emattiza/sbomnix (forked from tiiuae/sbomnix)

sbomnix

sbomnix is a utility that generates SBOMs given nix derivations or out paths.

In addition to sbomnix, this repository is home to nixgraph, a python library and command line utility for querying and visualizing dependency graphs for nix packages.

For a demonstration of how to use an sbomnix-generated SBOM to automate vulnerability scans, see: vulnscan.

sbomnix and other tools in this repository originate from the Ghaf project.

Getting Started

sbomnix requires common nix tools like nix and nix-store. These tools are expected to be in $PATH. nixgraph requires graphviz.

Running without installation

sbomnix requires python3 and packages specified in requirements.txt. You can install the required packages with:

$ git clone https://github.com/tiiuae/sbomnix
$ cd sbomnix
$ pip3 install --user -r requirements.txt

After requirements have been installed, you can run sbomnix without installation as follows:

$ source scripts/env.sh
$ python3 sbomnix/main.py
usage: main.py [-h] [--version] [--verbose VERBOSE] [--meta [META]] [--type {runtime,buildtime,both}] [--csv [CSV]] [--cdx [CDX]] NIX_PATH

Installation

Examples in this README.md assume you have installed sbomnix on your system and that the sbomnix command is in $PATH. To install sbomnix from source, run:

$ git clone https://github.com/tiiuae/sbomnix
$ cd sbomnix
$ pip3 install --user .

Usage examples

In the below examples, we use nix package wget as an example target. To install wget and print out its derivation path on your local system, try something like:

$ nix-env -i wget && nix-env -q -a --drv-path wget
installing 'wget-1.21.3'
wget-1.21.3  /nix/store/1kd6cas7lxhccf7bv1v37wvwmknahfrj-wget-1.21.3.drv

Generate SBOM based on derivation file

By default sbomnix scans the given derivation and generates an SBOM including the runtime dependencies:

$ sbomnix /nix/store/1kd6cas7lxhccf7bv1v37wvwmknahfrj-wget-1.21.3.drv
...
INFO     Wrote: sbom.cdx.json
INFO     Wrote: sbom.csv

The main output is the SBOM JSON file (sbom.cdx.json) in CycloneDX format.

Generate SBOM including meta information

To include license information in the SBOM, first generate package meta information with nix-env:

$ nix-env -qa --meta --json '.*' >meta.json

Then, run sbomnix with the --meta argument to tell sbomnix to read meta information from the given JSON file:

$ sbomnix /nix/store/1kd6cas7lxhccf7bv1v37wvwmknahfrj-wget-1.21.3.drv --meta meta.json

Generate SBOM including buildtime dependencies

By default sbomnix scans the given target for runtime dependencies. You can tell sbomnix to include buildtime dependencies using the --type argument. Acceptable values for --type are runtime, buildtime, and both. The example below generates an SBOM including buildtime-only dependencies:

$ sbomnix /nix/store/1kd6cas7lxhccf7bv1v37wvwmknahfrj-wget-1.21.3.drv --meta meta.json --type=buildtime
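Once sbomnix has written sbom.cdx.json, the next practical step is usually to inspect it: which components declare no license even after --meta was supplied, and which components only appear at buildtime when comparing a --type=runtime BOM against a --type=both BOM. The script below is an added example, not part of sbomnix or of this repository; it assumes only the CycloneDX JSON layout (a top-level "components" list whose entries carry "name", "version", an optional "purl" and an optional "licenses" list of {"license": {"id"|"name": ...}} objects). The two BOM documents embedded in it are constructed sample data, not real sbomnix output, and the package names and versions other than wget-1.21.3 are made up for the illustration.

```python
"""Inspect CycloneDX SBOMs of the kind sbomnix writes to sbom.cdx.json.

Added example, not sbomnix code. Assumes the CycloneDX JSON layout only.
The sample BOMs below are constructed for the example; they are not real
sbomnix output (only wget-1.21.3 is taken from the README).
"""
import json
from typing import Dict, List

# Constructed sample: what a --type=runtime BOM might look like.
RUNTIME_BOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "application", "name": "wget", "version": "1.21.3",
         "purl": "pkg:nix/wget@1.21.3",
         "licenses": [{"license": {"id": "GPL-3.0-or-later"}}]},
        {"type": "library", "name": "openssl", "version": "3.0.7",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        # No licenses key at all: this is what a component without
        # matching --meta information looks like.
        {"type": "library", "name": "glibc", "version": "2.35"},
    ],
})

# Constructed sample: a --type=both BOM for the same target, which adds
# build-only tools on top of the runtime closure.
BOTH_BOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": json.loads(RUNTIME_BOM)["components"] + [
        {"type": "library", "name": "gcc", "version": "11.3.0",
         "licenses": [{"license": {"id": "GPL-3.0-or-later"}}]},
        {"type": "library", "name": "autoconf", "version": "2.71",
         "licenses": []},
    ],
})


def load_components(bom_json: str) -> Dict[str, dict]:
    """Parse a CycloneDX document and index its components by name@version."""
    bom = json.loads(bom_json)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    indexed: Dict[str, dict] = {}
    for comp in bom.get("components", []):
        indexed[f"{comp['name']}@{comp.get('version', '')}"] = comp
    return indexed


def component_licenses(comp: dict) -> List[str]:
    """Return the SPDX ids (or free-form names) declared for one component."""
    found = []
    for entry in comp.get("licenses", []):
        lic = entry.get("license", {})
        found.append(lic.get("id") or lic.get("name") or "UNKNOWN")
    return found


def missing_license(indexed: Dict[str, dict]) -> List[str]:
    """Components that declare no license at all (sorted name@version keys)."""
    return sorted(k for k, c in indexed.items() if not component_licenses(c))


def buildtime_only(runtime_bom_json: str, both_bom_json: str) -> List[str]:
    """Components present in the --type=both BOM but absent from the runtime BOM."""
    runtime = load_components(runtime_bom_json)
    both = load_components(both_bom_json)
    return sorted(set(both) - set(runtime))


if __name__ == "__main__":
    runtime_components = load_components(RUNTIME_BOM)
    for key, comp in sorted(runtime_components.items()):
        print(f"{key:20} {', '.join(component_licenses(comp)) or '(no license)'}")
    print("missing license:", missing_license(runtime_components))
    print("buildtime-only :", buildtime_only(RUNTIME_BOM, BOTH_BOM))
```

To use it on real output, replace the two embedded strings with the contents of the sbom.cdx.json files that `sbomnix ... --type=runtime` and `sbomnix ... --type=both` wrote; components reported by missing_license are the ones where a missing --meta entry (or an upstream package without license metadata) leaves a gap that a license or vulnerability review would otherwise silently skip.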

Generate SBOM based on output path

sbomnix can be used with output paths too (e.g. anything that produces a result symlink):

$ sbomnix /path/to/result

Visualize package dependencies

sbomnix finds the package dependencies using nixgraph. nixgraph can also be used as a stand-alone tool for visualizing package dependencies. Below, we show an example of visualizing the runtime dependencies of package wget:

$ nixgraph /nix/store/1kd6cas7lxhccf7bv1v37wvwmknahfrj-wget-1.21.3.drv --depth=2

This outputs the dependency graph as an image (with a maximum depth of 2).

For more examples on querying and visualizing the package dependencies, see: nixgraph.

Contribute

Any pull requests, suggestions, and error reports are welcome. To start development, we recommend using lightweight virtual environments by running the following commands:

$ git clone https://github.com/tiiuae/sbomnix
$ cd sbomnix/
$ python3 -mvenv venv
$ source venv/bin/activate
$ source scripts/env.sh
$ make install-dev

Run make help to see the list of other make targets. Prior to sending any pull requests, make sure that at least make pre-push runs without failures.

To deactivate the virtualenv, run deactivate in your shell.

License

This project is licensed under the Apache-2.0 license - see the Apache-2.0.txt file for details.

Acknowledgements

sbomnix uses the nix store derivation scanner (nix.py and derivation.py) originally from vulnix.
