Merge pull request #82 from nikstur/extra-paths

add extraPaths option
nikstur · Mar 12, 2024 · 4e968ff · 4e968ff
2 parents 56c8362 + 66d0dbf
commit 4e968ff
Show file tree

Hide file tree

Showing 6 changed files with 39 additions and 18 deletions.
diff --git a/README.md b/README.md
@@ -64,12 +64,18 @@ bombon.buildBom pkgs.hello { }
 
 `buildBom` accepts options as an attribute set. All attributes are optional:
 
+- `extraPaths`: a list of store paths to also consider for the SBOM. This is
+  useful when you build images that discard their references (e.g. with
+  [`unsafeDiscardReferences`](https://nixos.org/manual/nix/stable/language/advanced-attributes#adv-attr-unsafeDiscardReferences)
+  but you still want their contents to appear in the SBOM. The `extraPaths`
+  will appear as components of the main derivation.
 - `includeBuildtimeDependencies`: boolean flag to include buildtime dependencies in output.
 
 Example:
 
 ```nix
 bombon.lib.${system}.buildBom pkgs.hello {
+  extraPaths = [ pkgs.git ];
   includeBuildtimeDependencies = true;
 }
 ```

diff --git a/nix/build-bom.nix b/nix/build-bom.nix
@@ -5,7 +5,10 @@
 , runtimeDependencies
 }:
 
-drv: { includeBuildtimeDependencies ? false }:
+drv: { extraPaths ? [ ]
+     , includeBuildtimeDependencies ? false
+     }:
+
 let
   flags = lib.optionals includeBuildtimeDependencies [
     "--include-buildtime-dependencies"
@@ -14,7 +17,7 @@ in
 runCommand "${drv.name}.cdx.json" { buildInputs = [ transformer ]; } ''
   bombon-transformer ${drv} \
     ${toString flags} \
-    ${buildtimeDependencies drv} \
-    ${runtimeDependencies drv} > $out
+    ${buildtimeDependencies drv extraPaths} \
+    ${runtimeDependencies drv extraPaths} > $out
 ''
 
diff --git a/nix/buildtime-dependencies.nix b/nix/buildtime-dependencies.nix
@@ -5,6 +5,7 @@
 }:
 
 let
+
   drvOutputs = drv:
     if builtins.hasAttr "outputs" drv
     then map (output: drv.${output}) drv.outputs
@@ -40,19 +41,29 @@ let
   optionalGetAttrs = names: attrs:
     lib.genAttrs (builtins.filter (x: lib.hasAttr x attrs) names) (name: attrs.${name});
 
-  # Retrieves only the required fields from a derivation and renames outPath so that 
+  # Retrieves only the required fields from a derivation and renames outPath so that
   # builtins.toJSON actually emits JSON and not only the nix store path
   fields = drv:
     (optionalGetAttrs [ "name" "pname" "version" "meta" ] drv) // { path = drv.outPath; };
+
 in
-drv:
+
+drv: extraPaths:
+
 let
+
+  allDrvs = [ drv ] ++ extraPaths;
+
+  allBuildtimeDerivations = lib.flatten (map buildtimeDerivations allDrvs);
+
   unformattedJson = writeText
     "${drv.name}-unformatted-buildtime-dependencies.json"
     (builtins.toJSON
-      (map (obj: (fields obj.drv)) (buildtimeDerivations drv))
+      (map (obj: (fields obj.drv)) allBuildtimeDerivations)
     );
+
 in
+
 # Format the json so that the transformer can better report where errors occur
 runCommand "${drv.name}-buildtime-dependencies.json" { } ''
   ${jq}/bin/jq < ${unformattedJson} > "$out"

diff --git a/nix/runtime-dependencies.nix b/nix/runtime-dependencies.nix
@@ -4,7 +4,7 @@
 , closureInfo
 }:
 
-drv:
+drv: extraPaths:
 runCommand "${drv.name}-runtime-dependencies.txt" { } ''
-  cat ${closureInfo { rootPaths = [ drv ]; }}/store-paths > $out
+  cat ${closureInfo { rootPaths = [ drv ] ++ extraPaths; }}/store-paths > $out
 ''
diff --git a/nix/tests/default.nix b/nix/tests/default.nix
@@ -21,6 +21,9 @@ let
 
     { name = "git"; drv = git; options = { }; }
     { name = "git-buildtime"; drv = git; options = buildtimeOptions; }
+
+    { name = "git-extra-paths"; drv = git; options = { extraPaths = [ poetry ]; }; }
+    { name = "git-extra-paths-buildtime"; drv = git; options = buildtimeOptions // { extraPaths = [ poetry ]; }; }
   ];
 
   cycloneDxSpec = pkgs.fetchFromGitHub {

diff --git a/rust/transformer/src/derivation.rs b/rust/transformer/src/derivation.rs
@@ -1,3 +1,4 @@
+use itertools::Itertools;
 use serde::Deserialize;
 
 #[derive(Deserialize, Clone, Debug, Default)]
@@ -11,19 +12,16 @@ pub struct Derivation {
 
 impl Derivation {
     pub fn new(store_path: &str) -> Self {
-        // Because we only have the store path we have to derive the pname and version from it
-        let stripped = store_path.strip_prefix("/nix/store/");
-        let pname = stripped
-            .and_then(|s| s.split('-').nth(1))
-            .map(ToOwned::to_owned);
-        let version = stripped
-            .and_then(|s| s.split('-').last())
-            .map(ToOwned::to_owned);
+        // Because we only have the store path we have to derive the name from it
+        let name = store_path.strip_prefix("/nix/store/").map(|s| {
+            let mut split = s.split('-');
+            split.next();
+            split.join("-")
+        });
 
         Self {
             path: store_path.to_string(),
-            pname,
-            version,
+            name,
             ..Self::default()
         }
     }