
Add Nix Cataloger #462

Closed
wagoodman opened this issue Jul 15, 2021 · 11 comments · Fixed by #1107 or #1696
Labels
enhancement New feature or request good-first-issue Good for newcomers

Comments

@wagoodman
Contributor

It would be ideal to be able to identify and catalog Nix packages.

wagoodman added the enhancement (New feature or request) and good-first-issue (Good for newcomers) labels on Jul 15, 2021
@mlieberman85

Just a note, I've been taking a look at this problem. Nix derivations, i.e. build definitions generated by the Nix expression language, are just json files containing almost all the info you would expect an SBOM to contain. They just need to be translated into the correct SBOM format.

The key thing that is missing from a derivation and is only included in the actual nix expression code for a package is metadata, e.g. license, maintainer, etc. This can get a little annoying because you need to reverse lookup from a derivation.

@juliosueiras
Contributor

juliosueiras commented Dec 19, 2021

Screenshot from 2021-12-18 19-47-36
Screenshot from 2021-12-18 19-52-25

Doing a basic nix-store cataloger, since drv files don't get included in the docker build when you are using dockerTools (which is the more common one for nix users compared to in-docker nix-build).

Edit: still need to fix a few bugs

@wagoodman
Contributor Author

@juliosueiras that's awesome! Shout out if you want an extra helping hand. Up to you if you want to open up a draft PR and swarm on bug squashing or closing the gap on what's left 👍

@nikolaishields

I am also interested in collaborating or lending any support I can in SBOM generation via nix through syft.

@ghuntley

Would be also interested in seeing support for nix :)

@spiffcs
Contributor

spiffcs commented Jul 19, 2022

Hey @nikolaishields! Thanks for the offer.

@juliosueiras did you still have the branch or draft of code from your screenshot above?

If you open a draft, I'm sure @nikolaishields and myself can take a look, squash bugs and clean it up so we can get it merged. If not, no worries, and we can start getting a nix cataloger added that follows the same pattern as our other distro catalogers.

@juliosueiras
Contributor

Sounds good.

@juliosueiras
Contributor

Created the draft PR #1107, which is based on the Deb cataloger. There is still the bug of certain stuff (that doesn't have a version) not splitting correctly.

@ghuntley

Legend.

@juliosueiras
Contributor

A quick note: the drv (the json file referred to in the earlier comment chain) is something that only exists on the build machine, not in the finished artifact, so if an image is built via the dockerTools family, it will not contain any drvs, only the resulting store entries.
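The two points raised above, that an image built with dockerTools carries only `/nix/store` entries (no `.drv` files) and that store entries without a version must not be mis-split, are illustrated by this added Go example. It is not syft's code nor the draft PR's; it assumes the store-path layout `<32-char hash>-<name>[-<version>]` and Nix's own parseDrvName split rule (version starts at the first dash followed by a non-letter), and the `StorePackage` type and sample hash are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// StorePackage is a hypothetical record for this example, not syft's type.
type StorePackage struct{ Hash, Name, Version string }
// Nix base32 alphabet (no e, o, t, u); a store hash is 32 of these.
const nixBase32 = "0123456789abcdfghijklmnpqrsvwxyz"

// ParseStorePath splits "/nix/store/<hash>-<name>[-<version>]" into its
// parts. ".drv" entries are rejected: they exist only on the build machine.
func ParseStorePath(p string) (StorePackage, error) {
	base := strings.TrimPrefix(p, "/nix/store/")
	if base == p || strings.Contains(base, "/") || len(base) < 34 || base[32] != '-' {
		return StorePackage{}, errors.New("malformed store path: " + p)
	}
	if strings.HasSuffix(base, ".drv") {
		return StorePackage{}, errors.New("derivation file, not a build output: " + p)
	}
	hash := base[:32]
	if strings.Trim(hash, nixBase32) != "" { // any char outside the alphabet survives Trim
		return StorePackage{}, errors.New("invalid store hash: " + hash)
	}
	name, version := SplitDrvName(base[33:])
	return StorePackage{Hash: hash, Name: name, Version: version}, nil
}

// SplitDrvName follows Nix's parseDrvName rule: the version starts after the
// first '-' that is followed by a non-letter. "glibc-locales" therefore keeps
// its whole name with an empty version instead of being split at the dash.
func SplitDrvName(s string) (name, version string) {
	for i := 0; i+1 < len(s); i++ {
		c := s[i+1]
		if s[i] == '-' && !(c >= 'a' && c <= 'z' || c >= 'A' && c <= 'Z') {
			return s[:i], s[i+1:]
		}
	}
	return s, ""
}

func main() {
	// Constructed sample entries of the kind found under /nix/store in an image.
	fmt.Println(ParseStorePath("/nix/store/1b3n4k2j9w7s8q5d0m6x9r2z7v4p1l3g-hello-2.10"))
	fmt.Println(ParseStorePath("/nix/store/1b3n4k2j9w7s8q5d0m6x9r2z7v4p1l3g-glibc-locales"))
}
```

Output-name suffixes such as `-bin` or `-dev` end up in the version field, the same way Nix's own parser treats them.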

@wagoodman
Contributor Author

wagoodman commented Mar 24, 2023

quick update: the above PR has been merged into the in-repo feature branch add-nix-cataloger for further development (see #1107 (comment)). Tip-of-the-hat to @juliosueiras for the original implementation, I'll see what I can do to get this in.
