
Include the flake refs / eval time dependencies into the SBOM #121

Open

arianvp opened this issue Aug 27, 2024 · 6 comments


arianvp commented Aug 27, 2024

The SBOM generator is great! But often I want to know "Hey where did all these derivations come from" and for that it would be useful if we would also record the details from the flake lock file in the SBOM so that we can easily link to the nixpkgs commit that built the artefact.

@arianvp arianvp changed the title Include the flake refs into the SBOM Include the flake refs / eval time dependencies into the SBOM Aug 27, 2024
@henrirosten
Collaborator

Hi @arianvp, thanks!
I'm not sure I understand the request. Would it be possible for you to provide a simple example of the output you would like to have, and how one would use that new information to 'link to the nixpkgs commit'?

@jonringer
Contributor

jonringer commented Sep 3, 2024

Disregard below, this is a build vs runtime issue, should probably be its own issue:

I think he's mentioning the fact that sbomnix seems to force a `.drv` into a realised path, then only looks at the realised path (which is pruned of build time dependencies).

I would assume the desired behavior would reflect something like `nix-store -q --requisites`, where passing a `.drv` infers buildtime dependencies as well.

```
[16:16:08] jringer@jringer-5560-nixos ~/projects/nixpkgs (master)
$ nix-store -qR $(nix-build -A hello) | wc -l
5
[16:16:11] jringer@jringer-5560-nixos ~/projects/nixpkgs (master)
$ nix-store -qR $(nix-instantiate -A hello) | wc -l
warning: you did not specify '--add-root'; the result might be removed by the garbage collector
343
```

@jonringer
Contributor

> The SBOM generator is great! But often I want to know "Hey where did all these derivations come from" ... from the flake lock file in the SBOM so that we can easily link to the nixpkgs commit that built the artefact.

Nevermind, missed it the first time.

Looks like the ask is more like, "If I have one or many repos which package additional software, I would like to know where these package expressions are defined, are they from nixpkgs, or some other overlay?"

There are a few (potential) issues here:

- local flakes have an "unpinned" reference to "self", so it's kind of hard to know where packages come from if they're packaged in the same repo.
- could have multiple nixpkgs pins, especially if you reference other flakes
- you could try to use `meta.pos`, but this is hard to do without involving the nix interpreter

@henrirosten
Collaborator

henrirosten commented Sep 4, 2024

@jonringer:

> Disregard below, this is a build vs runtime issue, should probably be its own issue

Most of the tools in this repository support working with `--buildtime` dependencies too, see e.g.: https://github.com/tiiuae/sbomnix?tab=readme-ov-file#generate-sbom-including-buildtime-dependencies

> Looks like the ask is more like, "If I have one or many repos which package additional software, I would like to know where these package expressions are defined, are they from nixpkgs, or some other overlay?"

Right, think I got the request now but unfortunately I also don't see how that could be done.

@jonringer
Contributor

> Right, think I got the request now but unfortunately I also don't see how that could be done.

You may be able to query it with `meta.position`

```
$ nix-instantiate --eval -A hello.meta.position
"/home/jon/projects/nixpkgs/pkgs/by-name/he/hello/package.nix:45"
$ nix eval .#hello.meta.position
warning: Git tree '/home/jon/projects/nixpkgs' is dirty
"/nix/store/jhl3lnj5vclrhnj22iagmnsk8pszdx0z-source/pkgs/by-name/he/hello/package.nix:45"
```

The hard part would be "which repo does this path prefix belong to?"

@arianvp
Author

arianvp commented Sep 4, 2024

We have the narHash of the repo in the flake.lock, that should help, no?
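The two comments above (query `meta.position`, then identify the store-path prefix via the `narHash` that `flake.lock` records for each input) can be combined into one lookup. The script below is an added example written for this thread; it is not part of sbomnix or of any project mentioned here. It assumes that the NAR hash of a flake input's `/nix/store/*-source` path, as printed by `nix hash path --sri`, equals the `narHash` stored in `flake.lock` for that input, and it uses a constructed `flake.lock` with placeholder revs and hashes. The hash function is injectable so the example runs offline; in real use the default shells out to `nix`.

```python
"""Map a nix 'meta.position' value back to the flake input (and commit) it came from.

Added example, not sbomnix code. meta.position gives '<store path>/<file>:<line>';
flake.lock records a narHash per locked input. The store-path prefix is identified
by computing its NAR hash and matching it against the lock file.
"""
import json
import re
import subprocess
from typing import Callable, Dict, Optional, Tuple

# Constructed flake.lock in the real schema; revs and narHashes are placeholders.
# 'pinned-nixpkgs' is a 'follows' entry, so two input names share one locked node.
SAMPLE_FLAKE_LOCK = json.dumps({
    "version": 7,
    "root": "root",
    "nodes": {
        "root": {"inputs": {"nixpkgs": "nixpkgs", "overlay": "overlay",
                            "pinned-nixpkgs": ["nixpkgs"]}},
        "nixpkgs": {
            "locked": {"type": "github", "owner": "NixOS", "repo": "nixpkgs",
                       "rev": "0000000000000000000000000000000000000001",
                       "narHash": "sha256-PLACEHOLDER-NIXPKGS-NARHASH="},
        },
        "overlay": {
            "locked": {"type": "github", "owner": "example", "repo": "overlay",
                       "rev": "0000000000000000000000000000000000000002",
                       "narHash": "sha256-PLACEHOLDER-OVERLAY-NARHASH="},
        },
    },
})

STORE_PREFIX_RE = re.compile(r"^(/nix/store/[^/]+)(/.*)?$")


def locked_inputs(lock_text: str) -> Dict[str, dict]:
    """Return {input name: 'locked' attrs} for the root flake's direct inputs.

    A string in root.inputs names a node directly; a list is a 'follows' path
    that is walked from the root node.
    """
    lock = json.loads(lock_text)
    nodes = lock["nodes"]
    root = nodes[lock["root"]]

    def walk(ref):
        if isinstance(ref, str):
            return nodes[ref]
        node = root
        for step in ref:
            node = walk(node["inputs"][step])
        return node

    out = {}
    for name, ref in root.get("inputs", {}).items():
        node = walk(ref)
        if "locked" in node:
            out[name] = node["locked"]
    return out


def split_position(position: str) -> Tuple[Optional[str], str, int]:
    """Split '<path>:<line>' into (store prefix or None, path relative to it, line)."""
    path, sep, line = position.strip().strip('"').rpartition(":")
    if not sep or not line.isdigit():
        raise ValueError(f"not a meta.position value: {position!r}")
    m = STORE_PREFIX_RE.match(path)
    if m is None:  # e.g. a local checkout under $HOME, not a store path
        return None, path, int(line)
    return m.group(1), (m.group(2) or "").lstrip("/"), int(line)


def nix_nar_hash(store_path: str) -> str:
    """SRI NAR hash of a store path via `nix hash path --sri` (assumes a working nix)."""
    proc = subprocess.run(["nix", "hash", "path", "--sri", store_path],
                          check=True, capture_output=True, text=True)
    return proc.stdout.strip()


def source_url(locked: dict, rel_path: str, line: int) -> Optional[str]:
    """Permalink to the file at the locked commit; only GitHub inputs are handled."""
    if locked.get("type") != "github":
        return None
    return (f"https://github.com/{locked['owner']}/{locked['repo']}"
            f"/blob/{locked['rev']}/{rel_path}#L{line}")


def resolve_position(position: str, lock_text: str,
                     nar_hash: Callable[[str], str] = nix_nar_hash) -> dict:
    """Build an SBOM-style provenance record for one meta.position value.

    Every input whose narHash matches is listed (several names can share a pin);
    rev and url come from the first match.
    """
    prefix, rel_path, line = split_position(position)
    record = {"file": rel_path, "line": line, "store_prefix": prefix,
              "inputs": [], "rev": None, "url": None}
    if prefix is None:
        return record  # local checkout: nothing in flake.lock describes it
    digest = nar_hash(prefix)
    for name, locked in locked_inputs(lock_text).items():
        if locked.get("narHash") == digest:
            record["inputs"].append(name)
            if record["rev"] is None:
                record["rev"] = locked.get("rev")
                record["url"] = source_url(locked, rel_path, line)
    return record


if __name__ == "__main__":
    # Offline demo: pretend the store path's NAR hash equals the nixpkgs input's narHash.
    fake_hashes = {"/nix/store/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-source":
                   "sha256-PLACEHOLDER-NIXPKGS-NARHASH="}
    pos = '"/nix/store/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-source/pkgs/by-name/he/hello/package.nix:45"'
    print(json.dumps(resolve_position(pos, SAMPLE_FLAKE_LOCK,
                                      nar_hash=lambda p: fake_hashes.get(p, "")), indent=2))
```

The record for a position under `/home/...` (the first `nix-instantiate --eval` form above) comes back with no store prefix and no inputs, which is the "unpinned self" case from earlier in the thread: a path that `flake.lock` simply does not describe. A store path whose hash matches no input is reported the same way, so the output distinguishes "locally defined" from "from input X at rev Y" without involving the nix interpreter beyond one `nix hash path` call.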
