Add Basic Nix Cataloger #1107
Signed-off-by: Julio Tain Sueiras <juliosueiras@gmail.com>
7bd7f31
to
e7e50a7
Thanks for adding this - I can start going through today/tomorrow and smoothing this out a bit to get it to pass our CI checks and make sure we've got good coverage for the first draft here.
Signed-off-by: Julio Tain Sueiras <juliosueiras@gmail.com>
7952dc9
to
7995c43
I gave this PR a try, simply by building what's in here. I can confirm the code successfully picks up different store paths from various layers as packages in a
```go
FilepathPatterns: []*regexp.Regexp{
	regexp.MustCompile(`/nix/store/[^-]*-([^-]*)-(?P<version>.*)/$`),
},
```
You might want to use the regexes from https://github.com/nix-community/go-nix/blob/master/pkg/nixpath/nixpath.go#L19-L26 instead - they're a bit more strict.
I think the parser needs a few details still ironed out:
I don't think the version should be
edit: nvm! @juliosueiras would you like to pair on some of this?
The -lib denotes this is the
I don't think poking around in the Nix sqlite DB is a good idea. That's an internal implementation detail of how Nix does do this currently, and there's no stability guarantees. Also, it might not be available at all, if you're simply trying to scan a container built elsewhere.
That's probably the right way to go. We can adjust as we find exceptions in the future too.
Though stability would be ideal, it's not required if we're using it purely for auxiliary info. That is, we should still using the That being said, I'm not saying that using the sqlite db is a must... this is definitely in the "it would be nice" category (something I wasn't clear about earlier). I'm also curious to learn more about what the fields in the DB are too (the hash and sigs fields).
Yeah, that'd be a matter of adjusting the regex
Again, I think this would clearly be a very different type of cataloger. This requires the build system the container was built with to be around at the time of invoking syft (and not just the container image). I'd really see it out of scope for here. A better path forward for this would be something like Nix dumping some more version information into container metadata, or a well-known location inside the container. @juliosueiras do you have time to address the splitting of output names / regex changes in general and can then mark this as ready for review?
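Added example (not code from the PR or from syft itself): a Go parser for the store-path layout under discussion in the regex review and the output-name splitting above. It validates the 32-character nixbase32 hash in the spirit of go-nix's nixpath and peels a trailing output name such as -lib off before locating the version, so the version no longer swallows the output suffix the way the posted `(?P<version>.*)` group does; the set of output names and the sample path are assumptions.

```go
package main

import (
	"regexp"
	"strings"
)

// Pattern as posted in the PR: everything after the second hyphen becomes the version.
var loosePath = regexp.MustCompile(`/nix/store/[^-]*-([^-]*)-(?P<version>.*)/$`)

// Stricter pattern in the spirit of go-nix's nixpath: a 32-character nixbase32 hash
// (the alphabet omits e, o, t and u), then a name part that is split separately below.
var strictPath = regexp.MustCompile(
	`^/nix/store/([0123456789abcdfghijklmnpqrsvwxyz]{32})-([a-zA-Z0-9+\-._?=]+)/?$`)

// Common Nix output names (assumption: an illustrative set, not exhaustive).
var knownOutputs = map[string]bool{"out": true, "lib": true, "dev": true, "bin": true, "doc": true, "man": true}

type StorePath struct {
	Hash, Name, Version, Output string
}

// ParseStorePath splits a store path into hash, name, version and output; the version
// starts at the first "-" followed by a digit, which is Nix's own parseDrvName rule.
func ParseStorePath(p string) (StorePath, bool) {
	m := strictPath.FindStringSubmatch(p)
	if m == nil {
		return StorePath{}, false // not a well-formed store path
	}
	sp, rest := StorePath{Hash: m[1]}, m[2]
	// Peel off a trailing output name such as "-lib" before looking for the version.
	if i := strings.LastIndex(rest, "-"); i >= 0 && knownOutputs[rest[i+1:]] {
		sp.Output, rest = rest[i+1:], rest[:i]
	}
	for i := 0; i+1 < len(rest); i++ {
		if rest[i] == '-' && rest[i+1] >= '0' && rest[i+1] <= '9' {
			sp.Name, sp.Version = rest[:i], rest[i+1:]
			return sp, true
		}
	}
	sp.Name = rest // no version component at all
	return sp, true
}

// LooseVersion returns what the regex posted in the PR yields as the version.
func LooseVersion(p string) string {
	if m := loosePath.FindStringSubmatch(p); m != nil {
		return m[loosePath.SubexpIndex("version")]
	}
	return ""
}
```

For a constructed path like `/nix/store/<32-char hash>-hello-2.12.1-lib/` the strict parser yields name `hello`, version `2.12.1`, output `lib`, while the posted regex reports the version as `2.12.1-lib`.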
That distinction makes sense. Ultimately, I'm alright with not including reading from this source in this PR, so I retract my earlier request 🙏 . [side discussion, no longer about this PR] I want to highlight that build-time info is a popular use case for SBOMs as well, so it still sounds like this data source could be an interesting add on later, but I'm curious on your thoughts about it needing to be a different cataloger (I was thinking it would be an extension of this one).
I think Nix / the container building infrastructure should have a way to emit some standardized BOM format for a given Nix closure, and in the case of container images, attach it alongside, for syft to be able to pick it up. Not sure if there's a suitable metadata field for it (yet), but this is probably too much out of scope for here. It's also a problem independent of Nix - these BOMs could be created and attached for anything else assembling container images. Let's open an issue and discuss there?
@juliosueiras I've tried pushing to your PR without luck, I get I've pushed changes to a local branch to this repo here: https://github.com/anchore/syft/compare/feature/nix-cataloger These changes include:
what's still left todo:
@juliosueiras / @flokli what do you think of these changes? @juliosueiras can you pull in these changes to your branch (if you approve of the changes)?
@wagoodman I left some comments on your commits, but I feel like this here would be a more appropriate place to discuss. From your checkout, can you try pushing with
I tried both of these things without luck (permission denied).
I think the next best option is to change the branch target from @juliosueiras shout out if you're still interested in working on this directly and I'll hold off on that plan.
FYI, I've merged this into a new in-repo branch
Closes #462