Include patch in generated SBOM?

[drupol]

Hello,

I'm exploring SBOM generation with Nix, using this tool. I've encountered an issue where patches specified in the Nix flake do not appear in the generated SBOM. Below is a flake example demonstrating the issue. This flake aims to generate an SBOM that should include at least two patches; however, these patches are missing from the final SBOM file.

{
  inputs = {
    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
    systems.url = "github:nix-systems/default";
    bombon.url = "github:nikstur/bombon";
  };

  outputs = inputs@{ self, flake-parts, systems, ... }: flake-parts.lib.mkFlake { inherit inputs; } {
    systems = import systems;

    perSystem = { config, self', inputs', pkgs, system, lib, ... }: {
      packages = let
        contents = [
          (pkgs.php82.overrideAttrs (oldAttrs: {
            patches = oldAttrs.patches ++ [
              (pkgs.fetchurl {
                url = "https://gist.githubusercontent.com/drupol/f7b9bbe134338e0ce5e2fdac7bf6de0b/raw/e32f364d7e9f5793a8bd874af84ee609368d0bf0/php-ec.patch";
                hash = "sha256-rbuihwDMZOzlrGgBrDs9eY8God2B09jpeXZF43zYlN8=";
              })
            ];
          }))
          pkgs.php82.packages.composer
        ];
      in {
        sbom = inputs.bombon.lib.${system}.buildBom (pkgs.symlinkJoin { name = "sbom"; paths = contents; }) { };
      };
    };
  };
}

To reproduce this issue, execute nix build .#sbom (note: PHP compilation may take 5 to 10 minutes). For convenience, I have already generated the SBOM, which you can download here: sbom.json.

Interestingly, when I add the flag includeBuildtimeDependencies = true;, the patches appear in the SBOM. The updated SBOM can be downloaded here: sbom.json.

Taking Composer as an example, the current version of Nixpkgs applies a patch for CVE-2024-24821, which can be found at this link. This patch is included in the SBOM as follows:

{
  "type": "application",
  "bom-ref": "urn:uuid:ef7eaa20-7a20-4001-84de-a673a369c681",
  "name": "CVE-2024-24821.patch",
  "version": "",
  "purl": "pkg:nix/CVE-2024-24821.patch@"
}

However, the SBOM does not clearly indicate that the patch is associated with Composer.

I have two questions:

1. Is it expected behavior for patches not to appear in the SBOM when build dependencies are not included?
2. How can we enhance the representation of patches in the SBOM when including buildtime dependencies to clearly indicate their association with specific derivations?

[nikstur]

1. Isn't a patch by definition a buildtime input because it modifies the source code?
2. We'd probably need to include the graph information in the SBOM. Cyclonedx already can do this. The question is how we can extract this nicely from Nix.

[drupol]

1. Isn't a patch by definition a buildtime input because it modifies the source code?

From that perspective, that's true. However, it would be nice to have this information in the SBOM.

2. We'd probably need to include the graph information in the SBOM. Cyclonedx already can do this. The question is how we can extract this nicely from Nix.

What kind of graph, do you have an example ?

[arianvp]

I think he means dependency graph. Currently genericClosure flattens this and throws away this info

#155