nikstur / bombon
Nix CycloneDX Software Bills of Materials (SBOMs)
License: MIT License
Failing build at 9bf3e29. Not using any follows, but if I do so (for nixpkgs-unstable) the issue persists. Works ok against nixos-22.11.
$ nix build .#sbom-nash-api
warning: Git tree '/home/freddy/code/nash/backend' is dirty
error: builder for '/nix/store/kghq8y61l8bhbhqi753w9rfrnyfyjc38-rustfmt-preview-1.64.0-x86_64-unknown-linux-gnu.drv' failed with exit code 1;
last 10 log lines:
> searching for dependencies of /nix/store/jxl86ppjyh79bq7l3max3gh3243h7ikr-rustfmt-preview-1.64.0-x86_64-unknown-linux-gnu/bin/cargo-fmt
> libgcc_s.so.1 -> not found!
> auto-patchelf: 2 dependencies could not be satisfied
> error: auto-patchelf could not satisfy dependency libgcc_s.so.1 wanted by /nix/store/jxl86ppjyh79bq7l3max3gh3243h7ikr-rustfmt-preview-1.64.0-x86_64-unknown-linux-gnu/bin/rustfmt
> error: auto-patchelf could not satisfy dependency libgcc_s.so.1 wanted by /nix/store/jxl86ppjyh79bq7l3max3gh3243h7ikr-rustfmt-preview-1.64.0-x86_64-unknown-linux-gnu/bin/cargo-fmt
> auto-patchelf failed to find all the required dependencies.
> Add the missing dependencies to --libs or use `--ignore-missing="foo.so.1 bar.so etc.so"`.
> /nix/store/aa283g93zqf3111m66kawl6d5z3wlawd-stdenv-linux/setup: line 79: pop_var_context: head of shell_variables not a function context
> /nix/store/aa283g93zqf3111m66kawl6d5z3wlawd-stdenv-linux/setup: line 1457: pop_var_context: head of shell_variables not a function context
> /nix/store/aa283g93zqf3111m66kawl6d5z3wlawd-stdenv-linux/setup: line 1594: pop_var_context: head of shell_variables not a function context
For full logs, run 'nix log /nix/store/kghq8y61l8bhbhqi753w9rfrnyfyjc38-rustfmt-preview-1.64.0-x86_64-unknown-linux-gnu.drv'.
error: 1 dependencies of derivation '/nix/store/g004xzj1jynbrp1h5q2i2277df47k9fn-rust-default-1.64.0.drv' failed to build
error: 1 dependencies of derivation '/nix/store/1y0dbbv984rfwi5hsr8i2k5hl0ycp9pl-bombon-transformer-0.1.0.drv' failed to build
Hello,
I'm exploring SBOM generation with Nix, using this tool. I've encountered an issue where patches specified in the Nix flake do not appear in the generated SBOM. Below is a flake example demonstrating the issue. This flake aims to generate an SBOM that should include at least two patches; however, these patches are missing from the final SBOM file.
{
  inputs = {
    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
    systems.url = "github:nix-systems/default";
    bombon.url = "github:nikstur/bombon";
    # flake-parts is referenced in `outputs` below but was missing from the inputs;
    # without it the flake does not evaluate
    flake-parts.url = "github:hercules-ci/flake-parts";
  };
  outputs = inputs@{ self, flake-parts, systems, ... }: flake-parts.lib.mkFlake { inherit inputs; } {
    systems = import systems;
    perSystem = { config, self', inputs', pkgs, system, lib, ... }: {
      packages = let
        # php82 with one extra patch on top of the nixpkgs patch list, plus composer
        contents = [
          (pkgs.php82.overrideAttrs (oldAttrs: {
            patches = oldAttrs.patches ++ [
              (pkgs.fetchurl {
                url = "https://gist.githubusercontent.com/drupol/f7b9bbe134338e0ce5e2fdac7bf6de0b/raw/e32f364d7e9f5793a8bd874af84ee609368d0bf0/php-ec.patch";
                hash = "sha256-rbuihwDMZOzlrGgBrDs9eY8God2B09jpeXZF43zYlN8=";
              })
            ];
          }))
          pkgs.php82.packages.composer
        ];
      in {
        # build one SBOM for the joined closure of both packages
        sbom = inputs.bombon.lib.${system}.buildBom (pkgs.symlinkJoin { name = "sbom"; paths = contents; }) { };
      };
    };
  };
}
To reproduce this issue, execute nix build .#sbom (note: PHP compilation may take 5 to 10 minutes). For convenience, I have already generated the SBOM, which you can download here: sbom.json.
Interestingly, when I add the flag includeBuildtimeDependencies = true;, the patches appear in the SBOM. The updated SBOM can be downloaded here: sbom.json.
Taking Composer as an example, the current version of Nixpkgs applies a patch for CVE-2024-24821, which can be found at this link. This patch is included in the SBOM as follows:
{
  "type": "application",
  "bom-ref": "urn:uuid:ef7eaa20-7a20-4001-84de-a673a369c681",
  "name": "CVE-2024-24821.patch",
  "version": "",
  "purl": "pkg:nix/CVE-2024-24821.patch@"
}
However, the SBOM does not clearly indicate that the patch is associated with Composer.
I have two questions:
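As an added example (not bombon's code and not from the issue author), here is a Python check for the situation described above: it lists every .patch component that no other component is recorded as depending on, and then shows how the same association can be expressed with CycloneDX's pedigree.patches field on the parent component. The SBOM it operates on is constructed inline; the composer component and its version are made up, while the patch entry mirrors the one quoted above.

```python
import json
import re

# Constructed CycloneDX 1.4 SBOM (sample data for this example, not the SBOM attached
# to the issue): the patch component mirrors the entry quoted above; the "composer"
# component and its version are made up.
COMPOSER_REF = "urn:uuid:00000000-0000-0000-0000-000000000001"
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.4",
    "components": [
        {"type": "application", "bom-ref": COMPOSER_REF, "name": "composer",
         "version": "2.0.0-sample", "purl": "pkg:nix/composer@2.0.0-sample"},
        {"type": "application", "bom-ref": "urn:uuid:ef7eaa20-7a20-4001-84de-a673a369c681",
         "name": "CVE-2024-24821.patch", "version": "", "purl": "pkg:nix/CVE-2024-24821.patch@"},
    ],
    "dependencies": [{"ref": COMPOSER_REF, "dependsOn": []}],
})
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")

def orphan_patches(sbom_json: str) -> dict:
    """Map each *.patch component to the components whose dependency entry lists it.
    An empty list means the SBOM records the patch but not what it was applied to."""
    sbom = json.loads(sbom_json)
    comps, deps = sbom.get("components", []), sbom.get("dependencies", [])
    name_of = {c.get("bom-ref"): c.get("name", "?") for c in comps}
    return {c["name"]: [name_of.get(d["ref"], d["ref"]) for d in deps
                        if c.get("bom-ref") in d.get("dependsOn", [])]
            for c in comps if c.get("name", "").endswith(".patch")}

def attach_patch_pedigree(sbom_json: str, parent_name: str, patch_name: str) -> str:
    """Return a copy of the SBOM with the patch recorded under the parent's
    pedigree.patches (CycloneDX's field for applied patches), any CVE id in the file
    name listed under "resolves", and the stand-alone patch component removed."""
    sbom = json.loads(sbom_json)
    comps = sbom["components"]
    patch = next(c for c in comps if c.get("name") == patch_name)
    parent = next(c for c in comps if c.get("name") == parent_name)
    entry = {"type": "unofficial",
             "resolves": [{"type": "security", "id": cve} for cve in CVE_RE.findall(patch_name)]}
    parent.setdefault("pedigree", {}).setdefault("patches", []).append(entry)
    sbom["components"] = [c for c in comps if c is not patch]
    for d in sbom.get("dependencies", []):  # drop dangling references to the removed ref
        d["dependsOn"] = [r for r in d.get("dependsOn", []) if r != patch.get("bom-ref")]
    return json.dumps(sbom, indent=2)

def resolved_cves(sbom_json: str, name: str) -> list:
    """CVE ids that a component's pedigree says were patched."""
    comp = next(c for c in json.loads(sbom_json)["components"] if c.get("name") == name)
    return [i["id"] for p in comp.get("pedigree", {}).get("patches", [])
            for i in p.get("resolves", [])]
```

Run orphan_patches over a real bombon output to see which patch components are unattached; with the pedigree form, a scanner can tie the CVE fix to composer instead of seeing an unversioned package named after a CVE.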
This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.
This repository currently has no open or pending branches.
transformer/Cargo.toml
anyhow 1.0.65
cyclonedx-bom 0.3.5
itertools 0.10.5
serde 1.0.145
serde_json 1.0.87
.github/workflows/ci.yml
actions/checkout v3
cachix/install-nix-action v18
Looks like the runtime inputs are expected to be JSON but are newline-separated file paths:
bombon/runtime-dependencies.nix, line 9 in dd57f23
And here they are expected to be JSON:
line 20 in dd57f23
Edit: Maybe those two things are just misleading comments and include-buildtime-dependencies just excludes runtime dependencies?
bombon/transformer/src/transform.rs, line 29 in dd57f23
Edit 2: Actually it seems like the runtime dependencies are just never used?
Edit 3: Do I simply not understand how this works?
The issue is as follows: mkDerivation builds drvPath so we can query the dependencies.
  pkgs.callPackage ./buildtime-dependencies.nix {} (
    pkgs.runCommand "foo" {} ''cp -r ${pkgs.hello}/bin $out''
  )
This package clearly depends on pkgs.hello, but bombon doesn't recognize that.
I have not found a solution but a very sad one: drvPath of the derivation