diff --git a/default.nix b/default.nix index 59dcb3c..4f8ffb1 100644 --- a/default.nix +++ b/default.nix @@ -5,10 +5,18 @@ # This file originates from: # https://github.com/nix-community/flake-compat # This file provides backward compatibility to nix < 2.4 clients -{system ? builtins.currentSystem}: let +{ + system ? builtins.currentSystem, +}: +let lock = builtins.fromJSON (builtins.readFile ./flake.lock); - inherit (lock.nodes.flake-compat.locked) owner repo rev narHash; + inherit (lock.nodes.flake-compat.locked) + owner + repo + rev + narHash + ; flake-compat = fetchTarball { url = "https://github.com/${owner}/${repo}/archive/${rev}.tar.gz"; @@ -20,4 +28,4 @@ src = ./.; }; in - flake.defaultNix +flake.defaultNix diff --git a/flake.nix b/flake.nix index e6ec3a8..894e4b8 100644 --- a/flake.nix +++ b/flake.nix @@ -19,20 +19,22 @@ }; }; - outputs = inputs @ {flake-parts, ...}: + outputs = + inputs@{ flake-parts, ... }: flake-parts.lib.mkFlake - { - inherit inputs; - } { - systems = [ - "x86_64-linux" - "aarch64-linux" - "x86_64-darwin" - "aarch64-darwin" - ]; + { + inherit inputs; + } + { + systems = [ + "x86_64-linux" + "aarch64-linux" + "x86_64-darwin" + "aarch64-darwin" + ]; - imports = [ - ./nix - ]; - }; + imports = [ + ./nix + ]; + }; } diff --git a/nix/apps.nix b/nix/apps.nix index 1762888..06b3084 100644 --- a/nix/apps.nix +++ b/nix/apps.nix @@ -2,51 +2,55 @@ # # SPDX-License-Identifier: Apache-2.0 { - perSystem = {self', ...}: { - apps = let - inherit (self'.packages) sbomnix; - in { - # nix run .#repology_cli - repology_cli = { - type = "app"; - program = "${sbomnix}/bin/repology_cli"; - }; + perSystem = + { self', ... }: + { + apps = + let + inherit (self'.packages) sbomnix; + in + { + # nix run .#repology_cli + repology_cli = { + type = "app"; + program = "${sbomnix}/bin/repology_cli"; + }; - # nix run .#repology_cve - repology_cve = { - type = "app"; - program = "${sbomnix}/bin/repology_cve"; - }; + # nix run .#repology_cve + repology_cve = { + type = "app"; + program = "${sbomnix}/bin/repology_cve"; + }; - # nix run .#nix_outdated - nix_outdated = { - type = "app"; - program = "${sbomnix}/bin/nix_outdated"; - }; + # nix run .#nix_outdated + nix_outdated = { + type = "app"; + program = "${sbomnix}/bin/nix_outdated"; + }; - # nix run .#nixgraph - nixgraph = { - type = "app"; - program = "${sbomnix}/bin/nixgraph"; - }; + # nix run .#nixgraph + nixgraph = { + type = "app"; + program = "${sbomnix}/bin/nixgraph"; + }; - # nix run .#nixmeta - nixmeta = { - type = "app"; - program = "${sbomnix}/bin/nixmeta"; - }; + # nix run .#nixmeta + nixmeta = { + type = "app"; + program = "${sbomnix}/bin/nixmeta"; + }; - # nix run .#vulnxscan - vulnxscan = { - type = "app"; - program = "${sbomnix}/bin/vulnxscan"; - }; + # nix run .#vulnxscan + vulnxscan = { + type = "app"; + program = "${sbomnix}/bin/vulnxscan"; + }; - # nix run .#provenance - provenance = { - type = "app"; - program = "${sbomnix}/bin/provenance"; - }; + # nix run .#provenance + provenance = { + type = "app"; + program = "${sbomnix}/bin/provenance"; + }; + }; }; - }; } diff --git a/nix/checks.nix b/nix/checks.nix index 2f628ab..b5b877f 100644 --- a/nix/checks.nix +++ b/nix/checks.nix @@ -5,49 +5,58 @@ lib, self, ... -}: { - perSystem = { - self', - pkgs, - ... - }: { - checks = - { - # checks that copyright headers are compliant - # todo this could be moved into a shared flake - reuse = - pkgs.runCommandLocal "reuse-lint" { - nativeBuildInputs = [pkgs.reuse]; - } '' - cd ${self.outPath} - reuse lint - touch $out - ''; - pycodestyle = - pkgs.runCommandLocal "pycodestyle" { - nativeBuildInputs = [pkgs.python3.pkgs.pycodestyle]; - } '' - cd ${self.outPath} - pycodestyle --max-line-length 90 $(find . -name "*.py") - touch $out - ''; - pylint = - pkgs.runCommandLocal "pylint" { - nativeBuildInputs = [self'.devShells.default.nativeBuildInputs]; - } '' - cd ${self.outPath} - export HOME=/tmp - pylint \ - $(find . -name "*.py") \ - --reports n \ - --enable=useless-suppression \ - --fail-on=useless-suppression \ - --disable=duplicate-code - touch $out - ''; - } - // - # Force a build of all packages during a `nix flake check` - (with lib; mapAttrs' (n: nameValuePair "package-${n}") self'.packages); - }; +}: +{ + perSystem = + { + self', + pkgs, + ... + }: + { + checks = + { + # checks that copyright headers are compliant + # todo this could be moved into a shared flake + reuse = + pkgs.runCommandLocal "reuse-lint" + { + nativeBuildInputs = [ pkgs.reuse ]; + } + '' + cd ${self.outPath} + reuse lint + touch $out + ''; + pycodestyle = + pkgs.runCommandLocal "pycodestyle" + { + nativeBuildInputs = [ pkgs.python3.pkgs.pycodestyle ]; + } + '' + cd ${self.outPath} + pycodestyle --max-line-length 90 $(find . -name "*.py") + touch $out + ''; + pylint = + pkgs.runCommandLocal "pylint" + { + nativeBuildInputs = [ self'.devShells.default.nativeBuildInputs ]; + } + '' + cd ${self.outPath} + export HOME=/tmp + pylint \ + $(find . -name "*.py") \ + --reports n \ + --enable=useless-suppression \ + --fail-on=useless-suppression \ + --disable=duplicate-code + touch $out + ''; + } + // + # Force a build of all packages during a `nix flake check` + (with lib; mapAttrs' (n: nameValuePair "package-${n}") self'.packages); + }; } diff --git a/nix/devshell.nix b/nix/devshell.nix index e4dc6c8..90ecd73 100644 --- a/nix/devshell.nix +++ b/nix/devshell.nix @@ -2,30 +2,32 @@ # # SPDX-License-Identifier: Apache-2.0 { - perSystem = { - pkgs, - self', - ... - }: { - devShells.default = pkgs.mkShell rec { - name = "sbomnix-devshell"; - packages = with self'.packages; [ - pkgs.python3.pkgs.pylint # for running pylint manually in devshell - pkgs.black # for running black manually in devshell - pkgs.isort # for running isort manually in devshell - sbomnix.propagatedBuildInputs - sbomnix.nativeBuildInputs - ]; - # Add the repo root to PYTHONPATH, so invoking entrypoints (and them being - # able to find the python packages in the repo) becomes possible. - # `pytest.ini` already sets this for invoking `pytest` - # (cascading down to the processes it spawns), but this is for the developer - # invoking entrypoints from inside the devshell. - shellHook = '' - export PYTHONPATH="$PYTHONPATH:$(pwd)/src" - # https://github.com/NixOS/nix/issues/1009: - export TMPDIR="/tmp" - ''; + perSystem = + { + pkgs, + self', + ... + }: + { + devShells.default = pkgs.mkShell rec { + name = "sbomnix-devshell"; + packages = with self'.packages; [ + pkgs.python3.pkgs.pylint # for running pylint manually in devshell + pkgs.black # for running black manually in devshell + pkgs.isort # for running isort manually in devshell + sbomnix.propagatedBuildInputs + sbomnix.nativeBuildInputs + ]; + # Add the repo root to PYTHONPATH, so invoking entrypoints (and them being + # able to find the python packages in the repo) becomes possible. + # `pytest.ini` already sets this for invoking `pytest` + # (cascading down to the processes it spawns), but this is for the developer + # invoking entrypoints from inside the devshell. + shellHook = '' + export PYTHONPATH="$PYTHONPATH:$(pwd)/src" + # https://github.com/NixOS/nix/issues/1009: + export TMPDIR="/tmp" + ''; + }; }; - }; } diff --git a/nix/packages.nix b/nix/packages.nix index 30a3a21..ab754f8 100644 --- a/nix/packages.nix +++ b/nix/packages.nix @@ -2,62 +2,66 @@ # # SPDX-License-Identifier: Apache-2.0 { - perSystem = { - pkgs, - lib, - ... - }: let - pp = pkgs.python3Packages; - prefix_path = with pkgs; [ - git - graphviz - grype - nix - nix-visualize - vulnix - ]; - in { - packages = rec { - default = sbomnix; + perSystem = + { + pkgs, + lib, + ... + }: + let + pp = pkgs.python3Packages; + prefix_path = with pkgs; [ + git + graphviz + grype + nix + nix-visualize + vulnix + ]; + in + { + packages = rec { + default = sbomnix; - sbomnix = pp.buildPythonPackage rec { - pname = "sbomnix"; - version = pkgs.lib.removeSuffix "\n" (builtins.readFile ../VERSION); - format = "setuptools"; + sbomnix = pp.buildPythonPackage rec { + pname = "sbomnix"; + version = pkgs.lib.removeSuffix "\n" (builtins.readFile ../VERSION); + format = "setuptools"; - src = lib.cleanSource ../.; + src = lib.cleanSource ../.; - nativeCheckInputs = with pp; - [ - jsonschema - pytest - ] - ++ prefix_path; + nativeCheckInputs = + with pp; + [ + jsonschema + pytest + ] + ++ prefix_path; - propagatedBuildInputs = with pp; [ - beautifulsoup4 - colorlog - dfdiskcache - filelock - graphviz - numpy - packageurl-python - packaging - pandas - pyrate-limiter - reuse - requests - requests-cache - requests-ratelimiter - tabulate - ]; + propagatedBuildInputs = with pp; [ + beautifulsoup4 + colorlog + dfdiskcache + filelock + graphviz + numpy + packageurl-python + packaging + pandas + pyrate-limiter + reuse + requests + requests-cache + requests-ratelimiter + tabulate + ]; - pythonImportsCheck = ["sbomnix"]; + pythonImportsCheck = [ "sbomnix" ]; - makeWrapperArgs = [ - "--prefix PATH : ${lib.makeBinPath prefix_path}" - ]; + makeWrapperArgs = [ + "--prefix PATH : ${lib.makeBinPath prefix_path}" + ]; + }; }; }; - }; } diff --git a/nix/treefmt.nix b/nix/treefmt.nix index 867c48c..7204de1 100644 --- a/nix/treefmt.nix +++ b/nix/treefmt.nix @@ -1,32 +1,35 @@ # SPDX-FileCopyrightText: 2023 Technology Innovation Institute (TII) # # SPDX-License-Identifier: Apache-2.0 -{inputs, ...}: { +{ inputs, ... }: +{ imports = with inputs; [ flake-root.flakeModule treefmt-nix.flakeModule ]; - perSystem = { - config, - pkgs, - ... - }: { - treefmt.config = { - package = pkgs.treefmt; - inherit (config.flake-root) projectRootFile; + perSystem = + { + config, + pkgs, + ... + }: + { + treefmt.config = { + package = pkgs.treefmt; + inherit (config.flake-root) projectRootFile; - programs = { - black.enable = true; # lints python https://github.com/psf/black - deadnix.enable = true; # removes dead nix code https://github.com/astro/deadnix - isort.enable = true; # sort python imports https://github.com/PyCQA/isort - shellcheck.enable = true; # lints shell scripts https://github.com/koalaman/shellcheck - nixfmt.enable = true; # nix formatter https://github.com/NixOS/nixfmt - nixfmt.package = pkgs.nixfmt-rfc-style; # rfc-166 formatting conform version - statix.enable = true; # prevents use of nix anti-patterns https://github.com/nerdypepper/statix + programs = { + black.enable = true; # lints python https://github.com/psf/black + deadnix.enable = true; # removes dead nix code https://github.com/astro/deadnix + isort.enable = true; # sort python imports https://github.com/PyCQA/isort + shellcheck.enable = true; # lints shell scripts https://github.com/koalaman/shellcheck + nixfmt.enable = true; # nix formatter https://github.com/NixOS/nixfmt + nixfmt.package = pkgs.nixfmt-rfc-style; # rfc-166 formatting conform version + statix.enable = true; # prevents use of nix anti-patterns https://github.com/nerdypepper/statix + }; }; - }; - # configures treefmt as the program to use when invoke `nix fmt` - formatter = config.treefmt.build.wrapper; - }; + # configures treefmt as the program to use when invoke `nix fmt` + formatter = config.treefmt.build.wrapper; + }; } diff --git a/shell.nix b/shell.nix index 867a3e3..e5368b1 100644 --- a/shell.nix +++ b/shell.nix @@ -5,10 +5,18 @@ # This file originates from: # https://github.com/nix-community/flake-compat # This file provides backward compatibility to nix < 2.4 clients -{system ? builtins.currentSystem}: let +{ + system ? builtins.currentSystem, +}: +let lock = builtins.fromJSON (builtins.readFile ./flake.lock); - inherit (lock.nodes.flake-compat.locked) owner repo rev narHash; + inherit (lock.nodes.flake-compat.locked) + owner + repo + rev + narHash + ; flake-compat = fetchTarball { url = "https://github.com/${owner}/${repo}/archive/${rev}.tar.gz"; @@ -20,4 +28,4 @@ src = ./.; }; in - flake.shellNix +flake.shellNix