nixpkgs

6th chunk of `doc/stdenv/meta.chapter.md`
### `lib.sourceTypes.binaryFirmware` {#lib.sourceTypes.binaryFirmware}

Code to be executed on a peripheral device or embedded controller, built by a third party.

### `lib.sourceTypes.binaryBytecode` {#lib.sourceTypes.binaryBytecode}

Code compiled into bytecode by a third party, to be run on a VM interpreter or JIT. This includes packages which download Java `.jar` files from another source.

## Software identifiers {#sec-meta-identifiers}

A package's `meta.identifiers` attribute specifies the software identifiers associated with that package. Software identifiers are used, for example:
* to generate a Software Bill of Materials (SBOM) that lists all components used to build the software, which can later be used to perform vulnerability or license analysis of the resulting software;
* to look up software in different vulnerability databases, or to report new vulnerabilities to them.

Overriding the default `meta.identifiers` attribute is optional, but filling in the known identifiers is recommended, because it gives the tools mentioned above precise data to work with.
For example, it could in the future allow users to receive automatic notifications about potential vulnerabilities in the packages they use.
All identifiers specified in `meta.identifiers` are expected to be unambiguous and valid.

`meta.identifiers` contains a `v1` attribute, an attribute set whose constituents are guaranteed to remain backward compatible. Right now it contains copies of all other attributes in `meta.identifiers`.

### CPE {#sec-meta-identifiers-cpe}

Common Platform Enumeration (CPE) is a specification maintained by NIST as part of the Security Content Automation Protocol (SCAP). It is used to identify software in the National Vulnerability Database (NVD, https://nvd.nist.gov) and other vulnerability databases.

The current version of CPE, 2.3, consists of 13 colon-separated parts:

```
cpe:2.3:a:<vendor>:<product>:<version>:<update>:<edition>:<language>:<sw_edition>:<target_sw>:<target_hw>:<other>
```

Some of them are:

* *CPE version* - the current version of CPE is `2.3`
* *part* - in Nixpkgs usually `a` for "application"; can also be `o` for "operating system" or `h` for "hardware"
* *vendor* - can point to the upstream source of the package, or to Nixpkgs itself
* *product* - name of the package
* *version* - version of the package
* *update* - name of the latest update; can be the patch version for semantically versioned packages
* *edition* - any additional specification about the version
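As an added worked example of the 13-part formatted-string binding described above (this is not code from nixpkgs; the vendor and product names are constructed), the following Python module parses, validates and builds CPE 2.3 strings. It goes slightly beyond the list above by implementing the escaping rules of the formatted-string binding (NISTIR 7695): an unescaped `:` separates fields, letters, digits, `_`, `.` and `-` are literal, other punctuation must be backslash-escaped, and a bare `*` or `?` is a wildcard. Running such a check before a CPE lands in `meta.identifiers` catches the malformed strings that would otherwise silently miss in an NVD lookup or SBOM match.

```python
import re

# Added example: the 13-field CPE 2.3 formatted-string binding (NISTIR 7695).
# Not part of the nixpkgs documentation; vendor/product names are constructed.

# Attribute names that follow the fixed "cpe" and "2.3" prefix, in order.
FIELDS = ("part", "vendor", "product", "version", "update", "edition",
          "language", "sw_edition", "target_sw", "target_hw", "other")

ANY = "*"  # logical value ANY: the attribute may take any value
NA = "-"   # logical value NA: the attribute is not applicable

# One character of a component: letters, digits, '_', '.' and '-' are literal,
# any other punctuation must be backslash-escaped, and a bare '*' or '?' is a
# wildcard. An unescaped ':' is the field separator and never part of a value.
_ATOM = r"(?:[A-Za-z0-9_.\-]|\\[^A-Za-z0-9_]|[*?])"
_COMPONENT_RE = re.compile(rf"^(?:\*|-|{_ATOM}+)$")


def _split_unescaped(s, sep=":"):
    """Split on separators that are not part of a backslash escape (e.g. '\\:')."""
    parts, buf, i = [], [], 0
    while i < len(s):
        ch = s[i]
        if ch == "\\" and i + 1 < len(s):
            buf.append(s[i:i + 2])  # keep the escape pair intact
            i += 2
            continue
        if ch == sep:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))
    return parts


def parse_cpe23(s):
    """Return the 11 attributes of a CPE 2.3 formatted string as a dict.

    Values are returned exactly as bound (escapes preserved); ValueError is
    raised for anything that is not a well-formed formatted string.
    """
    parts = _split_unescaped(s)
    if len(parts) != 13:
        raise ValueError(f"expected 13 colon-separated fields, got {len(parts)}")
    if parts[0] != "cpe" or parts[1] != "2.3":
        raise ValueError("formatted string must start with 'cpe:2.3:'")
    fields = dict(zip(FIELDS, parts[2:]))
    if fields["part"] not in ("a", "o", "h", ANY, NA):
        raise ValueError(f"part must be a, o or h, got {fields['part']!r}")
    for name, value in fields.items():
        if not _COMPONENT_RE.match(value):
            raise ValueError(f"{name}: malformed component {value!r}")
    return fields


def is_valid_cpe23(s):
    """Boolean wrapper around parse_cpe23 for use in checks and tests."""
    try:
        parse_cpe23(s)
        return True
    except ValueError:
        return False


def _escape(value):
    """Bind one literal attribute value; ANY and NA pass through unchanged."""
    if value in (ANY, NA):
        return value
    if not value.isascii():
        raise ValueError("CPE components must be ASCII")
    out = []
    for ch in value.lower():  # NVD entries are lower-case; CPE compares case-insensitively
        if ch.isalnum() or ch in "_.-":
            out.append(ch)
        else:
            out.append("\\" + ch)  # '*' and '?' become literals here, not wildcards
    return "".join(out)


def build_cpe23(part, vendor, product, version=ANY, update=ANY, edition=ANY,
                language=ANY, sw_edition=ANY, target_sw=ANY, target_hw=ANY,
                other=ANY):
    """Bind literal attribute values into a CPE 2.3 formatted string."""
    values = [part, vendor, product, version, update, edition, language,
              sw_edition, target_sw, target_hw, other]
    s = ":".join(["cpe", "2.3"] + [_escape(v) for v in values])
    parse_cpe23(s)  # round-trip check: what we emit must itself be well-formed
    return s


if __name__ == "__main__":
    # Constructed sample: a product whose name contains a colon, bound as '\:'.
    sample = "cpe:2.3:a:examplecorp:widget\\:pro:2.0:-:*:*:*:*:*:*"
    print(parse_cpe23(sample))
    print(build_cpe23("a", "ExampleCorp", "widget+plus", "1.2.3", update="beta1"))
```

`parse_cpe23` deliberately keeps the escaped form of each component, since that is the string a vulnerability database will be matched against; `build_cpe23` is the inverse and treats every argument as a literal, so a value that should be a wildcard must be passed as `ANY` rather than as the character `*`.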
