Flake update

.envrc

@@ -1,3 +1,4 @@
+#! /usr/bin/env bash
 # SPDX-FileCopyrightText: 2023 Technology Innovation Institute (TII)
 #
 # SPDX-License-Identifier: Apache-2.0

.github/workflows/check-commit-message.yaml

@@ -15,7 +15,7 @@ jobs:
   commit-msg:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4.2.0
       - name: Check Commit Message
         env:
           GITHUB_CONTEXT: ${{ toJson(github) }}

.github/workflows/release_sbomnix.yml

@@ -11,14 +11,14 @@ on:
       - 'v*'
 
 jobs:
-  build: 
+  build:
     name: Upload Release Asset
     runs-on: ubuntu-latest
     permissions:
       contents: write
     steps:
-      - uses: actions/checkout@v3
-      - uses: cachix/install-nix-action@v22
+      - uses: actions/checkout@v4.2.0
+      - uses: cachix/install-nix-action@v30
         with:
           nix_path: nixpkgs=channel:nixpkgs-unstable
       - name: Build release asset

.github/workflows/test_sbomnix.yml

@@ -2,7 +2,7 @@
 #
 # SPDX-License-Identifier: Apache-2.0
 
-name: Test sbomnix 
+name: Test sbomnix
 
 on:
   push:
@@ -16,11 +16,13 @@ jobs:
   tests:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
-      - uses: cachix/install-nix-action@v22
+      - uses: actions/checkout@v4.2.0
+      - uses: cachix/install-nix-action@v30
         with:
           nix_path: nixpkgs=channel:nixpkgs-unstable
-      - name: Make sure nix-build works
+      - name: Ensure nix-build works
         run: nix-build '<nixpkgs>' -A hello
+      - name: Print nix version
+        run: nix --version
       - name: Run sbomnix CI tests
         run: nix develop --command make test-ci

doc/vulnxscan.md

@@ -376,5 +376,4 @@ For now, consider `vulnxscan` as a demonstration. Some improvement ideas are lis
  - Nix ecosystem is not supported in OSV: the way `osv.py` makes use of OSV data for Nix targets -- as explained in section [Nix and OSV vulnerability database](#nix-and-osv-vulnerability-database) -- makes the reported OSV vulnerabilities include false positives.
 
 ### Other Future Work
-- [vulnxscan](../src/vulnxscan/vulnxscan_cli.py) uses vulnix from a [forked repository](https://github.com/henrirosten/vulnix), to include vulnix support for [scanning runtime-only dependencies](https://github.com/nix-community/vulnix/compare/master...henrirosten:vulnix:master).
 - [vulnxscan](../src//vulnxscan/vulnxscan_cli.py) could include more scanners in addition to [vulnix](https://github.com/nix-community/vulnix), [grype](https://github.com/anchore/grype), and [osv.py](../src/vulnxscan/osv.py). Suggestions for other open-source scanners, especially those that can digest CycloneDX or SPDX SBOMs are welcome. Consider e.g. [bombon](https://github.com/nikstur/bombon) and [cve-bin-tool](https://github.com/intel/cve-bin-tool). Adding cve-bin-tool to vulnxscan was [demonstrated](https://github.com/tiiuae/sbomnix/pull/75) earlier, but not merged due to reasons explained in the [PR](https://github.com/tiiuae/sbomnix/pull/75#issuecomment-1670958503).

flake.nix

@@ -17,14 +17,6 @@
       url = "github:nix-community/flake-compat";
       flake = false;
     };
-    nix-visualize = {
-      url = "github:craigmbooth/nix-visualize";
-      flake = false;
-    };
-    vulnix = {
-      url = "github:henrirosten/vulnix";
-      flake = false;
-    };
   };
 
   outputs = inputs @ {flake-parts, ...}:

nix/devshell.nix

@@ -22,13 +22,13 @@
           grype
           gzip
           nix
+          nix-visualize
           pylint
           reuse
+          vulnix
         ])
         ++ (with self'.packages; [
-          nix-visualize
           python # that python with all sbomnix [dev-]dependencies
-          vulnix
         ]);
 
       # Add the repo root to PYTHONPATH, so invoking entrypoints (and them being