
Add Nix Cataloger

Open wagoodman opened this issue 2 years ago • 10 comments

It would be ideal to be able to identify and catalog Nix packages.

wagoodman (Jul 15 '21 19:07)

Just a note, I've been taking a look at this problem. Nix derivations, i.e. build definitions generated by the Nix expression language, are just json files containing almost all the info you would expect an SBOM to contain. They just need to be translated into the correct SBOM format.

The key thing that is missing from a derivation and is only included in the actual nix expression code for a package is metadata, e.g. license, maintainer, etc. This can get a little annoying because you need to reverse lookup from a derivation.

mlieberman85 (Aug 27 '21 15:08)

[Two screenshots attached: 2021-12-18 19-47-36 and 2021-12-18 19-52-25, not reproduced here]

Doing a basic nix-store cataloger, since drv files don't get included in the Docker build when you are using dockerTools (which is the more common option for Nix users compared to an in-Docker nix-build).

Edit: still need to fix a few bugs

juliosueiras (Dec 19 '21 00:12)

@juliosueiras that's awesome, shout out if you want an extra helping hand! Up to you if you want to open up a draft PR and swarm on bug squashing or closing the gap on what's left 👍

wagoodman (Feb 03 '22 18:02)

I am also interested in collaborating or lending any support I can in SBOM generation via nix through syft.

nikolaishields (Jul 09 '22 01:07)

Would also be interested in seeing support for Nix :)

ghuntley (Jul 15 '22 11:07)

Hey @nikolaishields! Thanks for the offer.

@juliosueiras did you still have the branch or draft of code from your screenshot above?

If you open a draft I'm sure @nikolaishields and I can take a look, squash bugs and clean it up so we can get it merged. If not, no worries, and we can start getting a Nix cataloger added that follows the same pattern as our other distro catalogers.

spiffcs (Jul 19 '22 19:07)

Sounds good.

juliosueiras (Jul 19 '22 19:07)

Created the draft PR #1107, which is based on the Deb cataloger; there is still the bug of certain entries (the ones that don't have a version) not splitting correctly.

juliosueiras (Jul 19 '22 21:07)

Legend.

ghuntley (Jul 20 '22 01:07)

A quick note: the drv (the JSON file referred to in the earlier comment chain) is something that only exists on the build machine, not in the finished artifact, so if an image is built via the dockerTools family, it will not contain any drvs, only the resulting store entries.

juliosueiras (Jul 20 '22 01:07)
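The two comments above describe the two things a store-based cataloger has to get right: splitting a store entry into name and version without mangling entries that have no version, and ignoring `.drv` files, which never ship in a dockerTools image anyway. The following Go program is an added illustration written for this page; it is not code from syft or from PR #1107, and the type and function names (`NixStoreEntry`, `ParseStorePath`, `SplitNameVersion`, `CatalogStore`) are hypothetical. It applies Nix's own name/version rule (the version starts at the first `-` that is followed by a digit, the rule `parseDrvName` uses) to constructed sample paths under `/nix/store`.

```go
package main

import (
	"fmt"
	"path"
	"regexp"
	"strings"
)

// NixStoreEntry is one parsed store path. Hypothetical type for this
// example; syft's real package metadata types are not used here.
type NixStoreEntry struct {
	Hash    string // 32-char base-32 hash that prefixes every store path name
	Name    string // package name, e.g. "bash-interactive"
	Version string // "" when the entry carries no version (e.g. "user-environment")
	IsDrv   bool   // true for a derivation file (<hash>-<name>.drv)
}

// Nix store hashes use a 32-character base-32 alphabet that omits e, o, t and u.
var storeHashRe = regexp.MustCompile(`^[0-9abcdfghijklmnpqrsvwxyz]{32}$`)

// SplitNameVersion applies the rule Nix itself uses: the version begins at the
// first '-' that is immediately followed by a digit. Names containing dashes
// ("bash-interactive") survive, and entries without a version get Version == ""
// instead of being split at an arbitrary dash.
func SplitNameVersion(s string) (name, version string) {
	for i := 0; i+1 < len(s); i++ {
		if s[i] == '-' && s[i+1] >= '0' && s[i+1] <= '9' {
			return s[:i], s[i+1:]
		}
	}
	return s, ""
}

// ParseStorePath parses /nix/store/<hash>-<name>[-<version>][.drv].
// Anything whose basename does not start with a valid store hash is rejected,
// so stray files under the store directory are not reported as packages.
func ParseStorePath(p string) (NixStoreEntry, error) {
	base := path.Base(p)
	dash := strings.IndexByte(base, '-')
	if dash != 32 || !storeHashRe.MatchString(base[:dash]) {
		return NixStoreEntry{}, fmt.Errorf("not a nix store path: %q", p)
	}
	e := NixStoreEntry{Hash: base[:dash]}
	rest := base[dash+1:]
	if strings.HasSuffix(rest, ".drv") {
		e.IsDrv = true
		rest = strings.TrimSuffix(rest, ".drv")
	}
	e.Name, e.Version = SplitNameVersion(rest)
	return e, nil
}

// CatalogStore turns a list of store paths (as a cataloger would obtain by
// listing /nix/store inside an image filesystem) into entries, dropping
// non-store paths and .drv files: derivations exist only on the build
// machine, and an image built with dockerTools contains just the outputs.
func CatalogStore(paths []string) []NixStoreEntry {
	var out []NixStoreEntry
	for _, p := range paths {
		e, err := ParseStorePath(p)
		if err != nil || e.IsDrv {
			continue
		}
		out = append(out, e)
	}
	return out
}

func main() {
	// Constructed sample listing; the hash is a syntactically valid placeholder.
	const h = "0123456789abcdfghijklmnpqrsvwxyz"
	sample := []string{
		"/nix/store/" + h + "-glibc-2.35-224",
		"/nix/store/" + h + "-bash-interactive-5.1-p16",
		"/nix/store/" + h + "-user-environment",
		"/nix/store/" + h + "-hello-2.12.1.drv",
		"/nix/store/.links",
	}
	for _, e := range CatalogStore(sample) {
		fmt.Printf("%-20s version=%q\n", e.Name, e.Version)
	}
}
```

The "no version" case is the one the draft PR comment calls out: without the digit-after-dash rule, `user-environment` would be split into name `user` and version `environment`, and a multi-dash name would lose its suffix. Hash validation is cheap and worth keeping, since `/nix/store` also contains non-package files such as `.links`.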

Quick update: the above PR has been merged into the in-repo feature branch add-nix-cataloger for further development (see https://github.com/anchore/syft/pull/1107#issuecomment-1483306556). Tip of the hat to @juliosueiras for the original implementation; I'll see what I can do to get this in.

wagoodman (Mar 24 '23 20:03)