Add option to scan nix profile? about sbomnix HOT 8 OPEN

Thanks, this is a good suggestion. I'll look into this as soon as possible.

from sbomnix.

On my test systems, this actually works with the current sbomnix out-of-the-box:

$ nix run github:tiiuae/sbomnix#sbomnix -- /home/hrosten/.nix-profile/
INFO     Evaluating '/home/hrosten/.nix-profile/'
INFO     Try force-realising store-path '/home/hrosten/.nix-profile/'
INFO     Loading runtime dependencies referenced by '/nix/store/2hxmj8xcwh929z92i8l50by0i5q4mh69-user-environment'
INFO     Wrote: sbom.cdx.json
INFO     Wrote: sbom.spdx.json
INFO     Wrote: sbom.csv

As stated in the error message you attached, the reason it fails in your example is that it's unable to find the derivation for:

/Users/arian/.nix-profile -> /nix/store/pwcgic86vfhhdkpbh03cn7pv7a58vdqh-profile

Under the hood, sbomnix uses nix derivation show /nix/store/pwcgic86vfhhdkpbh03cn7pv7a58vdqh-profile to attempt to find the derivation for the given target path (here).

Not sure why that fails in your example case.

How do you setup your system?

If you set it up with flake, you could try running the sbomnix against the relevant flake reference, something like (using https://github.com/henrirosten/dotfiles as an example target):

nix run github:tiiuae/sbomnix#sbomnix -- github:henrirosten/dotfiles#homeConfigurations.hrosten.activationPackage

from sbomnix.

The derivations get garbage collected after running nix garbage collect but the realized out paths remain

So it will work for once when you install a package but as the profile grows over weeks parts will not have the original derivation file anymore I think?

from sbomnix.

By default, nix shouldn't remove derivations if the associated store path is used (non-garbage):

keep-derivations

If true (default), the garbage collector will keep the derivations from which non-garbage store paths were built. If false, they will be deleted unless explicitly registered as a root (or reachable from other roots).

Keeping derivation around is useful for querying and traceability (e.g., it allows you to ask with what dependencies or options a store path was built), so by default this option is on. Turn it off to save a bit of disk space (or a lot if keep-outputs is also turned on).

Default: true

from sbomnix.

Huh weird. It's on for me too. I'm wondering what's going on here. I'll report back if I can reproduce again. but it sounds like a problem with my setup

from sbomnix.

On a new setup:

 % nix-store --query --deriver ~/.nix-profile
unknown-deriver
 % nix show-config | grep keep-derivations
keep-derivations = true

Really strange

from sbomnix.

Even on a clean profile it doesn't work. @henrirosten are you sure you're using a new-style profile (nix profile) and not an old style profile (nix-env) ?

arian@Arians-MacBook-Pro ~ % rm -rf ~/.nix-profile                          
arian@Arians-MacBook-Pro ~ % rm -rf ~/.local/state/nix/profiles/                           
arian@Arians-MacBook-Pro ~ % nix profile list                     
arian@Arians-MacBook-Pro ~ % nix profile install nixpkgs#direnv
arian@Arians-MacBook-Pro ~ % nix profile list
Index:              0
Flake attribute:    legacyPackages.aarch64-darwin.direnv
Original flake URL: flake:nixpkgs
Locked flake URL:   github:NixOS/nixpkgs/5f5210aa20e343b7e35f40c033000db0ef80d7b9
Store paths:        /nix/store/7dacgcmg51sh67kv4v6ilrsyn7ignsdh-direnv-2.33.0
arian@Arians-MacBook-Pro ~ % nix-store --query --deriver ~/.nix-profile
unknown-deriver
arian@Arians-MacBook-Pro ~ % sbomnix ~/.nix-profile 
INFO     Evaluating '/Users/arian/.nix-profile'
INFO     Try force-realising store-path '/Users/arian/.nix-profile'
INFO     Loading runtime dependencies referenced by '/nix/store/53xzw4cqhgrgxdwsx4j3s7k9mgi9rh46-profile'
CRITICAL No deriver found for: '/nix/store/53xzw4cqhgrgxdwsx4j3s7k9mgi9rh46-profile

from sbomnix.

@arianvp: thanks for taking the time to explain the issue.

With your instructions in the previous comment, I'm able to reproduce the problem. I was not aware that nix profile works differently in this respect.

As you already suggested initially, I also think sbomnix would have to parse the ~/.nix-profile/manifest.json to support scanning such profiles.

from sbomnix.