doc/interoperability: new chapter and section on CycloneDX #316626
Conversation
This pull request has been mentioned on NixOS Discourse. There might be relevant details there: https://discourse.nixos.org/t/pre-rfc-cyclonedx-bom-taxonomy/45957/4
doc/interoperability/cycloneds.md
Outdated
|---------------------------|-------------|
| `nix:narinfo:store_path` | Store path for the given store component. |
| `nix:narinfo:url` | URL path component. |
| `nix:narinfo:nar_hash` | Hash of the file system object part of the component when serialized as a Nix Archive. |
I prefer to use camel-case rather than snake-case because it saves a few characters and it's common Nix style.
Approved documentation-wise. The writing is very clear, great work. Since this is likely to be read by complete Nix beginners but touches a rather advanced topic, please generously add links to definitions of terms.
doc/interoperability/cycloneds.md
Outdated
| `nix:fod:url` | URL to fetch |

`nix:fod` properties may be extracted and evaluated to a derivation using code similar to the following:
Does such a function exist already?
I have code for this out-of-tree, which is based on what I did for buildNimPackage for reading lockfiles. I was using the methods fetchzip and git but I like fetchgit for consistency.
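As an added example (not code from this PR, nixpkgs or the manual), the extraction step the quoted text describes, written in Python: it groups a component's `nix:`-namespaced CycloneDX properties, maps the `nix:fod` group to fetcher arguments, and refuses any source that is not pinned by a hash. The BOM is constructed; `nix:fod:method` and `nix:fod:sha256` are assumed property names, since the page itself only names `nix:fod:url` and the `nix:narinfo:*` properties.

```python
import json
import re

# Constructed sample BOM, not taken from the PR. `nix:fod:method` and
# `nix:fod:sha256` are assumed property names; only `nix:fod:url` and
# `nix:narinfo:*` appear on the page.
SAMPLE_BOM = json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
    {"type": "library", "name": "foo", "version": "1.2.3", "properties": [
        {"name": "nix:fod:method", "value": "fetchzip"},
        {"name": "nix:fod:url", "value": "https://example.invalid/foo-1.2.3.tar.gz"},
        {"name": "nix:fod:sha256", "value": "sha256-" + "A" * 43 + "="},
        {"name": "nix:narinfo:store_path", "value": "/nix/store/" + "b" * 32 + "-foo-1.2.3"}]},
    {"type": "library", "name": "bar", "version": "0.1", "properties": [
        {"name": "nix:fod:method", "value": "fetchgit"},
        {"name": "nix:fod:url", "value": "https://example.invalid/bar.git"}]},
    {"type": "library", "name": "baz", "version": "2.0", "properties": [
        {"name": "nix:narinfo:store_path", "value": "/nix/store/not-a-hash-baz"}]}]})

# Nix store paths carry a 32-character hash in Nix's own base32 alphabet.
STORE_PATH_RE = re.compile(r"^/nix/store/[0-9abcdfghijklmnpqrsvwxyz]{32}-[^/]+$")
SRI_SHA256_RE = re.compile(r"^sha256-[A-Za-z0-9+/]{43}=$")

def nix_properties(component):
    """Group `nix:<kind>:<key>` properties as {kind: {key: value}}; other namespaces are ignored."""
    groups = {}
    for prop in component.get("properties", []):
        parts = prop["name"].split(":", 2)
        if len(parts) == 3 and parts[0] == "nix":
            groups.setdefault(parts[1], {})[parts[2]] = prop["value"]
    return groups

def fod_fetch_args(component):
    """Map `nix:fod` properties to (fetcher, args); reject sources not pinned by an SRI hash."""
    fod = nix_properties(component).get("fod", {})
    if "url" not in fod or "method" not in fod:
        raise ValueError("incomplete nix:fod properties")
    if not SRI_SHA256_RE.match(fod.get("sha256", "")):
        raise ValueError("unpinned source: missing or malformed nix:fod:sha256")
    return fod["method"], {"url": fod["url"], "hash": fod["sha256"]}

def check_bom(bom_text):
    """Return (accepted, rejected): fetch specs per component name, and a reason for each reject."""
    accepted, rejected = {}, {}
    for comp in json.loads(bom_text).get("components", []):
        props = nix_properties(comp)
        store_path = props.get("narinfo", {}).get("store_path")
        if store_path is not None and not STORE_PATH_RE.match(store_path):
            rejected[comp["name"]] = "malformed nix:narinfo:store_path"
            continue
        if "fod" in props:
            try:
                accepted[comp["name"]] = fod_fetch_args(comp)
            except ValueError as exc:
                rejected[comp["name"]] = str(exc)
    return accepted, rejected
```

The accepted entries are exactly the arguments a fixed-output fetcher such as `fetchzip` needs, so a BOM consumer can build from them without hand-writing Nix; the rejected ones surface unpinned or malformed metadata before anything is fetched.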
A very minor nit, shouldn't we rename the file
@fricklerhandwerk the text is good because I copied most of it from the Nix manual. I was thinking the property names should follow the Store object info JSON format as closely as possible but the @drupol the
Co-authored-by: Valentin Gagarin <[email protected]>
I want to see this merged in some form so we can get the Nix namespace registered.
Merging since Genealogos author @ErinvanderVeen approved.
@fricklerhandwerk when does the manual on nixos.org get updated?
That should happen automatically, but I don't maintain that site, @thilobillerbeck or @garbas may know.
It's in the unstable manual and linked in the official taxonomy list https://github.com/CycloneDX/cyclonedx-property-taxonomy
Add a section to the Nixpkgs manual describing a taxonomy for putting Nix info in CycloneDX SBOMs.
When this is merged and published it would be linked into the list of official taxonomies.
The normal way to do this is to create a separate GitHub repo with an administrative working group, but that's a bunch of noise and overhead that we don't need. By putting this information into Nixpkgs we version it with the releases and we can oblige anything in Nixpkgs that deals with these SBOMs to use the taxonomy that is in the manual.
This change adds a new Interoperability Standards chapter to the manual because I couldn't find an existing chapter that was appropriate. I don't have a strong opinion on how the manual should be structured.
I have experimented with using the SBOM JSON as an intermediary format that can be used to build a Nix package - build-nim-sbom.nix.
If this works then ideally upstream projects that adopt SBOMs can have Nix information injected into them in an automated way that provides a reproducible Nix package, without requiring whoever is responsible for maintaining the SBOM to be able to read and write Nix expressions.
This has implications for Genealogos so it should be reviewed by its developers.
Pinging @NixOS/documentation-team.
Ref tweag/genealogos#58