Nix CycloneDX Software Bills of Materials (SBOMs)
nikstur/bombon
Automagically build CycloneDX Software Bills of Materials (SBOMs) for Nix packages!
Bombon generates CycloneDX v1.5 SBOMs which aim to be compliant with:
- The German Technical Guideline TR-03183 v2.0.0 of the Federal Office for Information Security (BSI)
- The US Executive Order 14028
If you find that they aren't compliant in any way, please open an issue!
With Flakes, initialize a new flake from the bombon template:

```sh
nix flake init -t github:nikstur/bombon
```

Or manually copy this to `flake.nix` in your repository:

```nix
# file: flake.nix
{
  inputs = {
    nixpkgs.url = "github:NixOS/nixpkgs/nixpkgs-unstable";
    bombon.url = "github:nikstur/bombon";
    bombon.inputs.nixpkgs.follows = "nixpkgs";
  };

  outputs = { self, nixpkgs, bombon }:
    let
      system = "x86_64-linux";
      pkgs = import nixpkgs { inherit system; };
    in
    {
      packages.${system}.default = bombon.lib.${system}.buildBom pkgs.hello { };
    };
}
```
With niv, add bombon as a source:

```sh
niv init
niv add nikstur/bombon
```

Then build the SBOM from `default.nix`:

```nix
# file: default.nix
let
  sources = import ./nix/sources.nix { };
  pkgs = import sources.nixpkgs { };
  bombon = import sources.bombon { inherit pkgs; };
in
bombon.buildBom pkgs.hello { }
```
Some language ecosystems in Nixpkgs (most notably Rust and Go) vendor dependencies. This means that not every dependency is its own derivation and thus bombon cannot record their information as it does with "normal" Nix dependencies. However, bombon can automatically read SBOMs generated by other tools (like `cargo-cyclonedx`) for the vendored dependencies from a passthru derivation called `bombonVendoredSbom`.
You can use the `passthruVendoredSbom.rust` function to add the `bombonVendoredSbom` passthru derivation to a Rust package:

```nix
myPackageWithSbom = bombon.passthruVendoredSbom.rust myPackage { inherit pkgs; };
```

Or using Flakes:

```nix
myPackageWithSbom = bombon.lib.${system}.passthruVendoredSbom.rust myPackage { inherit pkgs; };
```
An SBOM built from this new derivation will now include the vendored dependencies.
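Putting the pieces together, the following flake is an added example (not part of bombon's own documentation) that builds a Rust crate with nixpkgs' `buildRustPackage`, attaches the vendored SBOM with `passthruVendoredSbom.rust`, and exposes both the package and its `buildBom` output as flake packages. The crate name, version, and the presence of a `Cargo.lock` at the flake root are assumptions.

```nix
# file: flake.nix (added example; assumes a Rust crate with Cargo.lock at the flake root)
{
  inputs = {
    nixpkgs.url = "github:NixOS/nixpkgs/nixpkgs-unstable";
    bombon.url = "github:nikstur/bombon";
    bombon.inputs.nixpkgs.follows = "nixpkgs";
  };

  outputs = { self, nixpkgs, bombon }:
    let
      system = "x86_64-linux";
      pkgs = import nixpkgs { inherit system; };
      bombonLib = bombon.lib.${system};

      # Hypothetical crate; pname/version are placeholders for this example.
      # buildRustPackage vendors the crates listed in Cargo.lock, so they are
      # not separate Nix derivations and would be invisible to buildBom alone.
      myCrate = pkgs.rustPlatform.buildRustPackage {
        pname = "my-crate";
        version = "0.1.0";
        src = ./.;
        cargoLock.lockFile = ./Cargo.lock;
      };

      # Attach the bombonVendoredSbom passthru so buildBom can merge the
      # crate-level SBOM into the final document.
      myCrateWithSbom = bombonLib.passthruVendoredSbom.rust myCrate {
        inherit pkgs;
        includeBuildtimeDependencies = true;
      };
    in
    {
      packages.${system} = {
        default = myCrateWithSbom;
        # `nix build .#sbom` yields the CycloneDX document covering the
        # runtime and buildtime Nix closure plus the vendored crates.
        sbom = bombonLib.buildBom myCrateWithSbom {
          includeBuildtimeDependencies = true;
        };
      };
    };
}
```

Building `.#sbom` rather than `.#default` is the point: the SBOM is a separate derivation, so it can be produced in CI without rebuilding or modifying the shipped package. Pass `includeBuildtimeDependencies = true` to both calls if you want the compiler toolchain and build inputs recorded alongside the runtime closure.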
`buildBom` accepts options as an attribute set. All attributes are optional:

- `extraPaths`: a list of store paths to also consider for the SBOM. This is useful when you build images that discard their references (e.g. with `unsafeDiscardReferences`) but you still want their contents to appear in the SBOM. The `extraPaths` will appear as components of the main derivation.
- `includeBuildtimeDependencies`: boolean flag to include buildtime dependencies in the output.
- `excludes`: a list of regex patterns of store paths to exclude from the final SBOM.
Example:
```nix
bombon.lib.${system}.buildBom pkgs.hello {
  extraPaths = [ pkgs.git ];
  includeBuildtimeDependencies = true;
  excludes = [ "service" ];
}
```
`passthruVendoredSbom.rust` also accepts `includeBuildtimeDependencies` as an optional attribute.

Example:

```nix
myPackageWithSbom = bombon.passthruVendoredSbom.rust myPackage {
  inherit pkgs;
  includeBuildtimeDependencies = true;
};
```
During development, the Nix REPL is a convenient and quick way to test changes. Start the REPL, loading your local version of nixpkgs:

```sh
nix repl '<nixpkgs>'
```

Inside the REPL, load the bombon flake and build the BOM for a package you are interested in:

```
:l .
:b lib.x86_64-linux.buildBom python3 { }
```

Remember to re-load the bombon flake every time you make changes to any of the source code.
The way dependencies are retrieved using Nix is heavily influenced by this blog article from Nicolas Mattia.