nixpkgs

1st chunk of `doc/interoperability/cyclonedx.md`
# CycloneDX {#chap-interop-cyclonedx}

[OWASP](https://owasp.org/) [CycloneDX](https://cyclonedx.org/) is a Software [Bill of Materials](https://en.wikipedia.org/wiki/Bill_of_materials) (SBOM) standard.
The standards described here are for including Nix specific information within SBOMs in a way that is interoperable with external SBOM tooling.

## `nix` Namespace Property Taxonomy {#sec-interop.cylonedx-nix}

The following tables describe namespaces for [properties](https://cyclonedx.org/docs/1.6/json/#components_items_properties) that may be attached to components within SBOMs.
Component properties are lists of name-value pairs where values must be strings.
Properties with the same name may appear more than once.
Names and values are case-sensitive.

| Property         | Description |
|------------------|-------------|
| `nix:store_path` | A Nix store path for the given component. This property should be contextualized by additional properties that describe the production of the store path, such as those from the `nix:narinfo` and `nix:fod` namespaces. |


| Namespace     | Description |
|---------------|-------------|
| [`nix:narinfo`](#sec-interop.cylonedx-narinfo) | Namespace for properties that are specific to how a component is stored as a [Nix archive](https://nixos.org/manual/nix/stable/glossary#gloss-nar) (NAR) in a [binary cache](https://nixos.org/manual/nix/stable/glossary#gloss-binary-cache). |
| [`nix:fod`](#sec-interop.cylonedx-fod) | Namespace for properties that describe a [fixed-output derivation](https://nixos.org/manual/nix/stable/glossary#gloss-fixed-output-derivation). |


### `nix:narinfo` {#sec-interop.cylonedx-narinfo}

Narinfo properties describe component archives that may be available from binary caches.
The `nix:narinfo` properties should be accompanied by a `nix:store_path` property within the same property list.

| Property                  | Description |
|---------------------------|-------------|
| `nix:narinfo:store_path`  | Store path of the given component. |
| `nix:narinfo:url`         | Relative URL of the component archive within the binary cache. |
| `nix:narinfo:nar_hash`    | Hash of the file system object part of the component when serialized as a Nix Archive. |
| `nix:narinfo:nar_size`    | Size of the component when serialized as a Nix Archive. |
| `nix:narinfo:compression` | The compression format the component archive is stored in. |
| `nix:narinfo:file_hash`   | A digest for the compressed component archive itself, as opposed to the data contained within. |
| `nix:narinfo:file_size`   | The size of the compressed component archive itself. |
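
Added example, not part of the nixpkgs documentation: a small Python script that maps the fields of a narinfo file onto the property names above, places `nix:store_path` alongside them in the same property list, and checks the rules this taxonomy states (string values, and narinfo properties accompanied by a store path). The narinfo text, store path and hashes are constructed placeholders.

```python
# Constructed sample narinfo (placeholder store path and hashes, not real artifacts).
SAMPLE_NARINFO = """\
StorePath: /nix/store/0000000000000000000000000000000a-example-1.0
URL: nar/0000000000000000000000000000000b.nar.xz
Compression: xz
FileHash: sha256:0000000000000000000000000000000c
FileSize: 12345
NarHash: sha256:0000000000000000000000000000000d
NarSize: 67890
"""
# narinfo key -> property name in the nix:narinfo namespace.
NARINFO_FIELDS = {
    "StorePath": "nix:narinfo:store_path",
    "URL": "nix:narinfo:url",
    "NarHash": "nix:narinfo:nar_hash",
    "NarSize": "nix:narinfo:nar_size",
    "Compression": "nix:narinfo:compression",
    "FileHash": "nix:narinfo:file_hash",
    "FileSize": "nix:narinfo:file_size",
}

def parse_narinfo(text):
    """Parse the 'Key: value' lines of a narinfo into a dict."""
    fields = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            fields[key.strip()] = value.strip()
    return fields

def narinfo_properties(text):
    """Property list for one component: nix:store_path first, then the
    nix:narinfo:* properties. Every value stays a string (sizes are not cast
    to integers), as the taxonomy requires."""
    fields = parse_narinfo(text)
    props = [{"name": "nix:store_path", "value": fields["StorePath"]}]
    for key, name in NARINFO_FIELDS.items():
        if key in fields:
            props.append({"name": name, "value": str(fields[key])})
    return props

def check_properties(props):
    """Return violations of the taxonomy rules: string values, and no
    nix:narinfo:* property without an accompanying nix:store_path."""
    problems = [f"{p['name']}: value must be a string"
                for p in props if not isinstance(p.get("value"), str)]
    names = {p["name"] for p in props}
    if any(n.startswith("nix:narinfo:") for n in names) and "nix:store_path" not in names:
        problems.append("nix:narinfo:* properties present without nix:store_path")
    return problems
```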
