Implementation of Nix extractor. #356
base: main
Conversation
extractor/filesystem/os/nix/nix.go
Outdated
```go
// Check if uniquePath has been already processed. Scalibr scans through files but the info
// about the nix packages are saved in the directory name.
if _, exists := visitedDir[uniquePath]; !exists {
```
This will be executed for all files in the nix directory. Is there no file pattern you can match on?
As far as I understood, Scalibr scans each file individually, and matching on the `nix/store/` pattern is the only viable way to identify relevant files.
If you have any suggestions or alternative approaches to optimize this process, I would be happy to explore them.
```go
PackageName    string
PackageVersion string
PackageHash    string
PackageOutput  string
```
What is packageOutput?
It is a part of what gets built when a package is created.
Ref: https://nixos.org/manual/nixpkgs/stable/#sec-package-naming
extractor/filesystem/os/nix/nix.go
Outdated
```go
	return osID + ":" + m.OSVersionID
}

func toNamespace(m *Metadata) string {
```
Is there a spec for nix purls? I only see `nix` as the package type. Why do you set the namespace? I'd leave it empty.
Currently, there isn't a formal specification for Nix PURLs beyond `nix` as the package type. We initially set the namespace to include OSID (or fall back to "nixos") to provide additional context about the package's origin. I can update the implementation to return an empty namespace if that aligns better with the project's goals.
Yeah, I'd keep namespace empty for now. I think it would be always nixos and that can be derived from the package type.
Context: For Debian the namespace is relevant, as it might be Ubuntu, for example. Ubuntu has a different vuln feed than Debian AFAIK.
I updated the code, removed the `toNamespace` function, and modified the `Ecosystem` function to return an empty string, similar to the behavior for Homebrew. Since there is no defined ecosystem for Nix, I aligned the implementation with that of the Homebrew extractor.
Let me know if this works for you.
Ref: https://ossf.github.io/osv-schema/#debian-vulnerability
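The two threads above (deduplicating on the `/nix/store/<hash>-<name>` directory, and emitting a `nix` purl with an empty namespace) can be illustrated end to end. The following is an added example written for this page, not code from the PR or from SCALIBR; the `Metadata` struct only mirrors the four fields quoted in the review, the output-suffix list is an assumed convention, and the 32-character hash in the sample paths is a constructed placeholder (it is simply Nix's base-32 alphabet).

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Metadata mirrors the fields discussed in the review thread (assumed shape, not SCALIBR's own type).
type Metadata struct {
	PackageName    string
	PackageVersion string
	PackageHash    string
	PackageOutput  string
}

// Store entries are "<hash>-<name>", where the hash is 32 characters of Nix's base-32 alphabet.
var storeEntryRe = regexp.MustCompile(`^([0-9abcdfghijklmnpqrsvwxyz]{32})-(.+)$`)

// Assumed set of common multi-output suffixes; a real extractor would treat this as configurable.
var knownOutputs = map[string]bool{
	"bin": true, "dev": true, "doc": true, "devdoc": true, "info": true, "lib": true, "man": true, "out": true,
}

// StoreEntry returns the top-level /nix/store directory containing path, or "" if path is not
// below /nix/store. This is the "uniquePath" the review thread deduplicates on.
func StoreEntry(path string) string {
	const prefix = "/nix/store/"
	if !strings.HasPrefix(path, prefix) {
		return ""
	}
	rest := strings.TrimPrefix(path, prefix)
	if i := strings.IndexByte(rest, '/'); i >= 0 {
		rest = rest[:i]
	}
	return rest
}

// splitVersion applies Nix's derivation-name rule: the version starts at the first "-"
// that is immediately followed by a digit.
func splitVersion(s string) (name, version string) {
	for i := 0; i+1 < len(s); i++ {
		if s[i] == '-' && s[i+1] >= '0' && s[i+1] <= '9' {
			return s[:i], s[i+1:]
		}
	}
	return s, ""
}

// ParseStoreEntry turns "<hash>-<name>-<version>[-<output>]" into Metadata.
func ParseStoreEntry(entry string) (Metadata, error) {
	m := storeEntryRe.FindStringSubmatch(entry)
	if m == nil {
		return Metadata{}, fmt.Errorf("not a nix store entry: %q", entry)
	}
	md := Metadata{PackageHash: m[1]}
	md.PackageName, md.PackageVersion = splitVersion(m[2])
	// Only peel an output suffix off a version that was actually found, so "foo-dev" stays a name.
	if i := strings.LastIndexByte(md.PackageVersion, '-'); i >= 0 && knownOutputs[md.PackageVersion[i+1:]] {
		md.PackageOutput = md.PackageVersion[i+1:]
		md.PackageVersion = md.PackageVersion[:i]
	}
	return md, nil
}

// PURL builds the package URL with an empty namespace, as agreed in the thread: pkg:nix/<name>@<version>.
func PURL(md Metadata) string {
	if md.PackageVersion == "" {
		return "pkg:nix/" + md.PackageName
	}
	return "pkg:nix/" + md.PackageName + "@" + md.PackageVersion
}

// ExtractAll walks scanned file paths and emits one Metadata per distinct store entry,
// the same "visitedDir" deduplication the review thread discusses.
func ExtractAll(paths []string) []Metadata {
	seen := map[string]bool{}
	var out []Metadata
	for _, p := range paths {
		entry := StoreEntry(p)
		if entry == "" || seen[entry] {
			continue
		}
		seen[entry] = true
		md, err := ParseStoreEntry(entry)
		if err != nil {
			continue // a non-package entry directly under /nix/store
		}
		out = append(out, md)
	}
	return out
}

func main() {
	// Constructed sample paths; the hash is a placeholder (the Nix base-32 alphabet itself).
	const h = "0123456789abcdfghijklmnpqrsvwxyz"
	paths := []string{
		"/nix/store/" + h + "-openssl-3.0.12-dev/include/openssl/ssl.h",
		"/nix/store/" + h + "-openssl-3.0.12-dev/include/openssl/evp.h",
		"/nix/store/" + h + "-python3-3.11.6/bin/python3",
		"/nix/store/" + h + "-hello/bin/hello",
		"/etc/passwd",
	}
	for _, md := range ExtractAll(paths) {
		fmt.Printf("%+v -> %s\n", md, PURL(md))
	}
}
```

The two `ssl.h`/`evp.h` paths collapse into a single `openssl` record because they share a store entry, which is the cost the first review comment is concerned about: every file under the store is visited, but parsing happens once per directory.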
Fix the highlighted issues
Pull request for the Nix package manager extractor.
Implemented: