Software packages often need to be provided with a fully realised SBOM (software bill of materials) to meet regulatory requirements in various industries and jurisdictions. A fundamental component of modern software security and supply-chain integrity, an SBOM is a complete itemised inventory of every component, library and dependency used in both the build and runtime environments; it lets the packager demonstrate vulnerability management, licence compliance and risk assessment practices.
Bills are often incomplete, which negates their value, because producing one can be both complex and time consuming. Packaging with Nix dramatically reduces this overhead: a derivation's entire dependency graph can be stepped through, capturing the relevant metadata for each component. Packages such as nixpkgs#sbomnix provide tools that automate this process, combined with generation of standardised SBOM documents, visualisation tools and vulnerability scanning based on that graph.
Using the passthru attribute of a Nix derivation, it is possible to bundle scripts for these tools alongside the package itself:
```nix
{ pkgs ? import <nixpkgs> {} }:
let
  # Wrap `hello` so that `pkg.sbomnix` is a script running sbomnix on its output.
  pkg = pkgs.hello.overrideAttrs (_: {
    passthru.sbomnix = pkgs.writeShellScriptBin "sbomnix" ''
      ${pkgs.sbomnix}/bin/sbomnix ${pkg.out} "$@"
    '';
  });
in
pkg
```

Nix itself is never a guarantee of software security or of the completeness of a bill of materials. It is, however, a tool the packager can leverage to build confidence in software security and supply-chain integrity.
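The same passthru pattern generalised into a reusable helper, as an added example (not code from the page or from the sbomnix project): withSbomTools is a hypothetical function that attaches sbomnix, nixgraph and vulnxscan wrappers to any derivation, and it assumes the nixpkgs sbomnix package installs all three entry points under bin/.

```nix
{ pkgs ? import <nixpkgs> {} }:
let
  # Hypothetical helper (added example): attach SBOM tooling to any derivation
  # through passthru. passthru is not passed to the builder, so the package's
  # output path is unchanged; only the evaluation-time attribute set grows.
  withSbomTools = drv:
    drv.overrideAttrs (old: {
      passthru = (old.passthru or { }) // {
        # Generate the SBOM for the package's closure (extra flags are forwarded).
        sbomnix = pkgs.writeShellScriptBin "sbomnix" ''
          exec ${pkgs.sbomnix}/bin/sbomnix ${drv} "$@"
        '';
        # Render the dependency graph the SBOM is derived from.
        nixgraph = pkgs.writeShellScriptBin "nixgraph" ''
          exec ${pkgs.sbomnix}/bin/nixgraph ${drv} "$@"
        '';
        # Scan the same closure against known-vulnerability data.
        vulnxscan = pkgs.writeShellScriptBin "vulnxscan" ''
          exec ${pkgs.sbomnix}/bin/vulnxscan ${drv} "$@"
        '';
      };
    });

  # Apply the helper; `hello` stands in for a real project package.
  pkg = withSbomTools pkgs.hello;
in
{
  inherit pkg;
  # One environment bundling all three wrappers, e.g. for a CI job:
  #   nix-build -A sbomTools && ./result/bin/sbomnix
  sbomTools = pkgs.symlinkJoin {
    name = "${pkg.pname}-sbom-tools";
    paths = [ pkg.sbomnix pkg.nixgraph pkg.vulnxscan ];
  };
}
```

Because the wrappers are ordinary derivations in passthru, they can be built and run on their own (`nix-build -A pkg.vulnxscan`) without rebuilding the package they describe.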