4.9 KiB
CycloneDX
OWASP CycloneDX is a Software Bill of Materials (SBOM) standard. The standards described here are for including Nix specific information within SBOMs in a way that is interoperable with external SBOM tooling.
nix Namespace Property Taxonomy
The following tables describe namespaces for properties that may be attached to components within SBOMs. Component properties are lists of name-value-pairs where values must be strings. Properties with the same name may appear more than once. Names and values are case-sensitive.
| Property | Description |
|---|---|
nix:store_path |
A Nix store path for the given component. This property should be contextualized by additional properties that describe the production of the store path, such as those from the nix:narinfo: and nix:fod namespaces. |
| Namespace | Description |
|---|---|
nix:narinfo |
Namespace for properties that are specific to how a component is stored as a Nix archive (NAR) in a binary cache. |
nix:fod |
Namespace for properties that describe a fixed-output derivation. |
nix:narinfo
Narinfo properties describe component archives that may be available from binary caches.
The nix:narinfo properties should be accompanied by a nix:store_path property within the same property list.
| Property | Description |
|---|---|
nix:narinfo:store_path |
Store path for the given store component. |
nix:narinfo:url |
URL path component. |
nix:narinfo:nar_hash |
Hash of the file system object part of the component when serialized as a Nix Archive. |
nix:narinfo:nar_size |
Size of the component when serialized as a Nix Archive. |
nix:narinfo:compression |
The compression format that component archive is in. |
nix:narinfo:file_hash |
A digest for the compressed component archive itself, as opposed to the data contained within. |
nix:narinfo:file_size |
The size of the compressed component archive itself. |
nix:narinfo:deriver |
The path to the derivation from which this component is produced. |
nix:narinfo:system |
The hardware and software platform on which this component is produced. |
nix:narinfo:sig |
Signatures claiming that this component is what it claims to be. |
nix:narinfo:ca |
Content address of this store object's file system object, used to compute its store path. |
nix:narinfo:references |
A whitespace separated array of store paths that this component references. |
nix:fod
FOD properties describe a fixed-output derivation.
The nix:fod:method property is required and must be accompanied by a nix:store_path property within the same property list.
All other properties in this namespace are method-specific.
To reproduce the build of a component the nix:fod:method value is resolved to an appropriate function within Nixpkgs whose arguments intersect with the given properties.
When generating nix:fod properties the method selected should be a stable function with a minimal number arguments.
For example, the fetchFromGitHub is commonly used within Nixpkgs but should be reduced to a call to the function by which it is implemented, fetchzip.
| Property | Description |
|---|---|
nix:fod:method |
Nixpkg function that produces this FOD. Required. Examples: "fetchzip", "fetchgit" |
nix:fod:name |
Derivation name, present when method is "fetchzip" |
nix:fod:ref |
Git ref, present when method is "fetchgit" |
nix:fod:rev |
Git rev, present when method is "fetchgit" |
nix:fod:sha256 |
FOD hash |
nix:fod:url |
URL to fetch |
nix:fod properties may be extracted and evaluated to a derivation using code similar to the following, assuming a fictitious function filterPropertiesToAttrs:
{ pkgs, filterPropertiesToAttrs, properties }:
let
fodProps = filterPropertiesToAttrs "nix:fod:" properties;
methods = {
fetchzip =
{ name, url, sha256, ... }:
pkgs.fetchzip {
inherit name url sha256;
};
};
in methods.${fodProps.method} fodProps