Comments (8)
Thanks, this is a good suggestion. I'll look into this as soon as possible.
from sbomnix.
On my test systems, this actually works with the current sbomnix out-of-the-box:
$ nix run github:tiiuae/sbomnix#sbomnix -- /home/hrosten/.nix-profile/
INFO Evaluating '/home/hrosten/.nix-profile/'
INFO Try force-realising store-path '/home/hrosten/.nix-profile/'
INFO Loading runtime dependencies referenced by '/nix/store/2hxmj8xcwh929z92i8l50by0i5q4mh69-user-environment'
INFO Wrote: sbom.cdx.json
INFO Wrote: sbom.spdx.json
INFO Wrote: sbom.csv
As stated in the error message you attached, the reason it fails in your example is that it's unable to find the derivation for:
/Users/arian/.nix-profile -> /nix/store/pwcgic86vfhhdkpbh03cn7pv7a58vdqh-profile
Under the hood, sbomnix uses `nix derivation show /nix/store/pwcgic86vfhhdkpbh03cn7pv7a58vdqh-profile` to attempt to find the derivation for the given target path (here).
Not sure why that fails in your example case.
How do you setup your system?
If you set it up with flake, you could try running the sbomnix against the relevant flake reference, something like (using https://github.com/henrirosten/dotfiles as an example target):
nix run github:tiiuae/sbomnix#sbomnix -- github:henrirosten/dotfiles#homeConfigurations.hrosten.activationPackage
The derivations get garbage collected after running nix garbage collect, but the realized out paths remain.
So it will work once when you install a package, but as the profile grows over weeks, parts will not have the original derivation file anymore, I think?
By default, nix shouldn't remove derivations if the associated store path is used (non-garbage):
If true (default), the garbage collector will keep the derivations from which non-garbage store paths were built. If false, they will be deleted unless explicitly registered as a root (or reachable from other roots).
Keeping derivation around is useful for querying and traceability (e.g., it allows you to ask with what dependencies or options a store path was built), so by default this option is on. Turn it off to save a bit of disk space (or a lot if keep-outputs is also turned on).
Default: true
Huh, weird. It's on for me too. I'm wondering what's going on here. I'll report back if I can reproduce again, but it sounds like a problem with my setup.
On a new setup:
% nix-store --query --deriver ~/.nix-profile
unknown-deriver
% nix show-config | grep keep-derivations
keep-derivations = true
Really strange.
Even on a clean profile it doesn't work. @henrirosten are you sure you're using a new-style profile (`nix profile`) and not an old-style profile (`nix-env`)?
arian@Arians-MacBook-Pro ~ % rm -rf ~/.nix-profile
arian@Arians-MacBook-Pro ~ % rm -rf ~/.local/state/nix/profiles/
arian@Arians-MacBook-Pro ~ % nix profile list
arian@Arians-MacBook-Pro ~ % nix profile install nixpkgs#direnv
arian@Arians-MacBook-Pro ~ % nix profile list
Index: 0
Flake attribute: legacyPackages.aarch64-darwin.direnv
Original flake URL: flake:nixpkgs
Locked flake URL: github:NixOS/nixpkgs/5f5210aa20e343b7e35f40c033000db0ef80d7b9
Store paths: /nix/store/7dacgcmg51sh67kv4v6ilrsyn7ignsdh-direnv-2.33.0
arian@Arians-MacBook-Pro ~ % nix-store --query --deriver ~/.nix-profile
unknown-deriver
arian@Arians-MacBook-Pro ~ % sbomnix ~/.nix-profile
INFO Evaluating '/Users/arian/.nix-profile'
INFO Try force-realising store-path '/Users/arian/.nix-profile'
INFO Loading runtime dependencies referenced by '/nix/store/53xzw4cqhgrgxdwsx4j3s7k9mgi9rh46-profile'
CRITICAL No deriver found for: '/nix/store/53xzw4cqhgrgxdwsx4j3s7k9mgi9rh46-profile'
@arianvp: thanks for taking the time to explain the issue.
With your instructions in the previous comment, I'm able to reproduce the problem. I was not aware that `nix profile` works differently in this respect.
As you already suggested initially, I also think `sbomnix` would have to parse the `~/.nix-profile/manifest.json` to support scanning such profiles.
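The thread ends with the suggestion that sbomnix should read `manifest.json` from a `nix profile`-style profile instead of asking for the deriver of the profile symlink itself, which answers `unknown-deriver`. The following is an added example of how that could look, not sbomnix's own code: it parses the manifest, checks that every listed path really is a `/nix/store/` path, and then queries `nix-store --query --deriver` for each element's store paths, treating `unknown-deriver` as a per-path result rather than a fatal error. The manifest field names (`elements`, `attrPath`, `originalUrl`, `url`, `storePaths`, `active`) are assumed from the `nix profile list` output quoted above, and handling `elements` both as a list and as a name-keyed object is an assumption about older versus newer manifest versions. The sample manifest is constructed for this example.

```python
"""Added example (not sbomnix code): collect per-element store paths from a
`nix profile` manifest.json and look up each one's deriver individually.

Field names and the two `elements` shapes below are assumptions based on the
`nix profile list` output in the thread, not a verified schema.
"""
from __future__ import annotations

import json
import os
import shutil
import subprocess
from dataclasses import dataclass, field


@dataclass
class ProfileElement:
    name: str
    attr_path: str | None
    original_url: str | None
    locked_url: str | None
    store_paths: list[str] = field(default_factory=list)
    active: bool = True


def parse_manifest(text: str) -> list[ProfileElement]:
    """Parse manifest.json. `elements` is accepted either as a list (assumed
    older manifests) or as a name-keyed object (assumed newer manifests).
    Any listed path outside /nix/store/ is rejected: an SBOM must describe
    store contents only, never an arbitrary path written into the manifest."""
    manifest = json.loads(text)
    elements = manifest.get("elements", [])
    if isinstance(elements, dict):
        items = list(elements.items())
    else:
        items = [(str(i), e) for i, e in enumerate(elements)]
    parsed: list[ProfileElement] = []
    for name, element in items:
        paths = list(element.get("storePaths", []))
        for path in paths:
            if not path.startswith("/nix/store/"):
                raise ValueError(f"refusing non-store path in manifest: {path!r}")
        parsed.append(ProfileElement(
            name=name,
            attr_path=element.get("attrPath"),
            original_url=element.get("originalUrl"),
            locked_url=element.get("url"),
            store_paths=paths,
            active=bool(element.get("active", True)),
        ))
    return parsed


def manifest_path_for(profile: str) -> str:
    """~/.nix-profile is a symlink chain; resolve it and append manifest.json."""
    return os.path.join(os.path.realpath(os.path.expanduser(profile)), "manifest.json")


def query_deriver(store_path: str) -> str | None:
    """Return the deriver of one store path, or None when Nix answers
    `unknown-deriver` (the profile path itself in this thread), when the
    query fails, or when nix-store is not installed on this machine."""
    if shutil.which("nix-store") is None:
        return None
    proc = subprocess.run(
        ["nix-store", "--query", "--deriver", store_path],
        capture_output=True, text=True, check=False,
    )
    deriver = proc.stdout.strip()
    if proc.returncode != 0 or deriver in ("", "unknown-deriver"):
        return None
    return deriver


def derivers_for_profile(profile: str = "~/.nix-profile") -> dict[str, str | None]:
    """Map every store path of every active element to its deriver (or None).
    Paths with None are exactly the ones a scanner must report, not skip."""
    with open(manifest_path_for(profile), encoding="utf-8") as fh:
        elements = parse_manifest(fh.read())
    return {
        path: query_deriver(path)
        for element in elements if element.active
        for path in element.store_paths
    }


# Constructed sample mirroring the `nix profile list` output quoted in the thread.
SAMPLE_MANIFEST = json.dumps({
    "version": 1,
    "elements": [{
        "active": True,
        "attrPath": "legacyPackages.aarch64-darwin.direnv",
        "originalUrl": "flake:nixpkgs",
        "url": "github:NixOS/nixpkgs/5f5210aa20e343b7e35f40c033000db0ef80d7b9",
        "storePaths": ["/nix/store/7dacgcmg51sh67kv4v6ilrsyn7ignsdh-direnv-2.33.0"],
    }],
})

if __name__ == "__main__":
    for element in parse_manifest(SAMPLE_MANIFEST):
        print(element.attr_path, element.store_paths)
```

Querying each element's store path rather than the `-profile` path is what sidesteps the `No deriver found` failure above: the individual package outputs were built from derivations that `keep-derivations = true` retains, whereas the profile directory itself has no deriver to find.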