nixpkgs

1st chunk of `doc/interoperability/cyclonedx.md`
# CycloneDX {#chap-interop-cyclonedx}

[OWASP](https://owasp.org/) [CycloneDX](https://cyclonedx.org/) is a Software [Bill of Materials](https://en.wikipedia.org/wiki/Bill_of_materials) (SBOM) standard.
The conventions described here are for including Nix-specific information in SBOMs in a way that remains interoperable with external SBOM tooling.

## `nix` Namespace Property Taxonomy {#sec-interop.cylonedx-nix}

The following tables describe namespaces for [properties](https://cyclonedx.org/docs/1.6/json/#components_items_properties) that may be attached to components within SBOMs.
Component properties are lists of name-value pairs whose values must be strings.
Properties with the same name may appear more than once.
Names and values are case-sensitive.

| Property         | Description |
|------------------|-------------|
| `nix:store_path` | A Nix store path for the given component. This property should be contextualized by additional properties that describe the production of the store path, such as those from the `nix:narinfo` and `nix:fod` namespaces. |


| Namespace     | Description |
|---------------|-------------|
| [`nix:narinfo`](#sec-interop.cylonedx-narinfo) | Namespace for properties that are specific to how a component is stored as a [Nix archive](https://nixos.org/manual/nix/stable/glossary#gloss-nar) (NAR) in a [binary cache](https://nixos.org/manual/nix/stable/glossary#gloss-binary-cache). |
| [`nix:fod`](#sec-interop.cylonedx-fod) | Namespace for properties that describe a [fixed-output derivation](https://nixos.org/manual/nix/stable/glossary#gloss-fixed-output-derivation). |


### `nix:narinfo` {#sec-interop.cylonedx-narinfo}

Narinfo properties describe component archives that may be available from binary caches.
They describe how and where an archive is stored, not how the store path was produced.
The `nix:narinfo` properties should be accompanied by a `nix:store_path` property within the same property list.

| Property                  | Description |
|---------------------------|-------------|
| `nix:narinfo:store_path`  | Store path of the component. |
| `nix:narinfo:url`         | Location of the archive relative to the root of the binary cache (typically a path under `nar/`). |
| `nix:narinfo:nar_hash`    | Hash of the component's file system object serialized as an (uncompressed) Nix Archive. Nix checks this hash when substituting the store path from the cache. |
| `nix:narinfo:nar_size`    | Size in bytes of the uncompressed Nix Archive. |
| `nix:narinfo:compression` | Compression format applied to the archive in the cache (for example `xz`, `zstd`, or `none`). |
| `nix:narinfo:file_hash`   | Hash of the compressed archive as stored in the cache, as opposed to the data contained within it. |
| `nix:narinfo:file_size`   | Size in bytes of the compressed archive as stored in the cache. |
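
The following example, added for this page and not part of nixpkgs or of any CycloneDX tool, shows how the property rules above and the `nix:narinfo` table map onto real data: it parses a `.narinfo` file in the `Key: value` form served by binary caches, emits a CycloneDX component whose property list carries `nix:store_path` plus the `nix:narinfo:*` properties, and applies the checks a consumer would want. The narinfo text is constructed for the example and its hashes are placeholders, not real digests; the name/version split of the store path is a heuristic the standard does not define; and the check that `nix:store_path` and `nix:narinfo:store_path` agree is an extra consistency check, not something the tables require.

```python
"""Build CycloneDX component properties from a Nix .narinfo file.

Example code added for this page; it is not part of nixpkgs or of any
CycloneDX tool. The narinfo text below is constructed for the example
(the hashes are placeholders, not real digests), and the name/version
split from the store path is a heuristic, not something the standard
defines.
"""
import json
import re

# Constructed sample .narinfo in the "Key: value" format served by binary caches.
SAMPLE_NARINFO = """\
StorePath: /nix/store/0123456789abcdfghijklmnpqrsvwxyz-hello-2.12.1
URL: nar/0123456789abcdfghijklmnpqrsvwxyz.nar.xz
Compression: xz
FileHash: sha256:0123456789abcdfghijklmnpqrsvwxyz0123456789abcdfghijk
FileSize: 50088
NarHash: sha256:zyxwvsrqpnmlkjihgfdcba9876543210zyxwvsrqpnmlkjihgfdc
NarSize: 226560
References: 0123456789abcdfghijklmnpqrsvwxyz-hello-2.12.1 abcdfghijklmnpqrsvwxyz0123456789-glibc-2.39
"""

# narinfo field -> property name from the nix:narinfo table on this page.
NARINFO_PROPERTIES = {
    "StorePath": "nix:narinfo:store_path",
    "URL": "nix:narinfo:url",
    "NarHash": "nix:narinfo:nar_hash",
    "NarSize": "nix:narinfo:nar_size",
    "Compression": "nix:narinfo:compression",
    "FileHash": "nix:narinfo:file_hash",
    "FileSize": "nix:narinfo:file_size",
}

# Nix base32 alphabet (no e, o, t, u); a store path hash is 32 such characters.
STORE_PATH_RE = re.compile(r"^/nix/store/([0-9a-df-np-sv-z]{32})-(.+)$")


def parse_narinfo(text):
    """Parse 'Key: value' lines into a dict; unmapped keys are kept too."""
    info = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed narinfo line: {line!r}")
        info[key.strip()] = value.strip()
    return info


def split_store_path(store_path):
    """Return (hash, name-version) and reject paths outside the store alphabet."""
    m = STORE_PATH_RE.match(store_path)
    if not m:
        raise ValueError(f"not a well-formed store path: {store_path}")
    return m.group(1), m.group(2)


def narinfo_properties(info):
    """Property list for one component: nix:store_path plus nix:narinfo:*.

    Values stay strings, as CycloneDX requires; sizes are not turned into ints.
    """
    store_path = info["StorePath"]
    split_store_path(store_path)  # reject garbage before it reaches the SBOM
    props = [{"name": "nix:store_path", "value": store_path}]
    for field, prop in NARINFO_PROPERTIES.items():
        if field in info:
            props.append({"name": prop, "value": info[field]})
    return props


def check_properties(props):
    """Consumer-side checks; returns a list of problems (empty when clean).

    The first two restate the page: values must be strings, and nix:narinfo:*
    must be accompanied by nix:store_path. The third (the two store path
    properties agree) is an extra consistency check added in this example.
    """
    problems = []
    by_name = {}
    for p in props:
        if not isinstance(p.get("value"), str):
            problems.append(f"{p.get('name')}: value is not a string")
        by_name.setdefault(p["name"], []).append(p["value"])
    if any(n.startswith("nix:narinfo:") for n in by_name) and "nix:store_path" not in by_name:
        problems.append("nix:narinfo:* present without nix:store_path")
    sp, nsp = by_name.get("nix:store_path", []), by_name.get("nix:narinfo:store_path", [])
    if sp and nsp and set(sp) != set(nsp):
        problems.append("nix:store_path and nix:narinfo:store_path disagree")
    return problems


def component_from_narinfo(text):
    """A CycloneDX JSON component dict for the store path described by text."""
    info = parse_narinfo(text)
    _, name_version = split_store_path(info["StorePath"])
    # Heuristic: split at the first "-<digit>"; the standard does not define this.
    parts = re.split(r"-(?=[0-9])", name_version, maxsplit=1)
    component = {"type": "library", "name": parts[0], "properties": narinfo_properties(info)}
    if len(parts) == 2:
        component["version"] = parts[1]
    return component


def bom_from_narinfo(text):
    """Wrap the component in a minimal CycloneDX 1.6 JSON document."""
    return {"bomFormat": "CycloneDX", "specVersion": "1.6", "components": [component_from_narinfo(text)]}


if __name__ == "__main__":
    bom = bom_from_narinfo(SAMPLE_NARINFO)
    print(json.dumps(bom, indent=2))
    print("problems:", check_properties(bom["components"][0]["properties"]))
```

Keys in the narinfo that have no property in the table (`References` here) are parsed but not emitted, and the store path is validated against the store hash alphabet before it is placed in the SBOM, so a malformed or non-store path fails early rather than being recorded as provenance.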
