I'm not sure I understand the request. Would it be possible for you to provide a simple example of the output you would like to have, and how one would use that new information to 'link to the nixpkgs commit'?
Disregard below, this is a build vs runtime issue, should probably be its own issue:

I think he's mentioning the fact that sbomnix seems to force a .drv into a realised path, then only looks at the realised path (which is pruned of build time dependencies). I would assume the desired behavior would reflect something like nix-store -q --requisites, where passing a .drv infers buildtime dependencies as well.
[16:16:08] jringer@jringer-5560-nixos ~/projects/nixpkgs (master)
$ nix-store -qR $(nix-build -A hello) | wc -l
5
[16:16:11] jringer@jringer-5560-nixos ~/projects/nixpkgs (master)
$ nix-store -qR $(nix-instantiate -A hello) | wc -l
warning: you did not specify '--add-root'; the result might be removed by the garbage collector
343
> The SBOM generator is great! But often I want to know "Hey where did all these derivations come from" and for that it would be useful if we would also record the details from the flake lock file in the SBOM so that we can easily link to the nixpkgs commit that built the artefact.
Nevermind, missed it the first time.
Looks like the ask is more like, "If I have one or many repos which package additional software, I would like to know where these package expressions are defined, are they from nixpkgs, or some other overlay?"
There's a few (potential) issues here:

meta.pos, but this is hard to do without involving the nix interpreter

@jonringer:

> Disregard below, this is a build vs runtime issue, should probably be its own issue
Most of the tools in this repository support working with --buildtime dependencies too, see e.g.: https://github.com/tiiuae/sbomnix?tab=readme-ov-file#generate-sbom-including-buildtime-dependencies
> Looks like the ask is more like, "If I have one or many repos which package additional software, I would like to know where these package expressions are defined, are they from nixpkgs, or some other overlay?"
Right, think I got the request now but unfortunately I also don't see how that could be done.
You may be able to query it with meta.position
$ nix-instantiate --eval -A hello.meta.position
"/home/jon/projects/nixpkgs/pkgs/by-name/he/hello/package.nix:45"
$ nix eval .#hello.meta.position
warning: Git tree '/home/jon/projects/nixpkgs' is dirty
"/nix/store/jhl3lnj5vclrhnj22iagmnsk8pszdx0z-source/pkgs/by-name/he/hello/package.nix:45"
The hard part would be "which repo does this path prefix belong to?"
We have the narhash of the repo in the flake.lock, that should help, no?
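One way the two ideas above could be combined (matching the store-path prefix of a meta.position value to a flake.lock node by NAR hash, then building a link to the locked rev), as an added example that is not sbomnix code or anything from the thread. It assumes a constructed flake.lock with placeholder rev/narHash values, and a constructed store-path-to-narHash table of the kind one would take from the narHash field of nix path-info --json:

```python
import json
import re

# Constructed sample flake.lock (not from the issue); rev and narHash are placeholders.
FLAKE_LOCK = json.loads('''{
  "nodes": {
    "nixpkgs": {"locked": {"type": "github", "owner": "NixOS", "repo": "nixpkgs",
                           "rev": "0123456789abcdef0123456789abcdef01234567",
                           "narHash": "sha256-PLACEHOLDER-NIXPKGS="}},
    "root": {"inputs": {"nixpkgs": "nixpkgs"}}
  },
  "root": "root", "version": 7
}''')

# Constructed: NAR hash of each fetched input's store path (assumption: this is what
# the narHash field of `nix path-info --json <path>` reports for the fetched source).
STORE_NARHASH = {
    "/nix/store/jhl3lnj5vclrhnj22iagmnsk8pszdx0z-source": "sha256-PLACEHOLDER-NIXPKGS=",
}

# meta.position looks like "<store path>/<file>:<line>" when evaluated from a flake.
POSITION_RE = re.compile(r"^(/nix/store/[0-9a-z]{32}-[^/]+)/(.+):(\d+)$")

def input_for_store_path(store_path, lock, narhashes=STORE_NARHASH):
    """Match a fetched input's store path to a flake.lock node by NAR hash."""
    nar = narhashes.get(store_path)
    if nar is None:
        return None
    for name, node in lock["nodes"].items():
        locked = node.get("locked")
        if locked and locked.get("narHash") == nar:
            return name
    return None

def position_to_url(position, lock, narhashes=STORE_NARHASH):
    """Turn a meta.position string into a link to the locked rev of its source repo."""
    m = POSITION_RE.match(position)
    if not m:
        return None  # path into a local checkout (nix-instantiate output), not a flake input
    prefix, rel_path, line = m.groups()
    name = input_for_store_path(prefix, lock, narhashes)
    if name is None:
        return None  # store path not claimed by any locked input
    locked = lock["nodes"][name]["locked"]
    if locked.get("type") != "github":
        return None  # only github inputs get a browsable URL in this example
    return (f"https://github.com/{locked['owner']}/{locked['repo']}"
            f"/blob/{locked['rev']}/{rel_path}#L{line}")
```

The nix-instantiate form of the path (a local checkout under $HOME) deliberately yields None, since only a locked input can be tied to a commit.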
The SBOM generator is great! But often I want to know "Hey where did all these derivations come from" and for that it would be useful if we would also record the details from the flake lock file in the SBOM so that we can easily link to the nixpkgs commit that built the artefact.