{"id":21134550,"url":"https://github.com/nikstur/bombon","last_synced_at":"2025-04-07T06:06:06.030Z","repository":{"id":116255596,"uuid":"526398555","full_name":"nikstur/bombon","owner":"nikstur","description":"Nix CycloneDX Software Bills of Materials (SBOMs)","archived":false,"fork":false,"pushed_at":"2025-03-17T12:06:29.000Z","size":402,"stargazers_count":78,"open_issues_count":6,"forks_count":10,"subscribers_count":4,"default_branch":"main","last_synced_at":"2025-03-31T05:03:06.541Z","etag":null,"topics":["bill-of-materials","bom","components","cyclonedx","dependencies","license","nix","nixos","purl","sbom","sbom-generator","software-bill-of-materials","spdx"],"latest_commit_sha":null,"homepage":"","language":"Rust","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/nikstur.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2022-08-18T23:06:53.000Z","updated_at":"2025-03-17T12:06:32.000Z","dependencies_parsed_at":"2024-05-13T14:40:38.035Z","dependency_job_id":"83bd463f-c1fb-4908-a3a8-0954685111a3","html_url":"https://github.com/nikstur/bombon","commit_stats":null,"previous_names":[],"tags_count":3,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nikstur%2Fbombon","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nikstur%2Fbombon/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nikstur%2Fbombon/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nikstur%2Fbombon/manifes
ts","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/nikstur","download_url":"https://codeload.github.com/nikstur/bombon/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247601447,"owners_count":20964864,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["bill-of-materials","bom","components","cyclonedx","dependencies","license","nix","nixos","purl","sbom","sbom-generator","software-bill-of-materials","spdx"],"created_at":"2024-11-20T06:31:02.146Z","updated_at":"2025-04-07T06:06:06.013Z","avatar_url":"https://github.com/nikstur.png","language":"Rust","funding_links":[],"categories":["Security","Dependency intelligence"],"sub_categories":["SCA and SBOM"],"readme":"# Bombon\n\nAutomagically build CycloneDX Software Bills of Materials (SBOMs) for Nix packages!\n\nBombon generates CycloneDX v1.5 SBOMs which aim to be compliant with:\n\n- The German [Technical Guideline TR-03183 v2.0.0][] of the Federal Office for Information\n  Security (BSI)\n- The US [Executive Order 14028][]\n\nIf you find that they aren't compliant in any way, please open an issue!\n\n[Technical Guideline TR-03183 v2.0.0]: https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/TechGuidelines/TR03183/BSI-TR-03183-2-2_0_0.pdf?__blob=publicationFile\u0026v=3\n[Executive Order 14028]: https://www.nist.gov/itl/executive-order-14028-improving-nations-cybersecurity/software-security-supply-chains-software-1\n\n## Getting Started\n\n### Flakes\n\n```sh\nnix flake init -t github:nikstur/bombon\n```\n\nOr manually copy this to 
`flake.nix` in your repository:\n\n```nix\n# file: flake.nix\n{\n  inputs = {\n    nixpkgs.url = \"github:NixOS/nixpkgs/nixpkgs-unstable\";\n    bombon.url = \"github:nikstur/bombon\";\n    bombon.inputs.nixpkgs.follows = \"nixpkgs\";\n  };\n\n  outputs = { self, nixpkgs, bombon }:\n    let\n      system = \"x86_64-linux\";\n      pkgs = import nixpkgs { inherit system; };\n    in\n    {\n      packages.${system}.default = bombon.lib.${system}.buildBom pkgs.hello { };\n    };\n}\n```\n\n### Niv\n\n```sh\nniv init\nniv add nikstur/bombon\n```\n\n```nix\n# file: default.nix\nlet\n  sources = import ./nix/sources.nix { };\n  pkgs = import sources.nixpkgs { };\n  bombon = import sources.bombon { inherit pkgs; };\nin\nbombon.buildBom pkgs.hello { }\n```\n\n## Vendored Dependencies\n\nSome language ecosystems in Nixpkgs (most notably Rust and Go) vendor\ndependencies. This means that not every dependency is its own derivation and\nthus bombon cannot record their information as it does with \"normal\" Nix\ndependencies. However, bombon can automatically read SBOMs generated by other\ntools (like `cargo-cyclonedx`) for the vendored dependencies from a passthru\nderivation called `bombonVendoredSbom`.\n\nYou can use the `passthruVendoredSbom.rust` function to add the\n`bombonVendoredSbom` passthru derivation to a Rust package:\n\n```nix\nmyPackageWithSbom = bombon.passthruVendoredSbom.rust myPackage { inherit pkgs; };\n```\n\nOr using Flakes:\n\n```nix\nmyPackageWithSbom = bombon.lib.${system}.passthruVendoredSbom.rust myPackage { inherit pkgs; };\n```\n\nAn SBOM built from this new derivation will now include the vendored dependencies.\n\n## Options\n\n`buildBom` accepts options as an attribute set. All attributes are optional:\n\n- `extraPaths`: a list of store paths to also consider for the SBOM. This is\n  useful when you build images that discard their references (e.g. 
with\n  [`unsafeDiscardReferences`](https://nixos.org/manual/nix/stable/language/advanced-attributes#adv-attr-unsafeDiscardReferences))\n  but you still want their contents to appear in the SBOM. The `extraPaths`\n  will appear as components of the main derivation.\n- `includeBuildtimeDependencies`: boolean flag to include buildtime dependencies in output.\n- `excludes`: a list of regex patterns of store paths to exclude from the final\n  SBOM.\n\nExample:\n\n```nix\nbombon.lib.${system}.buildBom pkgs.hello {\n  extraPaths = [ pkgs.git ];\n  includeBuildtimeDependencies = true;\n  excludes = [ \"service\" ];\n}\n```\n\n`passthruVendoredSbom.rust` also accepts `includeBuildtimeDependencies` as an optional attribute.\n\nExample:\n\n```nix\nmyPackageWithSbom = bombon.passthruVendoredSbom.rust myPackage { inherit pkgs; includeBuildtimeDependencies = true; };\n```\n\n## Contributing\n\nDuring development, the Nix Repl is a convenient and quick way to test changes.\nStart the repl, loading your local version of nixpkgs.\n\n```sh\nnix repl \u003cnixpkgs\u003e\n```\n\nInside the repl, load the bombon flake and build the BOM for a package you\nare interested in.\n\n```nix-repl\n:l .\n:b lib.x86_64-linux.buildBom python3 { }\n```\n\nRemember to re-load the bombon flake every time you make changes to any of the\nsource code.\n\n## Acknowledgements\n\nThe way dependencies are retrieved using Nix is heavily influenced by this\n[blog article from Nicolas\nMattia](https://www.nmattia.com/posts/2019-10-08-runtime-dependencies.html).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnikstur%2Fbombon","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fnikstur%2Fbombon","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnikstur%2Fbombon/lists"}