Add option to scan nix profile? #105

Open
arianvp opened this issue Jan 9, 2024 · 8 comments
Comments

arianvp commented Jan 9, 2024

I.e. it can take ~/.nix-profile/manifest.json as input

Currently you get:

% sbomnix ~/.nix-profile
INFO     Evaluating '/Users/arian/.nix-profile'
INFO     Try force-realising store-path '/Users/arian/.nix-profile'
INFO     Loading runtime dependencies referenced by '/nix/store/pwcgic86vfhhdkpbh03cn7pv7a58vdqh-profile'
CRITICAL No deriver found for: '/nix/store/pwcgic86vfhhdkpbh03cn7pv7a58vdqh-profile
henrirosten (Collaborator) commented

Thanks, this is a good suggestion. I'll look into this as soon as possible.

henrirosten (Collaborator) commented

On my test systems, this actually works with the current sbomnix out-of-the-box:

$ nix run github:tiiuae/sbomnix#sbomnix -- /home/hrosten/.nix-profile/
INFO     Evaluating '/home/hrosten/.nix-profile/'
INFO     Try force-realising store-path '/home/hrosten/.nix-profile/'
INFO     Loading runtime dependencies referenced by '/nix/store/2hxmj8xcwh929z92i8l50by0i5q4mh69-user-environment'
INFO     Wrote: sbom.cdx.json
INFO     Wrote: sbom.spdx.json
INFO     Wrote: sbom.csv

As stated in the error message you attached, the reason it fails in your example is that it's unable to find the derivation for:

/Users/arian/.nix-profile -> /nix/store/pwcgic86vfhhdkpbh03cn7pv7a58vdqh-profile

Under the hood, sbomnix uses nix derivation show /nix/store/pwcgic86vfhhdkpbh03cn7pv7a58vdqh-profile to attempt to find the derivation for the given target path.

Not sure why that fails in your example case.

How do you setup your system?

If you set it up with flake, you could try running the sbomnix against the relevant flake reference, something like (using https://github.com/henrirosten/dotfiles as an example target):

nix run github:tiiuae/sbomnix#sbomnix -- github:henrirosten/dotfiles#homeConfigurations.hrosten.activationPackage

arianvp (Author) commented Jan 13, 2024

The derivations get garbage collected after running nix garbage collect but the realized out paths remain

So it will work for once when you install a package but as the profile grows over weeks parts will not have the original derivation file anymore I think?

henrirosten (Collaborator) commented

By default, nix shouldn't remove derivations if the associated store path is used (non-garbage):

keep-derivations

If true (default), the garbage collector will keep the derivations from which non-garbage store paths were built. If false, they will be deleted unless explicitly registered as a root (or reachable from other roots).

Keeping derivation around is useful for querying and traceability (e.g., it allows you to ask with what dependencies or options a store path was built), so by default this option is on. Turn it off to save a bit of disk space (or a lot if keep-outputs is also turned on).

Default: true

arianvp (Author) commented Jan 22, 2024

Huh, weird. It's on for me too. I'm wondering what's going on here. I'll report back if I can reproduce again, but it sounds like a problem with my setup.

arianvp (Author) commented Jan 22, 2024

On a new setup:

% nix-store --query --deriver ~/.nix-profile
unknown-deriver
% nix show-config | grep keep-derivations
keep-derivations = true

Really strange

arianvp (Author) commented Jan 22, 2024

Even on a clean profile it doesn't work. @henrirosten, are you sure you're using a new-style profile (nix profile) and not an old-style profile (nix-env)?

arian@Arians-MacBook-Pro ~ % rm -rf ~/.nix-profile
arian@Arians-MacBook-Pro ~ % rm -rf ~/.local/state/nix/profiles/
arian@Arians-MacBook-Pro ~ % nix profile list
arian@Arians-MacBook-Pro ~ % nix profile install nixpkgs#direnv
arian@Arians-MacBook-Pro ~ % nix profile list
Index:              0
Flake attribute:    legacyPackages.aarch64-darwin.direnv
Original flake URL: flake:nixpkgs
Locked flake URL:   github:NixOS/nixpkgs/5f5210aa20e343b7e35f40c033000db0ef80d7b9
Store paths:        /nix/store/7dacgcmg51sh67kv4v6ilrsyn7ignsdh-direnv-2.33.0
arian@Arians-MacBook-Pro ~ % nix-store --query --deriver ~/.nix-profile
unknown-deriver
arian@Arians-MacBook-Pro ~ % sbomnix ~/.nix-profile
INFO     Evaluating '/Users/arian/.nix-profile'
INFO     Try force-realising store-path '/Users/arian/.nix-profile'
INFO     Loading runtime dependencies referenced by '/nix/store/53xzw4cqhgrgxdwsx4j3s7k9mgi9rh46-profile'
CRITICAL No deriver found for: '/nix/store/53xzw4cqhgrgxdwsx4j3s7k9mgi9rh46-profile

henrirosten (Collaborator) commented

@arianvp: thanks for taking the time to explain the issue.

With your instructions in the previous comment, I'm able to reproduce the problem. I was not aware that nix profile works differently in this respect.

As you already suggested initially, I also think sbomnix would have to parse the ~/.nix-profile/manifest.json to support scanning such profiles.
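The thread ends with the conclusion that sbomnix would need to read ~/.nix-profile/manifest.json rather than asking the store for a deriver of the profile link. The script below is an added example, not sbomnix's own code, of what that first step looks like: it parses the manifest, keeps only active elements, validates that each listed path is actually a /nix/store path before it is handed to any scanner, and records the flake reference each path was installed from so the SBOM can carry that provenance. The two manifest layouts it accepts (an "elements" list in older manifests, an "elements" dict keyed by element name in newer ones) are assumptions about the format and are not stated anywhere in the issue; the sample manifest is constructed around the direnv entry shown above.

```python
"""Extract scan targets from a `nix profile` manifest.json.

Added example, not code from sbomnix. Reads the manifest that `nix profile`
writes to ~/.nix-profile/manifest.json and returns the store paths of the
active elements so each can be scanned on its own. The two layouts handled
(an "elements" list, or an "elements" dict keyed by name) are assumptions
about the manifest format.
"""
import json
import re
import sys
from pathlib import Path
from typing import Dict, Iterator, List, Tuple

# Nix store hashes are 32 characters from a base-32 alphabet without e, o, t, u.
STORE_PATH_RE = re.compile(r"^/nix/store/[0-9a-df-np-sv-z]{32}-[^/]+$")

# Constructed sample (list layout) built around the direnv entry from the issue,
# plus an inactive element and a deliberately malformed one.
SAMPLE_MANIFEST_LIST = json.dumps({
    "version": 2,
    "elements": [
        {
            "active": True,
            "attrPath": "legacyPackages.aarch64-darwin.direnv",
            "originalUrl": "flake:nixpkgs",
            "priority": 5,
            "storePaths": ["/nix/store/7dacgcmg51sh67kv4v6ilrsyn7ignsdh-direnv-2.33.0"],
            "url": "github:NixOS/nixpkgs/5f5210aa20e343b7e35f40c033000db0ef80d7b9",
        },
        {
            "active": False,  # still in the manifest, not linked into the profile
            "attrPath": "legacyPackages.aarch64-darwin.hello",
            "originalUrl": "flake:nixpkgs",
            "priority": 5,
            "storePaths": ["/nix/store/zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz-hello-2.12.1"],
            "url": "github:NixOS/nixpkgs/5f5210aa20e343b7e35f40c033000db0ef80d7b9",
        },
        {"active": True, "storePaths": ["/tmp/not-a-store-path"]},  # malformed on purpose
    ],
})

# The same direnv element in the dict layout (constructed).
SAMPLE_MANIFEST_DICT = json.dumps({
    "version": 3,
    "elements": {"direnv": json.loads(SAMPLE_MANIFEST_LIST)["elements"][0]},
})


def iter_elements(manifest: dict) -> Iterator[Tuple[str, dict]]:
    """Yield (name, element) pairs for either manifest layout."""
    elements = manifest.get("elements")
    if isinstance(elements, list):
        for idx, elem in enumerate(elements):
            yield str(idx), elem
    elif isinstance(elements, dict):
        yield from elements.items()
    else:
        raise ValueError("manifest has no recognisable 'elements' field")


def scan_targets(manifest_text: str) -> Tuple[List[str], List[str]]:
    """Return (accepted, rejected): validated store paths of active elements,
    and any strings that do not look like store paths and must not be scanned."""
    accepted, rejected = set(), []
    for _name, elem in iter_elements(json.loads(manifest_text)):
        if not elem.get("active", True):
            continue
        for path in elem.get("storePaths", []):
            if STORE_PATH_RE.match(path):
                accepted.add(path)
            else:
                rejected.append(path)
    return sorted(accepted), rejected


def provenance(manifest_text: str) -> Dict[str, Dict[str, str]]:
    """Map each accepted store path to the flake reference it was installed from,
    which an SBOM generator can record as the component's source."""
    info: Dict[str, Dict[str, str]] = {}
    for _name, elem in iter_elements(json.loads(manifest_text)):
        if not elem.get("active", True):
            continue
        for path in elem.get("storePaths", []):
            if STORE_PATH_RE.match(path):
                info[path] = {
                    "attrPath": elem.get("attrPath", ""),
                    "originalUrl": elem.get("originalUrl", ""),
                    "lockedUrl": elem.get("url", ""),
                }
    return info


if __name__ == "__main__":
    # Usage: python manifest_targets.py [~/.nix-profile/manifest.json]
    # Falls back to the constructed sample when no path is given.
    text = Path(sys.argv[1]).read_text() if len(sys.argv) > 1 else SAMPLE_MANIFEST_LIST
    ok, bad = scan_targets(text)
    for p in ok:
        print(p, provenance(text)[p]["lockedUrl"])
    for p in bad:
        print("skipped (not a store path):", p, file=sys.stderr)
```

Each accepted path can then be passed to sbomnix individually, where the deriver lookup works because it targets the package output rather than the profile symlink; the locked flake URL gives a reproducible source reference for the SBOM even when the derivation itself has been collected.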
