Software packages often need to be provided with a fully realized
SBOM (software bill of materials) to meet regulatory requirements within
various industries and jurisdictions. As a fundamental component of
modern software security and supply chain integrity, providing a
complete itemized inventory of all components, libraries, and
dependencies used in both the build and runtime
environments helps packagers demonstrate vulnerability management,
license compliance, and risk assessment practices. Bills are often
incomplete, negating their value, as their realization can be both
complex and time-consuming. Packaging with Nix dramatically reduces this overhead by
providing the ability to step through a derivation’s entire dependency
graph, capturing all relevant metadata for each component. Packages such
as nixpkgs#sbomnix
provide tools for automation of this process in combination with
standardized SBOM documentation generation, visualization tools, and
vulnerability scanning capabilities based upon the graph.
Using the passthru
attribute of a Nix derivation, it is possible to bundle scripts for
these tools alongside the package itself:
{ pkgs ? import <nixpkgs> {} }:
let
pkg = pkgs.hello.overrideAttrs (_: {
passthru.sbomnix = pkgs.writeShellScriptBin "sbomnix" ''
${pkgs.sbomnix}/bin/sbomnix ${pkg.out} "$@"
'';
});
in
pkgNix itself is never a guarantee of software security or known bill-of-materials completeness. It is, however, a tool for packagers to leverage in order to construct confidence in software security and supply-chain integrity.
See also: