


nixpkgs

2nd chunk of `doc/interoperability/cyclonedx.md`
| [`nix:fod`](#sec-interop.cylonedx-fod) | Namespace for properties that describe a [fixed-output derivation](https://nixos.org/manual/nix/stable/glossary#gloss-fixed-output-derivation). |


### `nix:narinfo` {#sec-interop.cylonedx-narinfo}

Narinfo properties describe component archives that may be available from binary caches.
The `nix:narinfo` properties should be accompanied by a `nix:store_path` property within the same property list.

| Property                  | Description |
|---------------------------|-------------|
| `nix:narinfo:store_path`  | Store path for the given store component. |
| `nix:narinfo:url`         | Path of the NAR file, relative to the base URL of the binary cache. |
| `nix:narinfo:nar_hash`    | Hash of the file system object part of the component when serialized as a Nix Archive. |
| `nix:narinfo:nar_size`    | Size of the component when serialized as a Nix Archive. |
| `nix:narinfo:compression` | The compression format the component archive is stored in. |
| `nix:narinfo:file_hash`   | A digest for the compressed component archive itself, as opposed to the data contained within. |
| `nix:narinfo:file_size`   | The size of the compressed component archive itself. |
| `nix:narinfo:deriver`     | The path to the derivation from which this component is produced. |
| `nix:narinfo:system`      | The hardware and software platform on which this component is produced. |
| `nix:narinfo:sig`         | Signatures of the form `<key name>:<base64 signature>` over the store path, NAR hash, NAR size and references, claiming that this component is what it claims to be. Only signatures from keys the consumer already trusts (Nix's `trusted-public-keys`) say anything about the component. |
| `nix:narinfo:ca`          | Content address of this store object's file system object, used to compute its store path. |
| `nix:narinfo:references`  | A whitespace-separated list of store paths that this component references. |
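The narinfo properties above carry everything a consumer needs in order to check a binary-cache claim before trusting it: a narinfo signature is made over the string `1;<store path>;<NAR hash>;<NAR size>;<references>`, and Nix only accepts signatures from keys listed in its `trusted-public-keys`. The following Python is an added example, not code from nixpkgs or the CycloneDX project. It extracts the `nix:narinfo:*` properties of one constructed component, checks that `nix:store_path` is present and agrees with `nix:narinfo:store_path`, rebuilds that fingerprint and keeps only the signatures made by a trusted key. The store directory `/nix/store/`, whitespace separation between several signatures, and the all-zero placeholder hashes, public key and signature are assumptions made for the example; the Ed25519 check in `verify` needs the third-party `cryptography` package and is not exercised by the sample data.

```python
import base64

# Added example, not nixpkgs code: checks on the nix:narinfo properties of one
# CycloneDX component and the fingerprint that a narinfo signature covers.
NARINFO = "nix:narinfo:"
STORE_DIR = "/nix/store/"   # assumed store directory


def properties_to_dict(component, prefix):
    """CycloneDX `properties` whose name starts with `prefix`, keyed by the
    rest of the name ("nix:narinfo:url" -> "url")."""
    out = {}
    for prop in component.get("properties", []):
        name = prop.get("name", "")
        if name.startswith(prefix):
            out[name[len(prefix):]] = prop.get("value", "")
    return out


def store_path_of(component):
    """The nix:store_path property that must accompany nix:narinfo."""
    for prop in component.get("properties", []):
        if prop.get("name") == "nix:store_path":
            return prop["value"]
    raise ValueError("nix:narinfo properties without a nix:store_path")


def fingerprint(store_path, nar_hash, nar_size, references):
    """The string a narinfo signature is made over:
    1;<store path>;<NAR hash>;<NAR size>;<sorted, comma-separated references>"""
    return "1;%s;%s;%d;%s" % (store_path, nar_hash, int(nar_size),
                              ",".join(sorted(references)))


def parse_sig(sig):
    """A narinfo Sig is '<key name>:<base64 Ed25519 signature>'."""
    key_name, sep, b64 = sig.partition(":")
    if not sep or not key_name or not b64:
        raise ValueError("malformed signature: %r" % sig)
    raw = base64.b64decode(b64, validate=True)
    if len(raw) != 64:
        raise ValueError("Ed25519 signatures are 64 bytes")
    return key_name, raw


def check_narinfo(component, trusted_keys):
    """Return (fingerprint, [(key name, raw signature)]) keeping only the
    signatures made by keys in `trusted_keys`; raise on inconsistent input."""
    info = properties_to_dict(component, NARINFO)
    store_path = store_path_of(component)
    if info.get("store_path", store_path) != store_path:
        raise ValueError("nix:narinfo:store_path disagrees with nix:store_path")
    for required in ("nar_hash", "nar_size"):
        if required not in info:
            raise ValueError("missing " + NARINFO + required)
    # References are whitespace-separated store paths; a bare narinfo-style
    # basename is prefixed with the store directory (assumption).
    refs = [r if r.startswith("/") else STORE_DIR + r
            for r in info.get("references", "").split()]
    fp = fingerprint(store_path, info["nar_hash"], info["nar_size"], refs)
    usable = []
    for sig in info.get("sig", "").split():   # assumption: whitespace separated
        key_name, raw = parse_sig(sig)
        if key_name in trusted_keys:          # Nix likewise ignores unknown signers
            usable.append((key_name, raw))
    return fp, usable


def verify(fp, key_name, raw_sig, trusted_keys):
    """Ed25519 check of one signature; needs the third-party `cryptography` package."""
    from cryptography.exceptions import InvalidSignature
    from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PublicKey
    pub = Ed25519PublicKey.from_public_bytes(base64.b64decode(trusted_keys[key_name]))
    try:
        pub.verify(raw_sig, fp.encode())
        return True
    except InvalidSignature:
        return False


# Constructed sample: placeholder hashes, an all-zero "signature" and an all-zero
# public key, so only parsing, consistency and key filtering are exercised.
HELLO = STORE_DIR + "a" * 32 + "-hello-2.12.1"
GLIBC = STORE_DIR + "b" * 32 + "-glibc-2.39"
DUMMY_SIG = base64.b64encode(bytes(64)).decode()
TRUSTED_KEYS = {"example-cache-1": base64.b64encode(bytes(32)).decode()}
SAMPLE_COMPONENT = {
    "type": "application", "name": "hello", "version": "2.12.1",
    "properties": [
        {"name": "nix:store_path", "value": HELLO},
        {"name": "nix:narinfo:store_path", "value": HELLO},
        {"name": "nix:narinfo:nar_hash", "value": "sha256:" + "0" * 52},
        {"name": "nix:narinfo:nar_size", "value": "226560"},
        {"name": "nix:narinfo:references", "value": GLIBC + " " + HELLO},
        {"name": "nix:narinfo:sig",
         "value": "example-cache-1:" + DUMMY_SIG + " unknown-key-1:" + DUMMY_SIG},
    ],
}
```

`check_narinfo(SAMPLE_COMPONENT, TRUSTED_KEYS)` returns the fingerprint and a single usable signature (the one from `example-cache-1`); the signature from `unknown-key-1` is dropped rather than verified, which mirrors how Nix treats signers that are not in `trusted-public-keys`. A signature that verifies under `verify` only proves that the named key endorsed this NAR; it says nothing about whether the `nix:fod` source it was built from is what it claims to be.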

### `nix:fod` {#sec-interop.cylonedx-fod}

FOD properties describe a [fixed-output derivation](https://nixos.org/manual/nix/stable/glossary#gloss-fixed-output-derivation).
The `nix:fod:method` property is required and must be accompanied by a `nix:store_path` property within the same property list.
All other properties in this namespace are method-specific.
To reproduce the build of a component the `nix:fod:method` value is resolved to an [appropriate function](#chap-pkgs-fetchers) within Nixpkgs whose arguments intersect with the given properties.
When generating `nix:fod` properties the method selected should be a stable function with a minimal number of arguments.
For example, `fetchFromGitHub` is commonly used within Nixpkgs, but it should be reduced to a call to the function by which it is implemented, `fetchzip`.

| Property         | Description |
|------------------|-------------|
| `nix:fod:method` | Nixpkgs function that produces this FOD. Required. Examples: `"fetchzip"`, `"fetchgit"` |
| `nix:fod:name`   | Derivation name, present when method is `"fetchzip"` |
| `nix:fod:ref`    | [Git ref](https://git-scm.com/docs/gitglossary#Documentation/gitglossary.txt-aiddefrefaref), present when method is `"fetchgit"` |
| `nix:fod:rev`    | [Git rev](https://git-scm.com/docs/gitglossary#Documentation/gitglossary.txt-aiddefrevisionarevision), present when method is `"fetchgit"` |
| `nix:fod:sha256` | Expected output hash of the FOD, passed to the fetcher as `sha256` |
| `nix:fod:url`    | URL to fetch |


`nix:fod` properties may be extracted and evaluated to a derivation using code similar to the following, assuming a fictitious function `filterPropertiesToAttrs` that turns the properties with the given name prefix into an attribute set keyed by the remainder of each name:

```nix
{
  pkgs,
  filterPropertiesToAttrs,
  properties,
}:
let
  # Attribute set of the `nix:fod:*` properties, keyed by the part of the
  # name after the prefix, e.g. { method = "fetchzip"; url = "..."; ... }.
  fodProps = filterPropertiesToAttrs "nix:fod:" properties;

  # One function per supported `nix:fod:method`. Only the documented,
  # method-specific arguments are forwarded; other properties are ignored.
  methods = {
    fetchzip =
      {
        name,
        url,
        sha256,
        ...
      }:
      pkgs.fetchzip { inherit name url sha256; };
    fetchgit =
      {
        url,
        rev,
        sha256,
        ...
      }:
      pkgs.fetchgit { inherit url rev sha256; };
  };

  method = fodProps.method or (throw "nix:fod:method is required");
  reproduce = methods.${method} or (throw "unsupported nix:fod:method: ${method}");
in
reproduce fodProps
```
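As a Python counterpart to the Nix snippet above (an added example, not nixpkgs code), the function below turns `nix:fod:*` properties into the source text of a fetcher call, so the expression can be written to a file and evaluated later. It enforces the same rules as the text: `nix:store_path` must be present, `nix:fod:method` must name one of the allow-listed functions, and only the method-specific arguments from the table are forwarded (`nix:fod:ref` is left out because `pkgs.fetchgit` takes the revision as `rev`). Because property values are interpolated into Nix source, they are escaped first: an unescaped `"` or `${` in an SBOM value would otherwise become Nix code at evaluation time. The `component` helper and the two sample components are constructed for this example.

```python
# Added example, not nixpkgs code: generate a Nixpkgs fetcher call from the
# nix:fod:* properties of a CycloneDX component, escaping every value.
FOD = "nix:fod:"

# Arguments forwarded per method, taken from the property table. `nix:fod:ref`
# is deliberately not forwarded: pkgs.fetchgit takes the revision as `rev`.
METHODS = {
    "fetchzip": ("name", "url", "sha256"),
    "fetchgit": ("url", "rev", "sha256"),
}


def properties_to_dict(component, prefix):
    """CycloneDX `properties` whose name starts with `prefix`, keyed by the
    rest of the name ("nix:fod:url" -> "url")."""
    out = {}
    for prop in component.get("properties", []):
        name = prop.get("name", "")
        if name.startswith(prefix):
            out[name[len(prefix):]] = prop.get("value", "")
    return out


def has_store_path(component):
    return any(p.get("name") == "nix:store_path"
               for p in component.get("properties", []))


def nix_string(value):
    """Quote `value` as a Nix double-quoted string literal. Backslash, the
    quote itself and the `${` interpolation opener are escaped; without this
    an SBOM value could inject arbitrary Nix code into the generated file."""
    escaped = (value.replace("\\", "\\\\")
                    .replace('"', '\\"')
                    .replace("${", "\\${"))
    return '"' + escaped + '"'


def fod_expression(component, attr="pkgs"):
    """Return e.g. 'pkgs.fetchzip { name = "..."; url = "..."; sha256 = "..."; }'."""
    if not has_store_path(component):
        raise ValueError("nix:fod:method must be accompanied by nix:store_path")
    props = properties_to_dict(component, FOD)
    method = props.get("method")
    if method not in METHODS:
        raise ValueError("unsupported or missing nix:fod:method: %r" % (method,))
    missing = [a for a in METHODS[method] if a not in props]
    if missing:
        raise ValueError("%s requires %s" % (method, ", ".join(missing)))
    body = " ".join("%s = %s;" % (a, nix_string(props[a])) for a in METHODS[method])
    return "%s.%s { %s }" % (attr, method, body)


# Constructed sample data.
SOURCE = "/nix/store/" + "c" * 32 + "-source"


def component(method, **fod):
    """Build a constructed CycloneDX component carrying nix:fod:* properties."""
    props = [{"name": "nix:store_path", "value": SOURCE},
             {"name": FOD + "method", "value": method}]
    props += [{"name": FOD + k, "value": v} for k, v in fod.items()]
    return {"type": "library", "name": "source", "properties": props}


GIT_SAMPLE = component("fetchgit",
                       url="https://github.com/example/repo.git",
                       rev="0123456789abcdef0123456789abcdef01234567",
                       ref="refs/tags/v1.0",
                       sha256="sha256-" + "A" * 43 + "=")

# A hostile value: unescaped, the quote would end the URL string and the `${`
# would run builtins.readFile when the generated expression is evaluated.
HOSTILE_SAMPLE = component("fetchzip",
                           name="hello-src",
                           url='https://example.invalid/x.tar.gz"; '
                               '${builtins.readFile /etc/passwd}; "',
                           sha256="sha256-" + "A" * 43 + "=")
```

`fod_expression(GIT_SAMPLE)` yields a plain `pkgs.fetchgit { url = ...; rev = ...; sha256 = ...; }` call, while for `HOSTILE_SAMPLE` every `"` and `${` inside the URL comes out as `\"` and `\${`, so the generated file contains a harmless string rather than an evaluation-time file read. Allow-listing the method names serves the same purpose as the `methods` attribute set in the Nix version: the SBOM chooses among the functions the consumer offers, never an arbitrary one.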
