nikstur / bombon Goto Github PK

Failing build at 9bf3e29. Not using any follows but if I do so (for nixpkgs-unstable) the issue persists. Works ok against nixos-22.11.

$ nix build .#sbom-nash-api
warning: Git tree '/home/freddy/code/nash/backend' is dirty
error: builder for '/nix/store/kghq8y61l8bhbhqi753w9rfrnyfyjc38-rustfmt-preview-1.64.0-x86_64-unknown-linux-gnu.drv' failed with exit code 1;
       last 10 log lines:
       > searching for dependencies of /nix/store/jxl86ppjyh79bq7l3max3gh3243h7ikr-rustfmt-preview-1.64.0-x86_64-unknown-linux-gnu/bin/cargo-fmt
       >     libgcc_s.so.1 -> not found!
       > auto-patchelf: 2 dependencies could not be satisfied
       > error: auto-patchelf could not satisfy dependency libgcc_s.so.1 wanted by /nix/store/jxl86ppjyh79bq7l3max3gh3243h7ikr-rustfmt-preview-1.64.0-x86_64-unknown-linux-gnu/bin/rustfmt
       > error: auto-patchelf could not satisfy dependency libgcc_s.so.1 wanted by /nix/store/jxl86ppjyh79bq7l3max3gh3243h7ikr-rustfmt-preview-1.64.0-x86_64-unknown-linux-gnu/bin/cargo-fmt
       > auto-patchelf failed to find all the required dependencies.
       > Add the missing dependencies to --libs or use `--ignore-missing="foo.so.1 bar.so etc.so"`.
       > /nix/store/aa283g93zqf3111m66kawl6d5z3wlawd-stdenv-linux/setup: line 79: pop_var_context: head of shell_variables not a function context
       > /nix/store/aa283g93zqf3111m66kawl6d5z3wlawd-stdenv-linux/setup: line 1457: pop_var_context: head of shell_variables not a function context
       > /nix/store/aa283g93zqf3111m66kawl6d5z3wlawd-stdenv-linux/setup: line 1594: pop_var_context: head of shell_variables not a function context
       For full logs, run 'nix log /nix/store/kghq8y61l8bhbhqi753w9rfrnyfyjc38-rustfmt-preview-1.64.0-x86_64-unknown-linux-gnu.drv'.
error: 1 dependencies of derivation '/nix/store/g004xzj1jynbrp1h5q2i2277df47k9fn-rust-default-1.64.0.drv' failed to build
error: 1 dependencies of derivation '/nix/store/1y0dbbv984rfwi5hsr8i2k5hl0ycp9pl-bombon-transformer-0.1.0.drv' failed to build

Hello,

I'm exploring SBOM generation with Nix, using this tool. I've encountered an issue where patches specified in the Nix flake do not appear in the generated SBOM. Below is a flake example demonstrating the issue. This flake aims to generate an SBOM that should include at least two patches; however, these patches are missing from the final SBOM file.

{
  inputs = {
    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
    systems.url = "github:nix-systems/default";
    bombon.url = "github:nikstur/bombon";
  };

  outputs = inputs@{ self, flake-parts, systems, ... }: flake-parts.lib.mkFlake { inherit inputs; } {
    systems = import systems;

    perSystem = { config, self', inputs', pkgs, system, lib, ... }: {
      packages = let
        contents = [
          (pkgs.php82.overrideAttrs (oldAttrs: {
            patches = oldAttrs.patches ++ [
              (pkgs.fetchurl {
                url = "https://gist.githubusercontent.com/drupol/f7b9bbe134338e0ce5e2fdac7bf6de0b/raw/e32f364d7e9f5793a8bd874af84ee609368d0bf0/php-ec.patch";
                hash = "sha256-rbuihwDMZOzlrGgBrDs9eY8God2B09jpeXZF43zYlN8=";
              })
            ];
          }))
          pkgs.php82.packages.composer
        ];
      in {
        sbom = inputs.bombon.lib.${system}.buildBom (pkgs.symlinkJoin { name = "sbom"; paths = contents; }) { };
      };
    };
  };
}

To reproduce this issue, execute nix build .#sbom (note: PHP compilation may take 5 to 10 minutes). For convenience, I have already generated the SBOM, which you can download here: sbom.json.

Interestingly, when I add the flag includeBuildtimeDependencies = true;, the patches appear in the SBOM. The updated SBOM can be downloaded here: sbom.json.

Taking Composer as an example, the current version of Nixpkgs applies a patch for CVE-2024-24821, which can be found at this link. This patch is included in the SBOM as follows:

{
  "type": "application",
  "bom-ref": "urn:uuid:ef7eaa20-7a20-4001-84de-a673a369c681",
  "name": "CVE-2024-24821.patch",
  "version": "",
  "purl": "pkg:nix/CVE-2024-24821.patch@"
}

However, the SBOM does not clearly indicate that the patch is associated with Composer.

I have two questions:

1. Is it expected behavior for patches not to appear in the SBOM when build dependencies are not included?
2. How can we enhance the representation of patches in the SBOM when including buildtime dependencies to clearly indicate their association with specific derivations?

This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.

This repository currently has no open or pending branches.

Detected dependencies

• Check this box to trigger a request for Renovate to run again on this repository

Looks like the runtime inputs are expected to be json but are newline separated filepaths:

And here they are expected to be json:

Edit: Maybe those two things are just misleading comments and include-buildtime-dependencies just excludes runtime dependencies?

Edit 2: Actually it seems like the runtime dependencies are just never used?

Edit 3: Do I simply not understand how this works?

the issue is as follows:

• for the build time dependencies we want to look up meta/ pname/ ... to find information about our packages
• for this we must be at the nix level, i.e. with access to the attrset that mkDerivation builds
• at this point we know the drvPath so we can query the dependencies
• these dependencies don't necessarily have to be available in the nix level, reason: string contexts; simple example:

pkgs.callPackage ./buildtime-dependencies.nix {} (
  pkgs.runCommand "foo" {} ''cp -r ${pkgs.hello}/bin $out''
)

this package clearly depends on pkgs.hello but bombon doesn't recognize that.

I have not found a solution but a very sad one:

• build meta for all of the packages that might be included; the user would pass a list of package sets and dependencies to build a meta "database" keyed by the drvPath of the derivation
• build the dependency tree of some package separately
• query the "database" against the drvPaths.