sbomnix is a utility that generates SBOMs given nix derivations or out paths.
In addition to sbomnix, this repository is a home to nixgraph, a python library and command line utility for querying and visualizing dependency graphs for nix packages.
For a demonstration of how to use an sbomnix generated SBOM in automating vulnerability scans, see: vulnscan.
sbomnix and other tools in this repository originate from the Ghaf project.
sbomnix requires common nix tools like nix and nix-store. These tools are expected to be in $PATH.
nixgraph requires graphviz.
sbomnix requires python3 and the packages specified in requirements.txt. You can install the required packages with:
$ git clone https://github.com/tiiuae/sbomnix
$ cd sbomnix
$ pip3 install --user -r requirements.txt
After requirements have been installed, you can run sbomnix without installation as follows:
$ source scripts/env.sh
$ python3 sbomnix/main.py
usage: main.py [-h] [--version] [--verbose VERBOSE] [--meta [META]] [--type {runtime,buildtime,both}] [--csv [CSV]] [--cdx [CDX]] NIX_PATH
Examples in this README.md assume you have installed sbomnix on your system and that the command sbomnix is in $PATH. To install sbomnix from source, run:
$ git clone https://github.com/tiiuae/sbomnix
$ cd sbomnix
$ pip3 install --user .
In the examples below, we use the nix package wget as an example target.
To install wget and print out its derivation path on your local system, try something like:
$ nix-env -i wget && nix-env -q -a --drv-path wget
installing 'wget-1.21.3'
wget-1.21.3 /nix/store/1kd6cas7lxhccf7bv1v37wvwmknahfrj-wget-1.21.3.drv
By default, sbomnix scans the given derivation and generates an SBOM including the runtime dependencies:
$ sbomnix /nix/store/1kd6cas7lxhccf7bv1v37wvwmknahfrj-wget-1.21.3.drv
...
INFO Wrote: sbom.cdx.json
INFO Wrote: sbom.csv
Main output is the SBOM json file (sbom.cdx.json) in CycloneDX format.
To include license information in the SBOM, first generate package meta information with nix-env:
$ nix-env -qa --meta --json '.*' >meta.json
Then, run sbomnix with the --meta argument to tell sbomnix to read meta information from the given json file:
$ sbomnix /nix/store/1kd6cas7lxhccf7bv1v37wvwmknahfrj-wget-1.21.3.drv --meta meta.json
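The license data only reaches sbom.cdx.json when --meta is given, so a downstream consumer should check for it before relying on the SBOM. The following is an added example (not part of sbomnix) that parses a CycloneDX document and lists components without license entries; the embedded SBOM is a constructed sample whose component names, versions and license ids are assumptions, shaped like a sbomnix output.

```python
import json

# Constructed sample in the shape sbomnix writes to sbom.cdx.json.
# Names, versions and license ids are assumptions for this example only.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.3",
    "components": [
        {"type": "application", "name": "wget", "version": "1.21.3",
         "purl": "pkg:nix/wget@1.21.3",
         "licenses": [{"license": {"id": "GPL-3.0-or-later"}}]},
        {"type": "library", "name": "openssl", "version": "3.0.7",
         "purl": "pkg:nix/openssl@3.0.7",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"type": "library", "name": "libidn2", "version": "2.3.4",
         "purl": "pkg:nix/libidn2@2.3.4"},  # no license data at all
    ],
})


def load_cyclonedx(text):
    """Parse a CycloneDX JSON document and reject anything else."""
    bom = json.loads(text)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return bom


def component_licenses(bom):
    """Map 'name@version' to the license ids/names declared for it."""
    result = {}
    for comp in bom.get("components", []):
        key = f"{comp['name']}@{comp.get('version', '')}"
        ids = []
        for entry in comp.get("licenses", []):
            lic = entry.get("license", {})
            # CycloneDX allows an SPDX 'id', a free-form 'name' or an 'expression'
            ids.append(lic.get("id") or lic.get("name") or entry.get("expression"))
        result[key] = [i for i in ids if i]
    return result


def components_missing_license(bom):
    """Components with no license data: the usual sign of a run without --meta."""
    return sorted(k for k, v in component_licenses(bom).items() if not v)


if __name__ == "__main__":
    bom = load_cyclonedx(SAMPLE_SBOM)
    for key, ids in component_licenses(bom).items():
        print(key, ",".join(ids) or "<no license data>")
    print("missing license data:", components_missing_license(bom))
```

Point load_cyclonedx at the contents of a real sbom.cdx.json to run the same check on sbomnix output.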
By default, sbomnix scans the given target for runtime dependencies. You can tell sbomnix to include buildtime dependencies using the --type argument.
Acceptable values for --type are runtime, buildtime, both. The example below generates an SBOM including buildtime-only dependencies:
$ sbomnix /nix/store/1kd6cas7lxhccf7bv1v37wvwmknahfrj-wget-1.21.3.drv --meta meta.json --type=buildtime
sbomnix can be used with output paths too (e.g. anything which produces a result symlink):
$ sbomnix /path/to/result
sbomnix finds the package dependencies using nixgraph.
Moreover, nixgraph can also be used as a stand-alone tool for visualizing package dependencies.
Below, we show an example of visualizing the runtime dependencies of package wget:
$ nixgraph /nix/store/1kd6cas7lxhccf7bv1v37wvwmknahfrj-wget-1.21.3.drv --depth=2
This outputs the dependency graph as an image (with maxdepth 2).
For more examples on querying and visualizing the package dependencies, see: nixgraph.
Any pull requests, suggestions, and error reports are welcome. To start development, we recommend using lightweight virtual environments by running the following commands:
$ git clone https://github.com/tiiuae/sbomnix
$ cd sbomnix/
$ python3 -mvenv venv
$ source venv/bin/activate
$ source scripts/env.sh
$ make install-dev
Run make help to see the list of other make targets.
Prior to sending any pull requests, make sure at least make pre-push runs without failures.
To deactivate the virtualenv, run deactivate in your shell.
This project is licensed under the Apache-2.0 license - see the Apache-2.0.txt file for details.
sbomnix uses the nix store derivation scanner (nix.py and derivation.py) originally from vulnix.