Include the flake refs / eval time dependencies into the SBOM

[arianvp]

The SBOM generator is great! But often I want to know "Hey where did all these derivations come from" and for that it would be useful if we would also record the details from the flake lock file in the SBOM so that we can easily link to the nixpkgs commit that built the artefact.

[henrirosten]

Hi @arianvp, thanks!
I'm not sure I understand the request. Would it be possible you provided a simple example of the output you would like to have, and how one would use that new information to 'link to the nixpkgs commit'?

[jonringer]

Disregard below, this is a build vs runtime issue, should probably be it's own issue:

I think he's mentioning the fact that sbomnix seems to force a .drv into a realised path, then only looks at the realised path (which is pruned of build time dependencies).

I would assume the desired behavior would reflect something like nix-store -q --requisites, where passing a .drv infers buildtime dependencies as well.

[16:16:08] jringer@jringer-5560-nixos ~/projects/nixpkgs (master)
$ nix-store -qR $(nix-build -A hello) | wc -l
5
[16:16:11] jringer@jringer-5560-nixos ~/projects/nixpkgs (master)
$ nix-store -qR $(nix-instantiate -A hello) | wc -l
warning: you did not specify '--add-root'; the result might be removed by the garbage collector
343

[jonringer]

The SBOM generator is great! But often I want to know "Hey where did all these derivations come from" ... from the flake lock file in the SBOM so that we can easily link to the nixpkgs commit that built the artefact.

Nevermind, missed it the first time.

Looks like the ask is more like, "If I have one or many repos which package additional software, I would like to know where these package expressions are defined, are they from nixpkgs, or some other overlay?"

There's a few (potential) issues here:

• local flake's have an "unpinned" reference to "self", so it's kind of hard to know where packages come from if it's package in the same repo.
• could have multiple nixpkgs pins, especially if you reference other flakes
• you could try to use meta.pos, but this hard to do without involving the nix interpreter

[henrirosten]

@jonringer:

Disregard below, this is a build vs runtime issue, should probably be it's own issue

Most of the tools in this repository support working with --buildtime dependencies too, see e.g.: https://github.com/tiiuae/sbomnix?tab=readme-ov-file#generate-sbom-including-buildtime-dependencies

Looks like the ask is more like, "If I have one or many repos which package additional software, I would like to know where these package expressions are defined, are they from nixpkgs, or some other overlay?"

Right, think I got the request now but unfortunately I also don't see how that could be done.

[jonringer]

Right, think I got the request now but unfortunately I also don't see how that could be done.

You may be able to query it with meta.position

$ nix-instantiate --eval -A hello.meta.position
"/home/jon/projects/nixpkgs/pkgs/by-name/he/hello/package.nix:45"
$ nix eval .#hello.meta.position
warning: Git tree '/home/jon/projects/nixpkgs' is dirty
"/nix/store/jhl3lnj5vclrhnj22iagmnsk8pszdx0z-source/pkgs/by-name/he/hello/package.nix:45"

The hard part would be "which repo does this path prefix belong to?"

[arianvp]

We have the narhash of the repo in the flake.lock that should help no?

[arianvp]

NixOS/nix#11749 seems related too

[jonringer]

We have the narhash of the repo in the flake.lock that should help no?

lossy reconstruction is usually a losing game.

NixOS/nix#11749 seems related too

this looks more promising :)

[arianvp]

But honestly just as a start just augmenting the sbom with the output of nix flake metadata --json would already solve like 90% of my problems