Software packages often need to be provided with a fully realized SBOM (software bill of materials) to meet regulatory requirements within various industries and jurisdictions. As a fundamental component of modern software security and supply chain integrity, providing a complete itemized inventory of all components, libraries, and dependencies used in both the build and runtime environments, the bill helps enable the packager to demonstrate vulnerability management, license compliance, and risk assessment practices.
Bills are often incomplete, negating their value as realization can
be both complex and time-consuming. Packaging with Nix dramatically reduces this overhead by
providing the ability to step through a derivation’s entire dependency
graph, capturing all relevant metadata against each component. Packages
such as nixpkgs#sbomnix
provide tools for automation of this process in combination with
standardized SBOM documentation generation, visualization tools, and
vulnerability scanning capabilities based upon the graph.
Using the passthru
attribute of a Nix derivation, it is possible to bundle scripts for
these tools alongside the package itself:
{ pkgs ? import <nixpkgs> {} }:
let
pkg = pkgs.hello.overrideAttrs (_: {
passthru.sbomnix = pkgs.writeShellScriptBin "sbomnix" ''
${pkgs.sbomnix}/bin/sbomnix ${pkg.out} "$@"
'';
});
in
pkgNix itself is never a guarantee of any software security or known bill of materials completeness. It, however, is a tool for the packager to leverage in order to construct confidence in software security and supply chain integrity.