tiiuae / sbomnix

A suite of utilities to help with software supply chain challenges on nix targets

Include the flake refs / eval time dependencies into the SBOM #121

Open arianvp opened 2 weeks ago

arianvp commented 2 weeks ago

The SBOM generator is great! But often I want to know "Hey where did all these derivations come from" and for that it would be useful if we would also record the details from the flake lock file in the SBOM so that we can easily link to the nixpkgs commit that built the artefact.

henrirosten commented 2 weeks ago

Hi @arianvp, thanks! I'm not sure I understand the request. Would it be possible for you to provide a simple example of the output you would like to have, and how one would use that new information to 'link to the nixpkgs commit'?

jonringer commented 1 week ago

Disregard below, this is a build vs runtime issue, should probably be its own issue:

I think he's mentioning the fact that sbomnix seems to force a .drv into a realised path, then only looks at the realised path (which is pruned of build time dependencies).

I would assume the desired behavior would reflect something like nix-store -q --requisites, where passing a .drv infers buildtime dependencies as well.

[16:16:08] jringer@jringer-5560-nixos ~/projects/nixpkgs (master)
$ nix-store -qR $(nix-build -A hello) | wc -l
5
[16:16:11] jringer@jringer-5560-nixos ~/projects/nixpkgs (master)
$ nix-store -qR $(nix-instantiate -A hello) | wc -l
warning: you did not specify '--add-root'; the result might be removed by the garbage collector
343

jonringer commented 1 week ago

The SBOM generator is great! But often I want to know "Hey where did all these derivations come from" ... from the flake lock file in the SBOM so that we can easily link to the nixpkgs commit that built the artefact.

Nevermind, missed it the first time.

Looks like the ask is more like, "If I have one or many repos which package additional software, I would like to know where these package expressions are defined, are they from nixpkgs, or some other overlay?"

There are a few (potential) issues here:

henrirosten commented 1 week ago

@jonringer:

Disregard below, this is a build vs runtime issue, should probably be its own issue

Most of the tools in this repository support working with --buildtime dependencies too, see e.g.: https://github.com/tiiuae/sbomnix?tab=readme-ov-file#generate-sbom-including-buildtime-dependencies

Looks like the ask is more like, "If I have one or many repos which package additional software, I would like to know where these package expressions are defined, are they from nixpkgs, or some other overlay?"

Right, I think I got the request now, but unfortunately I also don't see how that could be done.

jonringer commented 1 week ago

Right, I think I got the request now, but unfortunately I also don't see how that could be done.

You may be able to query it with meta.position

$ nix-instantiate --eval -A hello.meta.position
"/home/jon/projects/nixpkgs/pkgs/by-name/he/hello/package.nix:45"
$ nix eval .#hello.meta.position
warning: Git tree '/home/jon/projects/nixpkgs' is dirty
"/nix/store/jhl3lnj5vclrhnj22iagmnsk8pszdx0z-source/pkgs/by-name/he/hello/package.nix:45"

The hard part would be "which repo does this path prefix belong to?"

arianvp commented 1 week ago

We have the narHash of the repo in the flake.lock; that should help, no?
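Following up on the narHash suggestion, an added example that is not part of the thread or of sbomnix: Nix derives a flake input's `/nix/store/<hash>-source` path from the NAR hash recorded in flake.lock (the `source:sha256:<hex>:/nix/store:source` fingerprint, SHA-256, XOR-folded to 20 bytes, printed in Nix's base32 alphabet), so the same computation lets a `meta.position` path be attributed to a locked input. The flake.lock fragment below is constructed; its narHash is the SHA-256 of empty input, not a real nixpkgs revision.

```python
import base64
import hashlib
from typing import Dict, Optional

NIX_BASE32 = "0123456789abcdfghijklmnpqrsvwxyz"  # Nix's alphabet: no e, o, u, t


def nix_base32(data: bytes) -> str:
    """Encode bytes the way Nix prints store-path hashes (its own base32 variant)."""
    out = []
    for n in range((len(data) * 8 - 1) // 5, -1, -1):
        i, j = divmod(n * 5, 8)
        c = data[i] >> j
        if i + 1 < len(data):
            c |= data[i + 1] << (8 - j)
        out.append(NIX_BASE32[c & 0x1F])
    return "".join(out)


def source_store_path(nar_hash_sri: str, store_dir: str = "/nix/store") -> str:
    """Store path Nix assigns to a recursively sha256-hashed tree named 'source'."""
    algo, b64 = nar_hash_sri.split("-", 1)
    if algo != "sha256":
        raise ValueError("flake.lock narHash values are sha256 SRI strings")
    nar_hex = base64.b64decode(b64).hex()
    fingerprint = f"source:sha256:{nar_hex}:{store_dir}:source"
    digest = hashlib.sha256(fingerprint.encode()).digest()
    folded = bytearray(20)  # compressHash: XOR-fold 32 digest bytes down to 20
    for k, byte in enumerate(digest):
        folded[k % 20] ^= byte
    return f"{store_dir}/{nix_base32(bytes(folded))}-source"


def input_store_paths(flake_lock: dict) -> Dict[str, str]:
    """Map each locked input in flake.lock to the store path its narHash implies."""
    return {name: source_store_path(node["locked"]["narHash"])
            for name, node in flake_lock["nodes"].items()
            if "narHash" in node.get("locked", {})}


def repo_for_position(position: str, paths: Dict[str, str]) -> Optional[str]:
    """Name the flake input whose source tree a meta.position path lives under."""
    for name, prefix in paths.items():
        if position.startswith(prefix + "/"):
            return name
    return None  # e.g. a checkout under /home, not a locked input


# Constructed flake.lock fragment; the narHash is sha256 of empty input, not a real revision.
EXAMPLE_LOCK = {"nodes": {"nixpkgs": {"locked": {"type": "github", "owner": "NixOS",
                "repo": "nixpkgs", "narHash": "sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU="}},
                "root": {"inputs": {"nixpkgs": "nixpkgs"}}}, "root": "root", "version": 7}
```

With the real flake.lock and the `meta.position` of each package, the returned input name (and the `rev`/`owner`/`repo` fields of that locked node) is what could be attached to an SBOM component.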