nixpkgs

2nd chunk of `doc/interoperability/cyclonedx.md`
| [`nix:fod`](#sec-interop.cylonedx-fod) | Namespace for properties that describe a [fixed-output derivation](https://nixos.org/manual/nix/stable/glossary#gloss-fixed-output-derivation). |


### `nix:narinfo` {#sec-interop.cylonedx-narinfo}

Narinfo properties describe component archives that may be available from binary caches.
The `nix:narinfo` properties should be accompanied by a `nix:store_path` property within the same property list.

| Property                  | Description |
|---------------------------|-------------|
| `nix:narinfo:store_path`  | Store path for the given store component. |
| `nix:narinfo:url`         | URL path component. |
| `nix:narinfo:nar_hash`    | Hash of the file system object part of the component when serialized as a Nix Archive. |
| `nix:narinfo:nar_size`    | Size of the component when serialized as a Nix Archive. |
| `nix:narinfo:compression` | The compression format of the component archive. |
| `nix:narinfo:file_hash`   | A digest for the compressed component archive itself, as opposed to the data contained within. |
| `nix:narinfo:file_size`   | The size of the compressed component archive itself. |
| `nix:narinfo:deriver`     | The path to the derivation from which this component is produced. |
| `nix:narinfo:system`      | The hardware and software platform on which this component is produced. |
| `nix:narinfo:sig`         | Signatures claiming that this component is what it claims to be. |
| `nix:narinfo:ca`          | Content address of this store object's file system object, used to compute its store path. |
| `nix:narinfo:references`  | A whitespace-separated array of store paths that this component references. |

### `nix:fod` {#sec-interop.cylonedx-fod}

FOD properties describe a [fixed-output derivation](https://nixos.org/manual/nix/stable/glossary#gloss-fixed-output-derivation).
The `nix:fod:method` property is required and must be accompanied by a `nix:store_path` property within the same property list.
All other properties in this namespace are method-specific.
To reproduce the build of a component, the `nix:fod:method` value is resolved to an [appropriate function](#chap-pkgs-fetchers) within Nixpkgs whose arguments intersect with the given properties.
When generating `nix:fod` properties, the method selected should be a stable function with a minimal number of arguments.
For example, `fetchFromGitHub` is commonly used within Nixpkgs but should be reduced to a call to the function by which it is implemented, `fetchzip`.

| Property         | Description |
|------------------|-------------|
| `nix:fod:method` | Nixpkgs function that produces this FOD. Required. Examples: `"fetchzip"`, `"fetchgit"` |
| `nix:fod:name`   | Derivation name, present when method is `"fetchzip"` |
| `nix:fod:ref`    | [Git ref](https://git-scm.com/docs/gitglossary#Documentation/gitglossary.txt-aiddefrefaref), present when method is `"fetchgit"` |
| `nix:fod:rev`    | [Git rev](https://git-scm.com/docs/gitglossary#Documentation/gitglossary.txt-aiddefrevisionarevision), present when method is `"fetchgit"` |
| `nix:fod:sha256` | FOD hash |
| `nix:fod:url`    | URL to fetch |


`nix:fod` properties may be extracted and evaluated to a derivation using code similar to the following, assuming a fictitious function `filterPropertiesToAttrs`:

```nix
{
  pkgs,
  filterPropertiesToAttrs,
  properties,
}:
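let
  # Strip the "nix:fod:" prefix, yielding attributes such as
  # `method`, `name`, `url` and `sha256`.
  fodProps = filterPropertiesToAttrs "nix:fod:" properties;

  # Fetchers that a `nix:fod:method` value may resolve to.
  # A method that is not listed here fails evaluation.
  methods = {
    fetchzip =
      {
        name,
        url,
        sha256,
        ...
      }:
      pkgs.fetchzip {
        inherit name url sha256;
      };
  };

in
# Select the fetcher named by `nix:fod:method` and apply it to the extracted properties.
methods.${fodProps.method} fodProps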
```
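
One possible implementation of the fictitious `filterPropertiesToAttrs`, together with a check of the two requirements stated above (`nix:fod:method` is present and a `nix:store_path` property sits in the same property list). This is an added example, not code from Nixpkgs; `checkedFodProps` and the sample values are hypothetical, and the property list is assumed to be the CycloneDX list of `name`/`value` pairs already decoded from JSON.

```nix
# Added example. Evaluate with: nix-instantiate --eval --strict example.nix
let
  # Hypothetical implementation of the page's fictitious helper.
  # `properties` is a CycloneDX property list: [ { name = "..."; value = "..."; } ... ]
  # Note: builtins.listToAttrs keeps the first occurrence when a name repeats.
  filterPropertiesToAttrs =
    prefix: properties:
    let
      prefixLen = builtins.stringLength prefix;
      hasPrefix = p: builtins.substring 0 prefixLen p.name == prefix;
      strip = p: {
        name = builtins.substring prefixLen (builtins.stringLength p.name - prefixLen) p.name;
        inherit (p) value;
      };
    in
    builtins.listToAttrs (map strip (builtins.filter hasPrefix properties));

  # Hypothetical wrapper: reject a property list that breaks the documented
  # requirements before any value is handed to a fetcher.
  checkedFodProps =
    properties:
    let
      fodProps = filterPropertiesToAttrs "nix:fod:" properties;
      hasStorePath = builtins.any (p: p.name == "nix:store_path") properties;
    in
    assert fodProps ? method || throw "nix:fod:method is required";
    assert hasStorePath || throw "nix:fod properties must be accompanied by nix:store_path";
    fodProps;

  # Constructed sample property list (placeholder values, not a real package).
  sampleProperties = [
    { name = "nix:store_path"; value = "/nix/store/<placeholder-hash>-source"; }
    { name = "nix:fod:method"; value = "fetchzip"; }
    { name = "nix:fod:name"; value = "source"; }
    { name = "nix:fod:url"; value = "https://example.org/source.zip"; }
    { name = "nix:fod:sha256"; value = "<placeholder-sha256>"; }
    { name = "unrelated:property"; value = "ignored by the prefix filter"; }
  ];
in
# Evaluates to an attribute set with `method`, `name`, `sha256` and `url`.
checkedFodProps sampleProperties
```

The resulting attribute set has the shape expected by `methods.${fodProps.method} fodProps` in the snippet above.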

Title: Detailed Nix Properties for CycloneDX: narinfo and fod
Summary
This section details the `nix:narinfo` and `nix:fod` namespaces for use in CycloneDX SBOMs. It expands on the `nix:narinfo` properties, including `deriver`, `system`, `sig`, `ca`, and `references`. It then describes `nix:fod` properties for fixed-output derivations, highlighting the required `method` property and providing examples like `fetchzip` and `fetchgit`, along with relevant properties such as `name`, `ref`, `rev`, `sha256`, and `url`. It also includes example Nix code to extract and evaluate `nix:fod` properties into a derivation.